Ransomware Resources Center

What is ransomware?
According to TrendMicro, “Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces users to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back.”

  • Ransomware is readily-available and changes faster than detection technologies can respond
  • In most cases, paying ransom is the only way to free hostage data and systems
  • Recent successful ransom situations will only encourage more attempts
  • Cryptocurrencies such as Bitcoin can be used to force untraceable ransom payments
  • Without proper ransomware awareness training, humans are widely susceptible to phishing, the most commonly used ransomware attack vector

How does ransomware affect businesses?
Cofense co-founder Aaron Higbee explains ransomware and its business impact on CNBC:

Help Create
Active Defenders

Our new study shows why email
reporting — human action — is the
beating heart of a strong phishing


How susceptible are your users to the top active threats?

With phishing still the #1 entry point for cyber-attacks, your defenses need to focus on the most pressing threats—active phishing campaigns that are probing your organization. This report breaks down the Top 10 threats, with metrics showing how well users respond to each.

Download the Free Report

All nets have holes—including your ‘secure’ email gateway

Learn how 90% of verified phish were found in environments using secure email gateways (SEGs). That’s just one of the key findings in this expanded report, now covering phishing threats as well as malware developments. Download the 2019 Phishing Threat and Malware Review to learn new tactics threat actors are using to ensure malware delivery and tips for defending against evolving phishing and malware threats.

Download the Free Report

It’s not easy to keep up with today’s threats. Now, with Cofense Threat Alerts, you’ll have a simple way to stay on top of emerging phishing and malware threats and attacks, all delivered straight to your inbox. FREE.

Subscribe to Cofense Threat Alerts

Phishing Prevention: 8 Email Security Best Practices

To advance phishing prevention, most security professionals concur that anti-phishing best practices for organizations must include regular and effective workforce training to identify phishing emails that evade detection by common technology controls. It is also important to have a mitigation strategy in place for phishing prevention, and to limit the consequences of a phishing email that avoids identification and is acted on.

Phishing emails – particularly social engineered phishing emails – are often highly sophisticated, and are designed to evade detection during an email filter´s front-end tests by having the right Sender Policy Frameworks and SMTP controls. They are rarely sent from blacklisted IP addresses, and therefore pass RBL checks before being delivered to the recipient´s inbox.

When a phishing email evades detection by all the technological solutions available and arrives in a target´s inbox, the only thing that will now stop the phishing attack from being successful is the vigilance of the intended target. In order to ensure employees remain vigilant, anti-phishing best practices for organizations should include sharing the following information. Phishing prevention requires constant vigilance; these characteristics commonly found in phishing emails will help your teams stay safe.

1. Emails Insisting on Urgent Action
Emails insisting on urgent action do so to fluster or distract the target. Usually this type of email threatens a negative consequence if the action is not taken, and targets are so keen to avoid the negative consequences that they fail to study the email for inconsistencies or indications it may be bogus.

2. Emails Containing Spelling Mistakes
Most companies now use spell-checking features in email clients or web browsers to ensure their corporate communications maintain a professional appearance. Emails purporting to come from a professional source that contains spelling mistakes or grammatical errors should be treated with suspicion.

3. Emails with an Unfamiliar Greeting
Emails sent by friends and work colleagues usually start with an informal salutation. Those addressed to “Dear XXXXX” when that greeting is not normally used, and those containing language not often used by friends and work colleagues, likely originate from an attacker and should not be actioned or replied to. Instead they should be reported to the organization’s IT security team as an important phishing prevention precaution.

4. Inconsistencies in Email Addresses
Among other email security best practices to introduce is the random checking of senders’ email addresses – especially when an email address belonging to a regular contact is unfamiliar. By checking the sender email address against previous emails received from the same person, it is possible to detect inconsistencies.

5. Inconsistencies in Links and Domain Names
Links to malicious websites can easily be disguised as genuine links. Therefore, it is also advisable to encourage employees to hover a mouse pointer over a link in an email to see what `pops up´ as an address. If an email claims to be from (say) a business contact, but the pop up indicates an unfamiliar website, the email is likely a phishing email.

6. Be Wary of Suspicious Attachments
File sharing in the workplace now mostly takes place via collaboration tools such as Dropbox, OneDrive or SharePoint. Therefore emails from colleagues with file attachments should be treated suspiciously – particularly if the attached file has an unfamiliar extension or one commonly used to deliver malware payloads (.zip, .exe, .scr, etc.).

7. Emails That Seem Too Good to Be True
Emails that seem too good to be true incentivize targets to click a link or open an attachment with the promise that they will benefit by doing so. Even when phishers use social engineering to appeal to the target ́s curiosity or greed, the intended targets have  not usually initiated contact. These emails should be flagged as suspicious at once.

8. Emails Requesting Login Credentials, Payment Information or Other Sensitive Information
Emails requesting login credentials, payment information or other sensitive information should always be treated with caution. By adopting the anti-phishing best practices detailed above, recipients of these emails should be able to determine whether or not they represent a threat, and deal with them accordingly.

Security Awareness Training

Although phishing represents the biggest threat to online security, Cofense knows there’s no shortage of other cyber threats. That’s why we’ve created a broader program of security awareness training. In myriad ways, it helps employees and other Internet users better protect themselves, their devices and the company from online theft and fraud.

Specifically, we’ve built a series of SCORM-compliant security awareness training modules to complement businesses´ existing training programs. These modules are free to download and use whether you’re a Cofense customer or not.

What’s in the Security Awareness Training Modules?

We’ve made our security awareness training modules as comprehensive as possible. In addition to covering subjects such as keeping passwords secure and practicing safe web surfing, our modules cover the physical security of devices and protecting data outside the office. All IT administrators are advised to review the module about Insider Threats.

We know that engaging, interactive models make for better learning. Each module contains concise lessons with interactive play and learning activities to help absorb and retain content. Most of our security awareness training is available in multiple languages for businesses with a multi-national workforce.

