A new collaboration between IDG and Carbonite + Webroot has found that phishing attacks remain high two years after the onset of the global COVID-19 pandemic. Phishing reached historic levels in February 2020, rising over 500% in a single month. Those increases had leveled off by the end of 2020, and it was unclear whether phishing's highs were sustainable.
So we spoke with 300 global IT executives, finding that 93% were still concerned about phishing with 61% highly concerned. It’s little wonder, given that 76% of respondents report that phishing is still up compared to the time before the pandemic.
IT departments have taken the brunt of the assault, with senior security analyst Tyler Moffitt saying, "Even if malware targets someone with lower-level access, the attacker will move laterally to eventually find an IT administrator." IT departments are targeted twice as often as the next most targeted department, because attackers covet domain-level credentials that give them widespread access.
Many executives say their companies provide training for their employees to combat phishing. But 25% don't offer phishing simulations, and another 63% only offer training quarterly or yearly. Increasing the frequency of training and offering simulations are both shown to reduce click-through rates in phishing attacks. In the report, Tyler Moffitt details more ways that companies can change their training methods to further combat phishing and malware.
Important findings include:
- Attackers target IT departments
57% of respondents say their IT group has been targeted in the previous year.
- Gaps in protection linger
45% of respondents cite ‘gaps in skills / expertise’ as a top challenge to tackling phishing attacks.
- Malware attacks are top phishing tools
44% of respondents confirmed that they were the victim of a malware attack that launched when a user downloaded an email attachment.
- Consequences of phishing remain high
32% of respondents suffered lost productivity and another 37% suffered downtime lasting more than a day.
I appreciate this. Excellent collateral as always. What would be really good is if, as Webroot Resellers/Partners, we did NOT have to sign up on online forms (per the links in the article) to access the full reports. Can these be posted somewhere within the Luminaries site so there is a central repository for this type of information? If I'm missing something and this already exists, please correct me and let me know.
First, thanks for the material. It’s partly why I signed up for the Luminaries.
I was surprised to see IT being targeted so heavily. I’m seeing attempts targeted at accounting either directly or indirectly through another account (“Dear payroll, please change my direct deposit to...”)
Fortunately, those that were phished only had to deal with the embarrassment; no financial loss.
I agree with gmike, a repository of these that we can reference online would be very helpful. "White label" versions as appropriate where resellers can drop in a nameplate would also be great. Case study and benefits types of collateral, not tech sheets.
I am curious to see how those attack numbers and targets change with the 2021 data, as per Morrow's post we are seeing a lot of attacks still targeting finance and payroll internally. An interesting insight into how phishing attacks are developing and the threat to our industry.
We haven’t seen any targeted internal attacks, but have had clients affected. Thankfully no one has fallen for it recently. We have also started utilizing SAT more than we did in the past to train up the clients having issues.
2022 looks like it will be a record setter for phishing attacks. My company is seriously considering offering Webroot's SAT offering. We started to test it about a year ago, but got sidetracked. This will be a priority in 2022.
The content of Webroot is always flawless. This SAT is now, more than ever, something that businesses should get done. That said, there are still so many of our customers who do not see the value of this, and it is sad to say that we have had 2 breaches in the past month due to ignorant staff who fell victim to these phishing attacks.
We have once received a fake email to HR pretending to come from an employee, but it was detected by the user thanks to our training and simulations.
We will never be done with educating our employees, this is a continuous process.
We have been trying to sell SAT from Webroot for several months now. More customers are now considering using this.
It's a shame that so many SMBs we are involved with don't see the value of Security Awareness Training. We've found Webroot SAT to be engaging and useful to users and always receive positive responses from the small number that have used it. There's a gulf between executives saying their companies provide training, and them actually following through and doing it properly and regularly.
As ever, the end users are the weakest link, and continual training in this side of things is something that cannot be emphasised enough. The one thing I always make into a mantra is that I tell each user, if in doubt on any email, no matter how silly you may feel, always ask your IT person to check on it before doing anything. I have had Webroot protect a client recently when one user failed to heed this, three times… before they got the HR slap they needed to stop being foolish.
Good article. Always a tough one as there is a fair amount of reliance on users to do the right thing. Phishing has got so clever now that even I have to sometimes do a double take on an email as some are very convincing.
As said above, we have had to ask our clients to send in a support ticket with the header of any email users are not sure of so IT can check it over.
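The report's finding that many malware infections began with a downloaded attachment, and the practice described in the comment above of having IT review a reported email's headers before clearing it, both come down to a few mechanical checks. The following is an added example, not code from the post, from Webroot, or from any commenter: a small Python triage routine using only the standard library `email` package. Both sample messages are constructed for the example; the domains, relay host and attachment are invented, and the checks (Reply-To domain mismatch, failed SPF/DKIM/DMARC results in `Authentication-Results`, executable and double-extension attachments) are the reviewer's own assumptions about what is worth flagging, not a complete phishing detector.

```python
"""Triage a reported email: parse its headers and attachments and list the
signals an IT reviewer would look at before clearing the message.
Added example; the checks below are the author's assumptions, not a product."""
import email
import os
from email import policy
from email.utils import parseaddr

# Extensions that should not arrive as plain attachments from outside (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".bat", ".cmd", ".ps1"}

# Constructed sample (not a real capture): a "payroll change" lure with a
# spoofed From, a Reply-To pointing elsewhere, failed SPF/DMARC, and a
# double-extension executable attachment.
SAMPLE_EML = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.example; dkim=none; dmarc=fail header.from=corp.example
Received: from mail.attacker.example (mail.attacker.example [203.0.113.10]) by mx.example.com
From: "Jane Doe (CEO)" <jane.doe@corp.example>
Reply-To: jane.doe.ceo@attacker.example
To: payroll@corp.example
Subject: Direct deposit update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear payroll, please change my direct deposit to the account in the attached form.

--b1
Content-Type: application/octet-stream; name="form.pdf.exe"
Content-Disposition: attachment; filename="form.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""

# Constructed benign message for comparison: authentication passes, no attachment.
CLEAN_EML = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=corp.example; dkim=pass; dmarc=pass header.from=corp.example
From: "Jane Doe" <jane.doe@corp.example>
To: payroll@corp.example
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""


def _domain(header_value):
    """Lowercase domain of an address header, or '' when the header is absent."""
    if not header_value:
        return ""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return a list of human-readable findings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Replies silently redirected to a different domain than the visible sender.
    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from From domain {from_domain}")

    # 2. Authentication results recorded by the receiving gateway.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", [])).lower()
    for mechanism in ("spf", "dkim", "dmarc"):
        if f"{mechanism}=fail" in auth:
            findings.append(f"{mechanism} failed according to Authentication-Results")

    # 3. Attachments that are executable, or disguised as documents via a double extension.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        root, ext = os.path.splitext(name)
        if ext.lower() in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} has executable extension {ext}")
            if "." in root:
                findings.append(f"attachment {name} uses a double extension to look like a document")
    return findings


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, triage(raw))
```

Run it on a saved `.eml` by passing the file contents to `triage`. A message with an empty findings list is not proven safe; the point of the routine is to give the person answering the support ticket the header facts quickly, so the judgement call described above is made on evidence rather than on how convincing the email looks.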
Brilliant, thank you for sharing TylerM, really interesting stuff!
Preventing phishing attacks is a collective effort from all of us.
Let’s help everyone, to help each other.
There’s an increase in very convincing phishing emails that are catching people out.
thanks for the info
We haven't seen any targeted internal attacks, but a few customers have reported suspicious emails.
In our opinion, no one has fallen into the trap.
Thanks a lot Tyler
Interesting information as always and thanks for sharing!
Great article. I’m not surprised that phishing attacks are still on the rise, and still successful. Targeting IT departments means targeting the individuals with the highest credentials. Security Awareness Training is the key to keeping the network secure. You have to educate the user if you want to reduce your risk of falling victim to a phishing attack.
First, thanks Tyler for the information!
I was surprised to see IT being targeted so heavily. I’m seeing attempts targeted at accounting either directly or indirectly through another account (“Dear payroll, please change my direct deposit to...”) and many CEO type of phishing attacks. None have been successful though as our team is being very diligent and careful as to what they click on and open.
We don’t see internal attacks but sure see folks trying hard from the outside. I get several each week.
Tyler, thank you for sharing. It is no surprise that phishing attacks are still so high. With the pandemic and remote work, workers can easily fall victim to a phishing attack. Do you think if companies took phishing more seriously with proper protection and training we would see a decrease?
I think many of us still have the attitude “it won’t happen to me, I would never open an email from a spam account”. It happens almost every single day.
@TylerM, thanks for your informative article.