An annual report into the virulence of phishing scams has found that more than half of organizations dealt with at least one successful phishing attack in 2019.
The 2020 "State of the Phish" report, by cybersecurity and compliance firm Proofpoint, was produced using data from nearly 50 million simulated phishing attacks sent by Proofpoint to end users over a one-year period. In addition, researchers combed through third-party survey responses from more than 600 information security professionals and analyzed the fundamental cybersecurity knowledge of more than 3,500 working adults in the US, Australia, France, Germany, Japan, Spain, and the UK.
Among the key findings, 55 percent of surveyed organizations dealt with at least one successful phishing attack in 2019, and infosecurity professionals reported a high frequency of social engineering attempts across a range of methods.
Other forms of attack reflect cyber-criminals' continued focus on compromising individual end users. Spear-phishing attacks were reported by 88 percent of organizations worldwide, while 86 percent reported business email compromise (BEC) attacks and social media attacks.
Phishing via text/SMS, also known as smishing, struck 84 percent of organizations, while 83 percent reported experiencing voice phishing, or "vishing." Malicious USB drops had caused problems for 81 percent of organizations surveyed.
On a more positive note, the sixth annual "State of the Phish" report revealed that equipping individuals with instructions on how to avoid taking the phishers' bait garnered good results. Seventy-eight percent of organizations reported that security awareness training activities resulted in measurable reductions in phishing susceptibility.
“Effective security awareness training must focus on the issues and behaviors that matter most to an organization’s mission,” said Joe Ferrara, senior vice president and general manager of security awareness training for Proofpoint.
“We recommend taking a people-centric approach to cybersecurity by blending organization-wide awareness training initiatives with targeted, threat-driven education. The goal is to empower users to recognize and report attacks.”
Proofpoint researchers noted an increase in the volume of reported phishing messages and identified a trend toward more targeted, personalized attacks carried out over bulk campaigns.
The volume of reported messages jumped significantly year on year, with end users reporting more than nine million suspicious emails in 2019, an increase of 67 percent over 2018.