Help Create
Active Defenders

Our new study shows why email
reporting — human action — is the
beating heart of a strong phishing


Free Compliance Training Modules Are Available

In many industries, security awareness training goes hand in hand with privacy and data security compliance. In Europe and elsewhere, there are stricter regulations vs. the U.S. on protecting personal data, implementing security measures, and taking steps to report a breach. Businesses operating in regulated industries may wish to review these free modules in particular:

  • Health Care Compliance.
  • Payment Data Compliance.
  • Personal Data Compliance.

Like our security awareness training modules, you can download and run our compliance training modules through a Learning Management System (LMS). For businesses that do not have an LMS system, these modules are also available as interactive PDF files. If you choose to download the PDF files, please note that Cofense refreshes the content regularly to mirror developments in online security and regulatory compliance.

How to Access the Free Training Modules

Visit our “CBFree Computer-Based Training” web page. You have the choice of downloading a sample module, the security awareness training modules, or the compliance modules. Naturally, you can download all three if you wish! If you experiencing any problems, don’t hesitate to contact us.

To complete your security awareness training program, request a free demo of Cofense PhishMe, our award-winning software for conditioning employees to be resilient against phishing threats. Used by more than 1000 businesses worldwide, including 50 Fortune 100 companies, Cofense PhishMe has reduced the threat of advanced cyber-attacks by up to 95%.

It’s impossible to know when the next cyber-attack will hit. Don’t wait to strengthen your defenses. Download our training modules and request your free demo of Cofense simulator today.

1:1 Demo
Powerful Solutions

We'll talk with you about your company'sspecific needs and providedemonstrations of ourrecommended solutions.


Cofense Free Security Awareness Training

Cofense CBFree


These look great! The presentation and audio are exactly what we needed!– Director, Information Security

For many of our customers, security awareness Computer Based Training (CBT) helps check-a-box to satisfy a compliance need. We recognize this need is a requirement so we’ve developed a set of SCORM-compliant materials to help meet that need for all companies- Cofense customers and non-customers alike and Free of Charge.  That’s right.  Free.

Does that mean our training isn’t good or doesn’t meet requirements – not at all! “Free” doesn’t mean sub-par or obsolete content. The same amazing team that produces Cofense’s best-in-class Simulation content keeps the material fresh, compliant, and relevant!

Easy to Understand, Use and Adapt

We’ve made it easy for you to take advantage of this content. If you have a Learning Management System (LMS) that ingests SCORM-compliant materials, just download the files and run the training through your own LMS. Our current library of CBTs includes 17 security awareness modules and 4 compliance training modules.  CBFree was developed using the latest eLearning techniques and trends that promote substantial engagement by the pupil. Each module takes about 5 minutes to complete and comes with an optional 5-15 minutes of interactive Q&A.Most of our security awareness modules are now available in multiple languages including English, Chinese, French, German, Portuguese (Brazilian), Spanish (Latin America) and Japanese. Languages are noted below.


Help CreateActive Defenders

Our new study shows why email reporting — human action — is the beating heart of a strong phishing defense.



4 Compliance Specific Modules

These modules focus on compliance training for a better understanding of the policies, procedures, and reporting standards when it comes to handling protected personal information:


Health Care Compliance

An overview of the HIPAA, HITECH and Omnibus legislation and security measures that can be taken to protect the data, and the reporting procedures in case of a data breach.Available in English Only

Payment Data Compliance

Answers “what is cardholder data,” the standard and regulations both an IT-Professional and Non-IT Professional must follow to protect the data and privacy of the cardholder, and how to report a data breach.Available in English Only

Personal Data Compliance

Focuses on the laws and regulations that govern the protection of sensitive personal data, security measures that can be taken to protect the data, and the steps to take when reporting a data breach.Available in English Only

General Data Protection Regulation (GDPR) Compliance

An overview of the new compliance regulations, your responsibilities under GDPR, and how to report a non-compliance issue. EU-specific.
Available in Multiple Languages.

CBFree Website Disclaimer


1:1 Demo
Powerful Solutions

We'll talk with you about your company's specific needs and provide demonstrations of our recommended solutions.


17 Interactive Modules Covering Today’s Biggest Threats

Available in Multiple Languages.

Cybersecurity Awareness

This Cybersecurity module was developed to raise awareness about how to avoid online threats that might target you or our organization. By identifying common online threats, understanding risk factors for each type of threat, and learning how to minimize the risk of an attack.

Cloud Computing

The Cloud Computing module will differentiate desktop from cloud computing; identify the advantages and disadvantages of cloud computing; and describe several best practices for using the cloud safely.

Advanced Spear Phishing

The Advanced Spear Phishing module covers topics on: identifying three types of advanced spear phishing techniques, identifying indicators of an advanced spear phishing email, and understanding what to do if you are the target.

Business Email Compromise

The Business Email Compromise (BEC) Scams module covers topics on: identifying BEC scams, differentiating between the three main types of BEC scams, and reporting a suspected attack.


The Ransomware module covers topics on: what ransomware is and how it is delivered, ransomware’s effect, minimizing the threat of ransomware, and reporting ransomware attacks.

Spear Phishing

A majority of cyber-intrusion attempts begin with spear phishing emails. These targeted attacks are delivered via malicious links, file attachments, and login forms. This lesson helps show the warning signs to look out for and what to do in the event of a spear phishing attack.

Surfing the Web

Encouraging safe Web browsing habits is critical to the safety of your organization. In this lesson, we cover an array of concepts such as secure sockets layer (SSL) encryption, illegal content, and browser plug-ins and extensions.

Data Protection

Data protection is a core value for any organization that handles confidential information. This lesson covers how to handle information safely and common responsibilities under various laws and policies.

Insider Threats

Some of the most dangerous threats to your organization can come from within. In this lesson, we discuss the three main types of insider threats, what motivates them, and what you can do to help minimize the risk of an inside attack.

