Wombat’s state of phishing report shows that attack rates remain steady, but there is some good news: User Click rates have dropped.
- The most successful phishing attacks are now consumer focused, instead of business focused. The merging of business and personal email accounts is a major threat to corporate security.—Wombat Security
- IT professionals need to enforce segregation of personal and business email. Doing so can greatly reduce the risk of a successful phishing attack.—TechRepublic
Wombat Security has released its fourth annual State of the Phish report (registration required).
Wombat revealed that phishing rates in 2017 remained steady—76% of infosec professionals surveyed said that their companies experienced phishing attacks, roughly the same as 2016. Click rates have dropped to an average of nine percent, down from 15% in 2016, which is encouraging—users seem to be getting the message about the dangers of phishing.
The kinds of bait to watch out for
Wombat breaks phishing messages into four categories:
- Consumer: The types of phishing messages the average person gets. E.g., fake social network notifications, account compromise spoofs, frequent flyer miles, photo tagging, etc.
- Corporate: These try to mimic official communications, such as invoices, HR messages, email quarantine messages, benefit enrollment messages, etc.
- Commercial: Business-related phishing that is not organization specific. These include shipment notifications, wire transfer requests, etc.
- Cloud: Fake notifications tricking users into downloading files from a public cloud site, edit a cloud-hosted document, etc
Of the four, consumer and corporate messages were the overwhelming favorite of phishing campaigners in 2017—they were used in 45% and 44% of attacks, respectively.
Consumer and corporate attacks weren’t the most successful, though—to find out what was the most clicked, the report digs down a bit deeper into specifics. The rates at which the most successful phishing email templates were clicked is alarming—as opposed to the nine percent average across the board, each highly successful template saw click rates in the mid to high 80-percent range:
- 86% clicked on online shopping security update messages
- 86% clicked on corporate voicemail from unknown caller messages
- 89% clicked on corporate email improvements messages
hose high rates were only bested by two message templates, which had near 100% click rates: database password reset alerts and messages reported to contain new building evacuation plans.
Wombat attacks are simulated, but others won’t be
The statistics gathered by Wombat are alarming, but it’s important to understand that they’re all from simulated attacks using Wombat’s Security Education Platform, one module of which is for conducting phishing attack simulations.
Those tests are what gives the success statistics, but the numbers in the report about prevalence of attacks, namely that consumer and corporate phishing leads, comes from real-world data.
In 2016, corporate attacks were the leader, but those have been overtaken by consumer attacks, which Wombat attributes to the growing merging of personal and business email. “As employees begin to blend their personal email accounts into their work accounts, this creates a risk with regards to consumer-themed email attacks,” said Amy Baker, VP of Marketing at Wombat Security.
Baker said the blending of personal and work accounts increases infection risk because both consumer and commercial messages are now potential attack vectors on corporate networks.
Looking forward into 2018, it’s important for infosec professionals and IT teams to ensure users aren’t being casual in their use of business email accounts. Managed email should only be used for business purposes, and personal accounts and messages should be strictly separated. IT teams should also encourage users to access personal email only on personal devices, such as smartphones, to reduce the risk of consumer phishing to business networks.