Three Highlights from the Cofense 2022 Annual State of Phishing Report
Author: Tonia Dudley
I hope by now you’ve had a chance to download our Annual State of Phishing Report and listen to our webinar discussing the highlights. If not, you can still download it and even sign up for one of our subsequent webinars, which highlight key topics over the following months. A key topic you will see throughout this report is that threat actors are still finding ways past your Secure Email Gateway (SEG) to land in your users’ inboxes, as evidenced by the graph below. This leads to the ultimate question: are your users prepared?
Key Takeaway #1: Credentials are in high demand.
As organizations continue to move to a cloud-first strategy, it’s not surprising that we saw a 10-percentage-point increase over the previous year in credential phish. Even more concerning, the number one brand leveraged in credential phish is Microsoft. Just as your users have figured out what alerts to expect when interacting with your Microsoft services, so too have the threat actors. Microsoft has made it clear that enabling Multifactor Authentication (MFA) significantly mitigates this threat. Full enterprise deployment can be complex and time-consuming, so take the time to prioritize your high-risk targets, such as finance teams.
Key Takeaway #2: BEC didn’t improve.
When it comes to Business Email Compromise (BEC), we also saw an increase overall, moving from 6% to 7% this year. We also see that the Healthcare industry still takes the lead, with 17% of its reported emails categorized as BEC. Among the tactics used in this category, we observed direct deposit, gift card and invoice scams. We’ll dig deeper into this in an upcoming webinar, but in the meantime, a simple message from your CEO to everyone in the organization, such as “I will never send you an email to go buy gift cards,” is a great start!
Key Takeaway #3: Well-Conditioned Users Are Prepared!
When it comes to preparing your users for phish hitting their inbox, we saw a two-point increase in the resiliency rate for simulation campaigns. Even more exciting, organizations with full phishing defense programs showed a seven-point resiliency rate. It was also great to see that our PhishMe operators took notice of the current threat and used credential phishing in their campaign scenarios.
As you can see from the highlights above, phishing is not going anywhere. In fact, it’s quite the opposite: it’s only getting worse. Threat actors continue to use emerging tactics and techniques to bypass traditional email security solutions, and the only way to stay ahead of the curve is to have a comprehensive phishing defense strategy. If you’re interested in a more detailed analysis of SEG effectiveness, BEC insights or catching ransomware at the phishing stage, sign up for our upcoming webinars.