Malicious Links

On the Web and in email, hyperlinks are the easiest tool that cyber criminals can use to deliver malware—all it takes is the click of a link. In this lesson, we break down the parts of a link and the structure of a URL to reveal the warning signs of a malicious link.


Malware has been a threat for decades, and it has grown more sophisticated over the years. Various forms of malware might spy on your activity, allow attackers remote access to your drives, or take control of your device. This lesson teaches what the different types of malware do, and how to avoid falling victim to them.

Mobile Devices

Modern mobile devices allow you to bring your office anywhere; they also leave your information incredibly vulnerable. In this lesson, learn the best practices for keeping your information safe when browsing on a mobile device.

Security Outside of the Office

When working outside of the office, employees must be on their guard against an array of threats. Use this lesson to educate your users about threats that linger in public places, and what they can do to protect sensitive information.


A password is your account’s first line of defense, but it is also vulnerable to cyber attacks. In this lesson, we discuss password strength and password diversity along with the best password security tools and practices for keeping your account secure.

Physical Security

Physical security measures are used to deter and detect unauthorized access to your technical devices. In this lesson, teach your employees about the steps you have taken to secure the workspace; where they are most at risk; and what they can do to prevent falling victim to theft.

Social Engineering

When working outside of the office, employees must be on their guard against an array of threats. Use this lesson to educate your users about threats that linger in public places, and what they can do to protect sensitive information.

Social Networking

Social networking profiles are easily exploited by cyber criminals. In this lesson, we cover the basics of responsible social networking; topics include app permissions, privacy settings, and more.

Introducing: CBFree Games

5 Interactive Game Modules to Make Security Awareness Training Fun for Employees

Available in English Only. Download by filling out the form below.

Category Challenge

Test your knowledge by answering questions about passwords, malicious links, spear phishing, malware and social engineering. Collect enough points to win the game.

Honey Comb Challenge

Test your knowledge by answering questions about cybersecurity and phishing topics. Start at the first cell on the left. Select adjoining cells to move across the board. If you answer incorrectly, you must start over. Once you make it to the right side of the board, you win the game.

Indicators of a Phish

Investigate the email and answer the prompts. If you score more than 80% you win the game.

Resiliency Quiz

Resilience is an indicator of how well recipients are conditioned to not interact with phishing emails. Take this quiz to assess your awareness of habits that may make you vulnerable to targeted phishing or malware and learn tips to make you more resilient.

To Catch a Threat

Taken from real phishing emails, click each indicator within the email and then report each phishing email using the Report Phishing button. Each email has 2-3 indicators displayed. Each correct response receives 5 points, you must score 50 points to win.

What Are Phishing Attacks and How Do You Stop Them?


Phishing Attacks: A Definition

A phishing attack is when a fraudster sends an email to trick the recipient. The idea is to persuade the target into giving up sensitive information, for instance, your corporate network credentials, or perhaps to authorize some type of financial transaction. You’ve probably seen phishing emails in your personal inbox too, for example, the notorious “Nigerian Prince” who wants to make sure you get your share of his inexplicable fortune.

Phishing attacks started in the 1990s and are still going strong. The vast majority of data breaches against businesses today begin as phishing attacks or other forms of “social engineering,” a fancy term for manipulating unwitting victims. It’s the work of scam artists, part of an arsenal that includes counterfeit, forgery, and lies of all kinds. Phishing attackers play on human emotions like fear and urgency, so victims will take action before they stop and think—clicking a link to activate malware, filling out a login form with user name and password, or greenlighting the transfer of funds to a bogus account.

Think Like
a Cybercrook

This special report focuses
on the realities of phishing
and recommends defenses
you can use to reduce your risk.

Read More


Phishing by the Numbers

Over 90% of data breaches start as phishing attacks or related forms of fraud.

5-year global cost of just one type of phishing attack, business email compromise (BEC).

the average cost of a phishing attack to a mid-sized business.

Examples of Phishing Attacks

Phishing Emails with Malicious Links

Sometimes a phishing attack is simply an email with an embedded link. When you click, you either unknowingly activate malware or are directed to a webpage that looks perfectly legitimate but is designed to harvest your information.

Phishing Attacks with Malicious Attachments

Phishing attackers often send emails with attachments containing malware. When you click, look out. Many times phishing attackers use popular document types such as Microsoft Word or Excel or even Adobe PDFs. They take advantage of the trust people place in popular business tools.

Business Email Compromise (BEC)

A BEC phishing attack is good old fashioned fraud. BEC emails typically don’t use malware but simply try to manipulate the target into sending money. Traditionally, BEC phishing attacks try to get employees in the finance department to authorize wire transfers, for instance, to a “vendor” or “partner.” The phishing attackers might pretend to be the CEO or CFO to spur quick action.

Data Entry Phishing Attacks

In this type of phishing attack, the attacker wants you to do the heavy lifting. The phishing email might contain a link to a fake login page, where you supply your network credentials so you can perform an allegedly legitimate action, for example, reading and agreeing to a new corporate policy.

1:1 Demo
Powerful Solutions

We'll talk with you about your company'sspecific needs and providedemonstrations of ourrecommended solutions.


Why Phishing Attacks Are a Growing Problem

There are a number of reasons why phishing attacks are such a massive problem.

Phishing Attacks Are Easy to Launch

Phishing attackers strike with emails because it’s easy and effective. Email addresses are easy to get and, when you think about it, emails are basically free to send. With minimal effort, phishing attackers can  gain access to valuable data. Victims of phishing attacks can find themselves dealing with malware infections, identity theft, and data loss.

Phishing attackers also target employees’ email, social media, and other accounts to compromise them and then use those accounts to launch attacks. Attackers sometimes try to obtain permissions to modify and compromise connected systems, like point-of-sale terminals and order processing systems. Some of the biggest data breaches, like the infamous Target breach back in 2013, start with a phishing email aimed at a connected system, maybe belonging to a vendor or another third party. When successful, phishing attackers can establish a beachhead in business systems and build on it. Phishing also appeared prominently in the Mueller Report on the 2016 presidential election hacking.

