Phishing Emails and Your Security: Research Details the Continued Risk

“Phishing” lends itself to tongue-in-cheek humor and images, but it’s no laughing matter.

Cybercriminals continue to use phishing attacks to trick people into opening emails and/or clicking on links and files that allow malware (like ransomware) to breach your network security.

Phishing attacks continue because they work (for tips on how to avoid being hooked, read Some Day Your Nigerian Prince Will Come - 9 Simple Attempts to Dodge Phishing Emails).

In case you’re still one of those business leaders who think “not gonna happen to me,” here are some key stats from State of the Phish 2018, a research report from Wombat Security.

This survey of information security pros from around the world reveals that everyone needs to worry about phishing.

• 76% said they had at least one phishing attack in 2017 (the same as from 2016)
• 45% experienced phishing via phone calls and SMS/text messaging
• 3% experienced a USB-based social engineering attack (if you see a USB stick on the street, don’t pick it up!)

As for the overall rate of phishing attacks, an equal number -- 48% -- say that attacks are increasing or staying the same. A much small number paint a happier picture, 4% say rate of phishing attacks are decreasing.

In the actual good news category, click rates for phishing emails declined. That indicates a combination of software and user education is working. On the downside, cybercriminals are switching to more consumer-based email templates which fool users at a higher rate.

While that’s a good trend, there are three phishing templates that have an extraordinary high rate of success that you need to educate everyone in your office about:

• Online shopping security updates -- 86%
• Corporate voicemail from unknown caller -- 86%
• Corporate email improvements -- 89%

Two other types of emails sent as simulated attacks to gauge user response gathered a near 100% click rate -- a database password reset alert and an email that claimed to have an updated building evacuation plan.

The Impact and Cost of Phishing

Sadly, phishing does work. There was a rise in the three major impacts of successful phishing attacks from 2016 to 2017:

• Malware infection -- from 27% to 49%
• Compromised accounts -- from 17% to 38%
• Loss of data -- from 7% to 13%

The graphic below shows how companies measure the cost of phishing:

Phishing emails are increasing. Hopefully, next year’s research will reveal another dip in the overall success of these attacks. Do your part to prevent these attacks and protect your information, keep your network secure with updates and software patching and educate your users.