Proofpoint’s 2023 State of the Phish Report Reveals Email-Based Attacks Dominated the Threat Landscape in 2022; Cyber Extortion Continues to Wreak Havoc Globally
91% of UK companies experienced at least one successful email-based phishing attack in 2022, and 82% experienced an attempted ransomware attack
Proofpoint, Inc., a leading cybersecurity and compliance company, today released its ninth annual State of the Phish report, revealing that cyber extortion continues to wreak havoc globally. Findings reveal that more than eight out of ten UK organisations (82%) experienced an attempted ransomware attack in 2022, with 62% suffering a successful infection. Of those infected, just 33% of organisations were able to regain access to data after paying an initial ransom.
This year’s State of the Phish report provides an in-depth overview of the real-world threats, as sourced by Proofpoint’s telemetry encompassing more than 18 million end-user reported emails and 135 million simulated phishing attacks sent over a one-year period. The report also examines perceptions of 7,500 employees and 1,050 security professionals across 15 countries, including the United Kingdom, revealing startling gaps in security awareness and cyber hygiene that propagate the real-world attack landscape.
Global findings include the following key takeaways:
- Cyber extortion continues to wreak havoc – 76% of global organisations experienced a ransomware attack in 2022 with 64% suffering a successful infection. Only around half (52%) were able to regain access to data after making an initial ransomware payment – but this is considerably more than the third of UK businesses.
- Insider threats make data protection more difficult for organisations – Recent job market trends like The Great Resignation have presented security challenges for global organisations, with 65% reporting they have experienced data loss due to an insider’s action. Among those who have changed jobs, nearly half (44%) admitted to taking data with them.
- Many end users continue to fall prey to bogus emails – Nearly half (44%) of employees indicate they think an email is safe when it contains familiar branding, and 63% think an email address always corresponds to the matching website of the brand.
- Business Email Compromise cyber fraud goes global – On average, three-quarters of global organisations reported an attempted BEC attack last year. While English is the most common language employed, some non-English-speaking countries are starting to see higher volumes of attacks in their own languages.
- Threat actors are leveraging new techniques – Over the past year, hundreds of thousands of telephone-oriented attack delivery (TOAD) and multi-factor authentication (MFA) bypass phishing messages were sent each day—ubiquitous enough to threaten nearly all organisations. At its peak, Proofpoint tracked more than 600,000 TOAD attacks—emails that incite recipients to initiate a direct conversation with attackers over telephone via bogus ‘call centers’—per day, and the number has been steadily rising since the technique first appeared in late 2021.
- There’s room for improvement with cyber hygiene. Even basic cyber threats are still not well understood—more than a third of survey respondents cannot define “malware,” (32%) “phishing,” (42%) and “ransomware” (60%). In addition, only 56% of global organisations with a security awareness program train their entire workforce, and only 35% conduct phishing simulations—both critical components to building an effective security awareness program.
“While conventional phishing remains successful, many threat actors have shifted to newer techniques, such as telephone-oriented attack delivery and adversary-in-the-middle (AitM) phishing proxies that bypass multifactor authentication. These techniques have been used in targeted attacks for years, but 2022 saw them deployed at scale,” said Ryan Kalember, executive vice president, cybersecurity strategy, Proofpoint. “We have also seen a marked increase in sophisticated, multi-touch phishing campaigns, engaging in longer conversations across multiple personas. Whether it’s a nation state-aligned group or a BEC actor, there are plenty of adversaries willing to play the long game.”
Additional U.K specific findings show how cybersecurity practices can vary by region. Review the report for full details on our North American, EMEA and APAC discoveries:
- Phishing attacks continued to be incredibly successful in the UK – Among the organisations that experienced attempted email-based phishing attacks last year, 91% of UK organisations experienced at least one successful attack, with more than a quarter (26%) reporting direct financial losses as a result – less than reported in 2021 (29%).
- Most UK organisations have a cyber insurance policy in place. Of the organisations impacted by ransomware, the overwhelming majority (89%) had a cyber insurance policy in place for ransomware attacks, and most insurers were willing to pay the ransom either partially or in full (64%). This can explain the high propensity to pay, with 63% of infected organisations paying at least one ransom.
- However, UK organisations fare worse globally, with cyber insurance claims denied the most often and many companies unable to gain access to data after paying a ransom. Eight out of ten UK organisations (82%) experienced an attempted ransomware attack in 2022 with 62% suffering a successful infection, and of those infected, just 33% of organisations were able to regain access to data after paying a ransom.
- Insider risk is prevalent in the UK, with many attacks emerging from within organisations. Eight out of ten (85%) UK organisations reported they have experienced data loss due to an insider’s action, and 86% of UK organisations reported an attempted Business Email Compromise (BEC) attack last year. In addition, 27% of UK employees changed job last year, and 42% of them say they took data with them.
- UK organisations must be cautious of brand impersonation phishing attacks - 34% of employees indicate they think an email is safe when it contains familiar branding, and 49% think an email address always corresponds to the matching website of the brand.
- Investment in security awareness training can avoid costly attacks. Only 58% of UK organisations have a security awareness program to train their entire workforce, and only 39% conduct phishing simulations - both critical components to building an effective security awareness program.
“The awareness gaps and lax security behaviors demonstrated by employees create substantial risk for organisations and their data,” said Adenike Cosgrove, VP, Cybersecurity Strategy, EMEA Proofpoint. “As email remains the favoured attack method for cyber criminals and they branch out to techniques much less familiar to employees, there is clear value in building a culture of security that spans the entire organisation.”
To download the State of the Phish 2023 report and see a full list of global and regional comparisons, please visit: https://www.proofpoint.com/uk/resources/threat-reports/state-of-phish.
For more information on cybersecurity awareness best practices and training, please visit: https://www.proofpoint.com/uk/product-family/security-awareness-training.
About Proofpoint, Inc.
Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including 75 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.
Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.