Even Basic Phishing Attacks Can Deceive Recipients

Although phishing emails have been around for more than two decades, awareness of them has not prevented phishing attacks from growing. The FBI reports that successful phishing attacks were costing U.S. business half a billion dollars each year—and those are just the attacks organizations reported. Many more go unreported due to concerns about reputational damage.

Phishing Attacks Constantly Utilize New Tactics

Phishing is constantly evolving, so it’s important to be aware of the latest trends in phishing attacks. For example, whereas the percentage of phishing emails harboring “ransomware”—malware that locks down computer systems until a ransom is paid—has declined in the past couple of years, the IT security industry has identified an increase in the percentage of phishing emails with the goal of  crypto-jacking the user´s computer. “Crypto-jacking” is the unauthorized use of a computer to mine cryptocurrency. Phishers deceive users into downloading cryptocurrency mining software, which runs quietly in the background. The proceeds are sent to the phishers, while the cost of paying for the extra processing power used by the computer or a cloud server is absorbed by the business.

Technology Alone Cannot Stop Phishing Attacks

Face it, all nets have holes. That includes the latest and greatest perimeter security technology, for example, secure email gateways. Cofense has found that 90% of the phishing emails reported to us by customers’ users were active in environments using email gateways. There is no silver bullet. Some phishing attacks will always get through and lurk in employees’ inboxes like ticking bombs.

It only takes one employee to disclose the log-in credentials to their corporate email account for a phishing attacker to pounce, taking remote control of the account and send phishing emails to colleagues, other businesses, and customers on the employee’s contact list.

As the employee’s account is regarded as a genuine source, the phishing emails will not be detected by email filters and the recipients will be more likely to interact with them. This could multiply the degree of damage done by the phishing email, not only to the business itself but also to customers and vendors.

You Need Educated Employees to Stop Phishing Attacks

Once a phishing attack gets by the email gateway and reaches employees’ inboxes, the employees themselves – the attack’s actual intended targets – are the final defense. If they aren’t educated and conditioned to spot and report all forms of phishing, employees are the weakest link. But that doesn’t have to be the case. A phishing awareness and education program can not only help to stop attacks but supply vital threat intelligence to your security teams.

Phishing simulation is recognized as best way to condition employees against phishing, especially when the simulation platform can identify the types of phishing emails and emotional triggers employees tend to fall for. This enables personalized training that makes every employee aware of their weaknesses and more alert to phishing attacks.

Cofense Can Help Protect You Against Phishing Attacks

According to Gartner, Cofense PhishMeTM, our phishing simulation platform, is the “most recognized security awareness and simulation solution” for conditioning employees and raising awareness of phishing attacks. The platform is part of a suite of solutions from Cofense that empowers employees to quickly identify and report phishing emails and in turn enable response teams to mitigate threats.

If you have responsibility for IT security, employee training, or compliance, and would like to know more about defending your business against phishing attacks, get in touch with us. Our team will be happy to answer your questions or walk you through a free demo of the Cofense suite.

Ransomware Attack Examples and the Psychology Behind Ransomware

The purpose of publishing a page dedicated to ransomware examples is not only to highlight the consequences of successful ransomware attacks or companies affected by ransomware. We aim to elaborate on the different ways ransomware programs are deployed, why they are so successful, and how your business can use a phishing awareness course to help defend itself against becoming a victim of ransomware – or mitigate the consequences should your defenses fail.

The first thing to point out is that, over time, the ransomware examples listed will date. What will not date is the psychology behind ransomware attacks, nor the weaknesses that result in ransomware attacks being successful. It is therefore viable to suggest that the measures recommended defending against ransomware – or mitigate its consequences – will also remain current.

What is Ransomware

The first recorded example of ransomware was in 1989, when evolutionary biologist Dr. Joseph Popp sent floppy discs containing the PC Cyborg Trojan to hundreds of recipients under the heading “AIDS Information Introductory Diskette”. The Trojan encrypted file names on the C drive before displaying a message demanding money was sent to a P.O. Box in Panama for “license renewal”.

The concept of demanding a ransom for data kidnapping expanded during the 1990s, as did the anonymous methods for collecting ransoms. Until the development of Bitcoin, ransoms payments were demanded via prepaid cash services, Western Union wire transfers, and Amazon or iTunes gift cards. One ransomware attack demanded texts were sent to a premium-rate SMS messaging service.

The nature of ransomware also evolved. Whereas the majority of recent ransomware examples below focus on the encryption of data and servers´ web directories, there are many examples of non-encrypting ransomware that lock users´ systems or that threaten to publish stolen data from victims´ systems – rather than deny victims access to the data – if a ransom is not paid.

Think Like
a Cybercrook

This special report focuses
on the realities of phishing
and recommends defenses
you can use to reduce your risk.

Read More

Ransomware Examples from Recent Years

The development of Bitcoin and the availability of ransomware-as-a-service on the Dark Web led to substantial growth in ransomware attacks. Although the actual number of attacks and victims is hard to quantify due to underreporting, the scale of the recent attacks is greater than has been seen before. Some ransomware examples from recent years include:

  • From September 2013 to May 2014, the CryptoLocker ransomware attack is estimated to have affected between 250,000 and 500,000 computers. The ransomware was deployed via a Trojan hidden within a ZIP file attached to spam emails.
  • In September 2014, a similar attack evaded detection by email filters by requesting recipients visit a rogue website (via a link) in order to address a failed parcel delivery notice. The rogue website would then download the ransomware payload.
  • Also in September 2014, the CrypoWall ransomware spread wildly due to users downloading executable files disguised as images on spam emails. This attack deleted backup copies, installed spyware to obtain passwords and steal Bitcoin wallets.
  • The Petya ransomware variant discovered in 2016, was the first ransomware to be allegedly used for a politically-motivated attack. The malware spread rapidly via a hacked tax preparation program in Ukraine and affected major business partners across the globe.
  • In May 2017, the WannaCry ransomware, the biggest ransomware attack in history, exploited vulnerabilities in unpatched and older versions of Windows operating systems. WannaCry is estimated to have affected 200,000 computers, but could have been much worse had a security expert not discovered a kill switch.

