The war against phishing is still on, with 76% of organizations experiencing phishing attacks in 2017. Further, nearly half of information security professionals surveyed said that the rate of attacks increased from 2016.
That’s according to the Wombat Security Technologies' annual State of the Phish research report, which also found that the impacts of phishing were more broadly felt last year than in 2016, with an 80% increase in reports of malware infections, account compromise and data loss related to phishing attacks.
The data shows that smishing (SMS/text message phishing) is an emerging threat: 45% of infosec professionals reported experiencing phishing via phone calls (vishing) and smishing.
The report is based on the analysis of tens of millions of simulated phishing attacks sent through Wombat's Security Education Platform over a 12-month period, 10,000 responses collected from quarterly surveys of Wombat's database of infosec professionals (customers and non-customers) from more than 16 industries and insights from a third-party survey of 1,000 adults each in the US, UK and Germany.
It found that while Wombat customers show positive trends and progress within their programs, with declining click rates and an increasing number of suspicious emails identified and reported, awareness of phishing and ransomware has not trickled down to the average technology user.
Globally, the majority (67%) of technology users surveyed were not able to venture a guess as to what smishing is. Across all populations, adults aged 55 and older significantly outpace millennials in their recognition of what phishing is. Meanwhile, German users struggle to define ransomware: Nearly 70% of surveyed technology users in Germany were unable to identify what ransomware is.
A silver lining is continued momentum for anti-phishing education. For the fourth consecutive year, Wombat saw an increase in the number of organizations that assess and train their users on phishing avoidance. There has also been an increased use of computer-based training: The number of organizations using computer-based training jumped from 62% in 2016 to 79% in 2017.
"The State of the Phish Report shows that simulated phishing attacks are certainly valuable tools in the battle against social engineering attacks, but it also reinforces the need for CSOs, CISOs and their teams to take a broader view of cybersecurity education," said Joe Ferrara, president and CEO of Wombat Security. "A cyclical approach to security awareness and training is the most effective. Organizations should employ a methodology that both raises awareness of cybersecurity best practices and teaches users how to employ these practices when they inevitably face a security threat."