• by Ray Schultz , Columnist, January 29, 2018

In a world of daily hack attacks and data breaches, it's hard to imagine any good news about spear phishing. But there is some: the number of organizations reporting spear phishing attacks fell from 2016 to 2017, according to a report by Wombat Security Technologies.

Of the info/security pros surveyed by Wombat, 53% experienced spear phishing efforts in 2017 — a 13% decline from 2016. Moreover, click rates on corporate-themed phishing tests fell from 15% to 10% in that one-year period, and cloud-themed simulated attacks click declined from 19% to 6%.

Of course, there is also some bad news: More than two thirds of companies that experienced spear phishing in 2017 were hit by these types of target attacks from one to five times per quarter. 

In addition, 76% of all companies suffered general phishing attacks last year — a number that has held steady from 2016. In the first quarter, that number rose to 81% in the U.S.

And while the number of spear-phishing attacks may have declined, security staffers saw increases in impact: Malware infection rose to 49% from 27% in 2016, compromised accounts to 36% (from 17%) and loss of data rose to 13% (up from 7%). 

Last year’s phishing attacks were not all driven by email — 45% were hit with phone calls (vishing) and SMS/text messaging (smishing). Still, while 48% say the rate of phishing is increasing, the same percentage believe it is holding steady. And 4% feel it is decreasing. 

Things are worse in the U.S. — 57% of organizations endured spear phishing, compared with 36% in the UK. And U.S. firms were more likely to lose data — 14% versus 5% in the UK. But U.S. firms are more likely to assess their susceptibility.

Wombat found that some simulated phishing tests had extremely high click rates among its customers' end users. Examples include simulated attacks that posed as online shopping security updates (with an average 86% click rate), a corporate voicemail from an unknown caller (86%), and a notice of corporate email improvements (89%).

Consumer goods companies have the highest corporate click rates. Second — go figure — is technology firms.

The cost of phishing is most often measured in loss of productivity for employees — by 64%. But 50% also gauge it in terms of business impacts through loss of proprietary information. And 40% see it in terms of harm to their reputation.

Companies are becoming more aware of the problem — 75% measure their firm’s susceptibility to it, compared with 61% in 2014 and 66% in 2016. And 95% now train end users how to identify and avoid phishing attacks.

What kinds of safeguards are they using? A full 97% are using email/spam filters, whereas only 47% employ advanced malware analysis, 44% use outbound proxy protections, and 31% rely on URL wrapping.

The results are based on 10,000 responses from info security professionals, and a third-party survey of over 3,000 computer users. Also reflected is data from thousands of customers in 16 industries around the globe.