Employees still too gullible, falling for phishing lures: Report

Employees continue to fall for phishing lures that endanger their organizations, according to Proofpoint’s latest annual international survey of IT/infosec managers and employees.

Eighty-four per cent of 1,050 survey respondents in 15 countries said that their organization had experienced at least one successful email-based phishing attack during 2022. Canadian respondents were in line, with 82 per cent saying their organization had been breached at least once last year due to phishing.

Of those that had been successfully attacked, 30 per cent globally (23 per cent of Canadians) said their organizations had suffered a direct monetary loss, such as a fraudulent invoice, wire transfer, or payroll redirection. Globally this represented a 76 per cent increase in the percentage suffering financial loss over 2021.

The numbers are in Proofpoint’s latest State of the Phish report. The full report is available here. Registration is required.

Among the other significant findings:

— nearly 65 per cent of respondents said their organization had experienced data loss last year because of an insider. The number was even higher for the U.S., the U.K. and the Netherlands, at around 85 per cent. The most common cause of data loss to insiders was carelessness or negligence;

— about 76 per cent of organizations experienced an attempted ransomware attack, with 64 per cent experiencing a successful infection. Over two-thirds of respondents said their organizations experienced multiple separate incidents of infection;

— 64 per cent of infected organizations agreed to pay ransom. Of those, 90 per cent got help from their cyber insurance;

— about 52 per cent of ransomware victims — slightly better odds than a coin flip — regained access to their data after making a single ransomware payment. Nearly as many were obliged to make further payments, and some still never regained access to their data;

— only 35 per cent of respondents said their organizations conduct phishing simulation, down from 41 per cent in 2021.

In addition to the survey of IT and infosec pros, the report questioned 7,500 working adults. Among the results the report’s authors found:

• basic security concepts are still not understood — more than a third of survey respondents couldn’t define “malware,” “phishing” or “ransomware;”
• 44 per cent of respondents think an email is safe when it contains familiar branding (such as a recognized company name). Unfortunately, brand abuse remains one of the most common attack tactics;
• regarding insider loss, among the end users who changed jobs within the past two years, nearly half admitted to taking data with them when they left. The survey doesn’t say if that was sensitive data;
• there is a disconnect between what infosec pros think and what employees feel. While 83 per cent of infosec respondents said they feel employees think security is a top priority at work, 33 per cent of working adults said security is not a top priority for them.

“Building a security awareness program tailored to the specific threats faced by your
organization is a big challenge,” the report’s authors admit. “But,” they add, “there’s reason for optimism. Sixty-seven per cent of security pros said that phishing failure rates have gone down since a security awareness program was implemented.”

Training is crucial, but not sufficient, the report adds. “A strong workplace security culture will motivate users to take security more seriously and help them build sustainable security
habits that extend to their personal lives.”

Also vital is measuring the behavioral metrics that matter, says the report. Management should respond with “appropriate and fair remediation.”

“While conventional phishing remains successful,” said Ryan Kalember, Proofpoint’s executive vice-president for cybersecurity strategy, “many threat actors have shifted to newer techniques, such as telephone-oriented attack delivery and adversary-in-the-middle (AitM) phishing proxies that bypass multifactor authentication. These techniques have been used in targeted attacks for years, but 2022 saw them deployed at scale. We have also seen a marked increase in sophisticated, multi-touch phishing campaigns, engaging in longer conversations across multiple personas.

“Whether it’s a nation-state-aligned group or a BEC actor, there are plenty of adversaries willing to play the long game.”

Among the Canadian responses filtered out from the surveys:

— two-thirds (66 per cent) of Canadian organizations reported an attempted business email compromise attack last year (BEC attacks try to convince employees into transferring money to an account controlled by a threat actor, seemingly at the request of an executive);

— 66 per cent of Canadian organizations experienced an attempted ransomware attack in the past year, with half suffering a successful infection. Only 56 per cent regained access to their data after making the initial ransomware payment.

— 40 per cent of Canadian respondents said their organization experienced multiple, separate ransomware infections.

— more than one in three infected organizations in Canada paid ransoms, and many (33 per cent) did so more than once.