This list of ransomware examples from recent years indicates that ransomware attacks are becoming more sophisticated in nature, with potentially more devastating consequences, especially for companies affected by ransomware. However, a common theme is that they could all have been avoided with better security awareness and due diligence – an important consideration bearing in mind where ransomware attacks seem to be heading.

Ransomware Examples: Mobile Devices and the Cloud

As technology has evolved, the sophistication of ransomware attacks has kept pace. Device blocking ransomware loaded into applications made available in the Google Store has infected devices on the Android platform, while attackers have exploited iCloud accounts and vulnerabilities on the Find My iPhone system to lock access to devices on the Apple platform.

Although it is believed developments in machine learning and artificial intelligence in the cloud will be able to detect and correct vulnerabilities and suspicious behaviors in the future, some security experts have warned attackers will also use these technologies to learn from defensive responses and disrupt detection models in order to exploit newly discovered vulnerabilities before defenders patch them up.

Concerns have also been raised that machine learning technology will be better at generating convincing phishing emails, and be able to do it at scale. Therefore, it is essential businesses implement measures to counter the threat from ransomware – and not just technological measures. In order to be better defended against ransomware, end users must understand the psychology behind ransomware attacks.

The Psychology Behind Ransomware Attacks

When the first phishing emails harboring ransomware circulated, they were very simplistic. “Click on the image to see the cute cat” or “Look what tricks my doggy can do” were typical hooks used to prey on a victim´s curiosity and get them to open an attachment or click on a link. As awareness of ransomware increased, so did the sophistication of ransomware attacks and the psychology behind them.

Phishing emails evolved to trigger other emotions – for example, urgency, sympathy, fear and greed. Victims now received phishing emails appearing to be from technical support departments, charitable organizations and law enforcement agencies demanding action, or from bogus lottery companies with “click to win” offers.

Social engineering became the next development in ransomware psychology. Cybercriminals used freely available personal information to make emails look like they came from a legitimate source. In these ransomware examples, victims believed they were replying to an email from their bank or medical provider. Or, in a business environment, somebody from their own company.

Psychology of Ransomware Demands

Ransomware distributors know how to use psychology in their ransom demands as well. In many successful ransomware attacks, there are examples of urgency (“Pay within 72 hours or the ransom doubles”), and fear (“Pay within 72 hours or the recovery key will be destroyed and your data will remain encrypted forever”). Other ransomware examples of psychological manipulation include fake FBI warnings and fake accusations that the target has been viewing pornography.

Ransomware examples even extend to sympathy – or purport to. One variant of the CtyptoWall4 ransomware distributed in 2016 promised to forward ransoms to a children’s charity. Just in case victims debated whether the promise was genuine, they were only given twenty-four hours to make their “donation” before the five Bitcoin ransom was doubled.

The charitable angle has been around for more than twenty years. Indeed, when Dr. Joseph Popp was detained following the PC Cyborg Trojan scam in 1989, he claimed in his defense the purpose of his scam was to support AIDS research. Authorities were not so charitable and charged him with eleven counts of blackmail. He was subsequently declared mentally unfit to stand trial.

Help Create
Active Defenders

Our new study shows why email
reporting — human action — is the
beating heart of a strong phishing


Google Docs Scam Raises Concerns for Future Attacks

Most ransomware attacks are one-off events in which an attack is carried out deployed and the consequences resolved – either with the payment of a ransom or a technological solution. The Google Docs scam is different, and raises concerns as it doesn’t follow previous patterns but rather raises the possibility of future sizable, carefully-crafted, and socially engineered ransomware attacks.

In the Google Docs scam, targets received an email from a known source, claiming they were sharing a Google Doc. The email contained what appeared to be a link to the Google Doc file. When recipients clicked on it, they were taken to a legitimate Google.com page. On the page, the mystery attacker had uploaded a rogue web app asking the recipient to allow “Google Docs” to access their Gmail account.

When permission was granted, the app gained control over the webmail account and sent the same spam message to targets´ contact lists (explaining why the emails appeared to have come from a known source). Google acted quickly to prevent the email spreading, but the contact lists of more than one million email accounts were accessed and compromised before the attack was stopped.

What’s concerning about this scam is that there was no apparent negative outcome. Every target is still able to access their contacts list and nobody has been asked to send a ransom. Somebody, somewhere, is sitting on the contact lists of more than one million email accounts, with the potential the information could be used to generate convincing phishing emails harboring ransomware.

Use a Phishing Awareness Course to Prepare against Future Ransomware Threats

Nobody knows if, when or how the email data extracted from the Google Docs scam will be used to deliver ransomware, but it’s very likely to happen and may be the biggest ransomware attack in history. The phishing email will appear to originate from somebody known to the target (and therefore bypass spam filters), will likely involve an uncomplicated action (like sharing a Google Doc) and will have a psychological hook (urgency, sympathy, fear or greed).

Various solutions have been suggested to mitigate a ransomware attack on the scale of our ransomware examples above. These vary from ensuring systems and software are up-to-date with relevant patches, to using object storage versioning to maintain critical data in the cloud (which doesn´t help if networks are infected with system-locking ransomware or your business is threatened with data exposure).

A better way to prepare against the future ransomware attack is to raise the awareness of end users -and the best way to do that is to use past ransomware examples as part of a comprehensive phishing awareness course. This is how Cofense operates, providing simulation exercises based on real examples of ransomware attacks. We can reduce employee susceptibility to phishing emails by up to 95%. 

Cofense also provides end-to-end phishing mitigation for when a phishing email avoids detection by trained end users. Our Human Phishing Defense solutions condition end users to recognize and report phishing attacks in progress in order that security operation center teams can respond quickly and address the issue with minimal disruption to business continuity.

