Nearly 90% of organizations faced Business Email Compromise (BEC) and spear phishing attacks in 2019
Nearly 90% of global organizations surveyed were targeted with business email compromise (BEC) and spear phishing attacks in 2019, reflecting cybercriminals’ continued focus on compromising individual end users, according to Proofpoint’s State of the Phish report. 78% also reported that security awareness training activities resulted in measurable reductions in phishing susceptibility.
The study examines global data from nearly 50 million simulated phishing attacks sent by Proofpoint customers over a one-year period, along with third-party survey responses from more than 600 information security professionals in the US, Australia, France, Germany, Japan, Spain, and the UK. The report also analyzes the fundamental cybersecurity knowledge of more than 3,500 working adults who were surveyed across those same seven countries.
“Effective security awareness training must focus on the issues and behaviors that matter most to an organization’s mission,” said Joe Ferrara, senior vice president and general manager of Security Awareness Training for Proofpoint. “We recommend taking a people-centric approach to cybersecurity by blending organization-wide awareness training initiatives with targeted, threat-driven education. The goal is to empower users to recognize and report attacks.”
End-user email reporting, a critical metric for gauging positive employee behavior, is also examined within this year’s report. The volume of reported messages jumped significantly year over year, with end users reporting more than nine million suspicious emails in 2019, an increase of 67% over 2018. The increase is a positive sign for infosec teams, as Proofpoint threat intelligence has shown a trend toward more targeted, personalized attacks over bulk campaigns. Users need to be increasingly vigilant in order to identify sophisticated phishing lures, and reporting mechanisms allow employees to alert infosec teams to potentially dangerous messages that evade perimeter defenses.
Key findings of the study include:
- More than half (55%) of surveyed organizations dealt with at least one successful phishing attack in 2019, and information security professionals reported a high frequency of social engineering attempts across a range of methods: 88% of organizations worldwide reported spear-phishing attacks, 86% reported BEC attacks, 86% reported social media attacks, 84% reported SMS/text phishing (smishing), 83% reported voice phishing (vishing), and 81% reported malicious USB drops.
- 65% of surveyed infosec professionals said their organization experienced a ransomware infection in 2019: 33% opted to pay the ransom while 32% did not. Of those who negotiated with attackers, 9% were hit with follow-up ransom demands, and 22% never got access to their data, even after paying a ransom.
- Organizations are benefiting from consequence models: Globally, 63% of organizations take corrective action with users who repeatedly make mistakes related to phishing attacks. Most infosec respondents said that employee awareness improved following the implementation of a consequence model.
- Many working adults fail to follow cybersecurity best practices: 45% admit to password reuse, more than 50% do not password-protect home networks, and 90% said they use employer-issued devices for personal activities. In addition, 32% of working adults were unfamiliar with Virtual Private Network (VPN) services.
- Recognition of common cybersecurity terms is lacking among many users: In the global survey, working adults were asked to identify the definitions of the following cybersecurity terms: phishing (61% correct), ransomware (31% correct), smishing (30% correct), and vishing (25% correct). These findings spotlight a knowledge gap among some users and a potential language barrier for security teams attempting to educate employees about these threats. It is critical for organizations to communicate effectively with users and empower them to be a strong last line of defense.
- Millennials continue to underperform other age groups in fundamental phishing and ransomware awareness: This is a caution that organizations should not assume younger workers have an innate understanding of cybersecurity threats. Millennials had the best recognition of only one term: smishing.