Five key takeaways from the 2016 ‘State of The Phish’ report

Five key takeaways from The State of the Phish 2016 report

corporate data breach prevention and mitigation

Phishing — the malicious attempt to skim sensitive data such as usernames, passwords, and credit card details by someone posing as a trustworthy entity in an electronic communication such as email — has gotten more sophisticated and prevalent in the enterprise world.

Industry research firm Ponemon Institute recently estimated that phishing attacks cost businesses an average of US$3.77 million per year.

And a recent Wombat Security report, titled State of the Phish 2016, reveals just how the malware approach is impacting businesses and how organizations can develop a successful anti-phishing program.

Here are some of the key findings:

Corporate- and consumer-based email phishing attacks are popular


The study — a joint effort by security threat awareness vendor Wombat Security and its recently acquired ThreatSim business unit — surveyed security pros across a range of industries including telecommunications, manufacturing, finance and government; it compiled data from the millions of phishing attacks sent through the ThreatSim and Wombat platforms from October 1, 2014, through September 30, 2015, according to the company.

The report also collected findings from account administrators who sent simulated phishing attacks to their end users. Most administrators used corporate- and consumer-based email templates for their phishing attacks.

Users were most likely to click on attachments and messages they expected to see in their work inboxes, like an HR document or a shipping confirmation. In addition, one of the most popular attacks, an Urgent Email Password Change request had a 28 per cent click rate, the report noted.

Wombat Security’s State of the Phish Report

Spear phishing is hitting the mark

Photo by weerapatkiatdumrong from

The term spear phishing refers to a personalized email that appears to be from an recognized individual or business. Spear phishers often go to great lengths to gather information on key people within an organization in order to craft a personalized and convincing email; the report found that 67 per cent reported experiencing spear phishing attacks in 2015, up 22 per cent from 2014.

In addition, the report noted emails personalized with a first name had click rates 19 per cent higher than those with no personalization.

Steps to avoid being a spear phishing attack victim, according to the report, include ensuring staff never give out passwords via email and refraining from logging onto a website via an email link.

Telecom firms are most likely to fall victim to phishing
Screenshot 2016-04-24 21.20.26

End users in industries such as telecommunications and professional services (consulting, law and accounting firm) seem to click so much more than others, the report reveals, adding that this might be due to industry maturity, age of the overall workforce, or the fact that these industries may not have suffered as many breaches as others.

At any rate, security professionals in the industries at the higher end of our scale should adopt end-user training policies to ensure they are aware of cybersecurity threats, according to the report.

Spam filters are key for phishing protection

Graphic illustrating data protection


Organizations are overwhelmingly adopting email spam filters to reduce the risk from phishing attacks (99 per cent). This is followed by outbound proxy protection (56 per cent), advanced malware analysis (50 per cent) and URL wrapping (24 per cent).

In addition, 92 per cent of respondents noted they are training staff how to identify and avoid phishing attacks.

This includes activities such as annual security awareness training using computer-based training (68 per cent).

Steps for developing an anti-phishing action plan


The report outlines key steps for increasing security awareness across the organization. This includes evaluating the current state of phishing attacks and setting objectives for improvement and communicating the program to all appropriate stakeholders.

This also involves developing a simulated phishing attack to gain a baseline vulnerability, and educating end users on how to identify a safe link and web address in email communications.

Developing a baseline is key, according to the report, in helping establish a “culture of security awareness” and driving measurable change across the enterprise.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada
Ryan Patrick
Ryan Patrick
Seasoned technology reporter, editor and senior content producer.

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Slideshows

Top Tech News