Stats & Trends
Ryan Harnedy
Aug 2016

The State of Phishing 2016: What IT Pros Are Seeing In the Real World

Photo by Source


One thing we’re committed to here at Barkly is providing resources that solve real problems that real IT people are facing in cybersecurity. To do that, we regularly survey IT pros so we can hear directly from them what they’re seeing in cybersecurity day-to-day.

Most recently, we conducted a survey on phishing attacks to find out what people in the IT world were seeing out there in the wild. We asked participants how many phishing attacks they’ve seen, how many have been successful, that types of tactics were used to trick their users, and what type of security they had in place to prevent these attacks from doing damage.

While there were a wide range of answers, we did see several trends amongst the people surveyed that reflect the continued rise of phishing as the top delivery vehicle for ransomware and other malware, and the continued need for additional protection.

93 percent of organizations have been the target of a phishing attack


One of the most clear findings from our survey data was that phishing attacks are extremely prevalent. Nine out of ten IT pros responded they had seen at least one phishing attack in the past 12 months. Nearly 14 percent saw over 100 attempted phishing attacks directed at their organization during that time.

1 in 5 organizations have suffered a successful phishing attack


Even more troubling than the high frequency of attempted phishing attacks is the number of attacks that are successful — nearly 22 percent of the IT pros surveyed said at least one attack aimed against their organization hit the mark. Phishing is a numbers game, and it looks like cyber criminals are sending enough phishing emails to make it pay off.

Nearly half of phishing victims have experienced multiple successful attacks


To make matters worse, if your organization falls victim to one phishing attack, responses indicate it’s likely you’ll be hit again. 40 percent of our survey respondents indicated they had suffered 2-5 successful phishing attacks in the past 12 months. Another 8 percent reported they had been hit with 6-10 successful attacks.

Those responses suggest the pressure is on phishing victims to quickly determine how an attack happened and put additional security measures in place before it happens again.

Over 90% of phishing victims were using antivirus and email filtering


It’s also concerning that the vast majority of phishing victims had basic cybersecurity protection in place. Nearly all of them were running antivirus and spam/email filtering, over 80 percent had firewalls in place, and more than half had conducted some form of security awareness training at the time of the attack.

In other words, the IT pros at these organizations had checked off many of the standard boxes in terms of basic anti-phishing advice.


If phishing attacks are still succeeding with the usual security measures in place, what’s left for you to do?


You need a new layer of endpoint security.


As long as attacks are successful, phishing isn’t going anywhere. And, unfortunately, the standard approaches to protecting organizations from phishing attacks aren’t proving to be enough.

The fact is you need to prepare for the inevitability of mistakes happening and users inadvertently taking the bait.

While it’s important to keep up with user training to reduce the risk of employees clicking on links and attachments in phishing emails, the fact is you need to prepare for the inevitability of mistakes happening and someone inadvertently taking the bait.

That means not only do you need to focus on making phishing a less effective delivery system for malware, you also need to focus on limiting malware’s ability to execute on your users’ machines.

There’s currently a lot of exciting new developments in endpoint security, and here at Barkly we’re proud to be leading the way with a new form of behavior-based protection that stops even new, never-seen-before malware from executing. That means, even if a phishing email does get clicked, users will be protected and won’t be infected.

That’s a pretty big deal considering the majority of phishing emails are now delivering ransomware that can disrupt your business and hold your data hostage.

Ryan Harnedy

Ryan Harnedy

Ryan writes about how to make cybersecurity make sense to end users and keep employees safe from ransomware, malware, and phishing attacks. He enjoys decoding buzzwords and sharing security tips that users might actually follow.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.