Annual State of Phishing Report

In fact, in 2020 Cofense stood alone actively discouraging sending COVID-19 themed phishing simulations at the outbreak of the pandemic. The peanut gallery of information security experts grumbled on Twitter about the need for realism. While they were occupied retweeting, the Cofense customer community produced more REAL coronavirus/COVID-19 phishing email indicators than the entirety of the global cyber vendor landscape combined.*

Let that gel for a bit. The inventors of phishing simulations blocked COVID-19 themed PhishMe templates, yet our customers’ employees reported more real COVID-19 phish than anyone else.

A Cofense theme for 2020 was shining a light on the phishing tactics that evade secure email gateway (SEG) detection. We published a stream of SEG bypass samples on our blog prompting many organizations to ask for help testing their email environments.

This report explains how Cofense is in a unique position to report on this. In fact, most of this report is focused on the REAL phish we see that bypassed multiple layers of automation, only to be smoked out by real humans who are backed by organizations that encourage reporting.

What went wrong in 2020

Over 1.5 million simulated phishing emails leave our PhishMe infrastructure every Monday. Unfortunately, some non-Cofense customers did not heed our cautionary tale of avoiding certain emotionally charged lures. 2020 claimed new CISO victims whose “awareness programs” publicly blew up on social media when the promise of a bonus in a phishing simulation to an organization cutting budget was not well received. 2020 pwned a security awareness vendor, too. While they were busy creating naughty employee lists for their Computer Based Training upsell, it was clear in their Incident Response webinar they didn’t have a serious program in place to triage suspicious email reports.