Some 10% of user-reported emails malicious

Anti-phishing firm Cofense analyses more than 3,000 reported emails every day, with more than 10% found to be malicious across key industries.

That 10%, which was nearer 20% in the legal and utilities sectors, has bypassed other security solutions such as email gateways to make it to users’ inboxes, according to the company’s 2018 State of phishing defence report.

More than 50% of reported malicious emails are tied to credential phishing, where a fraudulent email attempts to gather login and system information from users.

“Credential phishing is the runaway leader in user-reported malicious emails, and it is also the threat to which users are most susceptible during simulations,” the report said.

Credential phishing is also a common tactic used in business email compromise (BEC) attacks in which cyber criminals hijack legitimate accounts to send emails to trick employees into making money transfers into bank accounts under cyber criminal control.

In August, email management firm Mimecast reported a sharp increase in BEC attacks in the second quarter of 2018, while research by risk management and intelligence firm Digital Shadows revealed that poor security practices and access to hacking services are making it easy for cyber criminals to carry out such attacks.

Cofense sends over 10 million phishing simulations each month and enables over 45 million users to report malicious emails.

The report is based on the analysis 135 million phishing simulations, 800,000 reported emails and nearly 50,000 real phishing campaigns targeting 1,400 customer organisations in 50 countries across 23 industries ranging from healthcare and financial services to manufacturing.

According to the 2018 Verizon Data Breach Investigations Report (DBIR), email delivers 92% of malware, while the 2018 Symantec Internet security threat report shows that by the end of 2017, the average email user received 16 malicious emails per month.

“While it’s impossible to completely eliminate phishing and email-based threats, organisations look to minimise the risk associated with those threats,” the Cofense report said.

The report shows that 21% of reported crimeware emails contained malicious attachments, and that the term “invoice” is one of the top phishing subjects, which appeared in six of the 10 most effective phishing campaigns in 2018.

However, the overall resiliency rate of users has grown in the past four years, the report said, due in part to a big increase in the reporting rate of 21.6% up from just 14% three years ago. In that time, companies in the utilities and energy industries have built up the most resiliency to phishing, but the report said all critical infrastructure-related industries still have work to do.

“We founded Cofense on the principal that the human element, the users who are targeted, are a critical factor in defending against phishing threats,” said Aaron Higbee, co-founder and chief technology officer of Cofense. “We see phishing emails bypass technology controls every day and more and more users recognising and reporting these threats that slipped past million-pound defences.

“The results of our research detailed in the report show that resiliency is building across key industries thanks to those same people that were once deemed as the weakest links in an organisation. These trends are powerful and reinforce that humans are a key element to a successful security program.”