Tue | Feb 5, 2019 | 8:54 AM PST

Proofpoint Security Awareness Training (formerly Wombat Security) has released its latest State of the Phish Report, an annual study that offers insights into three key components of the phishing threat landscape: end-user understanding of fundamental cybersecurity concepts; an InfoSec view of social engineering attacks and impacts; and how security awareness training can be used to better manage end-user risk.

This year’s report draws data from three primary sources:

  • A five-question third-party survey of more than 7,000 working adults across seven countries (the U.S., Australia, France, Germany, Italy, Japan, and the UK). Questions were designed to show how well end users understand commonly used cybersecurity terms like phishing, ransomware, and vishing.
  • Nearly 15,000 responses to quarterly surveys of InfoSec professionals from around the world.
  • Data from tens of millions of simulated phishing attacks Proofpoint customers sent to their end users over a one-year period (October 2017 through September 2018).

Following are three key findings from this year’s report.

#1: Social engineering attacks jumped across the board

Overall, 83% of global info security respondents experienced phishing attacks in 2018, an increase from 76% in 2017. However, this attack method wasn’t the only one that saw greater use last year; survey respondents reported a higher frequency of all types of social engineering attacks year over year:


Source: Proofpoint 2019 State of the Phish Report

A word to the wise if you’re inclined to file USB attacks under I for “irrelevant”: it’s worth a look at recent research detailing 29 different ways USB devices could be used to compromise devices within your organization. End users are likely to be trusting of found devices like these (particularly if they haven’t been educated to the contrary). The rise (modest though it may be) in organizations that experienced these attacks shows cybercriminals’ tenacity and desire to utilize all possible channels to exploit end-user behaviors.

#2: Credential compromise has increased 280% since 2016

Each year, Proofpoint asks InfoSec professionals about the impacts they are experiencing related to phishing attacks. This year, responses showed an interesting trend: Compromised accounts bypassed malware infections as the most commonly identified impact of successful phishing attacks.

In 2018, reports of compromised accounts rose 70% over 2017, and they’ve soared 280% since 2016. The responses from the InfoSec audience reinforce the rise in credential-based phishing that Proofpoint researchers noted in its mid-2018 Protecting People report.  


Source: Proofpoint 2019 State of the Phish Report

Interestingly, Proofpoint saw few organizations using data entry-style simulated phishing attacks, which mimic credential phishing by prompting users to submit login names, passwords, or other sensitive data. As a result, they highly recommend that InfoSec teams use these kinds of phishing tests to increase their defenses against credential compromise attacks—a worthy pursuit given that a single set of corporate credentials often provides access to multiple sources of sensitive content.

#3: Baby boomers outperform all others in recognition of phishing and ransomware terminology

The State of the Phish Report offers cautionary advice for InfoSec teams: At a fundamental level, many working adults still aren’t familiar with terms like phishing and ransomware—and assumptions of familiarity could be negatively impacting security awareness training initiatives.

But the study also illustrates the differences that exist at a generational level, particularly with millennials, who are playing such a significant role in today’s global workforce. Often, the perception is that these “digital natives” have a level of cyber-savvy that leaves them more aware of digital risks and, as such, more likely to understand cybersecurity best practices.

Unfortunately, it’s clear that a high level of cyber comfort does not translate into a solid sense of cybersecurity fundamentals. In fact, millennials fell significantly behind at least one other age group on all questions we asked, and baby boomers—arguably the least cyber-savvy demographic from our survey—outperformed all others in fundamental understanding of phishing and ransomware.


Source: Proofpoint 2019 State of the Phish Report

Download the report for additional insights into the state of phishing

“Email is the top cyber attack vector, and today’s cybercriminals are persistently targeting high-value individuals who have privileged access or handle sensitive data within an organization,” said Joe Ferrara, general manager of Security Awareness Training for Proofpoint. “As these threats grow in scope and sophistication, it is critical that organizations prioritize security awareness training to educate employees about cybersecurity best practices and establish a people-centric security strategy to defend against threat actors’ unwavering focus on compromising end users.”

Download your copy of the 2019 State of the Phish Report for a full look at the results of Proofpoint’s global surveys (including regional data comparisons); how users across 16 industries are performing on simulated phishing tests; and the ways organizations can use threat intelligence and their security awareness training data to identify weak spots in security postures and address the users and departments that are putting them at risk.

To hear more about the report’s findings, including advice about using consequence models to influence end-user behavior, register for the January 30th 2019 State of the Phish Report SecureWorld web conference.