Proofpoint’s 2022 State of the Phish Report Reveals Email-Based Attacks Dominated the Threat Landscape in 2021

Employee at Organization Taking GDPR Overview Training

91% of UK companies experienced at least one successful email-based phishing attack in 2021, and 84% of organisations saw an email-based ransomware attack in 2021

LONDON, February 22, 2022 - Proofpoint, Inc., a leading cybersecurity and compliance company, today released its eighth annual State of the Phish report, which provides an in-depth look at user phishing awareness, vulnerability, and resilience. The report reveals that attackers were more active in 2021 than 2020, with findings uncovering that more than three-quarters (78%) of global organisations saw email-based ransomware attacks in 2021, while 77% faced business email compromise attacks (BEC) (18% YoY increase of BEC attacks from 2020), reflecting cybercriminals’ continued focus on compromising people, as opposed to gaining access to systems through technical vulnerabilities.

This year’s State of the Phish report examines responses from commissioned surveys of 600 information and IT security professionals and 3,500 workers in the U.S., Australia, France, Germany, Japan, Spain, and the UK. The report also analyses data from nearly 100 million simulated phishing attacks sent by Proofpoint customers to their employees over a one-year period, along with more than 15 million emails reported via the user-activated PhishAlarm reporting button.

The report includes regional, industry and departmental benchmarking data that emphasises the need for a people-centric approach to cybersecurity. It also highlights real-world phishing examples and illustrates the value of a training solution that accounts for changing conditions, like those experienced by organisations throughout the pandemic.

Attacks in 2021 also had a much wider impact than in 2020, with 83% of survey respondents revealing their organisation experienced at least one successful email-based phishing attack, up from 57% in 2020.  In line with this, more than two-thirds (68%) of organisations said they dealt with at least one ransomware infection stemming from a direct email payload, second-stage malware delivery, or other exploit. The year-over-year increase remains steady but representative of the challenges organisations faced as ransomware attacks surged in 2021.

“Where 2020 taught us about the need to be agile and responsive in the face of change, 2021 taught us about the need to better protect ourselves,” said Alan Lefort, SVP and GM of Security Awareness Training for Proofpoint. “As email remains the favoured attack method for cyber criminals, there is clear value in building a culture of security. In this evolving threat landscape and as work-from-anywhere becomes commonplace,’ it is critical that organisations empower their people and support their efforts to learn and apply new cyber skills, both at work and at home.”

The shift to hybrid working accelerated in 2021, with 81% of organisations saying that more than half of their employees are working remotely (either part or full time) due to the pandemic. However, only 37% educate workers about best practices for remote working, illustrating a worrying gap in security best practice knowledge for the “new normal” of working. For example, 97% of workers said they have a home Wi-Fi network, but only 60% said their network is password-protected, a major lapse in basic security hygiene. 

“A staggering amount of UK businesses experienced a phishing attack in 2021, and 91% of those attacks were successful,” said Adenike Cosgrove, Cybersecurity Strategist, International, Proofpoint. “Further, security professionals in the UK are the most likely to report that their organisations face high volumes of non-emailed-based social engineering attacks. This compounds the fact that the UK is facing threats from all angles, however the key to battling these threats starts with employees.  All of these attacks require human interaction to be successful, emphasising the need for increased employee security awareness and training. Compared to global counterparts, UK workers had the highest awareness of the term ‘phishing’ which is promising, but at only 62% we still have a way to go to ensure businesses remain secure.”

State of the Phish report global findings include the following key takeaways:

  • Almost 60% of those infected with ransomware paid a ransom. Many (32%) paid additional ransom sums to regain access to data and systems. 54% regained access to data/systems after the first payment, while 4% never got access to data/systems, even after paying. 10% refused to pay additional ransom demand(s) and walked away without data.
  • Many workers exhibit risky behaviours and fail to follow cybersecurity best practices. 42% said they took a dangerous action (clicked a malicious link, downloaded malware, or exposed their personal data or login credentials) in 2021. And 56% of people who have access to an employer-issued device (laptop, smartphone, tablet, etc.) allowed friends and family to use those devices to do things like play games, stream media, and shop online.
  • Awareness of key security terminology dropped (in some cases, significantly) year-over-year. Only 53% of respondents were able to correctly identify the definition of the term ‘phishing’ in a multiple-choice array. This was down from last year’s 63% mark, a 16% year-over-year decrease. Only 63% recognised the definition of malware (down from 65% in 2020), just 23% identified the definition of smishing (down from 31% in 2020), and only 24% recognised the definition of vishing (down from 30% in 2020). Ransomware was the only term that saw a global increase in recognition, with correct answers rising from 33% in 2020 to 36% 2021.
  • Proofpoint customers saw positive results in awareness and security behaviours, even with more testing and a more active threat climate. Our customers’ average failure rate on phishing simulations held steady at 11% year over year, even with the 50% increase in testing seen over our 12-month measurement period.
  • Employees were able to better report suspicious emails they receive in their inboxes. Over our one-year measurement period, users alerted their security teams to more than 350,000 credential phishing emails, nearly 40,000 emails with malware payloads, and more than 20,000 malicious spam emails.

Additional U.K. -specific findings show how cybersecurity practices can vary by region. Review the report for full details on our North American, EMEA, and APAC discoveries:

  • In 2021, phishing attacks were not only pervasive in the UK but were incredibly successful with 91% of UK survey respondents saying their organisation faced broad phishing attacks and a staggering 91% were successfully compromised by a phishing attack. 91% of UK survey respondents said their organisation experienced at least one successful phishing attack.
  • 84% of UK organisations faced at least one email-based ransomware attack and 81% faced one or more business email compromise (BEC) attack.
  • 78% of UK organisations said they dealt with at least one ransomware infection stemming from a direct email payload, second-stage malware delivery, or other exploit. Of these, 82% opted to pay at least one ransom. To break this down further, 69% paid a ransom and gained access, 28% paid an initial ransom and a follow-up ransom(s) and got access to data/systems and 3% paid an initial ransom, refused to pay more and did not get access to data.
  • UK organisations were most likely to face high volumes of non-email-based social engineering attacks in 2021. More than 20% faced 50+ smishing, social media, and vishing attacks, while 78% faced at least one malicious USB drop. To combat this, 37% of UK organisations simulate malicious USB drops, the most of any region surveyed.
  • Compared to global counterparts, UK workers had the highest awareness of the term ‘phishing’. 62% of UK respondents correctly identified the term phishing, however, this falls short of 69% in last year’s report. UK workers correctly identified the following terms: malware (71%), ransomware (47%), smishing (24%).
  • UK organisations are outperforming the global average when it comes to staff cybersecurity training. 59% of UK organisations provide security awareness training to everyone in their organisation (vs. the 57% global average). 53% train individuals they know are being targeted by specific types of attacks.
  • 77% of UK organisations punish employees who interact with real or simulated phishing attacks, a 28% increase from 2021. The UK were also most likely of all countries to incorporate more “severe” punishments, with 42% inflicting monetary penalties (vs. 26% global average) and 29% terminating employees based on their interactions with real and simulated attacks (vs. 18% global average).

To download the State of the Phish 2022 report, and see a full list of global and regional comparisons, please visit: For more information on cybersecurity awareness best practices and training, please visit:


About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organisations of all sizes, including more than half of the Fortune 1000, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at

Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTube


Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.