Phishing is one of the longest-running cybersecurity threats, with the first iterations of this style of email fraud believed to have originated in 1995. It first gained widespread notoriety in 2000 with the ILOVEYOU virus, also known as Love Bug, which spread to millions of Windows PCs via a corrupted email attachment. In 2024, the threat landscape might have evolved, but attachments can still be considered the biggest security risk.
As an analysis of 183 million phishing simulations conducted by customers of enterprise cybersecurity firm Proofpoint shows, almost one in six recipients of a phishing email containing a suspicious attachment failed the test set by their IT department. Attempts at link-based phishing, which can range from directing a user to a malicious website that downloads malware or ransomware to a fake password reset request, were successful in 11 percent of all such cases analyzed. Data entry phishing, which can be used to gather personally identifiable information or login credentials for email or bank accounts, had the lowest success rate at three percent.
Not clicking on dubious links or downloading attachments, and double-checking whether the sender and the URL behind a link are legitimate, are the best ways to protect oneself from financial and other damage caused by cyberattacks. However, reporting such attacks is also a crucial part of eliminating further threats, according to cybersecurity experts. Out of the above-mentioned simulations, only 18 percent were reported to the corresponding team, according to Proofpoint's 2024 State of the Phish report.
Dave Alison, Senior Vice President of Products at cybersecurity firm Cofense, highlights the importance of reporting phishing attempts in a company blog post: "If all we focus on is recognizing suspicious or malicious emails, we are basically setting up an ineffective neighborhood watch program," says Alison. "What’s the point of seeing something suspicious if you don’t report it? As one of the most important lines of defense, employees must learn to not only identify but report questionable activity as it benefits their organization and all those around them."