State of the Phish 2015

Transcription

1

2 Introduction The threat is real Phishing continues to pose a growing threat to the security of industries of every kind from financial organizations to government contractors to healthcare firms. Though organizations have invested significant sums in such protective technology as spam filters, anti-virus, anti-malware, IDS, and web proxies, today s savvy attacker manages to evade safeguards through carefully planned, socially-engineered attacks. The result? Unsuspecting end users routinely click links, open attachments... and expose themselves and their organizations to far-reaching damage. According to Verizon * an estimated 95% of espionage attacks involved phishing of all malware attacks come Nearly80% from phishing attempts To provide a clearer idea of where and how organizations make themselves most vulnerable to phishing attacks, ThreatSim has prepared this 2015 report, which pools two sources of data: ThreatSim s anonymous data aggregated across our customer base, involving millions of simulated phishings conducted between January 2013 and December A survey of information technology executives, administrators, and information security professionals While not a scientific study, this report does offer important insight into what proactive organizations are doing to better train their end users to identify and avoid phishing messages. *Verizon Data Breach Investigations Reports, ThreatSim All Rights Reserved threatsim.com 1

3 ThreatSim Customer Statistics Who uses ThreatSim? Financial, B2B Services, Energy, and Manufacturing are leading the adoption of dynamic phishing training. Financial B2B Services Energy Manufacturing Education Technology Healthcare Retail Non-US Government Insurance State Government Consumer Non-Profit Defense Federal Government Media Transportation Hospitality Credit Union Other Legal City Government County Government Agriculture ThreatSim All Rights Reserved threatsim.com 2

4 ThreatSim Customer Statistics How many people open... and click? Given our extensive work with customers in a wide variety of industries, ThreatSim has a unique vantage point on the phishing epidemic. Through millions of simulated phishings, conducted between January 2013 and December 2014, we ve pulled together the data presented here to provide a clearer picture of what we see on the front lines. The number of targeted users who open a phishing , then fall for the scam depends on several factors including the phishing lure in the message, the sophistication of the , the date/time it was sent, and the target s technical acumen. According to Verizon s 2015 Data Breach Investigations Report, nearly 50% of recipients open s and click on phishing links within the first hour. The median timeto-first-click coming in at one minute, 22 seconds across all campaigns. 23% 11% average open rate of all campaigns in average click rate of all campaigns in ThreatSim All Rights Reserved threatsim.com 3

5 ThreatSim Customer Statistics Which platforms garner the most clicks? Windows, not surprisingly, was the platform that had the most clicks of all operating systems. To be fair, this is not necessarily saying that Windows users are more susceptible to phishing, rather in the business world, PCs are by far the most used platform. When we drill into the data, the percentage of Mac and Windows users who open is nearly the same at around 65%. Percentage of all clicks by platform in % 18% 1% 8% 71% PC Other ios Android Mac 2015 ThreatSim All Rights Reserved threatsim.com 4

6 ThreatSim Customer Statistics Which type is most likely to get clicked? Technical Corporate Commercial Cloud Consumer % Clicked 0% 5% 10% 15% 20% What do these s look like? 21.3% 15.3% 12.9% 8.7% 6.9% TECHNICAL s These are messages that look like common errors including mailbox is full, unknown user, etc. CORPORATE This could look like official office mail, spam quarantine, benefits enrollment notices, invoices, or an HR confidential document. COMMERCIAL Business-oriented but not company-related , this might be something like a shipping confirmation of an overnight package, fake wire transfer, or auto insurance renewal. CLOUD Cloud in this case means something simulating a cloud-based service, like a file sharing service. The might read: Dave wants to share a file with you, click here to accept. CONSUMER These are the types of s the general public gets on a daily basis that may try to replicate offers or accounts they already have. Examples include s about frequent flier accounts, potential account compromise, social networking notices, gift card notifications, and more ThreatSim All Rights Reserved threatsim.com 5

7 ThreatSim Customer Statistics Which mobile phone users are most at risk? It s no surprise that mobile use in the workplace has grown dramatically over the last few years and with it, users accessing their work on mobile devices. While both ios and Android use grew dramatically, Android use in the workplace outpaced ios by more than double. That being said, use of ios devices on the whole is still nearly 4x that of Android in the workplace according to our data. 405% growth for ios usage in the workplace from % growth for Android usage in the workplace from Interestingly, ios users are roughly 25% more likely to click on a phishing link after opening a phishing on their device than are Android users. While some would argue this means that ios users are more likely to fall for a phishing scam, others would argue that ios users naturally perceive their device to be more secure, so are more willing to test the waters on their device than are Android users. In 2014, more than Only 16% of ios device users who opened a phishing took the bait and clicked on it. 12% of Android users fell for the phish. The good news for organizations is, increasingly, users of mobile devices are becoming smarter about not taking the phishing bait. From 2013 to 2014, click rates for both ios and Android device users dropped an average of 35% after opening a phishing ThreatSim All Rights Reserved threatsim.com 6

