Phishing statistics are useful. But they vary a lot.
In the 2006 edition of the “Information Security Management Handbook,” author Christopher Pilewski entitled a section of his chapter on computer crime “Lies, Darned Lies, and Phishing Statistics.” Pilewski gave examples of widely varying phishing attack statistics. He attributed the variation to companies being unwilling to disclose their security failings or the financial consequences.
Fast forward more than a decade and little has changed. The Wombat 2016 “State of the Phish” report reveals 85% of companies were the victim of a phishing attack in the previous year. At the other end of the scale, KnowBe4’s “Endpoint Protection Ransomware Effectiveness Report” claims 33% of companies experienced a phishing attack during the same period. These were not even the biggest discrepancies in that year´s phishing statistics.
One more example of conflicting phishing statistics: according to InfoSecurity Magazine, only 6% of U.S. companies who fell victim to a ransomware attack in 2016 paid a ransom to decrypt their data. The average amount paid was the Bitcoin equivalent of $5,040. By comparison, Symantec found 64% of U.S. companies were willing to pay a ransom to resolve a successful ransomware attack. However, the companies that responded to the Symantec survey to collect phishing attack statistics only paid an average of $1,077.
Why Phishing Attack Statistics Vary So Much
There is surely a reason for phishing statistics being so variable, other than the one suggested by Pilewski. The answer could be in the size of the sample. This would certainly appear to be the case in some of the headline data reported from Verizon´s 2016 “Data Breach Investigations Report.”
Based on data within the report, it was widely reported that email attachments had become the #1 delivery vehicle for malware, surpassing drive-by downloads and links within emails to malicious URLs. It may be that this is true. However, the data was compiled using 135 instances in which U.S. companies had experienced an adverse event due to a malware infection. 135 companies are a very small sample.
Arguably the most accurate phishing statistics come from the Anti-Phishing Working Group (APWG), a global data exchange, research and public awareness organization with more than 1,800 members. The APWG´s data is based on the number of phishing attacks reported to it. Assuming companies are more willing to “disclose their security failings” than they were in 2006, it is likely that trends identified by the APWG, rather than stand-alone phishing attack statistics, are more accurate.
Why Phishing Statistics Trends are More Important
Phishing statistics trends are more important than the numbers themselves because they provide metrics about where phishing attacks are heading. They also give companies the opportunity to implement adequate defenses. For example, Cofense’s Q3 2016 Malware Review identified three major phishing attack statistics trends:
- Locky ransomware continues to be the most common variant of malware delivered via phishing.
- The proportion of phishing emails now carrying ransomware has increased to 97.25%.
- There was an increase in the deployment of “quiet malware” such as remote access Trojans.
This would imply—if the APWG´s latest phishing statistics are an accurate reflection of the volume of phishing emails—that more than 90,000 ransomware-laden phishing emails per month were reported by the organization´s members in the last quarter of 2016. Considering the reluctance of some to share phishing attack statistics when their company has fallen victim and that some phishing emails may have escaped detection, companies are receiving more than one million ransomware attacks each year.
How to Prevent Your Business from Becoming a Phishing Statistic
The best way to avoid becoming a part of phishing statistics is not to avoid disclosing your company’s security failings but to be proactive in your phishing defenses. Cofense is the leading provider of phishing threat management for businesses with concerns about their phishing protection. Our intelligence-driven solutions have reduced employee susceptibility by up to 95%. We’ve helped hundreds of IT security teams contain the consequences of a successful phishing attack.
To learn more about defending your business, your data and employees against the threat from phishing, contact us now and request a free Cofense demo. Our team will be glad to answer any questions you have about phishing attacks and discuss any specific vulnerabilities. Make sure you’re not helping to feed the next set of phishing attack statistics. Act and be informed. Speak with Cofense today.