If you don’t know what it is, can’t identify it and can’t keep from toppling into its traps, then you can’t fight it, suggests security provider Proofpoint in its eighth annual State of the Phish report.
The “it” is email-based malware attacks, the kingpin of hacking methods, which victims often fall for out of a lack of awareness, inadequate training or risky behaviors, such as using a company mobile device for home use.
Proofpoint’s report takes an in-depth look at user phishing awareness, vulnerability and resilience, and comes away with some startling numbers: More than three-quarters of the organizations associated with the 4,100 IT security professionals and staffers in the worldwide study were hit by email-based ransomware attacks in 2021, and an equal number were victimized by business email compromise attacks, an 18 percent spike from 2020.
What explains the year-over-year climb? Cyber criminals continue to focus on compromising people, not necessarily systems, Proofpoint said. Email remains cyber criminals’ go-to attack strategy, said Alan Lefort, Proofpoint security awareness training senior vice president and general manager. “Infosec and IT survey participants experienced an increase in targeted attacks in 2021 compared to 2020, yet our analysis showed the recognition of key security terminology such as phishing, malware, smishing (text-based ruse), and vishing (telephone trickery) dropped significantly,” said Lefort. “The awareness gaps and lax security behaviors demonstrated by workers create substantial risk for organizations and their bottom line.”
Cyber attacks in 2021 had a much wider impact than in 2020: 83 percent of survey respondents said their organization experienced at least one successful email-based phishing attack, up from 57 percent in 2020. And nearly 70 percent of organizations said they suffered at least one ransomware infection stemming from a direct email payload, second-stage malware delivery or other exploit.
Here are the report’s global findings:
- Almost 60% of those infected with ransomware paid a ransom.
- 32% paid additional ransom sums to regain access to data and systems.
- 54% regained access to data/systems after the first payment, while 4% never got access to data/systems, even after paying.
- 10% refused to pay additional ransom demand(s) and walked away without data.
- 42% said they took a dangerous action (clicked a malicious link, downloaded malware, or exposed their personal data or login credentials) in 2021.
- 56% of people with access to an employer-issued device allowed friends and family to use it to do things like play games, stream media and shop online.
- 53% of respondents were able to correctly identify the definition of the term ‘phishing’ in a multiple-choice array. This was down from last year’s 63% mark, a 16% year-over-year decrease.
- 63% recognized the definition of malware (down from 65% in 2020), just 23% identified the definition of smishing (down from 31% in 2020), and only 24% recognized the definition of vishing (down from 30% in 2020).
- Ransomware was the only term that saw a global increase in recognition, with correct answers rising from 33% in 2020 to 36% in 2021.
Here are the report’s U.S.-specific findings:
- 80%: U.S. workers who use one or more of their own devices for work, the highest of any region surveyed.
- 64%: U.S. workers who use personal phones/smartphones for work; 30% use personal tablets.
- 73%: Global respondents who use employer-issued devices for work.
- 55%: U.S. workers who admitted to taking a risky action in 2021. 26% clicked an email link that led to a suspicious website, and 17% accidentally compromised their credentials.
- 52%: U.S. workers who dealt with a cyber attack or fraud in 2021. 19% were victims of identity theft, and 17% paid a ransom to regain access to a personal device or data.
- 84%: U.S. organizations that said security awareness training has reduced phishing failure rates, the highest of any country surveyed.
- 67%: U.S. organizations that use phishing tests mimicking trending threats, the most likely of any country to do so, compared with the 53% global average.