Proofpoint has released its eighth annual State of the Phish Report. The report provides a detailed overview of phishing and information on the susceptibility and awareness of users.
According to the report, criminals were more active in 2021 than in the previous year. The results also show that more than three quarters (78%) of all businesses were affected by ransomware attacks via email in 2021. At the same time, 77 percent of organizations faced BEC (business email compromise, also known as boss scams) attacks—an 18 percent increase from 2020. This shows once again that cybercriminals remain focused on identifying people as a vulnerability to exploit instead of gaining access to systems via technical security gaps.
This year’s “State of the Phish Report” is based on the analysis of a survey commissioned by Proofpoint, in which 600 IT security and information security professionals and 3,500 employees in the USA, Australia, France, Germany, Japan, Spain and Great Britain were surveyed. It also analyzes data from almost 100 million simulated phishing attacks that Proofpoint customers sent to their employees over a one-year period. The report also includes analysis of more than 15 million emails reported by users using the PhishAlarm feature.
The report also includes regional, industry and departmental benchmarking data that underscores the need for a people-centric approach to cybersecurity. Real-world examples also illustrate the value of a training solution that addresses the changing threat landscape organizations are facing, not just in the wake of the pandemic.
As noted by the State of the Phish report, cyberattacks had a much larger impact in 2021 than the year before: 83 percent of survey respondents said their organization had suffered at least one successful email-based phishing attack. In the previous year, only 57 percent were affected. Similarly, more than two-thirds (68%) of organizations said they had encountered at least one ransomware infection stemming from a direct email payload, a multi-stage malware attack, or some other exploit. The increase is consistent year-over-year and is representative of the challenges organizations faced as ransomware attacks surged in 2021.
“While 2020 has shown the importance of being flexible and responsive to change, the past year provides evidence that we need to protect ourselves better,” said Michael Heuer, Vice President DACH at Proofpoint. “With email continuing to be the attack vector of choice for cybercriminals, building a culture of security is critical. With an evolving threat landscape and the fact that working from anywhere has become a part of everyday life, organizations need to ensure their employees learn and apply new cybersecurity skills. This applies both to the workplace in the office and at home.”
The trend towards hybrid forms of work accelerated in 2021. 81 percent of companies say more than half of their employees are working remotely (either partially or fully) because of the pandemic. However, only 37 percent also train their employees on best practices for working from home. This number provides worrying evidence of a huge gap in many employees’ knowledge of security best practices for the new normal of work. So it is not surprising that, for example, 97 percent of employees stated that they have a wireless (WLAN) network at home, but only 60 percent protect their network with a password – a serious lack of fundamental security measures.
“Compared to the previous year, survey participants experienced a significant increase in targeted attacks in 2021, but our analysis also shows that knowledge of important cybersecurity terms such as phishing, malware, smishing and vishing has decreased significantly,” says Heuer. “This lack of security awareness, along with the lax behavior of many employees, poses a great risk to companies and their success in the marketplace. Our report this year therefore provides easy-to-implement advice aimed at increasing user security awareness, reducing risk and protecting employees.”
Other international findings from this year’s State of the Phish Report:
- Almost 60 percent of companies whose systems were infected with ransomware paid a ransom. Some of them (32%) paid additional ransoms to regain access to data and systems. 54 percent regained access to data and systems after the first payment, while 4 percent did not gain access to their data and systems even after the payment. 10 percent refused to pay additional ransom demands and lost their data.
- Many workers engage in risky behaviors and do not follow cybersecurity best practices. 42 percent of respondents said they performed a dangerous action in 2021, such as clicking on a malicious link, downloading malware, or revealing their personal information or login credentials. And 56 percent of employees who have access to an employer-provided device (laptop, smartphone, tablet, etc.) allowed friends and family members to use those devices, for example to play games, stream music and movies, or shop online.
- Awareness of the most important terms from the field of cybersecurity has fallen (in some cases significantly) compared to the previous year. Only 53 percent of those surveyed were able to select the correct definition for the term “phishing” in a multiple-choice question. This marks a decrease of 10 percentage points (16 percent relative decrease) from the previous year’s figure of 63 percent. Only 63 percent provided the appropriate definition for malware (vs. 65% in 2020) and only 23 percent knew what smishing meant (vs. 31% in 2020). Only 24 percent were able to correctly identify the definition of vishing (compared to 30% in 2020). Ransomware was the only term that was more often correctly classified worldwide: correct answers increased from 33 percent in 2020 to 36 percent in 2021.
- Proofpoint customers were able to achieve positive effects in the awareness and security behavior of their employees, despite increased testing and a more active threat situation. The average customer failure rate for phishing simulations remained constant at 11 percent year-over-year, while the number of tests increased by 50 percent over the 12-month comparison period.
- Employees were able to more easily report suspicious emails that reached their inboxes. During the one-year measurement period, users alerted their security teams to more than 350,000 credential phishing emails, nearly 40,000 emails containing malware payloads, and more than 20,000 malicious spam emails.
The following Germany-specific findings from the study show how much cybersecurity practices and behaviors vary by region:
- Email-based attacks dominate the threat landscape in Germany in 2021: 85 percent of the survey participants in Germany stated that their company was confronted with extensive phishing attacks in the past year. In addition, 80 percent had at least one email-based ransomware attack and 75 percent had one or more BEC attacks.
- Cyber criminals were not only more active in 2021, but also more successful: 80 percent of survey participants in Germany stated that their organization had suffered at least one successful phishing attack.
- 54 percent of German companies were affected by at least one ransomware infection resulting from a direct email payload, a multi-stage malware attack, or another exploit. 65 percent decided to pay at least one ransom demand. To break this down further, 54 percent paid a ransom and then regained access, and 37 percent paid an initial ransom and one or more additional ransoms before regaining access to data and systems. A further 9 percent paid an initial ransom but refused to pay more and were subsequently denied access to their data.
- Knowledge of the most important security terms among German employees has decreased (in some cases significantly) compared to the previous year. Only 26 percent of German workers were able to correctly match the definition of ransomware in a multiple-choice question, below the global average of 36 percent. For the other important terms, German employees scored as follows: phishing (54%), malware (56%), smishing (25%).
- Incorrect behavior in response to real or simulated phishing attacks has consequences for employees in 42 percent of German companies, and another 19 percent are considering or planning to adopt this approach.