Seventy-six percent of organizations experienced phishing attacks in 2017 and nearly half of information security professionals said the attack rate increased from 2016. Meanwhile, W-2 tax scams are now in season.


Pittsburgh-based Wombat Security Technologies released its annual “State of the Phish” research report. Among its findings: organizations in 2016 saw about an 80% increase in reports of malware infections, account compromise, and data loss related to phishing attacks.


Even so, Wombat customers showed positive trends and progress within their programs, with declining click rates and increases in the number of suspicious emails identified and reported by end users. Unfortunately, awareness of phishing and ransomware showed no signs of trickling down to the average technology user, as revealed by the international third-party survey conducted as part of the phish research.


Other key findings:

  • For the fourth consecutive year, Wombat saw an increased number of organizations that assessed and trained users on phishing avoidance.
  • Organizations using computer-based training jumped from 62% in 2016 to 79% in 2017.
  • Forty-five percent of infosec professionals reported experiencing phishing via phone calls (vishing) and SMS/text messaging (smishing). Yet, globally, 67% of technology users surveyed did not know what smishing is.
  • Across all populations, adults aged 55 and older significantly outpace millennials in their recognition of phishing.

“The State of the Phish Report shows that simulated phishing attacks are certainly valuable tools in the battle against social engineering attacks, but it also reinforces the need for CSOs, CISOs and their teams to take a broader view of cybersecurity education,” Joe Ferrara, President and CEO of Wombat Security, said. “A cyclical approach to security awareness and training is the most effective. Organizations should employ a methodology that both raises awareness of cybersecurity best practices and teaches users how to employ these practices when they inevitably face a security threat.”


The phishing report assembled data from three main sources: analysis of tens of millions of simulated phishing attacks sent through Wombat's Security Education Platform over a 12-month period; 10,000-plus responses collected from quarterly surveys of Wombat's database of infosec professionals from more than 16 industries; and insights from a third-party survey of more than 3,000 technology users in the U.S., U.K., and Germany.


Meanwhile, not only is tax season underway, but so is W-2 spear-phishing season. The privacy and data protection team at Cleveland-based law firm BakerHostetler warned that companies always need to guard against criminals attempting to obtain sensitive information through a variety of scams, but tax season presents a time for extra vigilance.


In W-2 spear-phishing scams, criminals often send a spoofed email that appears to come from a company's CEO or CFO to one or more employees in human resources or payroll. The employee thinks the request is legitimate and sends the requested information, which criminals then use to file fraudulent tax returns for refunds.


BakerHostetler attorneys said in the alert, “We expect W-2 scams to continue to rise because of the success attackers had in the past several years; the increase in activity year over year; the time and effort it takes to send targeted emails to employees across industries, which are significantly less than the effort it takes to infiltrate a network; and the low cost to enter the market as an entry-level criminal conducting W-2 scams.”


Although these scams target consumers individually, the bigger prize comes from targeting organizations. “According to the IRS, the number of businesses, public schools, universities, tribal governments and nonprofits victimized by W-2 scams increased to 200 in 2017 from 50 in 2016. Those 200 victims translated into several hundred thousand employees whose sensitive data was stolen,” BakerHostetler cautioned in the alert.


BakerHostetler also suggested companies need to take phishing scams seriously as a growing number of cases have found standing for employees to sue for damages in data security incidents, and others have recognized that the purchase of credit-monitoring services and certain out-of-pocket costs associated with fraudulent activity following the theft of personally identifiable information constituted cognizable injuries from W-2 phishing scams.
