Surprise! Phishing tests using file attachments have highest rate of failure

October 21, 2020

New research by Proofpoint is out, and the results are eye-opening. Their annual report, “State of the Phish,” highlights that malicious file attachments are a highly effective form of malware delivery that is often underestimated by information security teams worldwide.

Malicious file attachments are evading notice

88% of organizations surveyed reported experiencing a spear phishing lure attack in 2019. Three types of phishing schemes abound – those that lure users into clicking on links, opening attachments, and performing data entry. For the past two years, organizations focused the lion’s share of their efforts (68%) on raising awareness about link-based attacks, 22% of their efforts on data entry requests, and only 10% of their efforts on attachments.

Interestingly, while phishing tests for attachment-based scams were not prioritized in 2019, attachments proved the most effective in tripping up their victims. According to the report, in simulated phishing tests deployed by organizations to test their employees, most phishing tests with the highest failure rates (65%) were attachment-based. It seems employees are already somewhat vigilant about the other types of phishing methods and techniques—there was a 35% failure rate for link-based tests and a 0% failure rate for data entry requests.

What got these users to drop their guard was that nearly 90% of the tests were designed to look like they came from a recognizable internal account or alias, like a supervisor or HR department. Some of the sneakiest subject lines that have been notoriously successful at evading notice were: “Updated Building Evacuation Plan,” “Confidential Document” and even the more personal “Lost Watch.” These phishing emails were successful because they tapped into the employee’s natural curiosity.

Prominent file-borne phishing schemes in 2020

Earlier this year, the Votiro research team reported on a series of file-borne phishing emails that appeared to be from UPS, FedEx, and DHL, but delivered a Dridex trojan payload hidden in attached Microsoft Excel spreadsheets. This particular phishing attack method was especially challenging to detect as it used a sophisticated spoofing technique on the sending domain and included zero-day malware that evaded anti-virus email protection software.

[Image: phishing email that appears to be from UPS]

Summary

In Q3 2019, more than 4,000 end-users reported receiving emails that contained malware payloads, including keyloggers and advanced persistent threat (APT) malware. Clearly, file-borne malware attacks are on the rise and have been, unfortunately, more successful than many organizations realize. The time has come for organizations and their information security teams to focus more of their testing efforts on preventing attachment-based phishing attack methods.