To learn from ransomware examples through phishing simulation, get in touch with Cofense now and request a free demonstration. Our intelligence-driven solution is proven to protect businesses from ransomware threats. Our team will be glad to provide you with examples of ransomware attacks that have been prevented by raising employees´ awareness of ransomware psychology.

1:1 Demo
Powerful Solutions

We'll talk with you about your company's</br>specific needs and provide</br>demonstrations of our</br>recommended solutions.


Frequently Asked Questions

What are the most common types of ransomware?

Ransomware, delivered overwhelmingly via phishing email, comes in many varieties. The most common types of ransomware include Ryuk, Conti, Mass Logger and Avaddon. Also seen are Dharma, Nemty and Hakbit ransomware. We explain this and more in our 2021 Annual Report.

How do you protect against ransomware

The best way to protect against ransomware is a multi-pronged defense that combines these tactics: Reducing user susceptibility, reducing vulnerability to ransomware, and ransomware training. Users trained to spot phishing attacks, detect reply-chain campaigns and report suspicious emails can be the difference between a failed ransomware attack and full network compromise.

How do you stay current on ransomware attacks?

Accurate and timely ransomware intelligence is vital to thwarting this threat. The ransomware landscape changes constantly; enterprises find that combining human reporting with technology that filters nuisance email and spam from active threats is highly effective. Cofense Intelligence simplifies the process. It integrates easily with leading threat intelligence platforms, as well as security information and event management applications, to provide contextual intelligence that helps security teams better protect their network.

How to Better Use Phishing Statistics

Phishing Statistics Highlight Only a Portion of the Threat

Phishing statistics vary considerably in how they are compiled, represented, and interpreted. However, this does not necessarily mean they are without value. By identifying trends within phishing attack statistics, businesses can better prepare themselves against the types of threat they are more likely to encounter and mitigate the likelihood of becoming phishing statistics themselves.

In the 2006 edition of the “Information Security Management Handbook,” author Christopher Pilewski entitled a section of his chapter on computer crime “Lies, Darned Lies, and Phishing Statistics.” Pilewski gives examples of widely varying phishing attack statistics and attributes the variations to businesses being unwilling to disclose their security failings or the financial consequences.

Fast forward more than a decade and phishing statistics still vary a lot. There are many reports, available online, that pull from vastly different users and survey groups. For example, the 4-19 “State of the Phish” Report claims 83 percent of nearly 15,000 users surveyed experienced a phishing attack in the previous year. At the other end of the scale, the British Government’s “Cyber Security Breaches Survey 2019” reports that only 32 percent of respondents identified a phishing attack or breach during the same period.

Further examples of widely varying phishing attack statistics exist with relation to the cost of a successful phishing attack. In their respective 2018 reports, KeepNetLabs claims the average cost of a successful cyberattack is $1.6 million. Accenture calculates the average cost at $2.4 million, Microsoft at $3.8 million, and IBM at $7.35 million. Juniper Research – clearly anticipating a period of hyper-inflation – predicts that by 2020 the average cost of a successful cyberattack will be $150 million.

Why Phishing Attack Statistics Vary So Much

Phishing attack statistics are not unique in displaying variance. Most statistics vary according to factors such as who, what, where, when, and why. For example, the report above claiming 83 percent of businesses experienced a phishing attack is compiled from client reports made to a security company, whereas the phishing statistic of 32 percent is the result of a UK government survey of business leaders – who may or may not have been aware of the volume of phishing attacks in their businesses.

Email Phishing Statistics

Our own 2019 Annual Phishing Report found that 90% of our clients’ real phish emails were found in environments Using SEGs (Secure Email Gateways). 74% of those phish attacks were hunting for credential information. “Cyber Security Breaches Survey 2019” reports that 20% of attacks came from phishing emails impersonating an organization. While each percentage or phishing stat is important information, it is vital to remember that each report is controlled by the data available and the publishing organization.

The same factors apply to the discrepancies in how much cyberattacks cost businesses. Costs not only vary according to the industry the business operates in, its size, its location, and how long it takes the business to recover from the attack, but also what factors are taken into account when calculating the costs. For example, some calculations include only the costs of information loss, business disruption, and revenue loss, whereas others include costs such as:

  • Equipment damage.
  • Investigation costs.
  • Increased insurance premiums.
  • Technology and security upgrades.
  • Identity theft and credit services.
  • Civil lawsuits and legal fees.
  • Reputation loss.
  • Regulatory fines and sanctions.

One also has to consider the motives for publishing phishing statistics – and how the motives are interpreted. A cynical person might be of the opinion that a security company ́s motive for publishing phishing statistics is to raise concerns and attract more clients, and therefore inflate the statistics in order to represent a far worse situation than actually exists.

That is not necessarily the case, and in fact the figures quoted in the “State of the Phish” report align closely with those produced by the Anti-Phishing Working Group (APWG) – a global data exchange, research and public awareness organization with more than 1,800 members. If Christian Pilewski ́s assertion that businesses are unwilling to disclose their security failings is true, it may not be the case that business leaders “may or may not have been aware of the volume of phishing attacks in their businesses” but rather that they did not want to reveal them.

See the Latest
Trends in Phishing Security

Get ahead of trending threats
with our insights and solutions
into phishing threats & attacks..


Why Phishing Statistics Trends are More Important

Phishing statistics trends are more important than the numbers themselves because they provide metrics about where phishing attacks are heading and give companies the opportunity to alert employees to new attack methods. However, as with phishing statistics, it is important to understand how trends are being compiled, represented, and interpreted in order to correctly identify them.

For example, if you were to compare year-on-year phishing statistics compiled from client reports made to the security company, the actual percentage of businesses experiencing a phishing attack decreased. This should not be taken as an indication that phishing attacks are declining, but rather that the security company’s solutions are having an effect – albeit a limited one.

