New Research: In Asia-Pacific Region, Willingness to Pay Ransomware Attackers Varies by Country

Share with your network!

Today we’re excited to release our newest State of the Phish report. Now in its ninth year, State of the Phish is cybersecurity’s most detailed and wide-ranging look at user risk and resilience.

The report draws from two main data sources for a complete view of cyber risks that stem from people. To explore security awareness and beliefs, we surveyed 7,500 working adults and 1,050 security professionals across 15 countries. And to capture users’ real-world behaviour, we analyzed 135 million simulated phishing attacks sent by our customers along with 18 million emails reported by their end users.

Here are a few of our key global findings:

  • Even basic concepts are still not understood—more than a third of users can’t define “malware,” “phishing” or “ransomware.” 
  • 44% of people think an email is safe when it contains familiar branding; but more than 30 million malicious messages sent in 2022 involved branding or products from Microsoft, one of the most familiar names in tech.
  • Attackers made 300,000-400,000 telephone-based phishing attempts daily, with a peak of 600,000 per day in August 2022.
  • Direct financial loss from successful phishing jumped 76%. 
  • More than 1 in 10 threats was first identified and reported by an end user.

For the first time, we are releasing regional summaries of our research alongside the global report. The Asia-Pacific edition of the report is meant to help reveal how local nuances can affect gaps in user awareness. 

Here’s a look at two key findings in State of the Phish: Asia Pacific.

1. Japanese organisations were least likely to face successful phishing attacks, while Australian organisations suffered the most

The Asia-Pacific region is home to multiple financial centers and a hotbed for innovation. As a result, organisations  in this region are also prime targets for cyber criminals. For now, the success of bad actors seems to hinge on their ability to overcome cultural and language barriers in certain countries.

For example, we found that Japanese organisations were the least likely to suffer a successful phishing attack—just 64% compared with 84% of businesses globally. Our hypothesis? Many cyber criminals targeting organisations in this region may not be fluent in Japanese, making their phishing attempts more obvious to native speakers.

In contrast, our survey also shows that Australian organisations were the most likely to face successful phishing attacks (94% vs. the 84% global average). Language is probably not the only factor working here. But English is the language most used in phishing attacks, and most Australians speak it.

2. Ransomware attacks are a significant threat for organisations in the Asia-Pacific region—but the willingness to pay ransoms varies by country

All Asia-Pacific countries included in our survey were highly likely to be targeted with ransomware. But their infection rates, willingness to pay—and who picked up the tab—varied.

For infection rates, South Korean organisations saw the lowest among those attacked in the region.

Meanwhile, organisations in Japan were the least likely in our global survey to pay ransomware attackers. A likely reason for this stance: Japanese law bars companies from giving money to organised crime; often, cyber crime falls into that category.

Most organisations infected by ransomware in Singapore had cyber insurance; 95% of those said their insurance paid some or all of the ransom amount, the highest in the region.

Meanwhile, 90% of Australian organisations that fell victim to a ransomware attack in 2022 also paid the ransom. But watch this space: the Australian government, like others around the world, are mulling laws that would bar such payments.

Get your copy of State of the Phish: Asia Pacific

For a closer look at security awareness and threat landscape trends, download your copy of State of the Phish: Asia Pacific. You’ll get insight and guidance for building a security program tailored to real-life threats and user risks. The free report is available here.