top of page

Nearly Nine-in-Ten Organizations Experienced Spear Phishing Attacks; Over Half Fell Victim in 2019

According to a survey of over 600 IT security professionals across seven countries, 88 percent of organizations saw spear phishing attacks, 55 percent fell victim to at least one phishing attack, 86 percent experienced business email compromise attacks and nearly two-thirds experienced a ransomware attack.

Last year I spoke at the Florida Institute of Certified Public Accountants’ (FICPA) Conference for Not-for-Profit Organizations on the topic of risk management for NPOs. The majority of the presentation, and an overwhelming majority of the questions from the attending audience, was centered on credential compromise and spear phishing attacks. As big of an issue as phishing and spear phishing have been for organizations of all types, the problem seems to only be growing.

The burgeoning issue and financial fallout from spear phishing is evidenced by the sheer number of organizations that experience and fall victim to such attacks. In their 6th annual State of the Phish report, cybersecurity firm ProofPoint surveyed IT security professionals across the US, UK, Germany, France, Spain, Japan and Australia. This survey along with surveys of over 3,500 adults across the same seven countries plus the results of over 50 million simulated phishing emails provided eye-opening results in this multifaceted study. Here’s a quick overview of some of these survey results highlighted in ProofPoint’s State of the Phish 2020 report:

The Good:

  • Although 88 percent of organizations experienced a spear phishing attack, a much smaller percentage, 55 percent, fell victim to one or more phishing attacks in 2019.

  • 95 percent of organizations employ some form of phishing awareness training and/or phishing simulations services.

  • The results from baiting, or simulated phishing attacks, show encouraging signs. Just 12 percent of organizations and 9 percent of all users failed simulated phishing attack tests. Among those who opened the phishing email the failure rate was 29 percent at the individual level and 35 percent at the organizational level.

The Bad:

  • Working adults surveyed continue to show lackadaisical security practices, especially when it comes to using employer devices at home. 90 percent admit to using employer devices for personal activities, half do not password-protect their home Wi-Fi networks and one-third do not know what a VPN (virtual private network) is.

  • Nearly half of those surveyed, 45 percent, admit to reusing passwords across accounts.

  • While many assume younger persons have an innate understanding of technology and cybersecurity, Millennials were the group least likely to correctly define Phishing or Ransomware.

The Ugly:

  • 65 percent of organizations experienced a ransomware attack in 2019. Nearly 50 percent of successful phishing attacks resulted in a ransomware infection, the third most likely outcome after loss of data and credential or account compromise. One-third of organizations decided to pay the ransom, but not all were given back their data after making payment.

  • 86 percent of organizations experienced at least one business email compromise attack in 2019. 56 percent saw more than 10 attacks while 16 percent saw more than 50 and 5 percent experienced more than 100.

  • A whopping 88 percent of organizations were on the receiving end of spear phishing attacks in 2019. 54 percent experienced 11 or more such attacks while 19 percent experienced at least 50.

Spear phishing and business email compromise continues to increase in activity from already high levels. While there is little that can be done to stop the attacks, organizations can take measures to reduce the likelihood of falling victim. This includes using firewalls and email security measures that keep phishing emails out of inboxes, employing simulated phishing campaigns to identify the most vulnerable employees and investing in training for your workforce. The Fraud Practice’s online training course How to Detect and Mitigate Phishing Threats is a deep-dive into methods and best practices related to reducing phishing and spear phishing risks.

For more information:


bottom of page