Organisations in Singapore have invested hundreds of millions of dollars in cybersecurity and work hard to keep up with changing regulations. Despite these efforts, some of the best-known brands have succumbed to phishing attacks.
A new survey conducted by Proofpoint for The 2022 Singapore User Risk Report reveals that phishing attacks are deluging Singaporeans. We surveyed 600 working adults based in Singapore and learned that 76% of Singaporeans receive scam calls, texts, and emails at least once a week and 14% receive scam communications more than five times a week.
The pandemic-driven increase in working from home and overall digital engagement expanded the attack surface available to cyber criminals and offered them new opportunities. The continued anxiety around COVID-19, combined with a rapid increase in online banking and shopping, has enabled cyber criminals to exploit the emotions of their victims and a lack of awareness around sophisticated phishing schemes.
The recent spate of phishing attacks on the customers of major banks has been in the headlines and most Singaporeans have had firsthand experience. Despite an increase in public awareness of phishing attacks, organisations' ability to detect and stop them still needs to improve.
Less than half of working Singaporeans can identify a scam call
Phishing, as we know it today, is often a toxic blend of voice, email and SMS engagement (known as "smishing"). These types of attacks are becoming more sophisticated and, to many, seem genuine, effectively bridging the physical and online worlds. Our report reveals that less than half (44%) of working Singaporeans can determine whether or not a call from an unknown caller is a scam.
Nearly half of working Singaporeans can't verify links from cloud providers
Today, users commonly access documents via links to public cloud apps such as Google Drive, Microsoft OneDrive and Dropbox. Cyber criminals often use fake links purporting to be from these companies and other cloud providers to lure victims into downloading malware and/or sharing sensitive data.
In fact, even real links from these sites are used to host malware and disseminate email phishing attacks. In 2021 alone, Proofpoint found that over 45 million threats were sent to Proofpoint customers with malicious content hosted by Microsoft. People tend to trust these links implicitly, so the probability of attackers' success is high.
In Singapore, nearly half of the working population doesn't know how to verify links or isn't aware that there is a way to verify links from cloud service providers. This is an enormous people-centred vulnerability, and companies can mitigate risks with security awareness programs.
28% of working Singaporeans will share OTPs
Despite instructions not to share one-time passwords (OTPs), our research shows that 28% of working Singaporeans are likely or very likely to share their OTP with a friend or acquaintance over an email or messaging platform, if requested. That means a message that appears to come from a friend can be expected to obtain an OTP more than 25% of the time.
This is an extremely concerning finding, as the actions of a few individuals can put an entire company at risk. Even more concerning is that a staggering 66% of managing directors and 75% of regional leaders are likely or very likely to share OTPs that they believe have been wrongly delivered.
This is particularly worrying, as high-privilege users are targeted disproportionately in attacks across organisations. The Human Factor 2022 report from Proofpoint shows that while 10% of users are classified as managers, directors or executives, this group represents almost 50% of the most severe risk of attack.
In our most recent report, Cybersecurity: 2022 Board Perspective, just over half (56%) of Singaporean board members, against a global average of 67%, believe human error is their biggest cyber vulnerability, despite the World Economic Forum finding that human error leads to 95% of all cybersecurity incidents.
So, what does this mean for Singaporean companies? It highlights that, in most cases, human factors matter more than the technical specifics of an attack. Cyber criminals are looking for relationships that can be leveraged, trust they can abuse and access they can exploit.
Multi-vector, multi-stage phishing attacks are inevitable, but with the right mindset, tools, and policies, they can be a manageable threat. Security leaders and boards need to understand that investing in more controls, perimeter defences and technology is not enough – people need to be at the centre of their strategy.
Visit https://www.proofpoint.com/au/resources/e-books/singapore-user-risk-report to read the complete findings from the 2022 Singapore User Risk Report.