Today we’re excited to release our newest State of the Phish report. Now in its ninth year, State of the Phish is cybersecurity’s most detailed and wide-ranging look at user risk and resilience.
The report draws from two main data sources for a complete view of cyber risks that stem from people. To explore security awareness and beliefs, we surveyed 7,500 working adults and 1,050 security professionals across 15 countries. And to capture users’ real-world behaviour, we analyzed 135 million simulated phishing attacks sent by our customers along with 18 million emails reported by their end users.
Here are a few of our key global findings:
- Even basic concepts are still not understood – more than a third of users can’t define “malware,” “phishing” or “ransomware.”
- 44% of people think an email is safe when it contains familiar branding, but more than 30 million malicious messages sent in 2022 involved branding or products from Microsoft, one of the most familiar names in tech.
- Attackers made 300,000-400,000 telephone-based phishing attempts daily, with a peak of 600,000 per day in August 2022.
- Direct financial loss from successful phishing jumped 76%.
- More than 1 in 10 threats was first identified and reported by an end user.
For the first time, we are releasing regional summaries of our research alongside the global report. The Europe and Middle East edition of the report is meant to help organisations understand how local nuances can affect gaps in their end-user security awareness.
State of the Phish: Europe and the Middle East includes data from France, Germany, Italy, the Netherlands, Spain, Sweden, the United Kingdom, and the United Arab Emirates (UAE). It draws on surveys of 4,000 working adults and 650 security professionals.
Here’s a look at three key findings featured in our summary for this region.
1. Nearly three-quarters (71%) of EMEA organisations lost data to insiders in 2022
We expanded our latest State of the Phish survey to include insider threats—and learned that they are a major issue for organisations across the region. This category of threats includes malicious data theft, account compromise and data loss due to careless users.
Across EMEA, an average of 71% of organisations said they had lost data to insiders in the past year. That number was even higher for the United Kingdom and Netherlands, at around 85%. Also, we found that German businesses were the most likely to face frequent insider attacks (18%); UAE organisations were the least likely (4%).
2. Italian organisations were the least likely to experience successful phishing attacks, while Swedish organisations suffered the most
This is also the first year that we included Italy in our survey. The addition yielded some interesting results. For one, we learned that organisations in Italy—among all of the countries we surveyed across the globe—were the least likely to face successful phishing attacks. While this is a positive finding, other factors may be influencing this result, such as less strict security reporting rules.
We also found that organisations in Sweden were the most likely in the region to suffer successful phishing attacks (94%). It’s worth noting that Sweden has a low level of security awareness training. For example, only 18% of organisations in the country train their known targeted users.
3. Organisations in the Netherlands see the most cyber attacks from inside and outside
Our research shows that Dutch organisations are top targets. For example, 86% of organisations in the Netherlands were targeted by insiders last year; the global average was 66%. And 84% of Dutch businesses reported that they faced outsider-driven attacks, compared with 68% of organisations globally.
A silver lining, perhaps, is that organisations in the Netherlands focus on security training for people more than those in the other 14 countries represented in our survey. That training is likely a key factor in our finding that Dutch employees are the least likely to give out personal information or passwords.
4. Ransomware is ubiquitous, but not everyone shows the same willingness to pay
Of the countries in the region, only organisations in Italy enjoyed a ransomware incidence rate of below 50%. Sweden faced the highest rate of infection at 82%. The other countries varied between 62-76%. Swedish organisations were also very likely to pay ransoms; 80% said they paid up after infection. Germany represents an interesting outlier here: despite a relatively low infection rate of 63%, German organisations were the most likely to pay.
Get your copy of State of the Phish: Europe and the Middle East
For a closer look at security awareness and threat landscape trends, download your copy of State of the Phish: Europe and the Middle East. You’ll get insight and guidance for building a security program tailored to real-life threats and user risks. The free report is available here.