By Mikael Jarpenge, senior engineer, Nordics at Proofpoint
While conventional and well-known threats such as email phishing and ransomware remain successful, many threat actors are shifting to newer techniques that are less familiar to employees, to increase their chances of a successful cyberattack.
But whatever the tactic, most attacks shared a common trait – they were squarely targeted at people rather than infrastructure.
Ransomware attacks increased significantly across the globe last year, with email still commonly used as the point of entry. Meanwhile, another people-focused threat, email phishing, was the most common type of attack, with 84% of organisations experiencing at least one successful email-based phishing attack in 2022.
There were new threats too - such as telephone-oriented attack delivery (TOAD) and adversary-in-the-middle (AitM) phishing proxies that bypass multifactor authentication. These techniques have been used in targeted attacks for years, but 2022 saw them deployed at scale.
With so many common threats requiring human interaction, the modern cybercriminal no longer needs to hack into an organisation. Much of the time, once they have obtained the login details they require, they can simply log in.
With this in mind, let’s review some of the most prevalent types of people-focused attacks right now and what you can do to defend against them.
Ransomware Continues to Wreak Havoc
Seventy-six percent of global organisations experienced an attempted ransomware attack in the past year, with 64% suffering a successful infection; yet only half regained access to their data after making the initial ransomware payment. Alarmingly, over two-thirds of respondents said their organisation experienced multiple, separate ransomware infections.
Most infected organisations paid up, and many did so more than once - 64% of infected organisations paid at least one ransom. Of the organisations impacted by ransomware, the overwhelming majority (90%) had a cyber insurance policy in place for ransomware attacks, and most insurers were willing to pay the ransom either partially or in full (82%).
End Users Fall Prey to Bogus “Microsoft” Emails
In 2022, Proofpoint observed nearly 1,600 campaigns involving brand abuse across its global customer base. While Microsoft was the most abused brand name with over 30 million messages using its branding or featuring a product such as Office or OneDrive, other companies regularly impersonated by cyber criminals included Google, Amazon, DHL, Adobe, and DocuSign.
Considering the volume of brand impersonation attacks, it’s alarming that nearly half (44%) of employees indicate they think an email is safe when it contains familiar branding, and 63% think an email address always corresponds to the matching website of the brand.
Business Email Compromise: Cyber Fraud Goes Global
On average, three-quarters of global organisations reported an attempted BEC attack last year. While English is the most common language employed, some non-English-speaking countries are starting to see higher volumes of attacks in their own languages. Countries where BEC attack rates were higher than the global average, or rose notably compared to 2021, included:
- The Netherlands 92% (not featured in prior analysis)
- Sweden 92% (not featured in prior analysis)
- Spain 90% vs. 77% (13 percentage point increase)
- Germany 86% vs. 75% (11 percentage point increase)
- France 80% vs. 75% (5 percentage point increase)
Insider Threats
Pandemic-related job mobility, coupled with post-pandemic economic uncertainty, has resulted in large numbers of workers changing or leaving jobs to the tune of one in four employees in the past two years. This job market trend makes data protection more difficult for organisations, with 65% reporting they have experienced data loss due to an insider’s action. Among those who have changed jobs, nearly half (44%) admitted to taking data with them.
Threat Actors Scale Up More Complex Email Threats
Over the past year, hundreds of thousands of telephone-oriented attack delivery (TOAD) and multi-factor authentication (MFA) bypass phishing messages were sent each day—ubiquitous enough to threaten nearly all organisations. At its peak, Proofpoint tracked more than 600,000 TOAD attacks—emails that incite recipients to initiate a direct conversation with attackers over telephone via bogus ‘call centres’—per day, and the number has been steadily rising since the technique first appeared in late 2021.
Cyber attackers now also have a range of methods to bypass MFA, with many phishing-as-a-service providers already including AitM tooling in their off-the-shelf phish kits.
Room for Improvement with Cyber Hygiene
Threat actors always innovate, and once again this year’s report shows that most employees suffer security awareness gaps. Even basic cyber threats are still not well understood—more than a third of survey respondents cannot define “malware,” “phishing,” and “ransomware.”
In addition, only 56% of organisations with a security awareness program train their entire workforce, and only 35% conduct phishing simulations—both critical components to building an effective security awareness program.
The awareness gaps and risky security behaviours demonstrated by employees create substantial risk for organisations and their data.
Building a people-centric security culture
Just as people are at the heart of these increasingly common attacks, so too must they be at the centre of any effective defence. Today, a robust cyber security posture requires an approach that combines people, process, and technical controls.
Criminals are continually targeting humans to expose confidential data, compromise networks, and even wire money. Through a technical combination of email gateway rules, advanced threat analysis, email authentication, and visibility into cloud applications, we can block the majority of targeted attacks before they reach employees. But we can’t rely solely on technical controls because as we’ve seen, this is a people problem.
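Two of the controls named above, email authentication and gateway rules, can be combined to address the brand-abuse problem described earlier: the fact that an email can carry familiar branding in its display name while the actual sender domain belongs to someone else. The following is an added illustration, not Proofpoint code and not taken from the report. It assumes a mail gateway that has already stamped an Authentication-Results header on each message, and a small hand-maintained map from brand keywords to the domains allowed to use them (the domain lists are assumptions for the example, as are the three constructed sample messages). It shows why a DMARC pass alone is not sufficient: a lookalike domain can pass DMARC for itself while still impersonating a brand in the display name.

```python
"""Gateway-style checks for brand impersonation plus DMARC result.

Added example, not Proofpoint's code. Assumptions: the gateway adds an
Authentication-Results header; BRAND_DOMAINS is a hand-maintained allowlist.
"""
import email
import re
from email.utils import parseaddr

# Assumed allowlist: brand keyword -> domains permitted to use it in the display name.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com", "onedrive.com"},
    "office": {"microsoft.com", "office.com"},
    "onedrive": {"microsoft.com", "onedrive.com"},
    "google": {"google.com"},
    "amazon": {"amazon.com"},
    "dhl": {"dhl.com"},
    "adobe": {"adobe.com"},
    "docusign": {"docusign.com", "docusign.net"},
}

# Constructed sample headers (not real messages). Bodies omitted.
SAMPLES = {
    # Genuine brand sender, aligned and authenticated.
    "legit": (
        "From: Microsoft account team <noreply@accountprotection.microsoft.com>\n"
        "Authentication-Results: mx.example.net; spf=pass; dkim=pass; "
        "dmarc=pass header.from=microsoft.com\n"
        "Subject: Sign-in activity\n\n"
    ),
    # Lookalike domain: authenticates for itself, but borrows the brand name.
    "lookalike": (
        "From: Microsoft OneDrive <share@onedrive-files-notice.example>\n"
        "Authentication-Results: mx.example.net; spf=pass; dkim=pass; "
        "dmarc=pass header.from=onedrive-files-notice.example\n"
        "Subject: A file was shared with you\n\n"
    ),
    # Direct spoof of the real domain: display name is consistent, DMARC fails.
    "spoofed": (
        "From: DHL Express <tracking@dhl.com>\n"
        "Authentication-Results: mx.example.net; spf=fail; dkim=none; "
        "dmarc=fail header.from=dhl.com\n"
        "Subject: Your parcel is on hold\n\n"
    ),
}


def sender_domain(addr):
    """Lowercase domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def domain_matches(domain, allowed):
    """True if domain equals, or is a subdomain of, any allowed domain."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def dmarc_result(msg):
    """Pull the dmarc=<result> token out of the gateway's Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    match = re.search(r"\bdmarc=(\w+)", header, re.IGNORECASE)
    return match.group(1).lower() if match else "none"


def brand_mismatch(msg):
    """Brands named in the display name whose From domain is not on their allowlist."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = sender_domain(addr)
    words = set(re.findall(r"[a-z0-9]+", name.lower()))
    return [brand for brand, allowed in BRAND_DOMAINS.items()
            if brand in words and not domain_matches(domain, allowed)]


def assess(raw):
    """Run both checks and return a verdict a gateway rule could act on."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    result = {
        "from_domain": sender_domain(addr),
        "dmarc": dmarc_result(msg),
        "brand_mismatch": brand_mismatch(msg),
    }
    clean = result["dmarc"] == "pass" and not result["brand_mismatch"]
    result["verdict"] = "deliver" if clean else "quarantine"
    return result


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, assess(raw))
```

Only the first sample is delivered. The lookalike passes DMARC, because the attacker controls that domain's DNS, and is caught purely by the display-name check; the spoof of the real domain is caught by DMARC alone. Neither check on its own covers both cases, which is the argument for layering authentication with gateway rules rather than relying on one control.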
Security is a shared responsibility. We must empower people, at all levels within our organisations, to understand security and the risky behaviours that can lead to breaches. Training and awareness programs are crucial, but one size does not fit all. Make sure your program is from the perspective of the user – make it relevant to their work and personal lives.
Over 99% of cyber threats require human interaction to be successful. When your people are that vital to an attack, they need to be a vital part of your defence. Cybercriminals spend day and night trying to penetrate your networks, systems, and data. The least we can do is make them work a little harder.
To download the State of the Phish 2023 report please visit: https://www.proofpoint.com/us/resources/threat-reports/state-of-phish.