Phone Attacks and MFA Bypass Drive Phishing to New Heights

Security researchers document a 76% year-over-year increase in financial losses from phishing attacks. Sophisticated tactics and gaps in user knowledge give threat actors an edge.

Proofpoint's 2023 State of the Phish report draws on 135 million simulated phishing attacks and over 18 million emails reported by customer end-users in the past year, as well as interviews with 7,500 consumers and 1,050 IT workers in 15 countries.

The report reveals that 84% of organizations suffered at least one successful email phishing attack in 2022, and 54% dealt with three or more attacks during that period.

The vendor highlighted telephone-oriented attack delivery (TOAD) and multi-factor authentication (MFA) bypass phishing as being particularly successful for threat actors.

“In TOAD attacks, targets receive messages containing fake invoices and alerts. The messages also include a customer service number for those with questions,” the report explains.

“When a victim calls that number, they find themselves speaking with a cyber attacker.”

Proofpoint says it saw over 600,000 TOAD attacks daily during peak periods. No figures were available for MFA bypass attacks, but the vendor notes that threat actors now have a variety of methods to carry them out, and warns that off-the-shelf phishing kits may ship with features built in for this purpose.

“Traditional phishing remains successful, but many threat actors are moving to newer techniques such as telephony-oriented attack delivery and adversary-in-the-middle (AitM) phishing proxies that bypass multi-factor authentication. The technique has been used in targeted attacks for many years, but in 2022 it was deployed at scale,” said Ryan Kalember, EVP of Cybersecurity Strategy at Proofpoint.

“There has also been a marked increase in sophisticated multi-touch phishing campaigns, with longer conversations between multiple personas. There are many enemies out there.”

Cybercriminals also take advantage of low security awareness and a lack of employee knowledge.

Over a third of users cannot define simple concepts such as “phishing,” “ransomware,” or “malware,” and 44% believe an email is safe to act on when it appears to come from a familiar brand.

More than three-quarters (78%) use their work device for personal tasks, and 28% of employees reuse passwords across multiple work-related accounts. Proofpoint added that a third engaged in risky behavior, such as clicking a link, when faced with an attack.

Organizations share the blame: only a third (35%) said they run phishing simulation exercises, and just over half (56%) run security awareness programs for all staff.

Phishing can cause serious problems for an organization. Of the companies that responded, 76% said they had experienced a ransomware attack in the last year, 64% were successfully infected, and only half were able to regain access to their data after paying the ransom.

Two-thirds (65%) of respondents say they have lost data due to insider actions.
