Secure email gateway (SEG) vendors often position their solutions as blocking 99 percent of malware to arrest phishing emails but in many cases it’s a marketing claim, said Cofense, an email security specialist, in its newly released 2022 Annual State of Phishing Report.
The problem is that malware comprises less than three percent of phishing emails reported by employees, the company said. The 99 percent figure gives SEG developers an “insurance policy” when phishing emails make it past their layered defense. “If you know about the 1% that side-steps your filtering wouldn’t you block it to begin with?” Cofense said.
With that backdrop, Cofense said its study showed that phishing attacks containing malicious URLs were four times more likely to bypass secure email gateways than those with attachments. Accordingly, the company cautioned organizations not to rely too heavily on technology and not to undervalue human reporting to identify and combat phishing expeditions and attacks. Indeed, users well trained to help root out phishing is a key component of a strong defense.
Here are some additional findings from the study:
- Credential phishing continues to be the top threat facing organizations, increasing 10 percentage points since 2020.
- 67% of all phishing emails observed are credential phishing.
- 52% of all credential phish were branded as Microsoft.
- Cofense observed nearly 100 unique malware families, representing the complicated landscape of distinct threats organizations need to watch.
- The healthcare industry continues to be the top target of business email compromise (BEC) attacks.
- 16% of malicious emails found in healthcare environments were BEC attacks.
- Of the Indicators of Compromise analyzed by Cofense’s Phishing Defense Center, 80% contained malicious URLs found in the body of the email, while 20% utilized nefarious attachments.
- Organizations are increasingly aligning their employee simulation training with real threats known to be targeting their organization.
- Cofense saw a 7-point increase in simulations based on credential phishing in 2021.
“If there is anything I hope the industry takes away from Cofense’s 2022 Annual State of Phishing Report, it is that threat actors are innovating but secure email gateways are not, and well-conditioned users report real phish,” said Aaron Higbee, Cofense co-founder and chief technology officer. “I believe the number of real phish, reported by real users, found in all major SEG environments speaks for itself,” he said.