Phone Attacks and MFA Bypass Drive Phishing in 2022


Security researchers have recorded a 76% year-on-year (YoY) increase in financial losses stemming from phishing attacks, as sophisticated tactics and user knowledge gaps give threat actors the upper hand.

Proofpoint compiled its 2023 State of the Phish report from interviews with 7500 consumers and 1050 IT security professionals across 15 countries, as well as 135 million simulated phishing attacks and over 18 million emails reported by customer end users over the past year.

It revealed that 84% of organizations surveyed had suffered at least one successful email phishing attack in 2022, and that 54% had dealt with three or more such attacks during the period.

The vendor highlighted telephone-oriented attack delivery (TOAD) and multi-factor authentication (MFA) phishing as particularly successful for threat actors – recording hundreds of thousands of these attacks per day at points during the year.

“In a TOAD attack, targets receive a message, often containing a fake invoice or alert. The message also contains a customer service number for anyone with questions,” the report explained.

“If the victim calls the number, they find themselves on the line with a cyber-attacker. Our researchers have seen a range of next steps, including guiding victims to download malware, transfer money or enable remote access.”

Proofpoint said it saw over 600,000 TOAD attacks per day at the peak. There was no figure for MFA bypass attacks, but the vendor warned that threat actors now have a range of methods to carry out these attacks and can even make use of functionality built into off-the-shelf phishing kits.

“While conventional phishing remains successful, many threat actors have shifted to newer techniques, such as telephone-oriented attack delivery and adversary-in-the-middle (AitM) phishing proxies that bypass multi-factor authentication. These techniques have been used in targeted attacks for years, but 2022 saw them deployed at scale,” said Ryan Kalember, EVP of cybersecurity strategy at Proofpoint.

“We have also seen a marked increase in sophisticated, multi-touch phishing campaigns, engaging in longer conversations across multiple personas. Whether it’s a nation state-aligned group or a BEC actor, there are plenty of adversaries willing to play the long game.”
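The AitM bypass Kalember describes, and the reason it does not carry over to origin-bound credentials, in a constructed Python simulation. This is an added example, not code from the page or from Proofpoint: the identity provider, the relaying proxy, the origins login.example.com and login.example-verify.com, the user "alice" and every secret are made up, and an HMAC stands in for the authenticator's public-key signature. The OTP flow is the one the article says is being bypassed at scale; the WebAuthn-style flow shows what a server-side origin check changes.

```python
"""Constructed AitM phishing-proxy simulation (added example, not the report's code)."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.example.com"          # hypothetical legitimate IdP
PHISH_ORIGIN = "https://login.example-verify.com"  # hypothetical look-alike proxy host


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; stands in for the code a victim reads off an app or SMS."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class IdP:
    """Toy identity provider; all user data below is constructed test data."""

    def __init__(self):
        self.users = {"alice": {"password": "correct horse battery staple",
                                "otp_secret": b"12345678901234567890", "otp_counter": 7,
                                "cred_key": b"constructed-authenticator-key"}}
        self.sessions = set()
        self.pending_challenges = {}

    def _password_ok(self, username, password):
        user = self.users.get(username)
        return user is not None and hmac.compare_digest(user["password"], password)

    def login_otp(self, username, password, code):
        """Password + OTP. Nothing in the code records where the user typed it."""
        if not self._password_ok(username, password):
            return None
        user = self.users[username]
        if not hmac.compare_digest(hotp(user["otp_secret"], user["otp_counter"]), code):
            return None
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def begin_webauthn(self, username):
        challenge = secrets.token_hex(16)
        self.pending_challenges[username] = challenge
        return challenge

    def login_webauthn(self, username, password, assertion):
        """Password + origin-bound assertion (HMAC stands in for the authenticator signature)."""
        if not self._password_ok(username, password):
            return None
        user = self.users[username]
        client_data = assertion["client_data"]
        expected = hmac.new(user["cred_key"], client_data.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        parsed = json.loads(client_data)
        # The two checks a relaying proxy cannot satisfy: the signed origin must be ours
        # and the signed challenge must be the one issued for this login.
        if parsed["origin"] != REAL_ORIGIN:
            return None
        if parsed["challenge"] != self.pending_challenges.pop(username, None):
            return None
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie


def authenticator_sign(cred_key, origin, challenge):
    """Victim-side: the authenticator signs the origin the browser is actually on."""
    client_data = json.dumps({"origin": origin, "challenge": challenge}, sort_keys=True)
    sig = hmac.new(cred_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}


class AitMProxy:
    """Look-alike site that forwards every field to the real IdP and keeps any cookie."""

    def __init__(self, idp):
        self.idp, self.captured = idp, []

    def relay_otp(self, username, password, code):
        cookie = self.idp.login_otp(username, password, code)
        if cookie:
            self.captured.append(cookie)
        return cookie

    def relay_webauthn(self, username, password, assertion):
        cookie = self.idp.login_webauthn(username, password, assertion)
        if cookie:
            self.captured.append(cookie)
        return cookie


def run_demo():
    """Victim 'alice' enters her credentials on the phishing page under each MFA type."""
    idp, alice = IdP(), IdP().users["alice"]
    proxy = AitMProxy(idp)
    # 1. OTP: the genuine code, relayed inside its validity window, yields a real session.
    proxy.relay_otp("alice", alice["password"], hotp(alice["otp_secret"], alice["otp_counter"]))
    otp_bypassed = len(proxy.captured) == 1 and proxy.captured[0] in idp.sessions
    # 2. WebAuthn-style: the proxy relays the real challenge, but the signed origin is the
    #    phishing host, so the IdP rejects the relayed assertion.
    challenge = idp.begin_webauthn("alice")
    relayed = proxy.relay_webauthn("alice", alice["password"],
                                   authenticator_sign(alice["cred_key"], PHISH_ORIGIN, challenge))
    # Control: the same credential used directly at the real origin is accepted.
    challenge = idp.begin_webauthn("alice")
    direct = idp.login_webauthn("alice", alice["password"],
                                authenticator_sign(alice["cred_key"], REAL_ORIGIN, challenge))
    return {"otp_bypassed": otp_bypassed, "webauthn_bypassed": relayed is not None,
            "legit_webauthn_ok": direct is not None}


if __name__ == "__main__":
    print(run_demo())
```

The proxy never has to break anything: in the OTP flow it simply forwards the victim's genuine password and code and ends up holding a session cookie the IdP considers valid, which is the whole bypass. In the origin-bound flow the victim's authenticator signs the origin it is really talking to, so the same relay is rejected while a direct login still works; the challenge check additionally stops the proxy from substituting an assertion it collected earlier.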

Cyber-criminals are also taking advantage of poor security awareness and worker knowledge gaps.

Over a third of users can’t define simple concepts like “phishing,” “ransomware” and “malware,” while over two-fifths (44%) don’t know that an email from a familiar brand isn’t necessarily safe.

Over three-quarters (78%) use work devices for personal tasks, while 28% of employees reuse passwords for multiple work-related accounts. A third took a risky action such as clicking on a link when faced with an attack, Proofpoint added.

Organizations are partly to blame – just a third (35%) said they conduct phishing simulation exercises, while only around half (56%) run a security awareness program for all staff.

Phishing can create serious challenges for an organization. 76% of responding companies said they experienced a ransomware attack last year, with 64% suffering a successful infection and only half able to regain access to data after paying a ransom.

Almost two-thirds (65%) of respondents said they have experienced data loss due to an insider’s action – perhaps a reflection of the enhanced risks associated with a distributed, hybrid workforce.
