As we indicated in our recent 2017 State of the Phish™ Report summary, we noticed some positive trends with regard to the reported volume of phishing attacks, and these trends coincided with the numbers noted in the Anti-Phishing Working Group’s Phishing Trends Report, 3rd Quarter 2016, which was released in late December. The APWG headlined its report summary with “Record Wave of Phishing Comes to an Ebb in Autumn 2016” and noted several key comparison metrics:
- The number of phishing sites detected in Q3 was 25% lower than the record high reported in Q2.
- The number of brands targeted by attackers dipped 17% from Q2 to Q3.
- Between Q2 and Q3, the number of URLs per brand was down 25%, which the APWG indicates is a sign that “phishers were, on average and overall, creating fewer phishing URLs.”
For our State of the Phish Report, we surveyed information security professionals about their observations and practices related to the phishing threat during the same time frame that the APWG’s Q3 statistics were being recorded, and they seemed to be sensing a similar trend:
- While 60% of respondents for our 2016 report said they thought the rate of attacks was increasing, only 51% felt the same this year.
- This year, 61% of infosec professionals said their organization had experienced a spear phishing attack, a marked decrease from the 85% who said they experienced this last year.
But in the end, what do these trends really mean?
Threats Will Morph, End-User Risk Will Remain
While we are heartened to hear of any reduction in the number of active attacks on organizations and individuals, we certainly recognize this: The next APWG report could very well show an uptick in attacks again. (And, frankly, with holiday traffic and a closer proximity to U.S. tax season falling in that window of time, an increase is downright likely.)
The reality is that whether the numbers trend up or down by a few percentage points, we’re still talking about a tremendous volume of attacks — case in point, the Q3 report stated that, on average, 200,000 new malware samples were discovered per day in Q3. And like it or not, end users are in the thick of it.
A great example of a shifting threatscape can be seen with ransomware. This attack vector didn’t even garner a mention in our January 2016 State of the Phish; in this year’s report, it is front and center. Although those of us in the cybersecurity space have a very good sense of the dangers associated with ransomware attacks, end-user awareness is not there yet. In our survey of 2,000 U.S. and UK adult consumers, only 36% knew what ransomware was (and 52% of U.S. respondents wouldn’t even hazard a guess).
The good news, though, is that general awareness of phishing is growing. Of those same 2,000 users we surveyed, nearly 70% were able to correctly identify what phishing is. And because ransomware is often delivered via a phishing email, this increased understanding will help on all fronts.
Our report can help you prove the need for an effective cybersecurity awareness training program.
Focus on Trends You Can Control
Ultimately, the actions and strategies attackers take are out of your control. You cannot make them send fewer phishing attacks, and you cannot stop them from creating new malware variants. What you can control is the emphasis you put on managing end-user risk. It’s important to recognize that, even outside of phishing, there are risky behaviors in play that magnify your susceptibility to data loss — sensitive files that are left unencrypted, poor password management, known vulnerabilities that go unpatched, etc.
To that end, we saw some significantly positive trends in this year’s State of the Phish Report:
- 72% of infosec professionals said they assess the risk that end users pose to their organizations, a dramatic 64% increase over last year’s figure.
- More organizations are measuring their susceptibility to phishing (66% this year vs. 63% last year).
- Significantly fewer out-of-date end-user plug-ins were detected by our ThreatSim® simulated phishing tool, with an average year-over-year reduction of 57% across Adobe PDF, Adobe Flash, Microsoft Silverlight, and Java software.
- 52% of infosec professionals said they have been able to quantify a reduction in phishing susceptibility based on their anti-phishing training activities (a 40% increase over the figure in our 2016 report).
While it’s certainly important to stay on top of the latest news and threats and work to address those that affect your business, it’s critical that you prioritize risk management over risk elimination. Consistent, action-oriented advice and education — in the form of a structured, thoughtful security awareness and training program — will help your end users gain the knowledge they need to become cybersecurity advocates within your organization.