Human-centric threats continue to impact organisations in the UK with reports of direct financial penalties due to phishing up 30% and reports of reputational damage up 78%

Proofpoint, Inc., a leading cybersecurity and compliance company, today released its tenth annual State of the Phish report, revealing that more than two-thirds (67%) of UK employees knowingly put their organisations at risk, potentially leading to ransomware or malware infections, data breaches, or financial loss.

And while the incidence of successful phishing attacks has declined (66% of surveyed organisations in the UK experienced at least one successful attack in 2023 versus 91% the previous year), the negative consequences have soared: a 30% increase in reports of financial penalties, such as regulatory fines, and a 78% increase in reports of reputational damage.

The findings from this year’s report notably challenge the traditional belief that people take risky actions due to a lack of cybersecurity knowledge and that security awareness training alone can fully prevent unsafe behaviors. The conundrum extends to security professionals’ belief that most employees know they are responsible for protecting an organisation, signalling a gap between the limitations of individual security technology and user education. 

“Cybercriminals know that humans can be easily exploited, either through negligence, compromised identity or—in some instances—malicious intent,” said Ryan Kalember, chief strategy officer, Proofpoint. “Individuals play a central role in an organisation’s security posture, with 74% of breaches still centering on the human element. While fostering security culture is important, training alone is not a silver bullet. Knowing what to do and doing it are two different things. The challenge is now not just awareness, but behaviour change.”

This year’s State of the Phish report provides an in-depth overview of the current threat landscape, where generative AI, QR codes and multifactor authentication (MFA) are abused by malicious actors, as sourced by Proofpoint’s telemetry of more than 2.8 trillion scanned emails across 230,000 organisations worldwide, as well as findings from 183 million simulated phishing attacks sent over a twelve-month period. The report also examines the perceptions of 7,500 employees and 1,050 security professionals across 15 countries, showing how attitudes towards security manifest in real-world behaviour and how threat actors are finding new ways to take advantage of our preference for speed and expedience, as well as the current state of security awareness initiatives. 

U.K specific findings show how cybersecurity practices can vary by region. Review the report for full details on our North American, EMEA and APAC discoveries:

Employees aren’t taking risky actions because they lack security awareness: 70% of surveyed working adults admitted to taking risky actions, such as reusing or sharing a password, clicking on links from unknown senders, or handing over their credentials to an untrustworthy source. 95% of them did so knowing the inherent risks involved, meaning that 67% of UK employees willingly undermined their organisation’s security. The motivations behind risky actions are varied, with most employees citing convenience (48%), the desire to save time (40%), and a sense of urgency (22%) as their main reasons.  

There’s a disconnect between IT teams and employees in driving real behaviour change: While 81% of surveyed security professionals said that most employees know they are responsible for security, 58% of surveyed employees either weren’t sure, or claimed that they’re not responsible at all. And even though virtually all employees who took a risky action knew the inherent risks (95%)—a clear indication security training is working to drive employee awareness—there are clear disparities between what security professionals and employees think is effective to encourage real behaviour change. Security pros believe that more training (85%) and tighter controls (89%) are the answer, but nearly all surveyed employees (94%) said they would prioritise security if controls were simplified and more user-friendly. 

MFA continues to provide a false sense of security, leaving businesses exposed: Over one million attacks are launched with the MFA-bypass framework EvilProxy every month, yet, worryingly, 92% of UK security professionals still believe MFA provides complete protection against account takeover. 

Business email compromise (BEC) attacks benefit from AI: In the UK, 74% of organisations were targeted by BEC attacks in 2023, compared to 86% in 2022. Overall, fewer organisations reported email fraud attempts globally, but attack volume grew in countries such as Japan (35% year-over-year increase), South Korea (+31%), and the UAE (+29%). These countries may have previously seen fewer BEC attacks due to cultural or language barriers, but generative AI allows attackers to create more convincing and personalized emails in multiple languages. Proofpoint detects an average of 66 million targeted BEC attacks every month. 

Cyber extortion persists as a lucrative form of attack: 64% of UK organisations experienced a successful ransomware infection in the past year (a 3-percentage point increase year-over-year); alarmingly, 77% of UK IT professionals said their organisation experienced multiple, separate ransomware infections. Of the organisations impacted by ransomware, 64% agreed to pay the attackers, which is 10% higher than the global average of 54%. However, only 34% of these organisations were able to regain access to their data after a single payment (up from 33% a year ago).

Telephone-oriented attack delivery (TOAD) continues to flourish: Although initially appearing as a benign message, containing nothing more than a phone number and some erroneous information, the attack chain is activated when an unsuspecting employee calls a fraudulent call centre, providing their credentials or granting remote access to malicious actors. Proofpoint detects 10 million TOAD attacks per month, on average, with a recent peak in August 2023, which drew 13 million incidents. 

Despite the growing prominence and sophistication of threats such as ransomware, TOAD and MFA bypass, many organisations are not adequately prepared or trained to deal with them. Only 23% of organisations educate their users on how to recognise and prevent TOAD attacks, and only 23% educate their users on generative AI safety.

Global findings from Proofpoint’s 2024 State of the Phish report underline lax security behaviors demonstrated by employees globally, creating substantial risk for organisations and their data.

Here are key global takeaways:

Employees aren’t taking risky actions because they lack security awareness: 71% of surveyed working adults admitted to taking risky actions, such as reusing or sharing a password, clicking on links from unknown senders, or handing over their credentials to an untrustworthy source. 96% of them did so knowing the inherent risks involved, meaning that 68% of employees willingly undermined their organisation’s security. The motivations behind risky actions are varied, with most employees citing convenience (44%), the desire to save time (39%), and a sense of urgency (24%) as their main reasons.  

There’s a disconnect between IT teams and employees in driving real behavior change: While 85% of surveyed security professionals said that most employees know they are responsible for security, 59% of surveyed employees either weren’t sure or claimed that they’re not responsible at all. Security pros believe that more training (83%) and tighter controls (81%) are the answer, but nearly all surveyed employees (94%) said they would prioritise security if controls were simplified and more user-friendly. 

MFA continues to provide a false sense of security, leaving businesses exposed: With over one million attacks launched with the MFA-bypass framework EvilProxy every month, worryingly, 89% of security professionals still believe MFA provides complete protection against account takeover. 

Cyber extortion persists as a lucrative form of attack: 69% of organisations experienced a successful ransomware infection in the past year (a 5-percentage point increase year-over-year); alarmingly, 60% of IT professionals said their organisation experienced multiple, separate ransomware infections. Of the organisations impacted by ransomware, 54% agreed to pay attackers (down from 64%), with only 41% regaining access to their data after a single payment (down from 52% a year ago).

Telephone-oriented attack delivery (TOAD) continues to flourish: Although initially appearing as a benign message, containing nothing more than a phone number and some erroneous information, the attack chain is activated when an unsuspecting employee calls a fraudulent call center, providing their credentials or granting remote access to malicious actors. Proofpoint detects 10 million TOAD attacks per month, on average, with a recent peak in August 2023, which drew 13 million incidents. 

To download the State of the Phish 2024 report and see a full list of global and regional comparisons, visit: https://www.proofpoint.com/us/resources/threat-reports/state-of-phish. 

For more information on how to drive behaviour change, visit: https://www.proofpoint.com/uk/product-family/security-awareness-training.  

### 

About Proofpoint, Inc. 

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organisations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com. 

Connect with Proofpoint: X | LinkedIn | Facebook | YouTube 

Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.