Social Engineering & Credential Compromise Attacks Jump in 2018
The latest report reveals educating employees about today’s cyberthreats is essential.
The bad news is 83% of global infosecurity respondents experienced phishing attacks in 2018; the good news is nearly 60% saw an increase in employee detection following security awareness training.
In its fifth annual State of the Phish Report, Sunnyvale, Calif.-based security firm Proofpoint revealed that the effects of phishing in 2018 were significant: attacks contributed to an increase in compromised credentials of more than 70%. For the first time, compromised accounts surpassed malware infections as the most commonly identified result of successful phishing attacks.
The report uncovered phishing cyberattack trends across more than 15 industries and detailed the fundamental cybersecurity knowledge of more than 7,000 working adults in the U.S., Australia, France, Germany, Italy, Japan, and the UK. Data from tens of millions of simulated phishing attacks sent over a one-year period were analyzed along with nearly 15,000 cybersecurity professional survey responses, from both Proofpoint customers and outside organizations, to provide an in-depth look at the state of global phishing attacks.
Overall, phishing attacks in 2018 were up from 2017. In addition, more organizations were affected by all types of social-engineering attacks (phishing, spear phishing, SMS phishing, voice phishing, and USB drops) year over year.
“Email is the top cyberattack vector, and today’s cybercriminals are persistently targeting high-value individuals who have privileged access or handle sensitive data within an organization,” Joe Ferrara, general manager of security awareness training for Proofpoint, said. “As these threats grow in scope and sophistication, it is critical that organizations prioritize security awareness training to educate employees about cybersecurity best practices and establish a people-centric strategy to defend against threat actors’ unwavering focus on compromising end users.”
This year’s State of the Phish Report key findings included:
- Infosecurity professionals reported a higher frequency of all types of social engineering attacks year over year. Phishing increased to 83% versus 76%. Spear phishing increased to 64% from 53%. Vishing and/or SMiShing increased to 49% versus 45%, and USB attacks increased to 4% versus 3%.
- Credential compromise increased 70% since 2017 and 280% since 2016, surpassing malware infections to become the most common successful phishing attack result in 2018. The number of respondents reporting phishing attacks that resulted in data loss more than tripled between 2016 and 2018, underscoring the growing phishing threat and the effect of such attacks.
- Only 10% of respondents reported experiencing a ransomware attack, confirming ransomware took a back seat to other types of attacks last year.
- Almost 60% of suspicious emails reported by end users were classified as potential phishing, indicating that employees are more diligent and thoughtful about the emails they receive.
- Baby boomers outperformed all other age groups in fundamental phishing and ransomware knowledge, underscoring why organizations should not assume a younger workforce has an innate awareness of cybersecurity threats.
- These findings raise the alarm for enterprises to invest in security training for employees, which was found effective by 57% of infosec pros who could quantify a reduction in phishing susceptibility.
The report also revealed that educating employees about today’s cyberthreats is essential. In a global survey, working adults identified the following terms correctly: phishing (66% correct), ransomware (45% correct), SMiShing (23% correct), and vishing (18% correct). These findings spotlight a knowledge gap when it comes to the language security teams use when communicating with end users.