Five key takeaways from The State of the Phish 2016 report


Phishing — the malicious attempt to skim sensitive data such as usernames, passwords, and credit card details by someone posing as a trustworthy entity in an electronic communication such as email — has gotten more sophisticated and prevalent in the enterprise world.

Industry research firm Ponemon Institute recently estimated that phishing attacks cost businesses an average of US$3.77 million per year.

And a recent Wombat Security report, titled State of the Phish 2016, reveals just how this attack approach is impacting businesses and how organizations can develop a successful anti-phishing program.

Here are some of the key findings:

Corporate- and consumer-based email phishing attacks are popular


The study — a joint effort by security threat awareness vendor Wombat Security and its recently acquired ThreatSim business unit — surveyed security pros across a range of industries including telecommunications, manufacturing, finance and government; it compiled data from the millions of phishing attacks sent through the ThreatSim and Wombat platforms from October 1, 2014, through September 30, 2015, according to the company.

The report also collected findings from account administrators who sent simulated phishing attacks to their end users. Most administrators used corporate- and consumer-based email templates for their phishing attacks.

Users were most likely to click on attachments and messages they expected to see in their work inboxes, like an HR document or a shipping confirmation. In addition, one of the most popular attacks, an "Urgent Email Password Change" request, had a 28 per cent click rate, the report noted.

Wombat Security’s State of the Phish Report

Spear phishing is hitting the mark


The term spear phishing refers to a personalized email that appears to be from a recognized individual or business. Spear phishers often go to great lengths to gather information on key people within an organization in order to craft a personalized and convincing email; the report found that 67 per cent of respondents reported experiencing spear phishing attacks in 2015, up 22 per cent from 2014.

In addition, the report noted emails personalized with a first name had click rates 19 per cent higher than those with no personalization.

Steps to avoid being a spear phishing attack victim, according to the report, include ensuring staff never give out passwords via email and refraining from logging onto a website via an email link.

Telecom firms are most likely to fall victim to phishing

End users in industries such as telecommunications and professional services (consulting, law and accounting firms) click far more than those in other industries, the report reveals, adding that this might be due to industry maturity, the age of the overall workforce, or the fact that these industries may not have suffered as many breaches as others.

At any rate, security professionals in the industries at the higher end of the report's scale should adopt end-user training policies to ensure staff are aware of cybersecurity threats, according to the report.

Spam filters are key for phishing protection



Organizations are overwhelmingly adopting email spam filters to reduce the risk from phishing attacks (99 per cent). This is followed by outbound proxy protection (56 per cent), advanced malware analysis (50 per cent) and URL wrapping (24 per cent).

In addition, 92 per cent of respondents noted they are training staff how to identify and avoid phishing attacks.

This includes activities such as annual security awareness training using computer-based training (68 per cent).

Steps for developing an anti-phishing action plan


The report outlines key steps for increasing security awareness across the organization. These include evaluating the current state of phishing attacks, setting objectives for improvement, and communicating the program to all appropriate stakeholders.

This also involves running a simulated phishing attack to establish a baseline of vulnerability, and educating end users on how to identify a safe link and web address in email communications.
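The "safe link" checks that end-user training teaches (does the visible URL match where the link actually goes, is the host a raw IP address or a look-alike punycode domain, is a password or login page served over plain HTTP) can be automated as a triage aid. The script below is an added example, not code from the report or from Wombat Security; the message body and every domain in it are constructed placeholders, and the registrable-domain helper is a deliberate simplification (last two labels) rather than a public-suffix lookup.

```python
# Added example: flag the link patterns that anti-phishing training tells
# staff to distrust. Not from the State of the Phish report; sample data below
# is constructed and uses reserved/placeholder domains only.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (placeholder hosts, not real sites).
SAMPLE_HTML = """
<p>Your password expires today. <a href="http://198.51.100.7/reset">Reset now</a></p>
<p>See <a href="https://example-payroll.com.evil.invalid/login">https://example-payroll.com/login</a></p>
<p>Tracking: <a href="https://xn--exmple-cua.invalid/track">parcel tracking</a></p>
<p>Help: <a href="https://example.com/help">https://example.com/help</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); assumption: adequate for a training-style check."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(href, text):
    """Return a list of warning strings for one link (empty list means nothing flagged)."""
    warnings = []
    target = urlparse(href)
    host = target.hostname or ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("host is a raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host uses punycode (possible look-alike domain)")
    if target.scheme == "http" and re.search(r"login|reset|password|signin", href, re.I):
        warnings.append("credential page served over plain HTTP")
    # Visible text that itself looks like a URL must lead where it claims to.
    shown = urlparse(text) if re.match(r"https?://", text) else None
    if shown and shown.hostname and registrable_domain(shown.hostname) != registrable_domain(host):
        warnings.append(f"text shows {shown.hostname} but link goes to {host}")
    return warnings


def scan_email_html(body):
    """Map each href in an HTML message body to its list of warnings."""
    collector = _LinkCollector()
    collector.feed(body)
    return {href: assess_link(href, text) for href, text in collector.links}


if __name__ == "__main__":
    for href, warnings in scan_email_html(SAMPLE_HTML).items():
        print(href, "->", warnings or "ok")
```

Of the four constructed links, only the last (visible text and href on the same domain, HTTPS, no IP or punycode host) comes back clean; the others each trip at least one of the checks the training guidance describes. A real deployment would swap the two-label domain helper for a public-suffix list and feed the output into the mail gateway's quarantine or the awareness team's reporting workflow.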

Developing a baseline is key, according to the report, in helping establish a “culture of security awareness” and driving measurable change across the enterprise.

Ryan Patrick
Seasoned technology reporter, editor and senior content producer.
