The cybersecurity company Proofpoint has published its 2020 State of the Phish report, which revealed that 65% of companies in the U.S. (55% worldwide) experienced at least one successful phishing attack in 2019.
The report was based on data from a third-party survey of 3,500 working adults in the United States, United Kingdom, France, Australia, Germany, Japan and Spain, as well as a survey of 600 IT security professionals in those countries. Data was additionally drawn from customer reports covering 9 million suspicious emails and more than 50 million simulated phishing emails sent last year.
Infosec experts believe the number of phishing attacks stayed the same or fell in 2019 compared with 2018. This is consistent with what many cybersecurity companies have found: phishing strategies are evolving, and cybercriminals are now concentrating on quality rather than quantity.
Ordinary phishing may have become less common, but spear-phishing attacks are far more prevalent: 88% of companies reported spear-phishing attacks in 2019, and 86% reported business email compromise (BEC) attacks.
Phishing attacks are most often delivered by email, but phishing via SMS messages (smishing), social media websites, and voice calls (vishing) is also widespread. 86% of survey respondents reported a social media phishing attack last year, 84% reported a smishing attack, and 83% reported a vishing attack.
Proofpoint’s report shows that ransomware attacks have declined since 2017, but IT professionals noted that ransomware infections delivered through phishing emails increased. This is attributed to the growing popularity of ransomware-as-a-service, which allows people who lack the skills to develop their own ransomware variants to conduct attacks using ransomware created by others.
If a ransomware attack does occur, paying the ransom does not guarantee that encrypted data will be recovered. Only 69% of organizations that paid the ransom regained access to their data after the initial payment. 7% received additional demands, which they refused to pay, resulting in data loss. 2% paid those further demands and regained access to their files, and 22% reported that they were unable to recover the encrypted data.
Layered defenses are important for combating the threat from ransomware, malware and phishing, but Proofpoint notes that technical protections can only go so far. Regular security awareness training for employees is also required.
Proofpoint recommends a people-centric approach to cybersecurity that combines organization-wide awareness training with focused, threat-driven guidance. The objective is to enable users to identify and report attacks.
95% of surveyed companies reported that they provide security awareness training to their employees, and 94% of those companies provide training more often than once a year. These figures are encouraging, but there is still considerable room for improvement. Only 60% of organizations that offer training do so through formal cybersecurity training, and 30% said they only provide training to part of their user base.
Training certainly appears to be having a positive effect: there was a 67% increase in reported phishing emails in 2019 compared with 2018, indicating that employees are taking the training on board, are getting better at recognizing threats, and are taking the right action – reporting suspicious emails to their security teams.