Find out what the latest phishing statistics can tell you about the types of threats landing in your employees' inboxes in 2018, and how much successful attempts are costing victims.
Phishing continues to be a major concern, not only because the rate of incidents is increasing, but also because attack methods are becoming more sophisticated. The latest stats show the extent of the threat and which tactics are most popular with attackers.
No one is safe from phishing attacks. Big and small organizations across all industries are routinely affected. In fact, almost half (48%) the respondents to Wombat’s 2018 State of the Phish survey say that the rate of phishing attacks is increasing.
Part of the reason phishing is so popular with cyber criminals is that it provides them with direct access to the most vulnerable part of any network — the end users. Attackers aren’t just wasting the opportunity to get in front of employees with typical spam messages, either. They have replaced easy-to-spot tactics with much more sophisticated techniques that even careful users may not catch until it’s too late.
Case in point: attackers behind Emotet, Ursnif, and other popular banking trojans are increasingly launching campaigns from their victims' hijacked email accounts. They send their malicious messages to the victim's contacts, sometimes even replying to existing email chains in order to trick the contacts into thinking it's a message from the person they know and trust.
On average, 53% of IT and security professionals who responded to the Wombat survey reported their organizations have experienced more advanced, targeted phishing attacks (spear phishing) in 2017.
The average number of malicious emails each user receives per month. Source: Symantec 2018 ISTR
According to Symantec’s 2018 Internet Security Threat Report (ISTR), a whopping 54.6% of all email is spam. Even more to the point, their data shows that the average user receives 16 malicious spam emails per month, which leads to some scary math. Even if you only have 20 employees, that's 320 times a month you have to trust in their ability to correctly scrutinize emails and make the right call. That's 3,840 bullets to dodge over the course of a year.
The increase in phishing means employee training should be a priority, but unfortunately, training videos and mock phishing attacks also only go so far. You can’t rely on every employee to make the right choice every time a malicious email hits their inbox. No one is perfect, and attacks can be extremely well disguised. Eventually, someone somewhere is going to slip up. When they do, you need to ensure you have the right security solutions that can act as safety nets, and you need to have the proper policies in place.
For example, employees need to be encouraged to report phishing attempts without fear of punishment if they were successful, and they need to be provided with clear instructions on exactly how to do so. If your organization is like most, there's vast room for improvement on this front — according to Verizon’s 2018 Data Breach Investigations Report, users only reported 17% of phishing campaigns.
Find out how Barkly helps admins sleep better knowing users are protected from errant clicks.
Thanks to the accessibility that email provides it's no surprise it continues to be criminals' go-to method for distributing malware. That doesn't mean things are completely static on the malspam front, though.
One of the biggest changes has been a shift away from using malicious attachments to a preference for utilizing malicious URLs, instead. In 2017, for example, Proofpoint reported 3 out of 4 malspam emails delivered malware via attachments. Fast-forward to Q1 2018 and the firm's data showed that emails with malicious links outnumbered emails with malicious attachments 4 to 1.
The type of malware that spam campaigns are distributing is also changing. For instance, Proofpoint's Q1 2018 Quarterly Report also notes that banking trojans have supplanted ransomware as the #1 type of malware delivered via email, accounting for nearly 59% of all email payloads. Within the banking trojan category, Emotet is the go-to malware, responsible for 57% of all baking trojan activity in the first three months of the year.
Learn how Emotet works, how to remove it, and how to block costly infections before they start.
Spam and phishing emails come packaged up in all sorts of disguises. According to Symantec's 2018 Internet Security Threat Report, these are the most common when it comes to distributing malware.
Below are the most common types of attachments attackers use in spam campaigns, according to Cisco's 2018 Annual Cybersecurity Report.
Top malicious email attachment types. Source: Cisco 2018 Annual Cybersecurity Report
According to Proofpoint, in 2017, phishing lures associated with Dropbox file-sharing far outnumbered any other lure, accounting for a disproportionately high volume of phishing activity (more than a third of all tracked lures). The next most prevalent lures were those related to financial institutions and generic email credential harvesting.
Most popular phishing lure by volume in 2017. Source: Proofpoint's The Human Factor 2018 Report
Interestingly, although there were far more Dropbox lures in play, it was DocuSign lures that garnered the highest relative click rate (nearly 7%). DocuSign lures were approximately 3x more effective than Dropbox lures. In fact, DocuSign click rates beat out all other credential phishing email lures by a long shot.
Most effective phishing lures on average, by click rate in 2017. Source: Proofpoint's The Human Factor 2018 Report
Though business email compromise (BEC) scams don’t typically garner as many headlines as malware outbreaks and other cyber attacks, they are a serious threat with the ability to cost companies millions.
Unlike other kinds of malicious email campaigns which tend to cast a wide-but-generic net, BEC attacks feature highly sophisticated targeting along with a mix of potential tactics (including social engineering, email spoofing, or computer intrusion) to fool the target into believing that an email is coming from an executive within the organization or from a trusted partner.
Often, the primary purpose of BEC attacks (and the consumer version — email Account Compromise or EAC) is to manipulate the target into executing an unauthorized transfer of funds. According to the FBI’s 2017 Internet Crime Report, in 2017 the Internet Crime Complaint Center (IC3) received 15,690 BEC/EAC complaints with adjusted losses of more than $675 million. This figure is nearly twice the 2016 figure of $360 million.
To bring those figures closer to home, an analyst for Firebird Analytical Solutions & Technologies estimates that the average successful BEC attack earns the cyber criminal $130,000.
When it comes to protecting your organization from phishing scams, training your employees to recognize bogus emails is a great place to start, but based on the increasing sophistication of targeted attacks, it’s not enough. That's why Barkly offers the strongest endpoint protection platform that protects companies from malware even when users make a mistake. See it in action and find out how Barkly can help your company stay secure.
Get the latest security news, tips, and trends straight to your inbox.
Get the latest security news, tips, and trends straight to your inbox.