REPORT
2024 State of the Phish
Risky actions, real-world threats and user resilience in an age of human-centric cybersecurity
2024 STATE OF THE PHISH \ REPORT
INTRODUCTION
Imagine a successful cyberattack against your organization. What does it look like? Maybe it involves a fiendishly clever piece of social engineering—a convincing lure that catches the recipient off guard. Or maybe it would take a smart technical exploit to get past your defenses. But in reality, threat actors don’t always have to try that hard.
Often, the easiest way to breach security is to exploit the human factor. People are a key part of any good defense, but they can also be the most vulnerable. They may make mistakes, fall for scams or simply ignore security best practices. According to this year’s State of the Phish survey, 71% of working adults admitted to taking a risky action, such as reusing or sharing a password, clicking on links from unknown senders, or giving credentials to an untrustworthy source. And 96% of them did so knowing that they were taking a risk.
When obliged to choose between convenience and security, users pick the former almost every time. So, what can organizations do to change this? In this report we’ll take a closer look at how attitudes towards security manifest in real-world behavior, and how threat actors are finding new ways to take advantage of our preference for speed and expedience. We’ll also examine the current state of security awareness initiatives, as well as benchmarking the resilience of people and organizations against attack.
The foundation of this report is a survey of 7,500 end users and 1,050 security professionals, conducted across 15 countries. It also includes Proofpoint data derived from our products and threat research, as well as findings from 183 million simulated phishing messages sent by our customers over a 12-month period and more than 24 million emails reported by our customers’ end users over the same period.
TABLE OF CONTENTS
4 Key Findings
6 Security Behaviors and Attitudes
6 End-user behavior and attitudes
10 Security Awareness Trends
10 Current state of security awareness
12 Areas for improvement
14 The Threat Landscape
Threat prevalence
Growing threats: TOAD, MFA-Bypass, QR codes and generative AI
BEC attacks benefit from AI
Microsoft remains most-abused brand
Ransomware still a major concern
Attack consequences
20 Organizational Benchmarks
21 Industry failure rate
27 Conclusion
KEY FINDINGS
Over 1 million attacks are launched with MFA-bypass framework EvilProxy every month, but 89% of security professionals still believe MFA provides complete protection against account takeover.
71% of users took a risky action, and 96% of them knew they were doing something risky.
66 million BEC attacks were detected and blocked on average per month by Proofpoint.
69% of organizations were infected by ransomware.
85% of security professionals said that most employees know they are responsible for security, but 59% of users either weren’t sure or claimed that they’re not responsible at all.
10 million TOAD messages are sent every month.
Microsoft continues to be the most abused brand, with 68 million malicious messages associated with the brand or its products.
58% of users who took risky actions engaged in behavior that would have made them vulnerable to common social engineering tactics.
Security Behaviors and Attitudes
Even the best technical defenses can be undermined if users don’t do the basics, such as avoiding suspicious links, verifying the sender’s identity and setting a strong password and keeping it to themselves. However, many users fail to follow these simple rules, putting themselves and their organizations at risk.
End-user behavior and attitudes
According to our survey, 71% of users said they took a risky action and almost all of them—96%—did so knowingly. Among that group, 73% said they’d taken two or more risky actions. And more than a third of the risks they took were rated by those users as either “extremely risky” or “very risky.”
Risky Actions Taken (percentage of users)
Use work device for personal activities: 29%
Reuse or share password: 26%
Connect without using VPN at a public place: 26%
Respond to a message (email or SMS text) from someone I don’t know: 24%
Access inappropriate website: 20%
Click on links or download attachments from someone I don’t know: 19%
Share work device with friends or family: 16%
Call an unfamiliar phone number in an urgent email: 13%
Tailgating: allow others to enter the office without badging in: 11%
Upload sensitive data to unproven third-party cloud: 10%
Give credentials to untrustworthy source: 9%
Have never taken a risky action: 29%
Users took risky actions for a variety of reasons: convenience, time saving and urgency being the most common answers. But a small cohort of 2.5% took risky actions purely out of curiosity. Either way, the message is clear: people aren’t taking risky actions because they lack security awareness. Often, users know what they are doing when they take risks and are quite willing to gamble with organizational security.
[Chart: Why Risky Action is Taken. Reasons shown: It is convenient (44%); To save time; To meet an urgent deadline; To save money; To achieve a revenue target; To meet other performance objectives; Other, please specify.]
Nobody knows this better than the world’s cybercriminals. They understand that people can be exploited, either through negligence, obliviousness or—in rare instances—malice. Social engineering is a part of almost every email threat analyzed by our researchers. And 58% of users who took a risky action said they engaged in behavior that would put them at risk of basic social engineering tactics, such as clicking on unknown links, responding to unfamiliar senders and sharing credentials with untrustworthy sources. These actions can lead to ransomware infection, malware, data breach or financial loss.
One of the reasons users take these risks is a lack of consensus about accountability and responsibility. Only 41% of users said they know that they bear responsibility for cybersecurity at their workplace. About 7% claimed that they aren’t responsible at all, while the majority (52%) weren’t sure.
Perception on Security Responsibility (Employees vs. Security Professionals)
Yes – Employees think they are responsible for security: 41% vs. 85%
No – Employees believe security is not their responsibility: 7% vs. 13%
Not sure: 52% vs. 2%
63% of security professionals rated users with access to critical business data as the top cybersecurity risk.
This contrasts with the view among security professionals, 85% of whom say that most employees know they are responsible for security. This gap between perception and reality suggests that there is a need for clearer communication about shared responsibility, rather than just more training on security best practices and policies.
The professional view
Security professionals understandably have a different perspective on security risks to end users. They are more aware of the threat landscape and the consequences of a breach. And they have a more nuanced understanding of the challenges that go into securing complex and dynamic environments. They also have the unenviable task of finding ways to balance the need for security with the need for unhindered productivity and efficiency.
According to our survey of security professionals, they rate users with access to business-critical data as the biggest security risk (63%)—a group that is inevitably hard to manage, as much of that access is necessary. But click-happy users and those who don’t complete security awareness training are close behind in joint second place (56% each). These categories of user were all considered significantly more risky than executives/VIPs (34%), despite the latter group often having broad access to valuable data.
Users Who Represent Risk (percentage of security professionals)
Users who have business privilege and access to critical data: 63%
Users who are click happy: 56%
Users who consistently fail to complete training assignment: 56%
Suppliers or business partners: 49%
People who are leaving: 42%
VIPs, executives: 34%
Unfortunately, our survey reveals significant overlap between the riskiest behaviors identified by security professionals and the most common risky actions taken by end users. Reusing passwords, using work devices for personal activities and accessing inappropriate websites are among behaviors considered the most unsafe; all of them appeared in the top actions taken by users.
Rank | Top Risks Considered by Infosec | Top Risky Actions Taken by Users
1 | Click on links or download attachments from someone I don’t know | Use work device for personal activities
2 | Reuse or share password | Reuse or share password
3 | Access inappropriate website | Connect without using VPN at a public place
4 | Upload sensitive data to unproven third-party cloud | Respond to a message (email or SMS text) from someone I don’t know
5 | Use work device for personal activities | Access inappropriate website
This overlap suggests that users may be taking some of these actions because they are unaware of just how risky they are considered by security teams.
Security Awareness Trends
While training alone isn’t enough to change unsafe behavior, teams that lack basic security awareness tools and knowledge are still much more likely to fall prey to cybercriminals. But as new social engineering lures and techniques appear on the threat landscape, awareness programs must be agile and broad-based to remain relevant.
Current state of security awareness
First some positive news: 99% of respondents said they have a security awareness program of some sort up and running. But while the basics may already be in place, many are struggling to drive real behavioral change. A possible reason for this is that only 53% say they train everyone in the organization (down from 56% last year). This means that some users may be left out of the loop or may receive inadequate or outdated training.
Security Awareness Activities Assignment (2023 vs. 2022)
Everyone in the organization: 53% vs. 56%
Only specific departments and roles: 41% vs. 28%
Only specific individuals: 6% vs. 15%
Not sure: 1% vs. 1%
Another challenge is the coverage and relevance of training topics. Security professionals agree that remote work, password hygiene and internet safety are critical, but less than a third of security awareness programs cover all these topics. The top training topics cited by respondents were malware, Wi-Fi security, ransomware and email phishing, which are all important, but not sufficient to address the full spectrum of risks. And as we’ll see later when we examine the latest cybercriminal tactics and techniques, emerging threats can quickly become commonplace, taking unprepared users by surprise.
41% from 28%: the percentage of organizations that trained specific roles jumped year over year.
On the positive side, the survey shows some signs of improvement and innovation in security awareness tactics. Year over year, training of specific roles and departments has risen significantly (41% from 28%), indicating a more tailored and targeted approach. Time allocated to user education has also increased year over year, with more respondents dedicating over three hours per year to awareness training. Overall, the average amount of time dedicated to awareness training has increased for the first time in three years.
[Chart: Time Allocated for Security Awareness Activities. Categories: 30 minutes or less; 31–59 minutes; 1–2 hours; 3–4 hours; More than 4 hours.]
The types of tactics being used are evolving, too, with a 23% increase in the use of contests and prizes to gamify and incentivize attention. This change can help increase user engagement and motivation, while also creating a positive and fun learning environment. Computer-based training remains the most common format (45%), but other methods such as simulated USB drops, videos, posters and newsletters are also being used.
Security awareness tactics in use (percentage of respondents)
Computer-based training: 45%
Newsletters and emails: 38%
In-person training sessions: 37%
Virtual, instructor-led training: 34%
Simulated phishing attacks: 34%
Cybersecurity-based contests and prizes: 33%
Smishing and vishing simulations: 33%
Awareness posters and videos: 31%
Internal cybersecurity chat channel: 30%
Simulated USB drops: 23%
Internal wiki: 23%
My company does not have a security awareness program: 1%
However, only 34% of respondents say they perform simulated phishing attacks, despite the high volume of malicious email seen in the threat landscape. This suggests that there is still room for improvement in the composition of most security awareness training syllabuses.
83% of surveyed security professionals implement more training to drive behavior change.
81% implement more controls or restrictions.
Areas for improvement
Security is not only a technical issue, but also a cultural and organizational one. It requires the collaboration and commitment of all stakeholders, from security professionals to end users. However, there is often a gap between what security professionals think is effective and what end users say would motivate them to prioritize security.
According to our survey, security professionals believe that more training, tighter controls, closer business alignment, better rewards and stronger championing of security initiatives would all be effective in improving security.
However, fewer than a third of organizations reward positive user behaviors or champion security initiatives. These are important ways to recognize and reinforce good security practices, and to ensure that all employees are invested in creating a security-aware culture.
Rank | Actions Taken by Security Pros | User Motivation
1 | Provide more training | Making security easier for me
2 | Implement more security controls or restrictions | Using rewards and recognition
3 | Align security initiatives with business priorities | Increased engagement with leadership and security teams
In contrast, users overwhelmingly say that they want security to be made easier. They want processes to be more user-friendly, convenient and transparent, and they want to have more communication and feedback from security experts. Users overwhelmingly agree (94%) that improving ease of use would motivate them to be more attentive to security. These disparities between security team actions and user motivations clearly demonstrate the need for open communication between security teams and end users.
What Policies Motivate Users to Prioritize Cybersecurity (Motivating / Not Motivating)
Making security easier for me: 94% / 6%
Using rewards or recognition: 89% / 11%
Increased engagement from leadership or security team: 87% / 13%
More training or different styles of training: 85% / 15%
Punishment, such as reduction in pay, bonus removal, job termination: 71% / 29%
In keeping with trends we’ve observed over the past few years, punishing unwanted behavior was considered the least effective approach by security professionals. Fortunately, it was also the least implemented. Punishment can have negative effects, such as creating fear, resentment and distrust, and reducing motivation and morale. It can also discourage users from reporting incidents or seeking help, which can seriously increase the risk of security breaches. Punishment was also the least motivating response among end users, though 71% still agreed that this would be an incentive for them. This suggests that some users may be willing to comply with security rules to avoid negative consequences, though it is unlikely that compelled participation will lead to enduring behavior change.
The Threat Landscape
Cybersecurity is a constantly evolving field as cybercriminals devise new and sophisticated ways to attack people and breach organizations. Users who take risks, such as clicking on suspicious links, opening unknown attachments or using weak passwords, face an increasing variety of real-world threats from attackers.
Threat prevalence
Some of the most common forms of attack reported by survey participants were phishing, business email compromise (BEC) and ransomware. While each of these techniques is distinct, security teams will often encounter them as individual components of an extended attack chain, with phishing leading to ransomware, or a supply chain attack leading to BEC.
[Chart: Prevalence of Attacks, 2023 vs. 2022 (percentage of respondents reporting each attack type). Attack types shown: Bulk Phishing; USB Drop; Spear Phishing; BEC; Ransomware; Social Media; Supply Chain Risk; Data Loss via External Attacker; Smishing; Vishing; Data Loss via Insider; TOAD (Callback Phishing).]
However, these aren’t the only threats that users and organizations need to be aware of. According to our own data, many novel attack types are becoming increasingly prominent.
Growing threats: TOAD, MFA-Bypass, QR codes and generative AI
In telephone-oriented attack delivery (TOAD), the malicious message often appears to be completely benign, containing nothing more than a phone number and some erroneous information. It isn’t until the unsuspecting victim calls the listed number for help that the attack chain is activated. Cybercriminal call centers are operating around the world, guiding victims into granting remote access, revealing sensitive information and credentials, or even infecting themselves with malware. Our data reveals that an average of 10 million TOAD messages are sent every month.
13 million: Proofpoint saw over 13M TOAD attacks at peak in August 2023.
89% of security pros believe that MFA can protect against account compromise completely.
Another increasingly popular attack method involves using advanced techniques to bypass multifactor authentication (MFA), which is now a standard part of corporate cybersecurity. These attacks typically use proxy servers to intercept MFA tokens, allowing attackers to circumvent the additional layer of security provided by one-time codes and biometrics. Several off-the-shelf phish kits now include MFA bypass functionality, allowing even relatively unsophisticated attackers to benefit. We see around 1 million phishing threats using the popular EvilProxy framework every month. This is of particular concern, as 89% of security professionals still consider MFA to be a silver bullet for protection against account takeover, with 84% of respondents saying their organizations use MFA to prevent account takeover.
Does MFA Provide Complete Protection Against Account Takeover?
Completely agree and somewhat agree, combined: 89%
Other responses shown: Neither agree or disagree; Somewhat disagree; Completely disagree
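The proxy-based MFA bypass described above works because a relayed one-time code is indistinguishable from one typed directly at the real site, whereas a WebAuthn assertion carries the origin the browser actually talked to. The following Python is an added illustration, not Proofpoint’s code or data; the relying-party id, origins, challenge and sample code are constructed.

```python
"""Added illustration (not Proofpoint code): why a reverse-proxy MFA-bypass kit
can relay a one-time code but not an origin-bound WebAuthn assertion.
All hostnames, challenges and sample codes are constructed."""
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                             # constructed relying-party id
ALLOWED_ORIGINS = {"https://login.example.com"}   # constructed legitimate origin


def verify_otp(expected_code: str, submitted_code: str) -> bool:
    """Classic one-time-code check: the server only compares the code. A proxy
    between victim and site forwards whatever the victim typed, so the code it
    relays is accepted for the attacker's session as well."""
    return hmac.compare_digest(expected_code, submitted_code)


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: str) -> tuple[bool, str]:
    """Relying-party checks from the WebAuthn spec: ceremony type, challenge,
    origin binding and rpIdHash. Returns (ok, reason)."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(str(client_data.get("challenge", "")),
                               expected_challenge):
        return False, "challenge mismatch (stale session or replay)"
    # The browser, not the page, writes the origin into clientDataJSON, so a
    # look-alike proxy host cannot claim to be the real login origin.
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} not allowed"
    # authenticatorData = rpIdHash(32) + flags(1) + signCount(4) + ...
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"


def make_client_data(origin: str, challenge: str) -> bytes:
    """clientDataJSON as the browser would produce it for the given origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def make_auth_data(rp_id: str) -> bytes:
    """rpIdHash + flags (UP set) + signCount; the signature step is omitted."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01\x00\x00\x00\x01"


def demo() -> dict:
    """Constructed scenario: the victim types an OTP, and separately performs
    a WebAuthn ceremony once at the real site and once via a proxy host. The
    browser scopes the proxied ceremony to the proxy's own domain."""
    challenge = secrets.token_urlsafe(32)
    otp = "482913"                                  # constructed sample code
    real = verify_assertion(
        make_client_data("https://login.example.com", challenge),
        make_auth_data(RP_ID), challenge)
    proxied = verify_assertion(
        make_client_data("https://login.example-com.test", challenge),
        make_auth_data("example-com.test"), challenge)
    return {"otp_relayed_by_proxy_accepted": verify_otp(otp, otp),
            "webauthn_real_origin": real,
            "webauthn_proxied_origin": proxied}
```

Running demo() shows the relayed OTP accepted while the proxied WebAuthn ceremony is rejected on the origin check before the signature is ever examined.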
And within the paradigm of traditional phishing, attackers are finding new ways to embed malicious content. In recent months we’ve seen an increase in the use of QR codes as an alternative to links or attachments. This technique is particularly dangerous, as it both attempts to evade automated detection while presenting users with a familiar format in a context they may not have seen before. It is also impossible to tell just by looking if a QR code leads to a phishing site or malware download. Unfamiliar users scanning a QR code may not even be aware that they’ve engaged with a piece of malicious content until it’s too late.
It’s also worth noting that even the least common type of attack—USB drop—was still reported by 60% of respondents. This shows that cybercriminals are willing to try any tactic, old or new, if they think it will give them a chance to exploit an unsuspecting victim.
Despite the growing prominence and sophistication of these threats, many organizations are not adequately prepared or trained to deal with them. Only 23% of organizations train their users on how to recognize and prevent TOAD attacks, and only 23% educate their users on generative AI safety.
Generative AI is a technology that can create realistic and convincing content—such as images, videos or text—based on a given prompt or data input. This technology promises to enhance social engineering for all messaging-based attacks, as attackers can use it to improve the quality of their lure, particularly when targeting other languages. Moreover, generative AI also poses a risk of data loss, as there is currently little transparency over what happens to data that is uploaded to services such as ChatGPT and Google Bard.
BEC attacks benefit from AI
BEC attacks also continue to pose a serious threat, especially in non-English-speaking countries. Fewer organizations reported BEC attempts globally, but attacks continue to grow in prevalence among countries such as Japan (35% year-over-year increase), Korea (31% jump), and UAE (29% jump). These countries may have previously seen fewer BEC attacks due to language barriers, cultural differences or lack of visibility. But there is now a likely link between BEC and generative AI, as attackers can use the latter to create more convincing and personalized emails in multiple languages. Our own data shows an average of 66 million targeted BEC attacks every month.
68 million malicious messages included references to Microsoft and/or Microsoft products in 2023, making the software giant the world’s most abused brand.
Microsoft remains most-abused brand
Brand abuse is a favorite tactic for phishing and malware delivery, as attackers exploit the trust and familiarity that users have with certain brands. More than 68 million messages were associated with Microsoft products and brand in 2023, making it the most abused brand by cybercriminals. Adobe and DHL rounded out the top three, but at fewer than 10 million messages each.
Brand Abuse Threats (Millions)
Microsoft: 68
Adobe: 9.4
DHL: 8.8
Other brands shown: AOL, DocuSign, Amazon (each below 7 million)
20 million: Office 365 was the most abused Microsoft product in malicious email, with over 20 million email threats using the brand.
Ransomware still a major concern
The percentage of organizations that faced a ransomware attack rose 5 percentage points to 69%. Almost 60% of organizations reported four or more separate ransomware incidents in a year, indicating that ransomware is still a persistent and lucrative form of attack.
[Chart: Ransomware by the Numbers. Categories: 1–3 separate incidents; 4–6 separate incidents; 7–9 separate incidents; 10 or more separate incidents; Unsure.]
One of the ways that organizations try to mitigate the risk and impact of cyberattacks is by purchasing cyber insurance, which covers the costs and damages associated with a cybersecurity incident. Among those that had experienced a ransomware incident, 96% now have cyber insurance. Most insurers (91%) helped with ransom payments, up from 82% the year before. However, globally, the rate of payment to ransomware attackers has declined from 64% to 54%.
Infected Organizations That Agreed to Pay Ransom
2023: 54%
2022: 58%
2021: 64%
The number of respondents who regained access to their data after paying also declined, with the number who regained access after a single payment seeing the largest decline. This may be one explanation for the drop in payments. Another possible reason is that organizations are becoming more aware of the drawbacks and risks of paying ransoms, such as encouraging more attacks, funding criminal activities or receiving corrupted or incomplete data.
15% of organizations refused to pay more than one ransom after their first payment didn’t get their data back, up from just 6% in 2022.
[Chart: Ransomware Infections: What Happens After Payment, 2023 vs. 2022. Outcomes shown: Regained access to data after first payment; Paid additional ransom demand(s) and eventually; Refused to pay additional ransom demand(s) and walked (15% vs. 6%); Never got access to data even after paying ransoms.]
Attack consequences
The impact of phishing attacks on organizations can be devastating, both financially and reputationally. 71% of organizations experienced at least one successful phishing attack in 2023, down from 84% in 2022. However, while the incidence of successful phishing attacks has declined, some of the negative consequences have soared. Year on year, we saw a 144% increase in reports of financial penalties, such as regulatory fines, and a 50% increase in reports of reputational damage due to phishing incidents.
73% of organizations reported a BEC attack, but only 29% teach users about BEC attacks.
[Chart: Results of Successful Phishing Attacks, 2023 vs. 2022. Outcomes shown: Loss of data/intellectual property; Ransomware infection*; Breach of customer/client data; Credential/account compromise; Advanced persistent threat; Direct financial loss**; Financial penalty***; Other malware infection(s); Reputational damage; Zero-day exploit; Widespread network outage/downtime; I’m not sure.]
* malware was delivered via email
** wire transfer or invoice fraud
*** regulatory fine
The threat landscape is constantly evolving, as cybercriminals employ new tactics and techniques in their quest to gain an advantage. This is why it’s key to equip people with the knowledge they need to identify and resist attacks; after all, as sophisticated as these techniques are becoming, people remain their primary target. Most organizations say they use real-world threat intelligence to shape their security awareness program, however there are some major disparities. For example, 73% of organizations experienced a BEC attack, but only 29% train users specifically on BEC threats. Similarly, only 23% of organizations provide training on TOAD attacks, despite their ubiquity. The threat landscape moves pretty fast; if you don’t stop and update your program once in a while you could miss something.
Organizational Benchmarks
One of the ways that organizations can measure and improve their cybersecurity awareness and resilience is by conducting phishing simulations. Proofpoint phishing simulations mimic real-world phishing scenarios and assess how users respond to them. Our customers conducted 183 million phishing simulations over a 12-month period. Of these, link-based tests were the most common, accounting for 59% of all simulations, followed by data-entry tests (30%) and attachment-based tests (10%). However, attachment-based tests had the highest failure rate overall, at 17%. Failure rates for all types of simulations were within 1 percentage point of last year’s results.
[Chart: Simulation Type and Failure Rate (2023 frequency)]