Phishing study: Employees are taking far too much risk 


Almost two thirds of employees in Germany (64%; worldwide 68%) knowingly expose their company to risks that could lead to ransomware or malware infections, data security incidents or financial losses.

That's just one finding from Proofpoint's 10th annual State of the Phish Report. While the frequency of successful phishing attacks has decreased slightly (86 percent of the companies surveyed in Germany experienced at least one successful attack in 2023, compared to 89 percent in the previous year), the negative consequences have increased sharply: reports of financial penalties, e.g. in the form of fines, rose by 510 percent, and reports of reputational damage rose by 67 percent.

A lot of ignorance about the dangers

Only around 30 percent of employees have not yet taken any risks (Image: Proofpoint).

This year's results in particular call into question the widespread assumption that people behave riskily because they lack cybersecurity knowledge, and that education alone can therefore prevent unsafe behavior. The belief held by many security professionals that most employees are aware of the role they play in protecting the company is also called into question by the results.

This year's State of the Phish report provides a detailed overview of the current threat landscape, in which cybercriminals abuse generative AI and QR codes and bypass multi-factor authentication (MFA). The results are supported by Proofpoint's telemetry data, based on more than 2.8 trillion emails scanned across 230,000 organizations worldwide, and on 183 million simulated phishing attacks sent over a 12-month period.

The report also draws on surveys of 7,500 employees and 1,050 security professionals in 15 countries. It shows how attitudes to cybersecurity manifest in actual behavior and how threat actors find new ways to exploit people's preference for speed and convenience. The report also addresses the current state of security awareness initiatives.

Evaluation across 230,000 organizations worldwide

Employees don't engage in risky behavior because they lack security awareness: 69 percent of the employees surveyed admitted to risky behavior such as reusing or sharing a password, clicking on links from unknown senders, or handing over their login credentials to a source they could not verify as trustworthy. 93 percent of them did so knowing the risks involved, which means that 64 percent of German employees knowingly put their company's security at risk. The motivations vary, with most employees citing convenience (46%), saving time (44%) and a sense of urgency (22%) as the main reasons.

Mismatch between IT teams and employees

Employees take risks because it is more convenient or simply saves time (Image: Proofpoint).

86 percent of the security professionals surveyed assume that most employees know they share responsibility for security. In contrast, 65 percent of the employees surveyed were either unsure or said they bore no responsibility at all. Virtually all employees (93%) who took a risky action knew the risk involved, a clear sign that security awareness training does get the message across.

However, security professionals and employees differ significantly on what effectively changes behavior. Security professionals believe more training (80%) and stricter controls (92%) are the answer, whereas nearly all employees surveyed (92%) say they would prioritize security if controls were simpler and easier to use.

MFA gives a false sense of security

More than a million attacks per month are launched using the EvilProxy MFA bypass framework, an adversary-in-the-middle reverse-proxy kit that relays the victim's login to the real sign-in page and captures the authenticated session cookie. Even so, 89 percent of German security professionals still believe that MFA offers complete protection against account takeover.
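To make concrete why one-time-code MFA does not stop an adversary-in-the-middle relay, here is an added toy model (example code written for this page, not EvilProxy's code and not from the Proofpoint report). A relay proxy forwards the victim's password and OTP to a constructed identity provider and keeps the resulting session cookie; an origin-bound, WebAuthn-style credential fails at the same proxy because the signed origin does not match. The IdP, the hosts login.example.com and login.example-com.net, the demo password, and the HMAC that stands in for the authenticator's signature are all assumptions of the demo, not anything the report describes.

```python
import hashlib
import hmac
import secrets
import time

REAL_ORIGIN = "https://login.example.com"       # constructed: the genuine identity provider
PROXY_ORIGIN = "https://login.example-com.net"  # constructed: attacker's look-alike host


def totp_like(seed, now=None):
    """6-digit code over a 30-second window, TOTP-shaped but simplified (not RFC 6238)."""
    window = int(time.time() if now is None else now) // 30
    mac = hmac.new(seed, str(window).encode(), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"


class IdP:
    """Toy identity provider: password + OTP login, and an origin-bound (WebAuthn-style) login."""

    def __init__(self):
        self.password = "correct horse"          # constructed demo password
        self.otp_seed = secrets.token_bytes(20)   # shared with the user's OTP app at enrolment
        self.cred_key = secrets.token_bytes(32)   # HMAC key standing in for a registered public key
        self.sessions = set()

    def _new_session(self):
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def issue_challenge(self):
        return secrets.token_hex(16)

    def login_otp(self, password, otp, now=None):
        ok = hmac.compare_digest(password, self.password) and \
            hmac.compare_digest(otp, totp_like(self.otp_seed, now))
        return self._new_session() if ok else None

    def login_origin_bound(self, challenge, origin, signature):
        """Accept only an assertion over the genuine origin; the signature covers the origin too."""
        expected = hmac.new(self.cred_key, f"{origin}|{challenge}".encode(), hashlib.sha256).digest()
        if origin != REAL_ORIGIN or not hmac.compare_digest(signature, expected):
            return None
        return self._new_session()

    def is_valid_session(self, cookie):
        return cookie is not None and cookie in self.sessions


class UserDevices:
    """The victim's OTP app and origin-bound authenticator (secrets shared at enrolment)."""

    def __init__(self, idp):
        self.password = idp.password
        self.otp_seed = idp.otp_seed
        self.cred_key = idp.cred_key

    def otp(self, now=None):
        return totp_like(self.otp_seed, now)

    def sign(self, challenge, origin_seen_by_browser):
        # A WebAuthn authenticator signs client data that includes the origin the browser is on
        msg = f"{origin_seen_by_browser}|{challenge}".encode()
        return hmac.new(self.cred_key, msg, hashlib.sha256).digest()


class AitMProxy:
    """Attacker's reverse proxy: relays whatever the victim submits and keeps the cookie."""

    def __init__(self, idp):
        self.idp = idp
        self.stolen_cookie = None

    def relay_otp(self, password, otp, now=None):
        self.stolen_cookie = self.idp.login_otp(password, otp, now)
        return self.stolen_cookie   # the victim is logged in too, so nothing looks wrong

    def relay_origin_bound(self, challenge, origin, signature):
        self.stolen_cookie = self.idp.login_origin_bound(challenge, origin, signature)
        return self.stolen_cookie


def otp_mfa_is_bypassed():
    """Victim types password and a fresh OTP into the look-alike page; the proxy gets a live session."""
    idp = IdP()
    proxy, victim = AitMProxy(idp), UserDevices(idp)
    now = time.time()
    proxy.relay_otp(victim.password, victim.otp(now), now)
    return idp.is_valid_session(proxy.stolen_cookie)


def origin_bound_mfa_resists():
    """The same relay fails against an origin-bound credential, with or without origin rewriting."""
    idp = IdP()
    proxy, victim = AitMProxy(idp), UserDevices(idp)
    challenge = idp.issue_challenge()
    assertion = victim.sign(challenge, PROXY_ORIGIN)   # the browser really is on the attacker's host
    forwarded = proxy.relay_origin_bound(challenge, PROXY_ORIGIN, assertion)  # rejected: origin mismatch
    rewritten = proxy.relay_origin_bound(challenge, REAL_ORIGIN, assertion)   # rejected: signature mismatch
    return forwarded is None and rewritten is None


def legitimate_origin_bound_login_works():
    idp = IdP()
    victim = UserDevices(idp)
    challenge = idp.issue_challenge()
    cookie = idp.login_origin_bound(challenge, REAL_ORIGIN, victim.sign(challenge, REAL_ORIGIN))
    return idp.is_valid_session(cookie)


if __name__ == "__main__":
    print("OTP MFA bypassed by AitM relay:", otp_mfa_is_bypassed())
    print("Origin-bound MFA resists relay:", origin_bound_mfa_resists())
    print("Genuine origin-bound login works:", legitimate_origin_bound_login_works())
```

The point for defenders is in the last two functions: a relay succeeds against any factor the user can type or approve, and fails only where the credential is cryptographically bound to the origin the browser actually connected to. That is why "MFA" alone is not a complete answer to account takeover, while phishing-resistant MFA (FIDO2/WebAuthn) is a different category.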

Business Email Compromise (BEC) attacks benefit from AI

In Germany, 82 percent of companies were targeted by BEC attacks last year, compared to 86 percent in 2022. Worldwide, fewer companies reported email fraud attempts overall. However, attack volumes rose in countries such as Japan (+35% year-on-year), South Korea (+31%) and the UAE (+29%), countries that may have seen fewer BEC attacks in the past because of cultural or language barriers. With generative AI, attackers can now produce more convincing, personalized emails in multiple languages. Proofpoint detects an average of 66 million targeted BEC attacks per month.

Cyber extortion still lucrative

85 percent of German companies were successfully infected with ransomware last year (up 35% on the previous year), and 75 percent experienced multiple separate ransomware infections. Of the companies affected, almost all (93%) agreed to pay the attackers (up from 81% last year). 63 percent regained access to their data after a single payment (compared with 41 percent a year earlier).

Telephone-Oriented Attack Delivery (TOAD) attacks continue to rise

A TOAD attack chain begins innocuously with a message containing some false information and a phone number. It becomes dangerous when an unsuspecting employee calls the fraudulent call center and reveals their credentials or grants remote access to the attackers. Proofpoint detects an average of 10 million TOAD attacks per month, with a peak of 13 million in August 2023.
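As an added example (written for this page, not part of the Proofpoint report and not its detection logic), the heuristic below triages messages for the trait that lets TOAD lures slip past link- and attachment-based filters: the only call to action is a phone number, wrapped in billing or urgency language. The sample messages, the SecureShield brand and all phone numbers are constructed; the scoring thresholds are assumptions, not anything the report states.

```python
import re

# Phone-like runs; the digit-count filter below drops dates, times and invoice numbers
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.IGNORECASE)
MONEY_RE = re.compile(r"[$€£]\s?\d|\d+[.,]\d{2}\s?(?:usd|eur|gbp)\b")
# Substring matches on purpose: "renew" covers "renewed"/"renewal", "charge" covers "charged"
PRESSURE_TERMS = ("invoice", "renew", "charge", "subscription", "refund",
                  "suspend", "within 24 hours", "call", "cancel")


def triage_toad(subject, body, has_attachment=False):
    """Score a message for TOAD-lure traits; returns score, verdict and the reasons."""
    text = f"{subject}\n{body}".lower()
    phones = [m for m in PHONE_RE.findall(text) if sum(ch.isdigit() for ch in m) >= 9]
    urls = URL_RE.findall(text)
    hits = [t for t in PRESSURE_TERMS if t in text]
    score, reasons = 0, []
    if phones:
        score += 2
        reasons.append("phone number in message: " + ", ".join(phones))
    if phones and not urls and not has_attachment:
        # The defining TOAD trait: the only call to action is to dial, so URL and
        # attachment scanners have nothing to inspect
        score += 2
        reasons.append("no link or attachment; the phone call is the only call to action")
    if len(hits) >= 2:
        score += 1
        reasons.append("billing/pressure language: " + ", ".join(hits))
    if MONEY_RE.search(text):
        score += 1
        reasons.append("money amount mentioned")
    verdict = "TOAD-suspect" if score >= 4 else "review" if score >= 2 else "no TOAD signal"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real phishing data)
SAMPLES = [
    ("billing lure", "Action required: your subscription was renewed",
     "Your annual SecureShield plan was renewed for $389.99 and will be charged to the card "
     "on file. If you did not authorize this, call our billing desk at +1 (800) 555-0199 "
     "within 24 hours to cancel and request a refund.", False),
    ("vendor contact", "New printer vendor contact",
     "Here is the updated contact for the printer vendor: +49 89 1234567. "
     "Open tickets at https://support.example.com/tickets.", False),
    ("link phish", "Mailbox storage full",
     "Your mailbox will be suspended unless you verify your account at "
     "https://login.example-com.net/verify", False),
]


def triage_samples():
    """Run the heuristic over the constructed samples; returns (name, verdict) pairs."""
    return [(name, triage_toad(subj, body, att)["verdict"]) for name, subj, body, att in SAMPLES]


if __name__ == "__main__":
    for name, subj, body, att in SAMPLES:
        result = triage_toad(subj, body, att)
        print(f"{name:14s} score={result['score']} verdict={result['verdict']}")
        for reason in result["reasons"]:
            print("   -", reason)
```

The "review" verdict for the benign vendor message is expected: a phone number alone is a triage signal, not a block rule. The third sample shows the complementary gap in the other direction: a conventional link phish scores nothing here and must be caught by URL analysis, which is exactly what a TOAD lure avoids.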

Despite the growing threat from ransomware, TOAD and MFA bypass, and their increasing sophistication, many organizations are not adequately prepared or trained to counter them. Only 21 percent of German companies train their employees to recognize and prevent TOAD attacks, and just as few train users in the safe use of generative AI.

More at proofpoint.com

About Proofpoint

Proofpoint, Inc. is a leading cybersecurity company whose focus is on protecting people, because they are a company's greatest asset but also its greatest risk. With an integrated suite of cloud-based cybersecurity solutions, Proofpoint helps organizations around the world stop targeted threats, protect their data and educate their users about the risks of cyberattacks.
