More than nine in 10 (91%) UK organizations were successfully compromised by an email phishing attack last year, according to Proofpoint’s 2022 State of the Phish report.
The study observed a significant rise in email-based attacks globally in 2021 compared to 2020. Over three-quarters (78%) of organizations were targeted by email-based ransomware attacks last year and 77% faced business email compromise (BEC) attacks, the latter an 18% year-on-year increase from 2020.
The survey of 600 information and IT security professionals and 3500 workers in the US, Australia, France, Germany, Japan, Spain and the UK also found that attacks in 2021 were more likely to be successful than in 2020. More than four in five (83%) respondents said their organization experienced at least one successful email-based phishing attack last year, up from 57% in 2020. In addition, 68% of organizations admitted they had to deal with at least one ransomware infection stemming from a direct email payload, second-stage malware delivery or other exploit.
Worryingly, 60% of organizations infected with ransomware admitted to paying a ransom, with around a third (32%) paying additional sums to regain access to data and systems.
Proofpoint researchers believe the increased volume and success rate of these attacks are linked to the ongoing shift to hybrid working in 2021, continuing from the previous year. More than half of employees in 81% of organizations worked remotely last year. However, only 37% of organizations educate workers about best practices for remote working. This lack of training appears to be leading to significant security lapses; for example, only 60% of workers said their home network is password protected, while 42% admitted taking a dangerous action in 2021, such as clicking a malicious link or exposing their personal data or login credentials.
In addition, only around half (53%) of workers were able to correctly identify the definition of ‘phishing’ in a multiple-choice array, which is a significant fall from 63% in 2020.
UK-based organizations were particularly heavily targeted by email-based attacks, according to the report. For example, 84% faced at least one email-based ransomware attack, 81% experienced one or more BEC attacks and 78% dealt with at least one ransomware infection stemming from a direct email payload.
Alan Lefort, SVP and GM of security awareness training for Proofpoint, commented: “Where 2020 taught us about the need to be agile and responsive in the face of change, 2021 taught us about the need to better protect ourselves.
“As email remains the favored attack method for cyber-criminals, there is clear value in building a culture of security. In this evolving threat landscape and as work-from-anywhere becomes commonplace,’ it is critical that organizations empower their people and support their efforts to learn and apply new cyber skills, both at work and at home.”