Survey Report

New data shows phishing attacks remain high and few are spared

New data shows phishing attacks remain high and few are spared
Userlevel 7
Badge +24
  • Sr. Security Analyst & Community Manager
  • 922 replies

A new collaboration between IDG and Carbonite + Webroot has found that phishing attacks remain high two years since the onset of the global COVID-19 pandemic. Phishing reached historic levels in February 2020, rising over 500% in just one month. But those increases had leveled off by the end of 2020 and it was unclear whether phishing’s highs were sustainable.


               So we spoke with 300 global IT executives, finding that 93% were still concerned about phishing with 61% highly concerned. It’s little wonder, given that 76% of respondents report that phishing is still up compared to the time before the pandemic.


                IT departments have taken the brunt of the assault, with sr. security analyst Tyler Moffitt saying “Even if malware targets someone with lower-level access, the attacker will move laterally to eventually find an IT administrator.” IT departments are targeted twice as often as the second highest target because attackers covet domain-level credentials that give them widespread access.


                Many executives say their companies provide trainings for their employees to combat phishing. But 25% don’t offer phishing simulations, and another 63% only offer trainings quarterly or yearly. Upping the frequency of trainings and offering simulations are both shown to reduce click-through rates in phishing attacks. In the report, Tyler Moffitt details more ways that companies can change their training methods to further combat phishing and malware.


Important findings include:

  • Attackers target IT departments
    57% of respondents say their IT group has been targeted in the previous year.
  • Gaps in protection linger
    45% of respondents cite ‘gaps in skills / expertise’ as a top challenge to tackling phishing attacks.
  • Malware attacks are top phishing tools
    44% of respondents confirmed that they were the victim of a malware attack that launch when a user downloads an email attachment.
  • Consequences of phishing remain high
    32% of respondents suffered lost productivity and another 37% suffered downtime lasting more than a day.

    Download the report and discover the best strategies for fighting back against phishing

38 replies

Userlevel 4

These reports keep demonstrating the necessity for education. Not only in cybersecurity but in technology in general.

Especially the decision makers and “power” users.

Userlevel 7
Badge +23

… What would be really good is if as Webroot Resellers/Partners that we did NOT have to sign up on online forms (per the links in the article) to access the full reports. ...

While I agree that having them available without signing in here would be useful for some, I for one like being notified through this system and reading the comments that Tyler adds to just reading a report. There is some perspective and content that is not necessarily obvious in some reports, which can often be “a little dry.” But additional and flagging by Tyler not only call my attention to these reports, but add some excellent background. 

So thanks for the excellent writeup Tyler, and access to the reports as well. 

Userlevel 3

Thank you and many people already said it well.

Userlevel 7
Badge +8

Im just here for ps2 mice from the early Naughtys.

Userlevel 5
Badge +1

Great article. I will share it with my colleagues.

Userlevel 4
Badge +2

Unless the staff take and act on fake phone calls from “Microsoft/Google/Amazon/ISP staff”,  phishing is the best way to get the criminals in to the network.  Its no surprise they want a privileged IT users account and that employees think that they don’t know really whats happening, they may be the targets but are not the fighting front line.  I can’t see any let up in phishing, with crypto and blockchain being further deployed. its going to get much worse.  All those gleaned credentials of people employees already know, get more valuable daily.

The more layered support from software can only help so far. Unfortunately it is the training that needs to keep up as well, as those users have a habit of becoming victims.

Great content. One of the many reasons I joined

Userlevel 4

Great article, thank you very much for sharing.

It seems that any Security Awareness Training really should begin within your own organisation before rolling it out to clients, especially with IT generally being such a large target.

Userlevel 4
Badge +1

No attacks for us but we’ve seen an uptake for customers. User awareness training is vital. Users will always be the weakest link no matter how advanced and secure businesses make their IT.

Monthly training at a minimum with business backing on training and reviews to make sure people get the message and understand the risk.

Userlevel 1

We have started seeing an increase in phishing scams during the lockdowns. User training has been an increasing concern as we have had more users email us with a phishing email asking if it was legit or not. It’s good that the users are asking us first instead of clicking, but we still don’t know if other users are clicking on those emails.


SAT would and has been great for finding out those click happy users so we can give them proper training.

Thanks for the article, its good to know that a large amount of people have experienced the rise in Phishing scams.

Userlevel 3

Good ready Tyler, thanks!

Userlevel 7
Badge +4

Not surprised IT departments are a target. We all know that MSPs are a target as well due to their client base.


We have actually put SAT in place as a standard service feature for our client base.

Userlevel 6
Badge +1

I can say from experience that proper SAT makes a difference. It may be hard to get buy in at first, but once the program is in place the results are undeniable. Phishing is a huge issue for most orgs and not addressing IT risks head on is a recipe for disaster. I am thankful to work for an org that listens to recommendations and doesn’t just think of IT as overhead.