Thanks for downloading Proofpoint's State of phishing in 2024 report.
The report surveyed 7,500 end users and 1,050 security professionals working in 15 different countries, including eight in Europe and the Middle East. In addition to analyzing global trends, it also explores how local nuances affect user behavior and an individual's awareness of their role in keeping their organization safe.
Here are five key takeaways we think you should take note of from the report:
Business Email Compromise (BEC) Attacks Continue to Impact Businesses
Throughout 2023, Proofpoint detected and blocked an average of 66 million BEC scams per month. While globally the number of attacks is decreasing, countries where English is not an official language have seen an increase in BEC attempts.
These scams are also becoming more sophisticated, with attackers using tactics like deepfakes and social engineering to bypass traditional security measures.
Companies can reduce this risk by giving staff tools that encourage proactive security reporting, such as a prominent email reporting button.
Humans are (still) the weakest link in the security chain
Despite advances in security technology and training, human error remains a major factor in the success of phishing attacks. The report found that 76% of users in Europe and the Middle East had taken a “risky action” and 95% of them knew they were doing something potentially dangerous.
While 85% of security professionals said that most employees are aware of their responsibilities, 59% of users were not sure or thought they were not responsible at all.
To mitigate this, users said that making security easier (94%) and more training (88%) would make security a priority for them.
Efforts to save time are hurting security postures
According to users, the root cause of many of these unsafe practices comes from time pressure. 41% of respondents from Europe and the Middle East said they took risky steps to save time, and another 39% said they did it because it was convenient.
Time pressure is also a core tactic cybercriminals use to push victims into acting hastily. Employees are often tricked through social engineering or manufactured urgency, leading them to bypass security protocols or click on malicious links. Organizations should prioritize ongoing security awareness training programs that make employees think twice before acting.
Rise of multimodal phishing
Phishing attempts are no longer limited to emails and there are a number of blind spots in businesses that cybercriminals are exploiting.
The report highlights an alternative vector for phishing attacks: telephone-oriented attack delivery (TOAD). 10 million TOAD messages are sent each month, and while most organizations report being targeted by TOAD messages, fewer than a third are trained in the technique.
Europe and the Middle East suffered slightly more from TOAD attacks than the rest of the world: 70% of organizations were affected by attacks using this technique, compared to the global average of 67%.
Sweden and Germany, the main targets of ransomware attacks
Phishing attacks often serve as an initial entry point for more sophisticated cyberattacks, such as ransomware. Proofpoint found that 69% of organizations globally were infected by ransomware in 2023.
However, the distribution of these attacks is not uniform: some countries are attacked more than others. Organizations in Sweden experienced the highest frequency of attempted ransomware attacks, followed by those in Germany.
German companies, though, were the most common victims of successful ransomware attacks: 85% of organizations based there reported a ransomware infection in 2023.
Proofpoint's rapid email risk assessment gives you complete visibility and insight into attacks. Take the assessment now and discover who is being targeted by email-based threats, including ransomware and malware, business email compromise, and credential phishing.