2024年網絡釣魚報告-29正式版

REPORT2024StateofthePhishRiskyactions,real-worldthreatsanduserresilienceinanageofhuman-centriccybersecurity2024STATEOFTHEPHISH\REPORTINTRODUCTIONImagineasuccessfulcyberattackagainstyourorganization.Whatdoesitlooklike?Maybeitinvolvesa?endishlycleverpieceofsocialengineering—aconvincinglurethatcatchestherecipientoffguard.Ormaybeitwouldtakeasmarttechnicalexploittogetpastyourdefenses.Butinreality,threatactorsdon’talwayshavetotrythathard.Often,theeasiestwaytobreachsecurityistoexploitthehumanfactor.Peopleareakeypartofanygooddefense,buttheycanalsobethemostvulnerable.Theymaymakemistakes,fallforscamsorsimplyignoresecuritybestpractices.Accordingtothisyear’sStateofthePhishsurvey,71%ofworkingadultsadmittedtotakingariskyaction,suchasreusingorsharingapassword,clickingonlinksfromunknownsenders,orgivingcredentialstoanuntrustworthysource.And96%ofthemdidsoknowingthattheyweretakingarisk.Whenobligedtochoosebetweenconvenienceandsecurity,userspicktheformeralmosteverytime.So,whatcanorganizationsdotochangethis?Inthisreportwe’lltakeacloserlookathowattitudestowardssecuritymanifestinreal-worldbehavior,andhowthreatactorsare?ndingnewwaystotakeadvantageofourpreferenceforspeedandexpedience.We’llalsoexaminethecurrentstateofsecurityawarenessinitiatives,aswellasbenchmarkingtheresilienceofpeopleandorganizationsagainstattack.Thefoundationofthisreportisasurveyof7,500endusersand1,050securityprofessionals,conductedacross15countries.ItalsoincludesProofpointdataderivedfromourproductsandthreatresearch,aswellas?ndingsfrom183millionsimulatedphishingmessagessentbyourcustomersovera12-monthperiodandmorethan24millionemailsreportedbyourcustomers’endusersoverthesameperiod.22024STATEOFTHEPHISH\REPORTTABLEOFCONTENTS4KeyFindings20OrganizationalBenchmarks6SecurityBehaviorsandAttitudes21Industryfailurerate27Conclusion6End-userbehaviorandattitudes10SecurityAwarenessTrends10Currentstateofsecurityawareness12Areasforimprovement14TheThreatLandscape14Threatprevalence15Growingthreats:TOAD,MFA-Bypass,QRcodesandgenerativeAI16BECattacksbene?tfromAI16Microsoftremainsmost-abusedbrand17Ransomwarestillamajorconcern18Attackconsequences32024STATEOFTHEPHISH\REPORTKEYFINDINGSOver1millionattacksarelaunchedwithMFA-bypassframeworkEvilProxyeverymonth,but89%ofsecurityprofessionalsstillbelieveMFAprovidescompleteprotectionagainstaccounttakeover.71%96%andofuserstookariskyactionofthemknewtheyweredoingsomethingrisky66millionBECattacksweredetectedandblockedonaveragepermonthbyProofpoint.69%oforganizationswereinfectedbyransomware.42024STATEOFTHEPHISH\REPORTofsecurityofuserseitherweren’tsureorclaimedthatthey’renotresponsibleatall.professionalssaidthatmostemployeesknowtheyareresponsibleforsecurity,but85%59%10millionTOADmessagesaresenteverymonth.Microsoftcontinuestobethemostabusedbrand,with68millionmaliciousmessagesassociatedwiththebrandoritsproducts.58%ofuserswhotookriskyactionsengagedinbehaviorthatwouldhavemadethemvulnerabletocommonsocialengineeringtactics.52024STATEOFTHEPHISH\REPORTSecurityBehaviorsandAttitudesEventhebesttechnicaldefensescanbeunderminedifusersdon’tdothebasics,suchasavoidingsuspiciouslinks,verifyingthesender’sidentityandsettingastrongpasswordandkeepingittothemselves.However,manyusersfailtofollowthesesimplerules,puttingthemselvesandtheirorganizationsatrisk.End-userbehaviorandattitudesAccordingtooursurvey,71%ofuserssaidtheytookariskyactionandalmostallofthem—96%—didsoknowingly.Amongthatgroup,73%saidthey’dtakentwoormoreriskyactions.Andmorethanathirdoftheriskstheytookwereratedbythoseusersaseither“extremelyrisky”or“veryrisky.”RiskyActionsTaken29%aUcsteivwitioerskdeviceforpersonal26%Reuseorsharepassword26%ConnectwithoutusingVPNatapublicplace24%Respondtoamessage(emailorSMStext)fromsomeoneIdon’tknowAccessinappropriatewebsite20%19%ClickonlinksordownloadattachmentsfromsomeoneIdon’tknow16%oSrhfaarmeiwlyorkdevicewithfriends13%Callanunfamiliarphonenumberinanurgentemail11%Tailgating:allowotherstoentertheof?cewithoutbadgingin10%Uploadsensitivedatatounproventhird-partycloud9%Gsoivuercceredentialstountrustworthy29%Havenevertakenariskyaction30%25%20%15%10%5%0%62024STATEOFTHEPHISH\REPORTUserstookriskyactionsforavarietyofreasons:convenience,timesavingandurgencybeingthemostcommonanswers.Butasmallcohortof2.5%tookriskyactionspurelyoutofcuriosity.Eitherway,themessageisclear:peoplearen’ttakingriskyactionsbecausetheylacksecurityawareness.Often,usersknowwhattheyaredoingwhentheytakerisksandarequitewillingtogamblewithorganizationalsecurity.WhyRiskyActionisTaken44%39%ItisconvenientTosavetime24%11%5%TomeetanurgentdeadlineToachievearevenuetargetOther,pleasespecify19%10%TosavemoneyTomeetotherperformanceobjectivesNobodyknowsthisbetterthantheworld’scybercriminals.Theyunderstandthatpeoplecanbeexploited,eitherthroughnegligence,obliviousnessor—inrareinstances—malice.Socialengineeringisapartofalmosteveryemailthreatanalyzedbyourresearchers.And58%ofuserswhotookariskyactionsaidtheyengagedinbehaviorthatwouldputthematriskofbasicsocialengineeringtactics,suchasclickingonunknownlinks,respondingtounfamiliarsendersandsharingcredentialswithuntrustworthysources.Theseactionscanleadtoransomwareinfection,malware,databreachor?nancialloss.72024STATEOFTHEPHISH\REPORTOneofthereasonsuserstaketheserisksisalackofconsensusaboutaccountabilityandresponsibility.Only41%ofuserssaidtheyknowthattheybearresponsibilityforcybersecurityattheirworkplace.About7%claimedthattheyaren’tresponsibleatall,whilethemajority(52%)weren’tsure.PerceptiononSecurityResponsibility41%vs.85%7%vs.13%52%vs.2%Yes–EmployeesthinktheyareresponsibleforsecurityNo–EmployeesbelievesecurityisnottheirresponsibilityNotsureEmployeesSecurityProfessionalsThiscontrastswiththeviewamongsecurityprofessionals,85%ofwhomsaythatmostemployeesknowtheyareresponsibleforsecurity.Thisgapbetweenperceptionandrealitysuggeststhatthereisaneedforclearercommunicationaboutsharedresponsibility,ratherthanjustmoretrainingonsecuritybestpracticesandpolicies.63%TheprofessionalviewSecurityprofessionalsunderstandablyhaveadifferentperspectiveonsecurityriskstoendusers.Theyaremoreawareofthethreatlandscapeandtheconsequencesofabreach.Andtheyhaveamorenuancedunderstandingofthechallengesthatgointosecuringcomplexanddynamicenvironments.Theyalsohavetheunenviabletaskof?ndingwaystobalancetheneedforsecuritywiththeneedforunhinderedproductivityandef?ciency.ofsecurityprofessionalsrateduserswithaccesstocriticalbusinessdataasthetopcybersecurityriskAccordingtooursurveyofsecurityprofessionals,theyrateuserswithaccesstobusiness-criticaldataasthebiggestsecurityrisk(63