Proofpoint: State of the Phish 2021
Ready for some scary stats?
Three out of four U.S. organizations were hit with a successful phishing attack in 2020. At least half of Proofpoint’s Email Protection customers received at least 1,000 phishing attempts, and for one customer the service blocked more than a million attempts. This is according to the company’s 2020 State of the Phish report, available now (via Data Connectors), which is packed with data on the status of phishing and ransomware attacks at an international level.
The numbers continue to trend upward. There’s been a 14% year-over-year increase in the number of companies hit with those successful phishes. And the way things are going, it’s not a matter of “if,” but “when” it happens to your company (if it hasn’t already).
NO HONOR AMONG THIEVES
As you’d likely expect, the COVID-19 crisis brought out both the best and the worst in humans. Hackers, of course, found a way to capitalize on people’s fear. It comes as no surprise that coronavirus was often used as bait by phishers and other scammers.
Throughout 2020, Proofpoint blocked well over a million coronavirus-themed attempts, with the peak number of scams coinciding with the peak of the panic in March and April. The easing of tensions didn’t stop hackers from their dirty work, though; as the year progressed, the themes shifted toward stimulus checks via smishing (SMS-based attacks) and vaccines via email phishing.
“As long as the coronavirus remains a global concern, we expect the topic to feature prominently in future attacks,” the report states.
“Fast-changing conditions at the onset of the pandemic only reinforced how important agility is. To keep up with emerging threats and unfolding events, organizations quickly began to incorporate pandemic-related testing and training activities,” the report continued.
And ultimately, organizations found that their employees were often successful in COVID-related phishing tests. Depending on the subject, testing failure rates ranged from less than 1% to 20% — impressive, considering the lure was playing on such a clear and present fear.
If you don’t have a service like Proofpoint, those messages will often find their way straight to your inbox — often bearing the name of your company’s CEO or another VIP who you would be inclined to answer quickly.
And that’s where they get you. These phishing attacks result in bad actors commandeering data and demanding cash in exchange. But, as uncovered in the report, only 60% of companies that paid that ransom were able to recover their data (a 9% drop from the previous year, perhaps showing a trend toward far more brazen hackers).
Ready for the big yikes? The number of bad guys asking for more cash after companies had already paid more than tripled since 2019… and a third of those responding in the survey said they’d pay the additional ransom.
One way to make sure your team is ready to handle “the real thing” when and if it lands in their inbox is through a phishing test. The State of the Phish report showed a decrease in the number of people failing these — 11% in 2020, down from 12% the year before.
Link-based tests held that 12% failure rate and paralleled the real-world prevalence of these types of attacks. Tests that used attachments were the least common but had the highest failure rate, at 20%, according to the report.
Proofpoint also assessed the most-used and most successful themes in these tests. Topping the “most-used” leaderboard was “New Microsoft Teams Request,” while the trickiest was “Free month of Netflix streaming for employees.” (Friendly reminder that some things are just too good to be true!)
WINNERS AND LOSERS?
Keeping in mind that anyone could fall for a phishing scam, there were some industries and departments that performed better than others. Want to know how your industry ranked? Be sure to check out Section 2: Benchmarking: Industry & Department Data when you download the State of the Phish report.