Risky and They Know It: 98% of Risk-Taking Users in the APJ Region Aware of the Dangers but Do It Anyway, 2024 State of the Phish Survey Finds

What if you knew that your users were aware of risks relating to cybersecurity but took risky actions anyway? Would you adjust your security awareness program? How would you change your cybersecurity strategy? And how would you motivate your users to prioritise cybersecurity?  

For our 10th annual State of the Phish report, Proofpoint gathered new data and expanded the scope of our research to shine a spotlight on how risky behaviours enable the current threat landscape.  

There were significant differences among the 15 countries that we surveyed, including the four countries in the Asia-Pacific and Japan (APJ) region—Australia, Japan, South Korea and Singapore. We hope that the insights we gathered from this region can help you to answer some of the above questions and more. We’ve summarised some key findings here. 

How we compiled the report 

The global 2024 State of the Phish report features data derived from Proofpoint Threat Protection products and research, as well as from additional sources that include:  

  • A commissioned global survey of 7,500 working adults and 1,050 IT professionals across 15 countries  
  • 183 million simulated phishing attacks sent by Proofpoint customers  
  • More than 24 million suspicious emails reported by our customers’ end users  

Now, let’s take a sneak peek at some highlights from the 2024 State of the Phish: Asia Pacific and Japan report. 

Phishing trends have a few outliers 

Several countries in the APJ region are outliers when it comes to phishing attacks. South Korea had the highest incidence of successful spear-phishing attacks of any APJ country (82% vs 63% APJ average). And those attacks rose fast: the rate was 28% higher than in 2022.

Australian organisations were targeted by spear-phishing attacks at a higher rate than any other APJ country. However, in 2023, Australian organisations saw a dramatic decrease in the number of successful attacks (56% vs 88% in 2022). This might be due to an increase in user training on these attacks, which was 52% higher than in 2022. 

Users take risky actions knowingly  

On average, users in the APJ region take far fewer risks than the global average (63% vs 71%). This may be due, in part, to users being unsure about their responsibility for security (57% vs 54% global average). This uncertainty may have an impact on how they behave.  

When users do take risks, however, they’re more likely to know their action comes with risks. Our research shows that users in the APJ region are more likely to take a risky action knowingly (98% vs 96% global average).  

Notably, APJ users engage in four of the top five behaviours that security professionals in the region rank as the riskiest. This may mean that users don’t understand what’s risky and what’s not. Risky actions include sharing passwords, connecting to the internet without using a VPN in public, and responding to messages from someone they don’t know. 

TOAD attacks vary by country 

Telephone-oriented attack delivery (TOAD) attacks have rightly gotten a lot of attention in recent years. These are phishing attacks that use an initial lure to direct the user to make further contact via the telephone. In general, non-native English-speaking countries are less targeted by TOAD attacks, which often require threat actors to speak directly to their victims. However, they are not immune.

Last year, APJ organisations saw fewer TOAD attacks than the global average (62% vs 67%). Still, Singapore and South Korea were on par with the global average (66% and 68% respectively) and Australia exceeded it (71%).  

Ransomware attacks are up 

Ransomware remains a serious threat in the APJ region. Threat actors use email-based ransomware attacks more than any other email-based tactic in this region. On average, these attacks went up slightly: 76% of APJ organisations were targeted (vs 75% in 2022). Ransomware infections also increased slightly year over year across the APJ region, from 61% in 2022 to 62% in 2023.

This trend played out differently in each country, and there were several outliers in our survey. One was South Korea. Organisations there reported a huge increase in ransomware infections (72% in 2023 vs 48% in 2022). This is not surprising given that out of the 120 countries that faced cyberattacks last year, South Korea was near the top of the list. 

BEC attacks are rising 

For many years now, business email compromise (BEC) scams have been one of the costliest threats to organisations globally. Overall, our survey results showed that fewer organisations experienced a BEC attack in 2023. However, non-English-speaking countries saw an increase.  

This could be linked to the rise of generative AI tools such as ChatGPT, which can be used to write convincing email lures in multiple languages. That likely explains why South Korea saw a sharp rise in these attacks, with 76% of organisations being targeted—up from 58% in 2022.  

Japan also saw a 35% increase year over year in the number of organisations that experienced this type of attack.  

Security awareness training changed slightly 

When it comes to training users on critical security basics, the good news is that 94% of APJ organisations say that they use threat intelligence to inform their security awareness program, which was not a major change from 2022 and 2023.  

However, applying intelligence may still be a challenge. For example, business email compromise (BEC) is spreading rapidly across the region: at least 70% of respondents report being targeted. Yet only 18% of organisations in Singapore and 24% in South Korea train on the technique.

Find out more  

Download 2024 State of the Phish: Asia Pacific and Japan to learn about the biggest regional cyberthreats and how to make your users your best defence. To read about all the countries, read the global 2024 State of the Phish report. 

Watch our webinar  

Join us for a deeper discussion in our “Transform Users to Defenders” Power Series webinar on 28 March 2024 at 9:30 AM SGT / 12:30 PM AEDT.