2018 State of the Phish: Phishing Data, Insights, and Advice

We’re excited to announce the release of our 2018 State of the Phish™ Report, an annual research study that is a trusted resource for infosec professionals who are planning and delivering security awareness training programs for their end users. This year’s report combines data and analysis from three key sources:

1. Tens of millions of simulated phishing attacks sent through our Security Education Platform over a 12-month period
2. 10,000+ responses collected from quarterly surveys of our database of infosec professionals (customers and non-customers) from more than 16 industries
3. A third-party survey of more than 3,000 technology users (1,000+ adults each in the US, UK, and Germany)

Valuable Phishing Statistics and Insights

We structured this fourth annual publication a bit differently than in years past in an effort to better capture and deliver the types of data infosec professionals are seeking. The 2018 State of the Phish Report is a study in four parts:

• Business intelligence gathered from simulated phishing data and the real-world experiences of infosec professionals
• Factors that influence click rates and email reporting (such as industry and program maturity) and data about the use of consequence models
• Key differences between organizational approaches to end-user risk management in the US and the UK
• End-user knowledge levels related to phishing, ransomware, and smishing (SMS/text message phishing)

Here are a few of the nuggets you will find in the report:

• 76% of organizations said they experienced phishing attacks in 2017.
• Nearly half of infosec professionals said that the rate of attacks increased from 2016 to 2017.
• The impacts of phishing were more broadly felt than in 2016, with an 80+% increase in reports of malware infections, account compromise, and data loss related to phishing attacks.
• UK organizations are more likely than their US counterparts to rely on once-a-year training models and passive security awareness training tools (like videos, newsletters, and email notifications). US organizations — which favor interactive training methods delivered on a monthly or quarterly basis — are more than twice as likely as UK organizations to report quantifiable results from their efforts.
• Smishing is a threat to watch in 2018. Our data shows that average failure rates on simulated smishing attacks are the same as those on email phishing tests. However, just 16% of global technology users surveyed were able to correctly identify the definition of smishing in a multiple-choice query.

Source: Quarterly surveys of infosec professionals for the 2018 State of the Phish Report

“The State of the Phish Report shows that simulated phishing attacks are certainly valuable tools in the battle against social engineering attacks, but it also reinforces the need for CSOs, CISOs and their teams to take a broader view of cybersecurity education,” said Joe Ferrara, Wombat President and CEO. “A cyclical approach to security awareness and training is the most effective. Organizations should employ a methodology that both raises awareness of cybersecurity best practices and teaches users how to employ these practices when they inevitably face a security threat.”