Our own review of phishing attack statistics trends reveals that, although the vast majority of phishing emails have the objective of installing ransomware, there has been a significant increase in phishers attempting to fool email recipients into complacency by acquiring SSL certificates for their phishing sites and in the deployment of “quiet malware” such as remote access trojans.

These trends are disturbing inasmuch as the targets of phishing attacks often misunderstand the purpose of an SSL certificate (82% according to a study by APWG) and divulge log-in credentials believing the phishing site is legitimate. Consequently, there has been a noticeable increase in phishers taking remote control of user accounts and deploying software to mine cryptocurrencies in the cloud.

How to Prevent Your Business from Becoming a Phishing Statistic

One positive phishing statistics trend is that businesses are investing more in phishing awareness training. However, due to the increasing sophistication of phishing, threats are becoming harder to detect, and even technically savvy employees can fall victim to a particularly good or well-crafted phishing scam. Phishing Awareness Training alone will not reduce the consequences of a successful phishing attack, and businesses need to be prepared for the times when phishing emails avoid detection and their requested actions are performed.

Cofense is the leading provider of phishing awareness training and threat management solutions for businesses. Our human intelligence-driven solutions have reduced employee susceptibility by up to 95 percent and, when a phishing email does evade detection, Cofense enables security teams to mitigate the consequences. To date, we’ve helped hundreds of IT security teams contain the consequences of a successful phishing attack.

To learn more about defending your business, your data, and employees against the threat from phishing, contact us now and request a free Cofense demo. Our team will be glad to answer any questions you have about phishing attacks and discuss any specific vulnerabilities. Make sure you’re not helping to feed the next set of phishing attack statistics. Act and be informed. Speak with Cofense today.

1:1 Demo
Powerful Solutions

We'll talk with you about your company'sspecific needs and providedemonstrations of ourrecommended solutions.



How to Identify a Phishing Attack

It’s critical that employees know how to identify a phishing attack. When they can identify an attack before its malware payload is deployed, they help avoid potential data or financial loss. And even if a phishing attack succeeds in deploying its payload, it might be possible to eliminate the threat or contain it before much damage is done.

Identifying the signs of a phishing attack, either attempted or executed, is not a skill you learn overnight. Phishing attacks vary in nature and sophistication; they evolve over time. That’s why phishing awareness training should be ongoing and frequently refreshed.

Rule #1 of How to Identify a Phishing Attack

Rule #1 of how to identify a phishing attack: every email you receive is a potential threat. It doesn´t matter if the (supposed) sender is known to you, or even if the incoming email is a reply to one you’ve sent. If it contains a link, an attachment, asks for confidential information, or is written to appeal to your sense of curiosity, sympathy, fear or greed, you should treat it suspiciously.

Email scammers are experts at creating “lookalike” email accounts and bogus domain names. Some use social engineering tactics to discover personal information, scam the individual into revealing the login credentials of their email account and then send phishing emails to everyone on their contact list. If this happens within a business, the fallout can be dire.

Most so-called “tips” to identify a phishing attack are just clickbait and not helpful at all. For example, tracing an email´s header will not prevent the successful execution of a phishing attack if the email originates from a compromised company email account. Hovering your mouse over a malicious URL may not reveal an attack if the URL has been well disguised and, if neither the sender nor the recipient of an email are strong on spelling, how are you supposed to tell if an email contains poor grammar?

See the Latest
Trends in Phishing Security

Get ahead of trending threats
with our insights and solutions
into phishing threats & attacks..


Identifying the signs of a phishing attack is difficult, and the examples provided so far are just the tip of the iceberg. Remember Rule #1 of how to identify a phishing attack: every email you receive is a potential threat. If you get an email you are unsure about, check its validity by phoning the (supposed) sender. If that’s not possible, say something to somebody in a position of authority – preferably a member of the IT department—and, if you click on a malicious URL or open an infected attachment, say something quickly. It may not be too late to prevent a malware attack.

Signs that a Phishing Attack has been Executed

If, despite all your care, you click on a malicious URL, open an infected email, or inadvertently disclose your login credentials, you are unlikely to know straightaway that malware has been deployed on your computer. The exception is ransomware. It wastes very little time scanning your computer´s drives and any connected devices for files to encrypt. Within minutes you will likely see a message appear on your screen demanding a ransom.

If this happens, immediately report the ransomware to a person in authority or your IT team. Depending on the ransomware variant, it may be possible to decrypt the locked files. Or maybe a recent backup of your data exists to restore onto your computer. However, speed is of the essence, not only because many ransom demands are time-sensitive, but because swift action by the IT department may prevent the ransomware spreading throughout the network.

In other, non-immediate ransomware scenarios, it’s possible to identify a phishing attack by changes in the behavior of your computer. Changes to your home page or search engine page can indicate a spyware infection. Advertising pop-ups might point to adware installation and, if your computer starts to slow down or programs crash more often, a full virus scan can detect the problem and perhaps identify a phishing attack as the source.

Of greater concern: inadvertently disclosing your login credentials. In this case, it’s again important to immediately tell a person in authority or your IT team. Usernames and passwords can be changed quickly, and the disclosed login credentials retired, so the information you provided to the cybercriminal becomes of no value. When that happens, the cybercriminal may try to extract the new login credentials from you, but this time you’ll be better prepared.

Be Better Prepared before a Phishing Attack with Cofense

Of course, it’s better to identify a phishing attack before its malware payload is deployed. Cofense can help with that. We’ve developed an intelligence-driven, phishing defense solution that enhances awareness of phishing attacks. Our solution conditions users to be less susceptible to phishing and lets employees report suspicious emails with the click of a button. Your IT department can then prioritize alerts based on each user´s “conditioned rating,” that is, how well he or she has performed in simulations.

The Cofense platform integrates seamlessly with existing security and event management systems, or can be used as a stand-alone solution. The platform includes interactive phishing simulations which you can customize to your security needs, industry sector and compliance requirements. It also connects with a human-vetted threat intelligence service that helps your security team identify a phishing attack faster.

