Wombat surveyed the IT security professionals in its database and found that 85% of organizations were victims of phishing scams in 2015, a 13% increase over 2014. And 60% of respondents reported that the number of phishing attacks is up overall.
“The threat of phishing attacks is real. News headlines and numerous studies have proven that phishing attacks are on the rise, and our survey of security professionals showed the same,” the report reads. “Not only are more organizations reporting being the victim of phishing attacks, but the number they are experiencing has gone up. Attackers are becoming more sophisticated and varied in their approach, using multiple threat vectors.”
The most effective phishing scams
In addition to the survey results provided in Wombat’s new “State of the Phish” report, the company also analyzed the results of millions of simulated phishing attacks sent through its platform to customers between October 1, 2014, and September 30, 2015. The simulated phishing attacks are one of the tools the company uses to help train businesses to steer clear of phishing scams. The analysis shed light on the most effective types of phishing scams.
Wombat found that phishing emails disguised as legitimate work emails are some of the most effective when it comes to hooking victims. In one example, a simulated phishing email disguised as an “Urgent Email Password Change” request had a 28% click rate.
“Users were most likely to click on attachments and messages they expected to see in their work inboxes, like an HR document or a shipping confirmation,” Wombat writes. “They were more cautious with messages we consider to be ‘consumer oriented,’ such as gift card offers and social networking notifications.”
- Technical emails
These types of scams typically pose as error reports and bounced email notifications. A “Delivery Status Notification Failure” is a popular example, according to Wombat.
- Corporate emails
Corporate email scams are designed to look like official corporate communications. Examples of these include benefits enrollment messages, invoices and communications about confidential human resources documents.
- Commercial emails
These are business-related emails that may not be specific to your organization. Some of the topics of these phishing emails include insurance notifications, shipping confirmations and wire transfer requests.
- Consumer emails
These types of scams are designed to replicate many of the emails that are regularly sent to the general public. Examples include messages about social networking notifications, gift cards, bonus miles, frequent flier accounts, big-box store memberships and more.
“Remember, phishing attacks are often preceded by social engineering phone calls, or impostors gaining access to information or areas they should not,” the report reads. “You should teach your end users to not only watch out for phishing emails, but other [social engineering] threat vectors as well.”