%)—agroupthatisinevitablyhardtomanage,asmuchofthataccessisnecessary.Butclick-happyusersandthosewhodon’tcompletesecurityawarenesstrainingareclosebehindinjointsecondplace(56%each).Thesecategoriesofuserwereallconsideredsigni?cantlymoreriskythanexecutives/VIPs(34%),despitethelattergroupoftenhavingbroadaccesstovaluabledata.82024STATEOFTHEPHISH\REPORTUsersWhoRepresentRiskUserswhohavebusinessprivilegeandaccesstocriticaldata63%Userswhoareclickhappy56%56%UserswhoconsistentlyfailtocompletetrainingassignmentSuppliersorbusinesspartners49%Peoplewhoareleaving42%VIPs,executives34%Unfortunately,oursurveyrevealssigni?cantoverlapbetweentheriskiestbehaviorsidenti?edbysecurityprofessionalsandthemostcommonriskyactionstakenbyendusers.Reusingpasswords,usingworkdevicesforpersonalactivitiesandaccessinginappropriatewebsitesareamongbehaviorsconsideredthemostunsafe;allofthemappearedinthetopactionstakenbyusers.RankTopRisksConsideredbyInfosecTopRiskyActionsTakenbyUsersClickonlinksordownloadattachmentsfromsomeoneIdon’tknow12345UseworkdeviceforpersonalactivitiesReuseorsharepasswordReuseorsharepasswordConnectwithoutusingVPNatapublicplaceAccessinappropriatewebsiteUploadsensitivedatatounproventhird-partycloudRespondtoamessage(emailorSMStext)fromsomeoneIdon’tknowUseworkdeviceforpersonalactivitiesAccessinappropriatewebsiteThisoverlapsuggeststhatusersmaybetakingsomeoftheseactionsbecausetheyareunawareofjusthowriskytheyareconsideredbysecurityteams.92024STATEOFTHEPHISH\REPORTSecurityAwarenessTrendsWhiletrainingaloneisn’tenoughtochangeunsafebehavior,teamsthatlackbasicsecurityawarenesstoolsandknowledgearestillmuchmorelikelytofallpreytocybercriminals.Butasnewsocialengineeringluresandtechniquesappearonthethreatlandscape,awarenessprogramsmustbeagileandbroad-basedtoremainrelevant.CurrentstateofsecurityawarenessFirstsomepositivenews:99%ofrespondentssaidtheyhaveasecurityawarenessprogramofsomesortupandrunning.Butwhilethebasicsmayalreadybeinplace,manyarestrugglingtodriverealbehavioralchange.Apossiblereasonforthisisthatonly53%saytheytraineveryoneintheorganization(downfrom56%lastyear).Thismeansthatsomeusersmaybeleftoutoftheloopormayreceiveinadequateoroutdatedtraining.SecurityAwarenessActivitiesAssignmentEveryoneintheorganization53%56%Onlyspeci?cdepartmentsandroles41%28%Onlyspeci?c6%individuals15%Notsure1%1%20232022Anotherchallengeisthecoverageandrelevanceoftrainingtopics.Securityprofessionalsagreethatremotework,passwordhygieneandinternetsafetyarecritical,butlessthanathirdofsecurityawarenessprogramscoverallthesetopics.Thetoptrainingtopicscitedbyrespondentsweremalware,Wi-Fisecurity,ransomwareandemailphishing,whichareallimportant,butnotsuf?cienttoaddressthefullspectrumofrisks.Andaswe’llseelaterwhenweexaminethelatestcybercriminaltacticsandtechniques,emergingthreatscanquicklybecomecommonplace,takingunpreparedusersbysurprise.102024STATEOFTHEPHISH\REPORT41%from28%ThepercentageoforganizationsthattrainedspecificrolesjumpedyearoveryearOnthepositiveside,thesurveyshowssomesignsofimprovementandinnovationinsecurityawarenesstactics.Yearoveryear,trainingofspeci?crolesanddepartmentshasrisensigni?cantly(41%from28%),indicatingamoretailoredandtargetedapproach.Timeallocatedtousereducationhasalsoincreasedyearoveryear,withmorerespondentsdedicatingoverthreehoursperyeartoawarenesstraining.Overall,theaverageamountoftimededicatedtoawarenesstraininghasincreasedforthe?rsttimeinthreeyears.TimeAllocatedforSecurityAwarenessActivities30minutesorless6%17%15%25%37%31–59minutes1–2hours3–4hoursMorethan4hoursThetypesoftacticsbeingusedareevolving,too,witha23%increaseintheuseofcontestsandprizestogamifyandincentivizeattention.Thischangecanhelpincreaseuserengagementandmotivation,whilealsocreatingapositiveandfunlearningenvironment.Computer-basedtrainingremainsthemostcommonformat(45%),butothermethodssuchassimulatedUSBdrops,videos,postersandnewslettersarealsobeingused.Cybersecurity-basedcontestsandprizesIn-persontrainingsessionsVirtual,instructor-ledtrainingComputer-basedtrainingSimulatedphishingattacksAwarenesspostersandvideosNewslettersandemails37%34%45%34%31%38%33%33%23%30%23%1%SmishingandvishingsimulationsSimulatedUSBdropsInternalcybersecuritychatchannelInternalwikiMycompanydoesnothaveasecurityawarenessprogramHowever,only34%ofrespondentssaytheyperformsimulatedphishingattacks,despitethehighvolumeofmaliciousemailseeninthethreatlandscape.Thissuggeststhatthereisstillroomforimprovementinthecompositionofmostsecurityawarenesstrainingsyllabuses.112024STATEOFTHEPHISH\REPORTAreasforimprovementSecurityisnotonlyatechnicalissue,butalsoaculturalandorganizationalone.Itrequiresthecollaborationandcommitmentofallstakeholders,fromsecurityprofessionalstoendusers.However,thereisoftenagapbetweenwhatsecurityprofessionalsthinkiseffectiveandwhatenduserssaywouldmotivatethemtoprioritizesecurity83%ofsurveyedsecurityprofessionalsimplementmoretrainingtodrivebehaviorchangeAccordingtooursurvey,securityprofessionalsbelievethatmoretraining,tightercontrols,closerbusinessalignment,betterrewardsandstrongerchampioningofsecurityinitiativeswouldallbeeffectiveinimprovingsecurity.However,fewerthanathirdoforganizationsrewardpositiveuserbehaviorsorchampionsecurityinitiatives.Theseareimportantwaystorecognizeandreinforcegoodsecuritypractices,andtoensurethatallemployeesareinvestedincreatingasecurity-awareculture.81%RankActionsTakenbySecurityProsUserMotivationimplementmorecontrols123ProvidemoretrainingMakingsecurityeasierformeUsingrewardsandrecognitionorrestrictionsImplementmoresecuritycontrolsorrestrictionsAlignsecurityinitiativeswithbusinessprioritiesIncreasedengagementwithleadershipandsecurityteamsIncontrast,usersoverwhelminglysaythattheywantsecuritytobemadeeasier.Theywantprocessestobemoreuser-friendly,convenientandtransparent,andtheywanttohavemorecommunicationandfeedbackfromsecurityexperts.Usersoverwhelminglyagree(94%)thatimprovingeaseofusewouldmotivatethemtobemoreattentivetosecurity.Thesedisparitiesbetweensecurityteamactionsandusermotivationsclearlydemonstratetheneedforopencommunicationbetweensecurityteamsandendusers.122024STATEOFTHEPHISH\REPORTWhatPoliciesMotivateUserstoPrioritizeCybersecurityMakingsecurityeasierformeUsingrewardsorrecognition94%89%87%85%71%6%11%13%15%29%IncreasedengagementfromleadershiporsecurityteamMoretrainingordifferentstylesoftrainingPunishment,suchasreductioninpay,bonusremoval,jobterminationMotivatingNotMotivatingInkeepingwithtrendswe’veobservedoverthepastfewyears,punishingunwantedbehaviorwasconsideredtheleasteffectiveapproachbysecurityprofessionals.Fortunately,itwasalsotheleastimplemented.Punishmentcanhavenegativeeffects,suchascreatingfear,resentmentanddistrust,andreducingmotivationandmorale.Itcanalsodiscourageusersfromreportingincidentsorseekinghelp,whichcanseriouslyincreasetheriskofsecuritybreaches.Punishmentwasalsotheleastmotivatingresponseamongendusers,though71%stillagreedthatthiswouldbeanincentiveforthem.Thissuggeststhatsomeusersmaybewillingtocomplywithsecurityrulestoavoidnegativeconsequences,thoughitisunlikelythatcompelledparticipationwillleadtoenduringbehaviorchange.132024STATEOFTHEPHISH\REPORTTheThreatLandscapeCybersecurityisaconstantlyevolving?eldascybercriminalsdevisenewandsophisticatedwaystoattackpeopleandbreachorganizations.Userswhotakerisks,suchasclickingonsuspiciouslinks,openingunknownattachmentsorusingweakpasswords,faceanincreasingvarietyofreal-worldthreatsfromattackers.ThreatprevalenceSomeofthemostcommonformsofattackreportedbysurveyparticipantswerephishing,businessemailcompromise(BEC)andransomware.Whileeachofthesetechniquesisdistinct,securityteamswilloftenencounterthemasindividualcomponentsofanextendedattackchain,withphishingleadingtoransomware,orasupplychainattackleadingtoBEC.PrevalenceofAttacksBulkPhishingSpearPhishingBECUSBDrop76%60%65%85%SociaMediaSupplyChainRisk74%74%72%74%73%75%69%69%RansomwareSmishingDataLossviaExternalAttackerDataLossviaInsider77%76%66%68%75%76%64%66%VishingTOAD(CallbackPhishing)67%71%67%20232022However,thesearen’ttheonlythreatsthatusersandorganizationsneedtobeawareof.Accordingtoourowndata,manynovelattacktypesarebecomingincreasinglyprominent.142024STATEOFTHEPHISH\REPORTGrowingthreats:TOAD,MFA-Bypass,QRcodesandgenerativeAIIntelephone-orientedattackdelivery(TOAD),themaliciousmessageoftenappearstobecompletelybenign,containingnothingmorethanaphonenumberandsomeerroneousinformation.Itisn’tuntiltheunsuspectingvictimcallsthelistednumberforhelpthattheattackchainisactivated.Cybercriminalcallcentersareoperatingaroundtheworld,guidingvictimsintograntingremoteaccess,revealingsensitiveinformationandcredentials,oreveninfectingthemselveswithmalware.Ourdatarevealsthatanaverageof10millionTOADmessagesaresenteverymonth.Anotherincreasinglypopularattackmethodinvolvesusingadvancedtechniquestobypassmultifactorauthentication(MFA),whichisnowastandardpartofcorporatecybersecurity.TheseattackstypicallyuseproxyserverstointerceptMFAtokens,allowingattackerstocircumventtheadditionallayerofsecurityprovidedbyone-timecodesandbiometrics.Severaloff-the-shelfphishkitsnowincludeMFAbypassfunctionality,allowingevenrelativelyunsophisticatedattackerstobene?t.Weseearound1millionphishingthreatsusingthepopularEvilProxyframeworkeverymonth.Thisisofparticularconcern,as89%ofsecurityprofessionalsstillconsiderMFAtobeasilverbulletforprotectionagainstaccounttakeover,with84%ofrespondentssayingtheirorganizationsuseMFAtopreventaccounttakeover.13millionProofpointsawover13MTOADattacksatpeakinAugust2023DoesMFAProvideCompleteProtectionAgainstAccountTakeover?89%ofsecurityprosbelievethatMFAcanprotectagainstaccountcompromisecompletelyCompletelyagree42%47%9%1%SomewhatagreeNeitheragreeordisagreeSomewhatdisagreeCompletelydisagree2%Andwithintheparadigmoftraditionalphishing,attackersare?ndingnewwaystoembedmaliciouscontent.Inrecentmonthswe’veseenanincreaseintheuseofQRcodesasanalternativetolinksorattachments.Thistechniqueisparticularlydangerous,asitbothattemptstoevadeautomateddetectionwhilepresentinguserswithafamiliarformatinacontexttheymaynothaveseenbefore.ItisalsoimpossibletotelljustbylookingifaQRcodeleadstoaphishingsiteormalwaredownload.UnfamiliarusersscanningaQRcodemaynotevenbeawarethatthey’veengagedwithapieceofmaliciouscontentuntilit’stoolate.152024STATEOFTHEPHISH\REPORTIt’salsoworthnotingthateventheleastcommontypeofattack—USBdrop—wasstillreportedby60%ofrespondents.Thisshowsthatcybercriminalsarewillingtotryanytactic,oldornew,iftheythinkitwillgivethemachancetoexploitanunsuspectingvictim.Despitethegrowingprominenceandsophisticationofthesethreats,manyorganizationsarenotadequatelypreparedortrainedtodealwiththem.Only23%oforganizationstraintheirusersonhowtorecognizeandpreventTOADattacks,andonly23%educatetheirusersongenerativeAIsafety.GenerativeAIisatechnologythatcancreaterealisticandconvincingcontent—suchasimages,videosortext—basedonagivenpromptordatainput.Thistechnologypromisestoenhancesocialengineeringforallmessaging-basedattacks,asattackerscanuseittoimprovethequalityoftheirlure,particularlywhentargetingotherlanguages.Moreover,generativeAIalsoposesariskofdataloss,asthereiscurrentlylittletransparencyoverwhathappenstodatathatisuploadedtoservicessuchasChatGPTandGoogleBard.BECattacksbenefitfromAIBECattacksalsocontinuetoposeaseriousthreat,especiallyinnon-English-speakingcountries.FewerorganizationsreportedBECattemptsglobally,butattackscontinuetogrowinprevalenceamongcountriessuchasJapan(35%year-over-yearincrease),Korea(31%jump),andUAE(29%jump).ThesecountriesmayhavepreviouslyseenfewerBECattacksduetolanguagebarriers,culturaldifferencesorlackofvisibility.ButthereisnowalikelylinkbetweenBECandgenerativeAI,asattackerscanusethelattertocreatemoreconvincingandpersonalizedemailsinmultiplelanguages.Ourowndatashowsanaverageof66milliontargetedBECattackseverymonth.Microsoftremainsmost-abusedbrand68millionmaliciousmessagesincludedreferencestoMicrosoftand/orMicrosoftproductsin2023,makingthesoftwaregianttheworld’smostabusedbrandBrandabuseisafavoritetacticforphishingandmalwaredelivery,asattackersexploitthetrustandfamiliaritythatusershavewithcertainbrands.Morethan68millionmessageswereassociatedwithMicrosoftproductsandbrandin2023,makingitthemostabusedbrandbycybercriminals.AdobeandDHLroundedoutthetopthree,butatfewerthan10millionmessageseach.162024STATEOFTHEPHISH\REPORTBrandAbuseThreats(Millions)6820millionOffice365wasthemostabusedMicrosoftproductinmaliciousemail,withover20millionemailthreatsusingthebrand9.48.86.14.43.53.1MicrosoftAdobeDHLGoogleAOLDocuSignAmazonRansomwarestillamajorconcernThepercentageoforganizationsthatfacedaransomwareattackrose5percentagepointsto69%.Almost60%oforganizationsreportedfourormoreseparateransomwareincidentsinayear,indicatingthatransomwareisstillapersistentandlucrativeformofattack.RansomwarebytheNumbers1–3separateincidents39%38%4–6separateincidents7–9separateincidents10ormoreseparateincidentsUnsure3%5%15%Oneofthewaysthatorganizationstrytomitigatetheriskandimpactofcyberattacksisbypurchasingcyberinsurance,whichcoversthecostsanddamagesassociatedwithacybersecurityincident.Amongthosethathadexperiencedaransomwareincident,96%nowhavecyberinsurance.Mostinsurers(91%)helpedwithransompayments,upfrom82%theyearbefore.However,globally,therateofpaymenttoransomwareattackershasdeclinedfrom64%to54%.InfectedOrganizationsThatAgreedtoPayRansom54%64%58%202320222021172024STATEOFTHEPHISH\REPORTThenumberofrespondentswhoregainedaccesstotheirdataafterpayingalsodeclined,withthenumberwhoregainedaccessafterasinglepaymentseeingthelargestdecline.Thismaybeoneexplanationforthedropinpayments.Anotherpossiblereasonisthatorganizationsarebecomingmoreawareofthedrawbacksandrisksofpayingransoms,suchasencouragingmoreattacks,fundingcriminalactivitiesorreceivingcorruptedorincompletedata.15%RansomwareInfections:WhatHappensAfterPaymentRegainedaccesstodataafter?rstpaymentoforganizationsrefusedtopaymorethanoneransomaftertheirfirstpaymentdidn’tgettheirdataback,upfromjust6%in202241%52%Paidadditionalransomdemand(s)andeventually43%41%Refusedtopayaddtionalransomdemand(s)andwalked15%6%Nevergotaccesstodataevenafterpayingransoms1%1%20232022AttackconsequencesTheimpactofphishingattacksonorganizationscanbedevastating,both?nanciallyandreputationally.71%oforganizationsexperiencedatleastonesuccessfulphishingattackin2023,downfrom84%in2022.However,whiletheincidenceofsuccessfulphishingattackshasdeclined,someofthenegativeconsequenceshavesoared.Yearonyear,wesawa144%increaseinreportsof?nancialpenalties,suchasregulatory?nes,anda50%increaseinreportsofreputationaldamageduetophishingincidents.182024STATEOFTHEPHISH\REPORTResultsofSuccessfulPhishingAttacks73%Lossofdata/intellectualpropertyAdvancedpersistentthreat32%33%23%21%oforganizationsreportedRansomwareinfection*Direct?nancialloss**aBECattack,butonly32%43%22%30%29%Breachofcustomer/clientdataFinancialpenalty***29%44%22%9%teachusersaboutCredential/accountcompromiseOthermalwareinfection(s)BECattacks27%36%22%28%ReputationaldamageZero-dayexploit27%18%20%20%Widespreadnetworkoutage/downtimeI’mnotsure25%26%0%2%*malwarewasdeliveredviaemail**wiretransferorinvoicefraud***regulatory?ne20232022Thethreatlandscapeisconstantlyevolving,ascybercriminalsemploynewtacticsandtechniquesintheirquesttogainanadvantage.Thisiswhyit’skeytoequippeoplewiththeknowledgetheyneedtoidentifyandresistattacks;afterall,assophisticatedasthesetechniquesarebecoming,peopleremaintheirprimarytarget.Mostorganizationssaytheyusereal-worldthreatintelligencetoshapetheirsecurityawarenessprogram,howevertherearesomemajordisparities.Forexample,73%oforganizationsexperiencedaBECattack,butonly29%trainusersspeci?callyonBECthreats.Similarly,only23%oforganizationsprovidetrainingonTOADattacks,despitetheirubiquity.Thethreatlandscapemovesprettyfast;ifyoudon’tstopandupdateyourprogramonceinawhileyoucouldmisssomething.192024STATEOFTHEPHISH\REPORTOrganizationalBenchmarksOneofthewaysthatorganizationscanmeasureandimprovetheircybersecurityawarenessandresilienceisbyconductingphishingsimulations.Proofpointphishingsimulationsmimicreal-worldphishingscenariosandassesshowusersrespondtothem.Ourcustomersconducted183millionphishingsimulationsovera12-monthperiod.Ofthese,link-basedtestswerethemostcommon,accountingfor59%ofallsimulations,followedbydata-entrytests(30%)andattachment-basedtests(10%).However,attachment-basedtestshadthehighestfailurerateoverall,at17%.Failureratesforalltypesofsimulationswerewithin1percentagepointofl