Proofpoint's sixth annual State of the Phish report is a data-rich study that examines phishing trends on a global level. With a focus on actionable data, the report provides an in-depth look at user phishing awareness, vulnerability, and resilience.
This year's report compiles data from the following sources:
- A survey of more than 3,500 working adults across seven countries (the U.S., Australia, France, Germany, Japan, Spain, and the UK)
- A survey of more than 600 InfoSec professionals across those same seven countries
- Nearly 50 million simulated phishing attacks sent by Proofpoint customers over a one-year period
- More than 9 million suspicious emails reported by our customers' end users
Summary of key findings
• Nearly 90% of organizations experienced spear-phishing and BEC last year.
InfoSec survey results revealed that 88% of organizations worldwide faced spear phishing attacks and 86% dealt with business email compromise (BEC) attacks. Proofpoint threat intelligence reinforces this finding; researchers have noted an ongoing trend toward more targeted, personalized attacks over bulk campaigns.
• Reported email volume increased 67% year over year.
Proofpoint customers' end users reported 9.2 million suspicious emails in 2019, a nearly 70% jump from 2018. According to State of the Phish, organizations should ensure that users have access to a quick, easy reporting mechanism and are educated about the importance of alerting InfoSec teams to suspicious messages. The study states that reporting rates are critical metrics and are a prime indicator of positive user behaviors. Reporting mechanisms also provide a valuable opportunity for organizations, as user-reported messages can alert InfoSec teams to potentially dangerous messages that evade perimeter defenses.
• 78% of organizations said that security awareness training reduces phishing susceptibility.
The vast majority of InfoSec survey respondents said that their organization's phishing education activities have led to measurable improvements.
• Most organizations experienced social engineering attempts across a range of methods.
InfoSec survey respondents indicated that their organizations frequently face social engineering attacks outside of email. In 2019, 86% of organizations dealt with social media attacks, 84% reported SMS/text phishing (smishing), 83% faced voice phishing (vishing), and 81% reported malicious USB drops.
• Many working adults fail to follow cybersecurity best practices.
The study cautions that organizations need to be aware of how users' personal choices breed organizational risk. For example, 45% of working adults admit to password reuse, more than 50% do not password-protect home networks, and 90% said they use employer-issued devices for personal activities. In addition, 32% don't know what a virtual private network (VPN) is.
Download the report and register for the SecureWorld webinar
Download your copy of the State of the Phish report for access to additional global findings, as well as regional survey results for each of the seven countries noted above. The study provides information about global user awareness levels; the impacts phishing and ransomware are having on organizations worldwide; and high-level and granular views of phishing failure rates and email reporting rates.
In addition, be sure to register for the January 30th "State of the Phish 2020" SecureWorld web conference. Join in real time or watch on-demand to hear security awareness training experts highlight State of the Phish findings and analysis and provide advice about using the report to guide data collection efforts and cybersecurity education initiatives within your organization. CPE credits are available.