The number of phishing attacks increased 65% worldwide last year. However, while resiliency against phishing attacks is improving throughout major industries, including financial services, consumer scams in the workplace are growing.

Those are findings contained in Leesburg, Va.-based PhishMe’s “Enterprise Phishing Resiliency and Defense Report, 2017,” which examined controlled phishing activity and susceptibility at global organizations across 23 industries, with 7 of 8 industries seeing resiliency harden. The financial industry showed a 12.2 susceptibility rate and a 31.7 reporter rate.

“For hackers, phishing is easy. And profitable. The average phishing attack costs a mid-sized company $1.6 million,” the report noted. The research added that for many years organizations have invested in technology to keep them safe from malicious emails, yet ransomware, CEO fraud/business email compromise (BEC), and breaches stemming from phishing emails still inflict a heavy toll. According to the FBI, BEC alone cost businesses worldwide over $5 billion from 2013 to 2016.

Some other key findings:

  • Overall susceptibility dropped to as low as 5% (individual companies may have experienced greater changes).
  • As reporting or engagement increased, susceptibility decreased.
  • Employees are most susceptible to phishing emails that target them as consumers.
  • Emails with malicious URLs are the most reported.
  • Almost 15% of the emails employees reported were malicious.

The report dove into topics such as active threats considered to be high-risk and vintage threats, or threats that have disappeared but are likely to return. “When a phishing type disappears for a while, be afraid. Be very afraid. It will likely come back and you need to be ready. So be proactive. Baseline your risks before attackers do,” the report emphasized.

Some key findings specific to the financial industry include: 36.2% susceptibility to TrickBot attacks, which use customized redirection attacks and HTML or JavaScript injections as a victim visits a financial institution online; and 30.6% susceptibility to Ursnif attacks, which deliver malware via Word documents and macros to steal victim information, such as banking and credit card credentials, through man-in-the-browser attacks, keylogging, or screenshot capture.

The report stressed, “The tendency to fall for a phishing email, or susceptibility, is best addressed with conditioning employees to recognize and understand phishing emails. Repeated phishing simulations, including those based on relevant, emerging threats, have shown a shrinking susceptibility rate for three years running. It’s proof that a progressive, mature anti-phishing program keeps organizations safer.”

As Internet behavior changes, so do cyberattacks. In previous years, PhishMe reported that fear, urgency and curiosity were the top emotional motivators behind successful phishes. Now they’re closer to the bottom, replaced by entertainment, social media and reward/recognition.

The resiliency study acknowledged it’s possible mature anti-phishing programs have conditioned employees to spot work-related scams such as “Delivery Issue” or “Parking Ticket” (fear), “Urgent Order” or “Canceled Transaction” (urgency) and “Final Version of the Report” or “Refund for Purchase” (curiosity). But most programs don’t focus on consumer scams, which are cropping up more in the workplace, targeting employees with personal rather than business messages.

“Employees will always take a break to do personal business online, so you can expect work and home email to continue blurring,” the report asserted. Personal devices in the workplace often carry multiple email accounts, so the source of a given email may not be as evident. However, to sustain morale, communication and collaboration, among other reasons, companies are unlikely to restrict BYOD or access to social media, news and entertainment sites.

PhishMe provided some tips: understand the dynamics of entertainment or social phishing; stress vigilance when it comes to emails promising rewards; and take note of internal reward programs that are in danger of being mimicked.

The data reflects experiences of some 1,400 PhishMe international customers, including Fortune 500 and public-sector organizations. In some instances, the data goes back to 2014 or 2015 to show longer-term trends or may focus on a specific time frame. In other cases, the data is from the past eight months, January through August 2017. The data’s foundation comes from 52.4 million simulation emails, written in numerous languages.