Thank you for downloading 2024 State of the Phish from Proofpoint.
The report surveyed 7,500 end users and 1,050 security professionals working in 15 different countries, including eight in Europe and the Middle East. As well as looking at global trends, it explores how local nuances affect user behavior and an individual’s awareness of their role in keeping their organization secure.
Here are five key takeaways we think you should keep in mind from the report:
Business email compromise (BEC) attacks continue to plague businesses
Over the course of 2023, Proofpoint detected and blocked 66 million BEC scams per month on average. While globally the number of attacks is falling, countries where English is not an official language have seen an increase in BEC attempts.
These scams are also increasing in sophistication, with attackers using tactics such as deepfakes and social engineering to circumvent traditional security measures.
Businesses can combat this risk by providing their staff with tools that encourage them to be more proactive in their security reporting, such as prominent email reporting buttons.
Humans are (still) the weakest link in the security chain
Despite advancements in technology and security awareness training, human error remains a significant factor in successful phishing attacks. The report found 76% of users in Europe and the Middle East had taken a ‘risky action’ and 95% of them knew they were doing something potentially dangerous.
While 85% of security professionals said most employees are aware of their responsibilities, 59% of users either weren’t sure or thought they weren’t responsible at all.
To mitigate this, users said making security easier (94%) and more training (88%) would make security more of a priority for them.
Time-saving efforts are hurting security postures
Many of these unsafe practices stem from time pressure, according to users. 41% of respondents from Europe and the Middle East said they took risky actions in order to save time, and a further 39% said they did so because it was convenient.
Time pressure is also a core strategy used by cyber criminals to pressure victims into acting hastily. Employees are often tricked by social engineering tactics or urgency ploys, leading them to bypass security protocols or click on malicious links. Organizations need to prioritize ongoing security awareness training programs that make employees think twice before acting.
Rise of multimodal phishing
Phishing attempts are no longer confined to email, and cyber criminals are exploiting a number of blind spots in businesses.
The report highlights an alternative vector for phishing attacks: telephone-oriented attack delivery (TOAD). 10 million TOAD messages are sent every month, and while most organizations reported being targeted by TOAD messages, fewer than a third train on the technique.
Europe and the Middle East saw slightly more TOAD attacks than the rest of the world, with 70% of organizations being affected by attacks using the technique, compared to the global average of 67%.
Sweden and Germany the top targets for ransomware attacks
Phishing attacks often serve as the initial entry point for more sophisticated cyberattacks, such as ransomware. Proofpoint found that 69% of organizations globally were infected by ransomware in 2023.
The distribution of these attacks is not even, however, with some countries being targeted more than others. Organizations in Sweden saw the highest frequency of attempted ransomware attacks, followed by those in Germany.
German businesses were the most common victims of successful ransomware attacks, however, with 85% of organizations based there reporting a ransomware infection in 2023.
The Proofpoint Email Rapid Risk Assessment provides you with comprehensive visibility and insights into attacks. Take the assessment now and discover who is being targeted by email-based threats, which include ransomware and malware, business email compromise and credential phishing.