Wombat Security Technologies Issues 2018 State of the Phish Report

September 2, 2018


Wombat Security Technologies has announced its 2018 State of the Phish Report – an assessment of data from tens of millions of simulated phishing attacks carried out through its Security Education Platform throughout the past 12 months. The account also provides insights on the present state of phishing from three-monthly surveys sent to its clients, emphasizing the rate of recurrence of phishing attacks on companies, the effect those attacks are having, and the steps being taking to decrease danger.

The Status of Phishing in 2017

Phishing attacks are persistent – They are a danger across all industry sectors. The Wombat three-monthly analyses demonstrate that 76% of companies faced a phishing attempt in 2017, like the percentage of businesses that faced phishing attacks in 2016.

Electronic mail is the key attack route, however, there has been a surge in phishing using other routes such as text messaging platforms/SMS (Smishing) and the telephone (vishing). 45% of respondents to the survey stated they had faced either a vishing or smishing attack in the previous 12 months, a 2% rise from 2016.

When questioned how 2017 compared to 2016, 48% of respondents stated phishing attacks have risen and 48% said the rate of phishing attacks has remained unchanged. Just 4% thought the rate of phishing attacks had dropped.

Fewer businesses faced spear phishing attacks such as business electronic mail compromise attacks in 2017. 53% of businesses informed facing these attacks which is a 16% reduction from 2016. Nevertheless, several businesses have been extensively targeted and have faced a high number of spear phishing attacks. 67% faced between 1 and 5 attacks and 21% faced between 6 and 15 attacks in 2017.

Methods Used to Decrease Vulnerability to Phishing

Most companies (97%) use electronic mail sieving solutions to decrease the volume of malevolent messages that are transmitted to end users’ inboxes. 47% have installed sophisticated malware analysis tools, 44% use outbound proxy security, and 31% use URL wrapping.

76% of companies are now assessing their vulnerability to phishing attacks, compared to 66% in 2016. There has also been a rise in the number of firms that are teaching end users how to find phishing attacks. In 2016, 92% of companies provided anti-phishing training to workers. In 2017 the figure increased to 95%. 54% of companies stated that they have been able to demonstrate that vulnerability to phishing attacks has decreased as a consequence of their training attempts.

The most usually used training tools were CBT courses (79%), phishing simulation drills (68%), videos and poster campaigns (46%), in-person safety consciousness teaching (45%), and newsletters and monthly notices (38%). Companies are realizing that yearly training is no more sufficient. 40% of companies now provide three-monthly training, 35% provide training once-a-month, and 5% conduct training once every two weeks. 19% only provide training yearly.

As anti-phishing teaching programs mature, click rates fall. There was an average decrease in click rates of 30% between year one and year two of running an anti-phishing teaching program.

69% of businesses now evaluate the risk each worker poses to the business, with several phishing simulation failures most usually resulting in advising from a manager (74%), elimination of access to systems (25%), termination (11%), or a monetary fine (5%). 30% of companies take other actions such as providing additional teaching, one-on-one teaching sessions, or counseling from the IT division.