The ninth annual State of the Phish report by Proofpoint reveals that cybercriminals are exploiting both new and traditional tactics to target organizations. The report is based upon insights from 7,500 workers and 1,050 security professionals from 15 countries, and has been compiled from data involving 18 million real emails reported by end-users, plus 135 million simulated phishing campaigns over a 12-month period.
The report indicates that in 2022, 84 percent of organizations suffered at least one successful email-based phishing attack, and that direct financial losses from phishing rose 76 percent compared with the previous year. Cybercriminals continued to employ established tactics such as brand impersonation, BEC (business email compromise), and ransomware, but they also made greater use of less common techniques against enterprises in various countries.
One particularly worrying trend highlighted by the report is the persistence of ransomware. The study found that 76 percent of organizations had experienced an attempted ransomware attack in the past year, and that 64 percent had suffered a successful infection. Additionally, over two-thirds of the infected organizations reported multiple ransomware infections. Around 90 percent of affected organizations held a cyber insurance policy, and in 82 percent of those cases the insurer agreed to pay at least part of the ransom.
The report also shows that people are still susceptible to fake emails from companies they recognize. Proofpoint observed nearly 1,600 brand-abuse campaigns against its customers worldwide in 2022. Microsoft was the most impersonated brand, with over 30 million messages posing as Microsoft products such as Office and OneDrive. Other heavily impersonated brands included Google, Amazon, DHL, Adobe, and DocuSign. Notably, 44 percent of respondents said they felt an email was safe when it carried branding they recognized.
BEC attacks were also found to be a significant concern. About three-quarters of global corporations reported an attempted BEC attack last year, with countries where English is not the primary language seeing an increase in such attacks. Job changes and resignations have surged since the pandemic, with one in four people changing or leaving jobs in the last two years, which makes protecting data harder for organizations: 65 percent reported data loss caused by an insider's actions, whether careless or malicious.
The report also highlights an increase in more complex email threats. Attackers have developed a range of techniques to circumvent multi-factor authentication; in particular, many phishing kits now include adversary-in-the-middle (AitM) capability, in which the phishing site proxies the real login page so that the victim completes MFA through the attacker's infrastructure and the attacker captures the resulting session cookie. Telephone-oriented attack delivery (TOAD) also grew: at its peak, Proofpoint registered more than 600,000 TOAD messages each day. These emails carry no malicious link or attachment; instead they urge recipients to phone a number staffed by the attackers' fake call center.
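The AitM technique described above defeats push, SMS and OTP forms of MFA because the attacker ends up holding a fully authenticated session cookie, so detection has to look at how that cookie is used afterwards. The following is an added example, not part of the Proofpoint report or any vendor's tooling: a small Python detector that runs over constructed sign-in events in a generic JSON-lines format (the field names, the sample events and the 30-minute window are assumptions of this example) and flags a session token used from a client fingerprint other than the one that completed MFA.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in a generic JSON-lines shape. This is an assumption
# of the example, not any real identity provider's log format. "mfa_success"
# marks the point at which a session cookie is issued after MFA; "session_use"
# is a later request that presents the same cookie.
SAMPLE_LOGS = """
{"ts": "2023-03-01T09:00:12Z", "user": "alice", "event": "mfa_success", "session": "s-1f3a", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/110"}
{"ts": "2023-03-01T09:00:15Z", "user": "alice", "event": "session_use", "session": "s-1f3a", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/110"}
{"ts": "2023-03-01T09:02:40Z", "user": "alice", "event": "session_use", "session": "s-1f3a", "ip": "198.51.100.77", "ua": "python-requests/2.28"}
{"ts": "2023-03-01T10:15:00Z", "user": "bob", "event": "mfa_success", "session": "s-9c2e", "ip": "192.0.2.44", "ua": "Mozilla/5.0 (Macintosh) Safari/16"}
{"ts": "2023-03-01T10:20:00Z", "user": "bob", "event": "session_use", "session": "s-9c2e", "ip": "192.0.2.44", "ua": "Mozilla/5.0 (Macintosh) Safari/16"}
{"ts": "2023-03-01T17:45:00Z", "user": "bob", "event": "session_use", "session": "s-9c2e", "ip": "192.0.2.91", "ua": "Mozilla/5.0 (Macintosh) Safari/16"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with 'ts' as a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_replay(events, window=timedelta(minutes=30)):
    """Flag session cookies used from a (IP, User-Agent) fingerprint that differs
    from the one recorded when MFA completed.

    Severity is "high" when the User-Agent changes within `window` of MFA, which
    is what a cookie lifted by an AitM proxy and replayed from attacker tooling
    looks like, and "medium" for an IP-only change, which may just be a user
    switching networks. Returns a list of alert dicts in event order.
    """
    bound = {}    # session id -> (mfa timestamp, fingerprint at MFA)
    alerts = []
    for ev in events:
        fp = (ev["ip"], ev["ua"])
        if ev["event"] == "mfa_success":
            bound[ev["session"]] = (ev["ts"], fp)
            continue
        if ev["event"] != "session_use" or ev["session"] not in bound:
            continue
        mfa_ts, mfa_fp = bound[ev["session"]]
        if fp == mfa_fp:
            continue
        ua_changed = fp[1] != mfa_fp[1]
        within_window = (ev["ts"] - mfa_ts) <= window
        alerts.append({
            "user": ev["user"],
            "session": ev["session"],
            "ts": ev["ts"].isoformat(),
            "ip": ev["ip"],
            "ua": ev["ua"],
            "mfa_ip": mfa_fp[0],
            "mfa_ua": mfa_fp[1],
            "severity": "high" if (ua_changed and within_window) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_events(SAMPLE_LOGS)):
        print(f"[{alert['severity']}] {alert['user']} session {alert['session']} "
              f"used from {alert['ip']} ({alert['ua']}) after MFA from {alert['mfa_ip']}")
```

Two caveats worth keeping in mind when adapting this. First, in a real AitM attack the MFA event itself arrives from the proxy's IP rather than the victim's, so the user's historical sign-in locations are a second useful signal. Second, this detection only limits the damage after the cookie is stolen; origin-bound authenticators (FIDO2/WebAuthn) prevent the theft, because the browser signs the real origin it is talking to and the identity provider rejects an assertion made for the proxy's look-alike domain.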
The report underscores the need for better cyber hygiene: many survey participants could not correctly define key terms such as malware, phishing, and ransomware. Furthermore, fewer than half of the organizations with a security awareness program train their entire workforce, and only about one-third run phishing simulations.
Given the evolving threat landscape and the increasing sophistication of cyber attacks, organizations must prioritize cybersecurity education and awareness for their employees. This includes training on basic cyber hygiene, recognizing phishing attacks, and reporting suspicious emails. It is also crucial to implement robust security controls, such as multi-factor authentication and endpoint protection, and to regularly review and update these controls. Finally, organizations should consider partnering with external security experts to develop a comprehensive cybersecurity defense that combines their expertise with in-house security best practices.