Despite the emergence of numerous new and sophisticated attack methods, cyber criminals and hackers continue to turn to phishing attacks, which are increasing in volume and complexity, according to a new report by Wombat Security Technologies.
The annual State of the Phish report is based on data from millions of simulated phishing attacks collected between October 1, 2014 and September 30, 2015, as well as several hundred responses from a survey of security professionals.
The report found that 85 percent of organizations report being the victim of a phishing attack, up 13 percent from 2014. Moreover, 67 percent report a spear phishing attack, up 22 percent from 2014.
The consequences of these attacks are malware infections, compromised accounts, and loss of data. Organizations can also suffer damage to reputation, loss of employee productivity, and huge financial repercussions.
“Phishing continues to be a highly effective attack vector that is increasingly responsible for a significant percentage of data breaches in the market today,” said Trevor Hawthorn, CTO of Wombat. “In spite of continued investments in a number of popular security technologies, phishing messages continue to reach end users and can result in serious damages to a company’s critical data and reputation.”
Wombat’s findings are supported by a number of similar reports. As Homeland Security Today previously reported, a 2014 report by McAfee Labs saw a significant uptick in both the total volume and sophistication of phishing attacks.
Verizon’s 2015 Data Breach Investigations Report stated that although cybersecurity discussions often focus on the increasing sophistication of cyberattacks, recent data from Verizon revealed cybercriminals continue to rely on old techniques that have been around for decades, particularly phishing scams.
Although phishing traditionally involved sending an email that appeared to come from a reputable institution, such as a bank, and asking the user to provide personal information or change their password, phishing attacks have evolved over the years and now feature the installation of malware in the second stage of the attack.
In addition, research conducted in 2015 on the Cost of Phishing and Value of Employee Training by Wombat and Ponemon Institute found that successful phishing attacks often result in loss of employee productivity and uncontained credential compromise, which together cost an average-sized company $3.77 million per year.
Wombat’s recent report emphasized five key steps to every successful anti-phishing program: create a plan, conduct baseline assessments, communicate your program, deliver simulated attacks and auto-enroll employees in anti-phishing training, and repeat the cycle to create a “culture of security awareness.”
Hawthorn added, “Our methods have shown that a Continuous Training Methodology which educates end users on cybersecurity threats changes employee behavior and reduces risk within an organization.”
Other key findings include:
Personalized Spear Phishing – Spear phishers tailor emails to key people within an organization. Emails personalized with a first name had click rates 19 percent higher than those with no personalization.
Industry Breakdown – Click rates vary by industry, with telecommunications and professional services clicking phishing emails more than other industries.
Technology Protection – The primary means organizations use to mitigate phishing attacks include email spam filters, outbound proxy protection, advanced malware analysis, and URL wrapping.
Endpoint Vulnerability – The plugins most susceptible to an attack include Adobe, Adobe Flash, Microsoft Silverlight, and Java.
Suspicious Attachments – The most suspicious attachments identified by Wombat include pdf (29 percent), doc (22 percent), html (13 percent), and xls (12 percent) among others.