More than two-thirds of UK workers knowingly put their organisations at risk by taking unnecessary and inappropriate cyber risks, exposing their employers to data breaches, malware or ransomware infections, financial loss and reputational damage, according to Proofpoint’s 10th annual State of the phish report.
Proofpoint said that while the documented incidence of phishing attacks has declined – 66% of UK organisations experienced a successful phishing attack in 2023 compared with 91% in 2022 – the negative consequences are through the roof. It has observed a 30% uptick in reports of financial losses, including penalties such as regulatory fines, and a 78% increase in reports of reputational damage.
“Cyber criminals know that humans can be easily exploited, either through negligence, compromised identity or, in some instances, malicious intent,” said Ryan Kalember, chief strategy officer at Proofpoint.
“Individuals play a central role in an organisation’s security posture, with 74% of breaches still centring on the human element. While fostering security culture is important, training alone is not a silver bullet. Knowing what to do and doing it are two different things. The challenge is now not just awareness, but behaviour change.”
Proofpoint said its findings challenged long-held beliefs that people who indulge in risky behaviours only do so because they lack appropriate levels of cyber security knowledge and have not undergone security awareness training.
Proofpoint’s data found 70% of surveyed working adults have reused or shared credentials, clicked on a link from an unknown sender, or handed over credentials to an untrustworthy source, and 97% of them had done so knowing it wasn’t okay
Quizzed on this issue, security professionals said most people understand that cyber security is a collective responsibility, or to put it another way, people know they are doing the wrong thing but are not letting that stop them. It said this signals a worrying gap between the limitations of security technology and user education.
Based on the data collated by Proofpoint, the scale of the problem is indeed daunting. Some 70% of surveyed working adults said they had reused or shared credentials, clicked on a link from an unknown sender, or handed over credentials to an untrustworthy source, and 97% of them had done so knowing it wasn’t okay.
Their motivations for doing so were varied, but the majority of risk takers did so because it was more convenient (48%), they wanted to save time (40%), and they felt the matter was urgent enough to throw caution to the wind (22%).
Turning to the clear disconnect on driving behaviour change between cyber teams and ordinary employees, while 81% of surveyed security professionals said most employees know security is their responsibility, 58% of surveyed employees either weren’t sure where responsibility lay or outright denied they were responsible.
Furthermore, even though virtually everybody who did something silly knew the inherent risks – which would suggest security training is working to some extent – there were clearly disparities between what security teams and users felt was the most effective way to encourage behaviour change.
Defenders tended to believe that more training (85%) and tighter controls (89%) were the right way forward, but 94% of employees said they would feel more inclined to do the right thing if controls were simplified and more user-friendly.
Threat landscape
The report goes on to provide an overview of the current phishing threat landscape based on Proofpoint’s own telemetry, which draws on 2.8 trillion emails at 230,000 customer organisations using its services, and 183 million simulated phishing attacks.
Among some of the more concerning issues of the past 12 months are a surge in business email compromise (BEC) attacks benefiting from the newly acquired power of generative artificial intelligence (GenAI) – although the number of BEC attacks in the UK specifically were actually down by over 10%. Proofpoint reckons it now stops an average of 66 million BEC attacks every month. And it almost goes without saying that BEC attacks are now “benefiting” from GenAI, which cyber criminals are using to create ever-more convincing lures to spoof trusted figures within the target organisation, such as financial and human resources leaders.
Proofpoint also highlighted a flourishing “market” for telephone-oriented attack delivery (Toad) methods. These appear to recipients as benign messages containing a phone number and some erroneous information, but if the victim calls back in response, they are connected to a fraudulent call centre where cyber criminals can work on them to give up their credentials or grant remote access to their systems. Proofpoint’s telemetry currently detects 10 million Toad attacks every month, peaking in August 2023 when 13 million incidents were seen.
The report also highlighted the increasing use of advanced techniques to bypass multifactor authentication (MFA). MFA is held up by the security community as something of a silver bullet to prevent account takeover and has become a standard element of best practice to bolster basic resilience, but according to Proofpoint, we may now be beginning to reach its limitations.
The study highlighted a number of observed attacks using proxy servers to intercept legitimate MFA tokens on the way to their users, letting attackers bypass the additional layer of security provided by one-time codes and biometrics.
Concerningly, a not-insignificant number of off-the-shelf phishing kits – such as can be bought on underground cyber crime forums – now include MFA bypass capabilities as standard, which means that even relatively unsophisticated attackers can benefit. Proofpoint highlighted the EvilProxy framework, which generates around a million observed phishing threats on a monthly basis, as a particular source of concern.
Read more about phishing
Jack Chapman and James Dyer of Egress explore how phishing attacks are set to grow in their scope and sophistication this year, with generative AI playing a big role.
Guidance from US cyber agency CISA focuses on two primary goals of phishing attacks: obtaining login credentials, often via social engineering, and installing malware on target systems.