8 Honing the Spear Like phishing, spear phishing involves sending a malicious link or file. But while standard phishers take a mass approach, sending out millions of s in hopes of snagging valuable personal information from as many people as possible, spear phishers are more highly focused. They often go to great lengths to gather information on key people within an organization in order to craft a personalized and convincing . As social engineers, they aim to become someone you know and trust. In our experience at ThreatSim, spear phishers efforts to personalize their attacks make them more effective. Our data indicate that spear phishers are most successful when they employ a target s last name, company logo, or some other trust token designed to create a sense of familiarity. 11% average click rate of all campaigns across average click rate when just a user s last name is placed in the , 18% regardless of other personalized data ThreatSim All Rights Reserved threatsim.com 7

9 Honing the Spear After a year or more of training, users get smarter about personalization as it relates to phishing s. Click rates in s personalized with the user s first name have dropped from % to % 12.5% average click rate in 2013 average click rate in ThreatSim All Rights Reserved threatsim.com 8

10 Why is Training Important? Is there any correlation between frequency of testing/training and clicks? The figures below show the click rate improvements achieved by organizations based on how frequently they train their user base. Click rate at the end of 6 months if training is done monthly:14% Click rate at the end of 6 months if training is done quarterly:16% *Improvement of 12.5% if training is done monthly vs. quarterly Click rate at the end of 24 months 4% if training is done monthly: Click rate at the end of 24 months 8% if training is done quarterly: *Improvement of 50% if training is done monthly vs. quarterly 2015 ThreatSim All Rights Reserved threatsim.com 9

11 Why is Training Important? What is the click rate for first campaigns vs. the rate after training? 25% average click rate for all first campaigns average click rate for all campaigns after initiating phishing 11% simulation training average click rate for campaigns after 24 months of simulated 4% phishing training 2015 ThreatSim All Rights Reserved threatsim.com 10

12 Why is Training Important? Which browser plug-ins are most vulnerable? When end users fall for a ThreatSim simulation, we perform fingerprinting of the users browsers and plug-ins. The resulting data are useful in pinpointing who is at the greatest risk for a data breach. In tracking end user plug-ins, we note if the plug-in is outdated, as this increases the user s exposure to malware infection. This information provides our customers with a good indicator of the target s susceptibility to exploit, had the message that was clicked upon been a real phishing attack. In 2014, three plug-ins were found to be most commonly outdated, making them particularly vulnerable to attack: Adobe Flash outdated 40% of the time Java outdated 34% of the time Microsoft Silverlight outdated 32% of the time 2015 ThreatSim All Rights Reserved threatsim.com 11

13 ThreatSim Survey Results ThreatSim surveyed IT executives, administrators and security professionals. The results of this survey are summarized in the pages that follow. Overall, our findings support the premise that phishing poses a critical threat today to organizations of every kind. Though some organizations are taking steps to measure their susceptibility to phishing and any resulting damage, a significant percentage are simply ignoring the threat ThreatSim All Rights Reserved threatsim.com 12

14 ThreatSim Survey Results A growing problem The vast majority of organizations surveyed, 76.7%, report having experienced a phishing attack in the past year. The remaining respondents, 23.3%, are not aware of having been attacked. Since phishing attacks often go unnoticed and unreported, it s safe to assume that some in this group are compromised and don t even know it. Have you experienced a phishing attack in the last calendar year? 23.3% 76.7% Yes No 2015 ThreatSim All Rights Reserved threatsim.com 13

15 ThreatSim Survey Results A growing problem (cont.) Perhaps most alarmingly, nearly one third of organizations 32% reported experiencing more than 50 phishing attacks within the past year, with 9% of respondents experiencing more than 500 attacks. Approximately how many known phishing attacks have you experienced in the last year? 4% 5% 9% 41% 14% 20% 9% ,000 >1,000 Unsure 2015 ThreatSim All Rights Reserved threatsim.com 14

16 ThreatSim Survey Results A growing problem (cont.) Clearly, phishing poses a threat that isn t going away. In fact, many organizations report that it s on the rise. Of those surveyed, 40.6% report an increase in attacks over the past year, while 58.3% believe the level of attack is staying about the same as in past years. Is the rate of phishing attacks against your organization increasing? 40.6% 58.3% Increasing Decreasing Staying about the same as years past 1% 2015 ThreatSim All Rights Reserved threatsim.com 15

17 ThreatSim Survey Results The impact is far-reaching For organizations beset by phishing attacks, the impact was far from benign. Of those who were attacked in our survey, 40.6% experienced a malware infection, 21.9% saw their accounts compromised, and 8.3% lost data. What, if any, of the following impacted your organization? 8.3% 49% 40.6% Loss of data Malware infections Compromised accounts Other 21.9% 2015 ThreatSim All Rights Reserved threatsim.com 16

18 ThreatSim Survey Results The impact is far-reaching (cont.) Phishing s impact is both damaging and disruptive for those who have been attacked. In addition to the unfortunate outcomes reported here, the security managers within the survey routinely lament how much time is lost in responding (endpoint forensics) and employee downtime (account rest, system restoration). Nearly half of our respondents who were attacked (47.9%) reported lost productivity for their employees. But the problems didn t end there. More than a quarter of those attacked (28%) experienced damage to their organization s reputation, and nearly a quarter more (24%) lost proprietary information. How do you measure the cost of phishing incidents? 24% 28.1% 47.9% Lost productivity for employees Damage to reputation Business impacts through loss of proprietary information 2015 ThreatSim All Rights Reserved threatsim.com 17

19 ThreatSim Survey Results Means of attack Response to our survey indicates that spear phishing, a mode of attack that is finely targeted and thus more effective, poses a serious threat to businesses. The majority of respondents, 54.3%, report that their organization experienced targeted spear phishing attacks over the past year. Do you experience actual spear phishing (aka targeted) attacks? 45.7% 54.3% Yes No 2015 ThreatSim All Rights Reserved threatsim.com 18

20 ThreatSim Survey Results Measuring exposure to phishing We found it concerning that though three-quarters of organizations we surveyed have experienced phishing attacks over the past year, close to 40% of those surveyed have not taken appropriate steps to measure their organization s susceptibility to such attacks. Considering the far-reaching damage caused by phishing (to brand credibility, productivity and the bottom line), it only makes good business sense to know your exposure and thus take steps to measure your risk. Do you measure your organization s susceptibility to phishing? 39.1% 60.9% Yes No 2015 ThreatSim All Rights Reserved threatsim.com 19

21 ThreatSim Survey Results Measuring exposure to phishing (cont.) Everyone who responded to our survey, a full 100%, reported using /spam filters to reduce the risk of phishing attacks in their organizations. More than half of respondents, 57.6%, use outbound proxy protection, and 40.2% have employed advanced malware analysis (such as FireEye). Only 18.5% of respondents employ URL wrapping. Which of the following technologies are utilized by your organization to reduce the risk from phishing attacks? 100% 100% 80% 60% 40% 20% 57.6% 40.2% 18.5% 0% / Spam filters Outbound proxy protection Advanced malware analysis (e.g. FireEye) URL Wrapping 2015 ThreatSim All Rights Reserved threatsim.com 20

22 ThreatSim Survey Results Training and prevention Most organizations appear to be employing multiple training efforts. By far the most commonly used training is phishing simulation exercises, employed by 83.3% of organizations. Other commonly used methods are annual security awareness training (using computer-based training), 60.3%, and monthly notifications or newsletters, 50%. Which of the following activities are used in training your end users on how to identify and avoid phishing messages, in addition to phishing simulation exercises? 100% 80% 60% 40% 20% 60.3% 50% 28.2% 11.5% 0% Annual security awareness training using CBT (computer-based training) Monthly notifications or newsletters Annual security awareness training (in-person, classroom style) Other 2015 ThreatSim All Rights Reserved threatsim.com 21

23 ThreatSim Survey Results Training and prevention (cont.) Of those organizations that proactively measure the impact of phishing prevention activities like training, the results are impressively reassuring. A full one third, 33%, of those respondents report that the steps they took reduced their phishing susceptibility by %, and close to half of those respondents, 47%, report their level of reduction in susceptibility between 1% 50%. What percentage reduction have you achieved? 19% 19% 14% 25% 22% % 51 75% 26 50% 1 25% Unsure/ Still Testing 2015 ThreatSim All Rights Reserved threatsim.com 22

24 ThreatSim Survey Results Training and prevention (cont.) Even more impressively, a full 70% of respondents show these reductions in phishing susceptibility occurring in less than 12 months after implementing activities like phishing simulated exercises, with a staggering 41% showing positive results in under six months. In what time frame did you see reductions achieved (number of months)? 9% 9% 21% 41% 6 months or less 7 to 12 months 12 to 24 months >24 months Not sure 29% These figures make it clear that phishing remains a critical threat, and prevention activities such as phishing simulation exercises are important for even the most proactive organizations ThreatSim All Rights Reserved threatsim.com 23

25 threatsim.com Coppermine Rd. Suite 302 Herndon, VA ThreatSim All Rights Reserved