Proofpoint's 2023 State of the Phish Report: Threat Actors Double Down on Emerging and Tried-and-Tested Tactics to Outwit Employees
SUNNYVALE, Calif., Feb. 28, 2023 (GLOBE NEWSWIRE) -- Proofpoint, Inc., a leading cybersecurity and compliance company, today released its ninth annual State of the Phish report, revealing attackers are using both emerging and tried-and-tested tactics to compromise organizations. Eight in 10 organizations (84%) experienced at least one successful email-based phishing attack in 2022, with direct financial losses as a result increasing by an astonishing 76% compared to 2021. And while brand impersonation, business email compromise (BEC), and ransomware remained popular tactics among threat actors, cyber criminals also scaled up their use of less familiar attack methods to infiltrate global organizations.
This year’s State of the Phish report provides an in-depth overview of real-world threats, drawn from Proofpoint telemetry covering more than 18 million end-user reported emails and 135 million simulated phishing attacks sent over a one-year period. The report also examines the perceptions of 7,500 employees and 1,050 security professionals across 15 countries, revealing startling gaps in security awareness and cyber hygiene that sustain the real-world attack landscape.
“While conventional phishing remains successful, many threat actors have shifted to newer techniques, such as telephone-oriented attack delivery and adversary-in-the-middle (AitM) phishing proxies that bypass multifactor authentication. These techniques have been used in targeted attacks for years, but 2022 saw them deployed at scale,” said Ryan Kalember, executive vice president, cybersecurity strategy, Proofpoint. “We have also seen a marked increase in sophisticated, multi-touch phishing campaigns, engaging in longer conversations across multiple personas. Whether it’s a nation-state-aligned group or a BEC actor, there are plenty of adversaries willing to play the long game.”
Some of this year’s key findings include:
Cyber Extortion Continues to Wreak Havoc
Most infected organizations paid up, and many did so more than once. Of the organizations impacted by ransomware, the overwhelming majority (90%) had a cyber insurance policy that covered ransomware attacks, and most insurers were willing to pay the ransom either partially or in full (82%). That coverage helps explain the high propensity to pay: 64% of infected organizations paid at least one ransom, a six-point increase year-over-year.
End Users Fall Prey to Bogus “Microsoft” Emails
Considering the volume of brand impersonation attacks, it is alarming that nearly half (44%) of employees think an email is safe when it contains familiar branding, and 63% think an email’s sender address always corresponds to the brand’s own website. It is no surprise, then, that half of the 10 phishing simulation templates most used by Proofpoint customers were brand-impersonation templates, and these also tended to have high failure rates.
Business Email Compromise: Cyber Fraud Goes Global
Threat Actors Scale Up More Complex Email Threats
Cyber attackers now also have a range of methods to bypass MFA; many phishing-as-a-service providers already bundle AitM tooling into their off-the-shelf phish kits, so a kit operator can proxy the real login page, relay the victim’s password and one-time code in real time, and keep the authenticated session that the identity provider hands back.
Room for Improvement with Cyber Hygiene
In addition, only 56% of organizations with a security awareness program train their entire workforce, and only 35% conduct phishing simulations, both critical components of an effective security awareness program.
“The awareness gaps and lax security behaviors demonstrated by employees create substantial risk for organizations and their data,” said Alan Lefort, senior vice president and general manager, security awareness training, Proofpoint. “As email remains the favored attack method for cyber criminals and they branch out to techniques much less familiar to employees, there is clear value in building a culture of security that spans the entire organization.”
To download the State of the Phish 2023 report and see a full list of global and regional comparisons, please visit: https://www.proofpoint.com/us/resources/threat-reports/state-of-phish.
For more information on cybersecurity awareness best practices and training, please visit: https://www.proofpoint.com/us/product-family/security-awareness-training.
About Proofpoint, Inc.
Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.
PROOFPOINT MEDIA CONTACT: