State of the Phish 2023
REPORT
An in-depth exploration of user awareness, vulnerability and resilience

A commissioned survey of:
- 7,500 working adults across 15 countries
- 1,050 IT security professionals across those countries
And:
- 135 million simulated phishing attacks sent by our customers over a 12-month period
- 18 million emails reported by our customers' end users over a 12-month period

2022: Cyber Criminals Get Even More Creative

Every year, threat actors look for new ways to outwit victims and bypass defenses. And 2022 was no different. As businesses rolled out new security controls, cyber criminals responded. They scaled up complex techniques like telephone-oriented attack delivery (TOAD) and multi-factor authentication (MFA) bypass. Unknown to most users, these techniques gave cyber attackers a new advantage. At their peak, TOAD and MFA bypass saw hundreds of thousands of attacks sent per day, ubiquitous enough to threaten most organizations. And at the same time, proven tactics like brand abuse, business email compromise (BEC) and ransomware remained as popular as ever. With threat actors constantly upping their game, CISOs and infosec teams had their work cut out.

Now in its ninth year, our annual State of the Phish report explores end-user security awareness, resilience and risk across 15 countries (eight more than in previous years). The report benchmarks understanding of common cyber threats and defensive tactics and reveals how potential gaps in knowledge and cyber hygiene enable the real-world attack landscape.

Most attacks target people before they target systems. That's why helping users build sustainable security habits is crucial. So, the last section of the report examines security awareness practices and outlines opportunities to build and reinforce a security-aware culture at every level of an organization.

The report draws on surveys of 7,500 working adults and 1,050 IT security professionals across 15 countries. It also includes findings sourced from 135 million simulated phishing attacks sent by our customers over a 12-month period and more than 18 million emails reported by our customers' end users over that same time period.

TABLE OF CONTENTS

Key Findings ... 4
Security Habits and Knowledge Gaps ... 6
  Terms and concepts: the same gaps remain ... 6
  Security habits: blurred lines ... 8
  Security habits: password hygiene ... 9
  Security habits: Wi-Fi woes ... 10
  Security habits: risky business ... 11
Recognize Risk ... 12
  TOADs and multi-factor phishing ... 13
  Brand abuse ... 13
  BEC goes global ... 15
  Ransomware remains ... 16
  Insider threat ... 18
  Counting the cost ... 19
Benchmarks: Failure Rates, Reporting and Resilience ... 20
  Template failure rates ... 20
  Failure rates by industry ... 21
  Failure rates by department ... 22
  Template effectiveness ... 24
  Reporting and resilience ... 26
Security Awareness: Insights and Opportunities ... 30
  Building a security culture ... 32
Conclusions ... 35

Key Findings

- 44% of people think an email is safe when it contains familiar branding.
- 30 million malicious messages sent in 2022 involved Microsoft branding or products.
- 1 in 10 threats were blocked as a result of user reporting.
- 76% increase in direct financial loss from successful phishing.
- ONLY 56% of organizations with a security awareness program train all their employees.
- 33% of employees say cybersecurity is not a top priority of theirs at work, vs. 90% of security professionals who consider security a top priority at their company.
- 64% of organizations infected with ransomware paid a ransom.
- 90% of organizations affected by ransomware held a cyber insurance policy.
- 65% of organizations reported at least one incident of insider data loss.
- Even basic concepts are misunderstood: more than 1/3 of people can't define “malware,” “phishing” and “ransomware.”
- 1/3 of people took a risky action (such as clicking links or downloading malware) when faced with an attack.
- 300-400K telephone-oriented attack delivery attempts daily, with a peak of 600K per day in August 2022.
- ONLY 35% of organizations conduct phishing simulations.

Security Habits and Knowledge Gaps

Last year's State of the Phish described 2021 as “the year of the new normal.” The pandemic started to recede, and many workplaces permanently adopted a hybrid model. Those macro trends have continued in 2022, cementing an expanded attack surface that cyber criminals can target both in and out of the office. The increased risks of a hybrid workplace are well understood by CISOs, and many told us in our 2022 Voice of the CISO report that they planned to take steps to enhance security awareness programs to meet this challenge.

All of which begs the question: has the basic level of security awareness and understanding increased since last year? Unfortunately, the short answer is “no.”

Terms and concepts: the same gaps remain

Common threats are still not well understood across organizations. Nearly a third of survey participants were unable to correctly define terms like “phishing” and “malware.” For more advanced attacks like “ransomware,” “smishing” (SMS phishing) and “vishing” (voice phishing), around two-thirds answered incorrectly. Data from the past four years shows only modest gains or no gains at all.

End-User Understanding Shows Little Change from Year to Year (percentage of users who correctly defined each term)
  Term         2019   2020   2021   2022
  Phishing      61%    63%    53%    58%
  Malware       66%    65%    63%    69%
  Ransomware    31%    33%    36%    40%
  Smishing      30%    31%    23%    29%
  Vishing       25%    30%    24%    30%

COMING TO TERMS: Even basic concepts are still not fully understood; more than a third can't define “malware,” “phishing” and “ransomware.”
- 40% of users know what ransomware is, a 9-point jump from 2019, the biggest increase among the terms we asked about.
- 29% and 30% of users knew the relatively new terms smishing and vishing, respectively.
- 58% of users knew what phishing is, a 5-point increase from last year but 3 points below 2019.

Moving on from terminology to security fundamentals, the story is more encouraging. Some 80% to 90% of respondents said they understood basic email security concepts. Numbers here have increased by 2 to 3 percentage points year over year.

Percentage of users who:
  know to be cautious of unexpected emails                                   89%
  know a familiar company brand doesn't make an email safe                   56%
  know that files stored in the cloud are not always safe                    39%
  know email attachments can have damaging software                          84%
  know a link or attachment can affect computers beyond theirs               51%
  know internal emails at work are not always safe                           38%
  know an email can appear to come from someone other than the sender        79%
  know their email provider can't automatically block all malicious emails   42%
  know an email link might not match the website it goes to                  37%
  know exchanging multiple emails doesn't mean a sender is safe              42%
  know their company can't automatically block all malicious emails          32%

We saw a similar degree of improvement for more advanced email security concepts, though overall understanding was lower at just 40% to 50%. Notably, people have become more aware that cyber criminals can send multiple emails to build trust. The evolution of this tactic has been a point of focus for our threat researchers this year, particularly with state-sponsored attacks.

IMPOSTER SYNDROME:
- 21% of users don't know that an email can appear to be from someone other than the sender.
- 44% of users don't know that a familiar brand doesn't make the email safe.
- 63% of users don't know that an email link text might not match the website it goes to.

THE UNCERTAINTY PRINCIPLE: Nearly 30% of respondents said that they weren't sure if files stored in the cloud are always safe. This was by far the highest percentage of “not sure” answers; others ranged between 8% and 20%. In security terms, “not sure” and “don't know” both describe a knowledge gap. Instead of just focusing on incorrect answers, training programs should also aim to address blind spots.

Security habits: blurred lines

In the last four years of tracking security habits both at home and at work, we've seen a noticeable shift. It's now the case that over three-quarters of people use their work devices for personal activities, with almost the same proportion using personal devices for work.
- 78% use work devices for personal activities
- 72% use personal devices for work
- 48% let family and friends use their work devices

Personal use of work devices for social media and online shopping held steady from year to year. However, email, messaging and reading news all increased.

Figure: Personal Use of Work Devices, 2022 vs 2021 (emails and messages, shop online, read news, social media).

Nearly half of respondents said they allowed friends and family to use their work devices. This number has fallen slightly year on year (from 56% to 48%), possibly because of people returning to offices for more days during the week. Most categories of use by friends and family remained static year on year, with email and messaging the most common activities. Unfortunately, a small percentage of respondents (3%) said they didn't know what their friends or family did on their work device. This clearly represents an unacceptable level of risk.

Figure: Friends & Family Use of Their Work Devices, 2022 vs 2021 (emails and messages, shop online, read news, social media).
Security habits: password hygiene

Another area where behavior has remained disappointingly unchanged is password management. The most common method is the most secure: using a single unique password, entered manually per account. In second and third place, less-secure browser password managers are still more popular than dedicated apps. While the least secure options are to be found in the long tail of responses, more than a quarter of respondents admitted to reusing a limited number of passwords.

PASSWORD UNPROTECTED: 28% of users reuse passwords for multiple work-related accounts, jeopardizing all of them if even just one is compromised.

Use of Home and Work Passwords (2022 work / 2022 personal)
  Manually enter unique password for every account   31% / 27%
  Save login information in browser                  26% / 30%
  Use password manager app                           18% / 17%
  Manually rotate 1-4 passwords                      16% / 14%
  Manually rotate 5-10 passwords                      6% /  6%
  Manually rotate over 10 passwords                   6% /  6%

Security habits: Wi-Fi woes

Password problems aren't just limited to email and cloud accounts. We also found that numbers are low when it comes to Wi-Fi password best practices. Over two-thirds of people password protect their home network. But the number of people who change default wireless and administration passwords is much lower, at less than a third each. Most alarming of all, 7% of respondents said they took no home Wi-Fi security measures at all.

Percentage of Actions to Protect Home Wi-Fi (2022 / 2021)
  Password protect the network       69% / 60%
  Change default network name        26% / 26%
  Change default network password    29% / 25%
  Change default admin password      20% / 21%
  Check router software updates      21% / 18%
  Don't take any security measures    7% / 11%

WIRELESS WEAKNESSES:
- 71% of users don't change the default network name on work Wi-Fi routers.
- 80% of home and work Wi-Fi users didn't change the default admin password for their routers in 2022, worse than the previous year.

As part of our survey, we asked people why they don't take these necessary steps to secure their home networks. The range of answers is revealing:
- Feel security is already in place (“That's what my network provider does.”)
- Think there is built-in safety (“I thought it was safe enough.”)
- Never think about security (“I have never thought to change any of these things.”)
- Security handled by someone they know (“My spouse looks after this.”)
- Made security changes previously (“I made changes when it was set up.”)
- Made some changes but not others (“I have modified the ones I thought appropriate.”)
- Don't know how to change settings (“I was worried I would mess it up.”)

Security habits: risky business

With these gaps in knowledge and best practices, it's no surprise that many people continue to take risky actions when faced with a cyber attack. And with many risky actions not being recognized in the moment (or admitted to after the fact), these numbers are almost certainly lower than the reality. More than a third of respondents took at least one risky action during the year, with clicking on malicious links being the most frequent. With email overwhelmingly the most common vector for distributing phishing links and malware, training users on the correct action to take should remain a key part of ongoing security awareness initiatives.

Risky Actions Taken by Working Adults in Threat Situations
  Any type of risky action                      34%
  Clicked phishing link to fake website         18%
  Downloaded malware from smish                 13%
  Downloaded malware from phishing link/site    11%
  Gave personal information to a scammer         9%
  Gave password to untrustworthy source          8%

ACTIONS SPEAK VOLUMES:
- 34% of users did something in 2022 that put themselves or their organizations at risk.
- 63% of working adults think an email link always goes to the matching website brand.
- 11% of recipients fell for phishing simulations mentioning “DocuSign document for review” and “FedEx delivery failure.”

Recognizing Risk

Cyber criminals know that most people have gaps in their security awareness. Their own campaign dashboards provide the evidence, with phishing kits, botnets and malware-as-a-service often showing click rates, downloads and other common digital “success” metrics. Despite many techniques remaining effective, attackers aren't standing still. They have refined their social engineering tactics and introduced entirely novel attacks. When the threat landscape moves this quickly, security teams, and security awareness programs, need to be agile to keep up.

The incidence of most attack types has remained constant year on year, with high levels across the board. Threats arrive at an unrelenting pace and are almost as likely to appear from inside an organization as from an external attacker. In total, 84% of survey respondents said that their organization had experienced at least one successful email-based phishing attack during 2022. And 54% said that they had dealt with three or more attacks.

Figure: Prevalence of Attacks, 2022 vs 2021, by type: bulk phishing, spear phishing, BEC, ransomware, smishing, vishing, USB drop, social media, supply chain*, data loss: external*, data loss: insider* (*new question for 2023 report).

- 84% of organizations faced at least one successful phishing attack.
- 54% faced three or more attacks.

TOADs and MFA phishing

This year, telephone-oriented attack delivery (TOAD) and multi-factor authentication (MFA) phishing have made waves in the threat landscape. In a TOAD attack, targets receive a message, often containing a fake invoice or alert. The message also contains a customer service number for anyone with questions. If the victim calls the number, they find themselves on the line with a cyber attacker. Our researchers have seen a range of next steps, including guiding victims to download malware, transfer money or enable remote access. At peak, we see over 600,000 TOAD messages sent per day, and the number has been steadily rising since the technique first appeared in 2021.

Multi-factor authentication (MFA) uses a second “factor” such as a phone or hardware key for added security when logging in to digital accounts. Enabling it is still a security best practice, but cyber attackers now have a range of methods to bypass MFA. While these are technically sophisticated attacks, some phishing-as-a-service providers already include MFA bypass in their off-the-shelf phishing kits.

Brand abuse

Social engineering is integral to most cyber attacks. Using psychological manipulation, threat actors unsettle victims into making mistakes, ignoring warning signs or trusting malicious messages. Social engineering's power comes from the fact that people often rely on mental shortcuts when making decisions.

One of the clearest examples of social engineering is brand abuse. In these attacks, cyber criminals benefit from users' familiarity with, and trust of, well-known brands. The most obvious way to take advantage of a brand is to use its logo or styling in a malicious message. But it's also worth considering that in the digital workplace, malicious links hosted on cloud storage solutions like Microsoft OneDrive, Google Drive and Dropbox are also likely to benefit from positive brand associations, as are malicious files created with familiar Microsoft 365 software.

SIMULATING REALITY: Microsoft was also the most common brand template used by our customers in phishing simulations. Half of the ten most-used templates were brand-abuse related. And templates featuring familiar brands tended to have high failure rates.

In 2022, we observed nearly 1,600 campaigns that involved brand abuse, and the most abused brand in our data was Microsoft. During the year, we saw over 30 million messages that used Microsoft branding or featured a Microsoft product like Office or OneDrive. Perhaps not surprisingly, half of the 10 most-used templates by our customers in phishing simulations were brand-abuse related. Templates featuring familiar brands tended to have high failure rates. Notably, 44% of working adults in our survey said that they think an email is safe when it contains familiar branding.

And Microsoft isn't the only brand experiencing regular abuse, with Amazon (6.5 million messages), DocuSign (3.6 million messages), Google (2.6 million messages), DHL (2 million messages) and Adobe (1.5 million messages) all regularly impersonated.

Cyber Attack Messages that Involved Brand Abuse in 2022
  Microsoft   30M
  Amazon      6.5M
  DocuSign    3.6M
  Google      2.6M
  DHL         2M
  Adobe       1.5M

BEC Goes Global

Board members across the globe rate BEC as their top concern (41%), followed by cloud account compromise (37%) and ransomware (32%), according to our Cybersecurity: The 2022 Board Perspective report.

In our recent Cybersecurity: The 2022 Board Perspective report, global board members rated business email compromise (BEC) as their top concern. English is the most common language used in BEC attacks, but some non-English-speaking countries are starting to see higher volumes of attacks in their own languages. Year over year, we've seen growth in the following countries:
- Spain: 90%, up 13 points (vs. 77%)
- Germany: 86%, up 11 points (vs. 75%)
- France: 80%, up 5 points (vs. 75%)
- Sweden: 92% (no prior analysis)
- The Netherlands: 92% (no prior analysis)

Globally, the average incidence of attempted BEC is 75%, and some countries do still fall well below this level. Japan (52%), Italy (51%), Brazil (56%), Korea (58%) and UAE (66%) all have BEC rates below that average. While the reason for these countries seeing fewer BEC attacks is unclear, there may be cultural, linguistic or logistical challenges that prevent attackers from effectively targeting and monetizing them. Or some organizations may lack visibility into the true number of attacks they're facing.
Ransomware remains

BEC might be the most lucrative form of cyber attack, but ransomware can inflict massive operational, reputational and financial damage. About 76% of organizations experienced an attempted ransomware attack, with 64% experiencing a successful infection. Alarmingly, over two-thirds of respondents said their organizations experienced multiple separate incidents of infection.

The FBI's latest Internet Crime Complaint Center (IC3) report shows that ransomware attacks have continued to rise, increasing by 51% year over year. The Bureau recommends that organizations refrain from paying, as this only contributes to the threat's growth. There is also no guarantee that payment will result in a positive outcome. About 52% of victims, slightly better odds than a coin flip, regained access to their data after making a single ransomware payment. Nearly as many were obliged to make further payments, and some still never regained access to their data.

Still, most infected organizations paid up, and many did so more than once, usually with the help of cyber insurance. The overwhelming majority of organizations that faced a ransomware attack had cyber insurance (90%), and most of those insurers were willing to help (82%). This perhaps explains the high propensity to pay, with 64% of organizations infected with ransomware paying at least one ransom, a six-point increase from last year.

Figure: Number of separate ransomware infection incidents in 2022 (1-3, 4-6, 7-9, 10 or more, unsure of total); 64% of orgs were infected by ransomware in 2022.

Ransomware by the Numbers
- 90% of organizations that were infected by ransomware had cyber insurance.
- 99% of ransomware victims in the U.S. had cyber insurance, the highest percentage among countries surveyed.

Some 41% said they paid more than one ransom before regaining access to their data. The majority of companies taking out cyber insurance (73%) said that their insurer covered some or all the losses incurred.

Ransomware Infections: What Happens After Payment
  Regained access to data after first payment                             52%
  Paid additional ransom demand(s) and eventually regained access          41%
  Refused to pay additional ransom demand(s) and walked away without data, or never got access to data even after paying ransom(s): the remaining 7%
64% of infected organizations agreed to pay ransom in 2022, up 6% from 2021.

Cyber Insurance Role
  Insurer covered ALL losses          39%
  Insurer covered PARTIAL losses      34%
  Insurer DENIED the claim, ransomware attacks were not covered by our insurer, don't have cyber insurance, or not sure: the remaining 27%
27% of infected organizations absorbed all losses to ransomware attacks.

The insider threat

According to 1,400 global CISOs surveyed in our 2022 Voice of the CISO report, insider threats are their biggest security concern. And today's job market has made data protection an even bigger challenge. Pandemic-related job mobility coupled with post-pandemic economic uncertainty has resulted in large numbers of people changing or leaving jobs. And data shows that people often take sensitive data and credentials with them when they go.

In this year's survey, we asked end users if they had changed jobs within the past two years. A quarter said that they had, and, of those who left their jobs, nearly half admitted to taking data with them when they left.

We also added questions about insider data loss to our survey of security professionals. Nearly 65% reported that their organization had experienced data loss because of an insider. The number was even higher for the U.S., the U.K. and the Netherlands at around 85%.

The most common cause of data loss to insiders is the result of carelessness or negligence. But that isn't the only type of insider threat. In general, they fall into three main categories:
- A “careless user” might cause accidental harm, such as a Japanese city contractor who lost a USB stick with the personal data of almost half a million residents.
- A “malicious user” takes actions for deliberate harm or personal gain, such as an outgoing Pfizer employee who allegedly uploaded over 12,000 confidential files to a Google Drive account.
- A “compromised user” is enticed by reward or coercion to infiltrate or exfiltrate data, such as a former SoftBank chief accepting 400,000 to leak confidential information to a Russian diplomat.

Insider data loss incidents reported by security professionals
  1 to 10 incident(s) via insider     25%
  11 to 25 incidents via insider      17%
  26 to 50 incidents via insider      11%
  Over 50 incidents via insider       11%

- 25% of users said they had changed jobs within the past two years.
- 44% of those who left a job took data with them.

Counting the cost

For most threat actors, the goal of an attack is financial. And according to our data, 30% of organizations that endured a successful attack experienced a direct monetary loss, such as a fraudulent invoice, wire transfer or payroll redirection. This is an increase of 76% year over year. The three most common consequences of attack were data breach (44%), ransomware infection (43%) and account compromise (36%). As all three of these actions can be readily monetized by cyber criminals, the financial incentives driving attacks are clear to see.

