State of the Phish 2024

FAQs from the 2024 State of the Phish Report, Part 1: The Threat Landscape

Share with your network!

In this two-part blog series, we will address many of the frequently asked questions submitted by attendees. In our first installment, we address questions related to the threat landscape.  

Understanding the threat landscape is paramount in crafting a human-centric security strategy. That's the goal behind our 10th annual State of the Phish reportWhen you know what threats are out there and how people are interacting with them, you can create a modern cybersecurity strategy that puts the complexity of human behavior and interaction at the forefront.

Our report was launched a month ago. Since then, we’ve followed up with a few webinars to discuss key findings from the report, including: 

Threat landscape findings: 

  • Over 1 million phishing threats involved EvilProxy, which bypasses multifactor authentication (MFA). Yet, 89% of security pros still believe that MFA provides complete protection against account takeover. 
  • BEC threat actors benefit from generative AI. Proofpoint detected and stopped over 66 million targeted business email compromise (BEC) attacks per month on average in 2023. 

User behavior and attitude findings: 

  • 71% of surveyed users took at least one risky action, and 96% of them knew that those actions were associated with risk. 
  • 58% of those risky actions were related to social engineering tactics. 
  • 85% of security pros believed that most employees know they are responsible for security. Yet nearly 60% of employees either weren’t sure or disagreed. 

These findings inspired hundreds of questions from audiences across the world. What follows are some of the questions that repeatedly came up.

Frequently asked questions 

What are the definitions of BEC and TOAD?  

Business email compromise (BEC) essentially means fraud perpetrated through email. It can take many forms, such as advance fee fraud, payroll redirection, fraudulent invoicing or even extortion. BEC typically involves a deception, such as the spoofing of a trusted third party’s domain or the impersonation of an executive (or literally anyone the recipient trusts).  

BEC is hard to detect because it is generally pure social engineering. In other words, there is often no credential harvesting portal or malicious payload involved. Threat actors most often use benign conversation to engage the victim. Once the victim is hooked, attackers then convince that person to act in favor of them, such as wiring money to a specified account. 

Similarly, telephone-oriented attack delivery (TOAD) attacks also use benign conversations. But, in this case, a threat actor’s goal is to motivate the victim to make a phone call. From there, they will walk their target through a set of steps, which usually involve tricking the victim into giving up their credentials or installing a piece of malware on their computer. 

TOAD attacks have been associated with high-profile malware families known to lead to ransomware, as well as with a wide variety of remote access tools like AnyDesk that provide the threat actors direct access to victims’ machines. The end goal might still be fraud; for example, there have been cases where payment was solicited for “IT services” or software (Norton LifeLock). But the key differentiator for TOAD, compared with BEC, is the pivot out of the email space to a phone call., is the pivot out of the email space to the phone. 

What is the difference between TOAD and vishing? 

TOAD often starts with an email and requires victims to call the fraudulent number within that email. Vishing, on the other hand, generally refers to fraudulent solicitation of personally identifiable information (PII) and may or may not involve email (it could result from a direct call). Some TOAD attempts may fall into this category, but most perpetrators focus on getting software installed on a victim’s machine.  

How do you see artificial intelligence (AI) affecting phishing? What are security best practices to help defend against these novel phishing attacks? 

AI allows threat actors to tighten up grammatical and syntax problems in the language of their social engineering lures and translate these messages more effectively into various languages. This increases their ability to target specific regions. These threats are not actually novel in any technical sense, meaning that AI hasn’t engendered any specific additional capability that wasn’t already present in the landscape. So, current best practices remain. No change! The threats are not fundamentally any different than any other phishing threat. A multilayered defense approach is still the best practice to address the constantly changing threat landscape. 

With the rise of large language models (LLM) and AI-generated phishing templates, how can these increasingly sophisticated threats be stopped? 

At this juncture, it is a mistake to think of these threats as increasingly sophisticated, as there is nothing that AI can do at this point that humans weren’t already doing. As for sophisticated actors, their manual efforts are still better than what AI can do. 

However, to reiterate, the origin of a threat is less important than the technical indicators and behaviors present with the threat itself. Whether it’s a human or AI-generated phishing template, we expect to see the same characteristics required for an attack. Credentials need to be entered in a form and transmitted somewhere, a landing page will be themed and hosted somewhere, and that domain will have reputation and registration information associated with it.  

Just because AI is involved in the process of writing social engineering content for a lure, it does not change any of the technical requirements. A robust email security tool should: 

  • Detect the characteristics of the sender 
  • Analyze the message body and the sender-recipient relationships 
  • Examine subsequent behaviors that a given phishing site (or malware) exhibits 

Keep in mind that AI is a tool for defenders, too. We can incorporate the same types of natural language and image processing into our detection stack. Proofpoint has been and will continue to use these technologies in our solutions. 

What are the best options for mitigating MFA bypass? 

The best option for mitigating this type of attack (and others, such as SocGholish fake update attacks) is to restrict JavaScript from running in the browser. Implementing security controls like browser isolation would be a good way to disable JavaScript. In addition, monitoring cloud logins or suspicious cloud account activities would allow you to detect potential account takeover in the event MFA is bypassed.  

At Proofpoint, we use our rich threat intelligence and behavioral analytics to provide these security controls and detect compromised email accounts. We can help you accelerate and unify email threat investigations of account takeover attacks and post-compromise cloud activities.  

No security technology is impenetrable. A layered defense will give you the best chance to address MFA bypass or account takeover

How can we reliably know the difference between a deepfake and the real thing?   

Unfortunately, there isn’t a good technical solution that exists at this time. Human judgment is the only reliable way to know the difference. Therefore, it is critical to educate your people about what deepfakes are, how they can be created, the risks associated with deepfakes and ways to mitigate those risks.  

Here are a few ways to help your people limit the potential damage of interacting with a deep fake: 

  • Check the source and confirm the authenticity of media across multiple legitimate sources 
  • Verify a call from a known contact that seems suspicious 
  • Follow the organization’s processes for handling payments or sensitive information, even if they receive voice instructions from someone they know directing them to do otherwise 
  • To reduce the chances of their likeness being used in a deep fake, limit the amount of personal information shared online, including preferences and professional details 
  • Check and update privacy settings for their social media accounts 

Learn more 

Want to learn more about today's threat landscape and what organizations like yours are most concerned about? Download our 2024 State of the Phish report.   

Proofpoint takes a holistic approach to help you protect your people from advanced threats. Check out our Threat Protection solution brief to learn more. 

And finally, stay tuned for the next installment of this two-part blog series, “FAQs from the 2024 State of the Phish Report, Part 2: User Attitudes and Behavior Toward Security.”