The State of Phishing & W-2s

February 2, 2018 Marketing GrafWebCUSO

Seventy-six percent of organizations experienced phishing attacks in 2017 and nearly half of information security professionals said the attack rate increased from 2016. Meanwhile W-2 tax-scams are now in season.

Pittsburgh-based Wombat Security Technologies released its annual “State of the Phish” research report. Among its findings: organizations in 2016 saw about an 80% increase in reports of malware infections, account compromise, and data loss related to phishing attacks.

Even so, Wombat customers showed positive trends and progress within their programs, with declining click rates and increases in the number of suspicious emails identified and reported by end users. Unfortunately, awareness of phishing and ransomware showed no signs of trickling down to the average technology user, as revealed by the international third-party survey conducted as part of the phish research.

Other key findings:

  • For the fourth consecutive year, Wombat saw an increased number of organizations that assessed and trained users on phishing avoidance.
  • Organizations using computer-based training jumped from 62% in 2016 to 79% in 2017.
  • Forty-five percent of infosec professionals reported experiencing phishing via phone calls (vishing) and SMS/text messaging (smishing). Yet, globally, 67% of technology users surveyed did not know what smishing is.
  • Across all populations, adults aged 55 and older significantly outpace millennials in their recognition of phishing.

“The State of the Phish Report shows that simulated phishing attacks are certainly valuable tools in the battle against social engineering attacks, but it also reinforces the need for CSOs, CISOs and their teams to take a broader view of cybersecurity education,” Joe Ferrara, President and CEO of Wombat Security said. “A cyclical approach to security awareness and training is the most effective. Organizations should employ a methodology that both raises awareness of cybersecurity best practices and teaches users how to employ these practices when they inevitably face a security threat.”

The phishing report assembled data from three main sources: analysis of tens of millions of simulated phishing attacks sent through Wombat’s Security Education Platform over a 12-month period; 10,000-plus responses collected from quarterly surveys of Wombat’s database of infosec professionals from more than 16 industries; and insights from a third-party survey of more than 3,000 technology users in the U.S., U.K., and Germany.

Meanwhile not only is tax season underway, but so is W-2 spear phishing season. The privacy and data protection team at Cleveland-based law firm BakerHostetler warned that companies always need to guard against criminals attempting to obtain sensitive information through a variety of scams, but tax season presents a time for extra vigilance.

In W-2 spear-phishing scams, criminals often send a spoofing email that appears sent by a company’s CEO or CFO to one or more employees in human resources or payroll. The employee thinks the request is legitimate and sends the requested information, which criminals then use to file fraudulent tax returns for refunds.
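The pattern described above (an executive's name in the display field, a request for W-2 data aimed at payroll or HR) can be screened for on the receiving side. The following is an added example written for this article; it is not code from Wombat, BakerHostetler or the IRS. The organization domain, the executive roster and the two sample messages are constructed for illustration, and the heuristic is deliberately simple: it flags a message only when W-2 request language coincides with a sender anomaly, so a legitimate internal note about W-2s is not flagged.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed assumptions for the example: the organization's own domain and
# a small roster of executives whose names are commonly impersonated.
ORG_DOMAIN = "example.com"
EXECUTIVE_NAMES = {
    "jane doe": "jane.doe@example.com",   # hypothetical CEO
    "john roe": "john.roe@example.com",   # hypothetical CFO
}

# Matches "W-2", "W2", "W-2s" and the form's formal title.
W2_LANGUAGE = re.compile(r"\bW-?2s?\b|\bwage and tax statement\b", re.IGNORECASE)


def analyze_message(raw: str) -> dict:
    """Return the sender anomalies found in a raw RFC 5322 message and a verdict.

    The verdict is True only when W-2 request language appears together with
    at least one sender anomaly; either signal alone is not enough.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part is not None else ""

    findings = []

    # Display name of a known executive, but the address is not theirs.
    name_key = display.strip().lower()
    if name_key in EXECUTIVE_NAMES and addr.lower() != EXECUTIVE_NAMES[name_key]:
        findings.append("executive display name with non-matching address")

    # Message claims to come from outside the organization's own domain.
    if sender_domain and sender_domain != ORG_DOMAIN:
        findings.append("external sender domain")

    # Replies are silently redirected to a different mailbox.
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append("Reply-To differs from From")

    asks_for_w2 = bool(W2_LANGUAGE.search(f"{msg.get('Subject', '')}\n{body_text}"))
    if asks_for_w2:
        findings.append("W-2 request language")

    sender_anomalies = [f for f in findings if f != "W-2 request language"]
    return {"findings": findings, "suspicious": asks_for_w2 and bool(sender_anomalies)}


# Constructed sample 1: executive display name on an outside address, with a
# redirected Reply-To and an urgent request for all employees' W-2s.
SPOOFED = """From: Jane Doe <jane.doe@example-mail.com>
Reply-To: jane.doe.ceo@mail-example.net
To: payroll@example.com
Subject: W-2s needed today

Hi, I need the W-2s for all employees sent to me as a PDF before noon. Thanks.
"""

# Constructed sample 2: a genuine internal note that mentions W-2s but comes
# from the executive's real address with no anomalies.
LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: W-2 distribution schedule

Reminder that employee W-2 forms go out by January 31 as usual.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        result = analyze_message(sample)
        print(f"{label}: suspicious={result['suspicious']} findings={result['findings']}")
```

In production this kind of check sits alongside, not instead of, SPF, DKIM and DMARC verification and a policy that W-2 or payroll data requests are confirmed out of band; the heuristic here only illustrates how the header and content signals the article describes combine into a detection.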

BakerHostetler attorneys said in the alert, “We expect W-2 scams to continue to rise because of the success attackers had in the past several years; the increase in activity year over year; the time and effort it takes to send targeted emails to employees across industries, which are significantly less than the effort it takes to infiltrate a network; and the low cost to enter the market as an entry-level criminal conducting W-2 scams.”

Although these scams target consumers individually, the bigger prize comes from targeting organizations. “According to the IRS, the number of businesses, public schools, universities, tribal governments and nonprofits victimized by W-2 scams increased to 200 in 2017 from 50 in 2016. Those 200 victims translated into several hundred thousand employees whose sensitive data was stolen,” BakerHostetler cautioned in the alert.

BakerHostetler also suggested that companies need to take phishing scams seriously, as a growing number of cases have found that employees have standing to sue for damages in data security incidents, and others have recognized that the purchase of credit-monitoring services and certain out-of-pocket costs associated with fraudulent activity following the theft of personally identifiable information constitute cognizable injuries from W-2 phishing scams.