New APWG Report Shows Need for Strategic Phishing Awareness Training

The volume of phishing attacks rose in the first half of 2017 and more brands are being targeted than in 2016, according to a new report by the Anti-Phishing Working Group (APWG). As these attacks become more strategic and sophisticated in nature, your organization’s phishing awareness training should follow suit.

The APWG report, published in October, explores phishing activity trends in the first half of 2017. It’s the latest installment in a series that began in 2004.

The following table compiles some key APWG statistics from 2016 through mid-2017:
 

As we reported in April, early 2016 saw a historic high in phishing activity, followed by a slowdown in the second half of the year. So far, the data from 2017 shows an uptick in some key areas.

Most notably, the APWG reported a rise in the number of brands targeted by attackers — more than seen at the peak in 2016. “Several hundred companies are being targeted regularly, at least every few weeks, while a smaller number of companies are attacked intermittently,” according to the report. “Over time a few companies fall off the lists completely, to be replaced by new and up-and-coming targets of opportunity.”

Reported phishing attacks were also higher than in the previous six months, and were most frequent in the Payment, Financial, and Webmail sectors. Financial institutions (16% of phishing incidents) and cloud storage companies (9% of phishing incidents) were among those that saw an increase in the first half of 2017.

The number of unique phishing websites was significantly lower than in 2016; however, that lower number may be due in part to a change in tracking and reporting methods by the APWG’s contributing organizations. (The report notes that, at the beginning of 2017, contributor MarkMonitor “revised its attack-counting methodology, which yielded lower attack numbers than previously.”)

Fewer Phishing Websites Doesn’t Mean Lower Risk

While the number of unique phishing websites may be down, that doesn’t mean lower risk for organizations. It may simply mean that cybercriminals are becoming more sophisticated about phishing, and using fewer, more targeted websites as attack vectors.

The APWG report notes that free hosting providers or website builders are increasingly used to carry out phishing attacks. Free hosting providers allow attackers to work with greater anonymity, and to create subdomains that spoof brands and make phishing sites appear more legitimate.

Phishing Emails Still Get Through Filters – and End Users Need to Be Prepared

As the APWG statistics show, the number of unique phishing reports may be lower now than at their peak in early 2016, but the numbers are still high. And that means plenty of phishing emails are still getting through to employees’ inboxes.

According to a recent Dark Reading article, nearly 9.3% of emails delivered to Office 365 inboxes last month were phishing messages, spam, and known or zero-day malware. The article drew upon research from threat intelligence firm Cyren, which analyzed 10.7 million messages delivered to Office 365 users. Out of those 10.7 million delivered emails, 34,077 were phishing messages.

Unfortunately, the end users who receive phishing messages that slip through often lack the anti-phishing training they need to avoid clicking on dangerous links. In our 2017 User Risk Report, we surveyed more than 2,000 working adults in the US and UK, and learned that 30% still do not know what phishing is; more than 10% of respondents wouldn’t even hazard a guess. The very real threat of phishing — and the equally real lack of awareness on the part of end users — underscores the need for regular assessments and phishing awareness training.

Get a Better Understanding of Risk by Combining Phishing Tests and Knowledge Assessments

Many organizations rely on simulated phishing attacks to determine how vulnerable their end users are to real attacks. While these phishing tests are valuable, you can only learn so much about why a user did or did not click, as we noted in our 2017 Beyond the Phish™ Report. Combining simulated attacks with question-based knowledge assessments, such as those available in our CyberStrength® tool, may reveal a more accurate picture of your end users’ vulnerabilities — and a greater need for phishing awareness training.

We found that employees in the healthcare industry, for example, showed a significant difference in how they responded to simulated attacks vs. question-based assessments. They had an 18% click rate on simulated phishing attacks, but answered 26% of phishing questions incorrectly in knowledge assessments. This difference points to a need for more in-depth security awareness training that may not have been apparent from the simulated attacks alone.

Given that the APWG’s phishing statistics show the number of reported attacks was on the rise in the first part of 2017, there’s no reason to think the end is in sight. When a certain percentage of those phishing emails do make it through your company’s email filters and other technological safeguards, they land in employees’ inboxes. What those employees do next depends on their level of phishing awareness — and could have serious implications for your company.