Key Finding #2: Credential Compromise Has Soared Since 2016
Each year, we ask infosec professionals about the impacts they are experiencing related to phishing attacks. This year, we saw an interesting trend: Compromised accounts overtook malware infections as the most commonly identified impact of successful phishing attacks.
In 2018, reports of credential compromise rose 70% over 2017, and they’ve soared 280% since 2016. The responses from the infosec audience reinforce the rise in credential-based phishing that Proofpoint researchers noted in their mid-2018 Protecting People report.
Source: 2019 State of the Phish Report
Interestingly, we saw few organizations using data entry-style simulated phishing attacks, which mimic credential phishing by prompting users to submit login names, passwords, or other sensitive data. We highly recommend that infosec teams use these kinds of phishing tests to increase their defenses against credential compromise attacks — a worthy pursuit given that a single set of corporate credentials often provides access to multiple sources of sensitive content.
Key Finding #3: Baby Boomers Outperform All Others in Recognition of Phishing and Ransomware Terminology
We think it’s critical for infosec teams to realize that, at a fundamental level, many working adults still aren’t familiar with terms like phishing and ransomware — and that assumptions of familiarity could be negatively impacting security awareness training initiatives.
But we also wanted to illustrate the differences that exist at a generational level, particularly with millennials, who are playing such a significant role in today’s global workforce. Often, the perception is that these “digital natives” have a level of cyber-savvy that leaves them more aware of digital risks and, as such, more likely to understand cybersecurity best practices.
Unfortunately, it’s clear that a high level of cyber comfort does not translate into a solid sense of cybersecurity fundamentals. In fact, millennials fell significantly behind at least one other age group on all questions we asked, and baby boomers — arguably the least cyber-savvy demographic from our survey — outperformed all others in fundamental understanding of phishing and ransomware.
Source: 2019 State of the Phish Report
Download the Report for Additional Insights into the State of Phishing
“Email is the top cyberattack vector, and today’s cybercriminals are persistently targeting high-value individuals who have privileged access or handle sensitive data within an organization,” said Joe Ferrara, general manager of Security Awareness Training for Proofpoint. “As these threats grow in scope and sophistication, it is critical that organizations prioritize security awareness training to educate employees about cybersecurity best practices and establish a people-centric security strategy to defend against threat actors’ unwavering focus on compromising end users.”
Download your copy of the 2019 State of the Phish Report for a full look at the results of our global surveys (including regional data comparisons); how users across 16 industries are performing on simulated phishing tests; and the ways organizations can use threat intelligence and their security awareness training data to identify weak spots in security postures and address the users and departments that are putting them at risk.