Proofpoint’s 2023 State of the Phish Report: Threat Actors Double Down on Emerging and Tried-and-Tested Tactics to Outwit Employees
Singapore organisations saw more ransomware attacks than global average; nearly 8 in 10 experienced ransomware attempts, while 68% succumbed to a successful attack
SINGAPORE, March 6, 2023 – Proofpoint, Inc., a leading cybersecurity and compliance company, today launched the first-ever Singapore edition of its State of the Phish report, revealing that attackers are using both emerging and tried-and-tested tactics to compromise Singapore organisations. This is the ninth year Proofpoint is releasing this report overall.
According to the inaugural report, 72% of Singaporean organisations experienced at least one successful attack, with almost half (46%) reporting direct financial losses as a result. And while brand impersonation, business email compromise (BEC), and ransomware remained popular tactics among threat actors, cyber criminals also scaled up their use of less familiar attack methods to infiltrate global organisations.
This year’s State of the Phish report provides an in-depth overview of the real-world threats, as sourced by Proofpoint’s telemetry encompassing more than 18 million end-user reported emails and 135 million simulated phishing attacks sent over a one-year period. The report also examines perceptions of 7,500 employees and 1,050 security professionals across 15 countries, including Singapore, revealing startling gaps in security awareness and cyber hygiene that propagate the real-world attack landscape.
“While conventional phishing remains successful, many threat actors have shifted to newer techniques, such as telephone-oriented attack delivery and adversary-in-the-middle (AitM) phishing proxies that bypass multifactor authentication. These techniques have been used in targeted attacks for years, but 2022 saw them deployed at scale,” said Ryan Kalember, executive vice president, cybersecurity strategy, Proofpoint. “We have also seen a marked increase in sophisticated, multi-touch phishing campaigns, engaging in longer conversations across multiple personas. Whether it’s a nation state-aligned group or a BEC actor, there are plenty of adversaries willing to play the long game.”
Some of this year’s key findings include:
Cyber Extortion Continues to Wreak Havoc
78% of Singaporean organisations experienced an attempted ransomware attack in the past year, with 68% suffering a successful infection. The figures in Singapore are higher than the global average, with 76% of organisations seeing a ransomware attempt and 64% succumbing to a successful attack.
Most infected organisations paid up, and many did so more than once — with 58% of Singapore organisations regaining access to data after making the initial ransomware payment. Of the organisations impacted by ransomware, the overwhelming majority (84%) had a cyber insurance policy in place for ransomware attacks, and nearly all (95%) cyber insurance companies were willing to pay the ransom either partially or in full. This is much higher than the global average, which saw 82% of cyber insurance companies willing to pay the ransom, and may also explain the high propensity to pay, with 71% of infected Singapore organisations choosing to pay at least one ransom.
End Users Fall Prey to Bogus “Microsoft” Emails
In 2022, Proofpoint observed nearly 1,600 campaigns involving brand abuse across its global customer base. While Microsoft was the most abused brand name with over 30 million messages using its branding or featuring a product such as Office or OneDrive, other companies regularly impersonated by cyber criminals included Google, Amazon, DHL, Adobe, and DocuSign. It’s worth noting that AitM attacks will display the organisation’s real login page to the user, which in many cases will be Microsoft 365.
Considering the volume of brand impersonation attacks, it’s alarming that 39% of employees in Singapore indicate they think an email is safe when it contains familiar branding, and 58% think an email address always corresponds to the matching website of the brand. It is not surprising that in phishing simulation tests run by Proofpoint customers, employees tended to fall for templates that were brand-impersonation related.
Business Email Compromise: Cyber Fraud Goes Global
On average, 72% of Singaporean organisations reported an attempted BEC attack last year. While English is the most common language employed, some non-English-speaking countries are starting to see higher volumes of attacks in their own languages. BEC attacks were higher than the global average or experienced a notable increase compared to 2021:
- The Netherlands 92% (not featured in prior analysis)
- Sweden 92% (not featured in prior analysis)
- Spain 90% vs. 77% (13 percentage point increase)
- Germany 86% vs. 75% (11 percentage point increase)
- France 80% vs. 75% (5 percentage point increase)
Pandemic-related job mobility, coupled with post-pandemic economic uncertainty, has resulted in 32% of Singaporean employees changing their job in the last year. This job market trend makes data protection more difficult for organisations, with 3 in 5 Singaporean organisations reporting they have experienced data loss due to an insider’s action. Among those who have changed jobs, 52% admitted to taking data with them, higher than the global average of 44%.
Threat Actors Scale Up More Complex Email Threats
Over the past year, hundreds of thousands of telephone-oriented attack delivery (TOAD) and multi-factor authentication (MFA) bypass phishing messages were sent each day—ubiquitous enough to threaten nearly all organisations. At its peak, Proofpoint tracked more than 600,000 TOAD attacks—emails that incite recipients to initiate a direct conversation with attackers over telephone via bogus ‘call centres’—per day, and the number has been steadily rising since the technique first appeared in late 2021.
Cyber attackers now also have a range of methods to bypass MFA, with many phishing-as-a-service providers already including AitM tooling in their off-the-shelf phish kits.
Room for Improvement with Cyber Hygiene
Threat actors always innovate, and once again this year’s report shows that most employees suffer security awareness gaps. Even basic cyber threats are still not well understood—more than a third of survey respondents cannot define “malware,” “phishing,” and “ransomware.”
Only 54% of Singaporean organisations with a security awareness program train their entire workforce, and only 2 in 5 organisations conduct phishing simulations — both critical components to building an effective security awareness program.
“The awareness gaps and lax security behaviours demonstrated by employees create substantial risk for organisations and their data,” said Jennifer Cheng, director of cybersecurity strategy for Asia Pacific and Japan, Proofpoint. “While email remains the favoured attack method for cyber criminals, we’ve also seen them become more creative — using techniques much less familiar such as smishing and vishing to fool Singaporeans. Since the human element continues to play a crucial role in safeguarding companies, there is clear value in building a culture of security that spans the entire organisation.”
To download the State of the Phish 2023 report and see a full list of global and regional comparisons, please visit: https://www.proofpoint.com/au/resources/threat-reports/state-of-phish.
For more information on cybersecurity awareness best practices and training, please visit: https://www.proofpoint.com/au/products/security-awareness-training.
About Proofpoint, Inc.
Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including 75 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.
Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.