Phishing Surpasses Ransomware Attacks in 2018

Enterprises around the globe have seen a surge in compromises resulting from phishing attacks, so much so that phishing has surpassed ransomware by an overwhelming margin, according to Proofpoint.

According to the new 2019 State of the Phish report, last year saw a 65% increase in enterprises compromised by phishing attacks, with credential compromises rising by more than 70% to become the most commonly experienced attack in 2018.

The comprehensive study analyzed tens of millions of simulated phishing emails in its survey of nearly 15,000 information security professionals and 7,000 end users across 16 different industries.

As cyber-criminals continue to focus their attention on people rather than technologies, the study found that many end users “are relying on IT teams to automatically discover and fix accidental downloads of malicious software. The lack of clarity with regard to the role of IT in attack prevention could be giving users a false sense of security and unnecessarily taxing infosec resources.”

While the report reflected a global average of 66% of end users who know what phishing is, more than half of the respondents (55%) reported that they do not know what smishing is and 63% were unfamiliar with vishing. Though ransomware awareness has improved, there has been little growth in phishing awareness for users in the US, UK and Germany.

In fact, from 2017 to 2018, the average number of users who said they know what phishing is actually declined in the UK and Germany. When broken down by age group, the 54+ population seems to have the greatest awareness, with 73% correctly defining phishing, while only 47% of those aged 18-21 were able to correctly do so.

“Baby boomers and Gen X respondents (ages 38-53) exhibit much stronger recognition of phishing and ransomware, which we feel is likely due to longer-term exposure to security awareness training about these topics,” the report said.

“Millennials and their younger counterparts are strongest in recognition of smishing and vishing, two more recent threat vectors – though less than a third of each group responded correctly, so not a great showing overall.”