Train your employees to identify a phishing attack—before its malware payload is deployed.  Contact us and request a free Cofense demonstration. Cofense is proven to reduce susceptibility to phishing emails by up to 95% and protects more than 1,000 enterprises worldwide. Thanks to us, more than 24 million users know how to identify a phishing attack and respond effectively. Shouldn´t yours?

1:1 Demo
Powerful Solutions

We'll talk with you about your company'sspecific needs and providedemonstrations of ourrecommended solutions.



History of Phishing

A look at the history of phishing reveals that the first phishing email is thought to have originated sometime around the year 1995. The first many knew of the existence of phishing was five years later when the Love Bug struck. Fast forward almost twenty years and phishing is the number one attack vector for compromising an organization and stealing data. How did we get to this point? When did the bad guys get so savvy? Maybe there are some clues in the history of phishing.

The History of Phishing Started in the 1990s

Back in the early to mid-1990s, the only Internet option was ‘dial-up’ access for a fee. For those that were reluctant to pay for Internet access, the alternative was a thirty days free trial to access to the Internet via an AOL floppy disk. Rather than face life without the Internet after the trial period expired, some found a way to change their screen names to make it appear as if they were AOL administrators. Using these phony screen names, they would “phish” for log-in credentials to continue accessing the Internet for free.

As Internet use increased in popularity, scammers adapted these tactics to disguise themselves as administrators from an ISP, emailing the accounts of the ISP’s customers to elicit user login credentials. Having spoofed someone, the hacker could access the Internet from that user’s account with the bonus of sending spam from the user’s email address.

The Love Bug of 2000

A change in tactics saw the world fall victim to the Love Bug on May 4 2000. Starting in the Philippines, mailboxes around the globe were filled with a message titled “ILOVEYOU”. The message body simply said “Kindly check the attached LOVELETTER coming from me”.

Those who could not resist unearthing their secret crush, opened what they thought was a harmless .txt file, only to unleash a worm that did damage on the local machine. The worm overwrote image files and sent a copy of itself to all the user´s contacts in their Outlook address book.

‘LoveBug’ showed how to get spam to send itself and that, with a cleverly designed virus that preyed on human psychology and technical failings, malware could rack up enormous numbers of victims. In all about 45 million Windows PCs were thought to have been hit.

The history of phishing shows that, although delivery methods have evolved over two decades to evade detection by spam filters and other technology, the tactics employed by phishers have remained fairly consistent. It would seem logical that people should have learned to avoid the trap of surrendering login credentials, clicking links or even opening attachments. Yet this is still an effective tactic for hackers. Why?

Phishing Today

While the phishers tactics may not have changed, the stakes have. Now, instead of getting free Internet access, phishing scams can wreak havoc on the world economy. Why put in the work to break through a firewall, when a well-crafted phishing email can be just as effective in giving the hacker access to sensitive information.

One key development has been the rise of social media. As previously mentioned, just 10 years ago there was little to no information available over the Internet about organizations and the people who worked for them. Today, almost everyone at every organization has a LinkedIn, Facebook, or Twitter account, some will have all three.

See the Latest
Trends in Phishing Security

Get ahead of trending threats
with our insights and solutions
into phishing threats & attacks..


While a key business tool, these social media sites offer a veritable gold mine of personal information that criminals can, and do, use to personalize emails to specific recipients – a practice known as spear phishing.

Think about the amount of information a criminal can find about a company just through LinkedIn. Using that as a starting point, the hacker can then delve deeper into the personal lives of targets through Facebook and Twitter.

An email coming from a (seemingly) familiar or authoritative source, dealing with a relevant topic puts the recipient at ease. Personalized details only add to the authenticity and peace of mind the recipient experiences, making the likelihood of interaction with the links or attachments quite high.

The stakes, coupled with the minimal resources required to execute an attack, have made spear phishing the choice for criminals seeking access to the sensitive data stored on the networks of large organizations and corporations. Target, Home Depot and Anthem are just three of the latest high profile breaches that are believed to have started with an employee falling victim to spear phishing.

Activate Your Human Sensors

While it would seem logical that technological defenses will improve, the recent history of phishing implies it is unlikely technology will ever fully prevent spear phishing emails from reaching an employee’s inbox.  Therefore, it stands to reason that crowdsourcing phishing detection allows the first line of defense to report attacks as soon as they hit the network.

A good analogy is the fruit vendor who helped prevent a terrorist attack in Times Square back in 2010. In this instance, a vendor tipped off police after noticing that a car had been parked for several hours on a street in Times Square – an unusual occurrence in such a busy area. The car turned out to be loaded with explosives.

Although a crowded area like Times Square was equipped with expensive surveillance equipment and had a large police presence, the vendor’s knowledge of the streets made him the best person to identify suspicious activity. On a network, users are often the first to receive attacks, making their reports of suspicious email vital intelligence in preventing data breaches.

Here is a list of five phishing training tips to help set the workforce to stun:

  • Educate the workforce so that they view their inbox with suspicion. For example, what will the IT team do? What information will they ask for? This way users are less likely to fall for a phisher trying to unearth a user’s credentials.
  • Introduce a process that encourages users to report suspicious messages and emails, while also including feedback so they understand what it makes the message legitimate or a phishing threat.
  • Use this intelligence to help other users hone their detective skills, perhaps sharing ‘scams of the month’ via a security newsletter.
  • By collecting user reports of suspicious emails and analyzing TTP – such as email content, headers, and URLs, organizations can recognize patterns and take preventive action
  • Over time, organizations should track individual reporting trends and priorities reports from those users who have a strong history of positively identifying and reporting phishing emails.

The reason phishing continues to be effective remains the same – humans are attacking humans. Instead of leaving your workforce vulnerable, give them the power to shield the enterprise.

1:1 Demo
Powerful Solutions

We'll talk with you about your company's specific needs and provide demonstrations of our recommended solutions.