Results of Successful Phishing Attacks (Global Average), 2022 / 2021
  Breach of customer/client data                                44% / 54%
  Ransomware infection (the malware was delivered via email)    43% / 46%
  Credential/account compromise                                 36% / 48%
  Direct financial loss (wire transfer or invoice fraud)        30% / 17%
The figure also reports, for both years: loss of data/intellectual property, other malware infection(s), widespread network outage/downtime, advanced persistent threat, zero-day exploit, reputational damage, financial penalty (regulatory fine), and “I'm not sure.”
Benchmarks: Failure Rates, Reporting and Resilience

In addition to surveys and threat research, State of the Phish also compiles data from our phishing simulation tool to help identify areas of risk and areas for improvement. The first headline to note is that users continue to display a major vulnerability to, well, headlines. Trending topics from news or social media are often engaging and can cause people to ignore red flags. Beyond regularly targeting seasonal events like holidays and the tax deadline, threat actors moved quickly to adopt the COVID-19 pandemic as a favored lure subject. Cyber criminals are nimble and opportunistic, so security awareness programs should use real-world threat intelligence and be modelled on real-world lures. Our researchers even saw a campaign making use of the death of Queen Elizabeth II to distribute malware.

Template failure rates

Attackers are adaptive, so phishing simulations should cover a range of templates and themes to reflect the current landscape. In real-world terms, attacks using unsafe URL links are between three to four times as common as those containing attachments. So the current ratio of link and attachment templates needs rebalancing, especially as attachments still have an appreciably higher failure rate than links (though this has fallen by 4% since last year).

PHISHING SIMULATION BY THE NUMBERS:
- 135 million+ simulated phishing attacks sent by our customers in 2022, an increase of 39 million over the 2021 number (96 million).
- 410 million simulated phishing messages have been sent since we started counting.

Simulation type and frequency (share of simulations, 2022 / 2021)
  Link-based    66% / 65%
  Data entry    27% / 26%
  Attachment     8% /  9%

Average failure rates (2022 / 2021)
  Link-based    12% / 11%
  Data entry     4% /  4%
  Attachment    16% / 20%

Failure rates by industry

FAILURE RATE COMPARISON: Each industry represented in our failure rate comparison includes data from at least 20 organizations and at least 300,000 simulated phishing attacks.

Below are the industry average failure rates for phishing simulations. The data is in aggregate and contains all template types. Legal has the lowest overall failure rate, and electronics has the highest.

Failure Rates by Industry (2022 / 2021)
  Government             11% /  9%
  Healthcare             10% /  9%
  Legal                   8% / 11%
  Construction            9% / 12%
  Agriculture             8% / 12%
  Insurance              10% / 11%
  Manufacturing          10% / 10%
  Retail                 12% / 10%
  Transportation         10% / 11%
  Financial Services     10% /  9%
  Automotive              8% / 10%
  Education              10% / 10%
  Hospitality/Leisure    10% / 11%
  Telecommunications     12% / 11%
  Energy/Utilities       10% / 11%
  Engineering            11% /  9%
  Entertainment/Media    11% /  9%
  Business Services      12% / 12%
  Consulting             14% / 12%
  Food and Beverage      11% / 12%
  Technology             12% / 12%
  Mining                 13% / 12%
  Aerospace              13% / 12%
  Electronics            14% /  8%
  Real Estate            12% / 11%

Failure rates by department

Attackers are known to comb LinkedIn and other sources to find targets in departments with access to financial information and intellectual property. So, measuring failure rates by department is crucial to identifying and mitigating that risk. Among our customers, three-quarters of departments were involved in 474 campaigns, receiving 6,000 messages or more in 2022 with almost 800 different templates. This is a substantial increase over 2021 usage.

Unfortunately, the worst-performing functions were some of the most valuable: development, R&D, supply chain, legal and managerial groups shared the highest failure rates. Between them, these groups have access to valuable IP, contracts, invoicing and high-level credentials.

TARGETS OF OPPORTUNITY: Development, R&D, supply chain, legal and managerial groups shared the highest failure rates.

Failure Rates by Department (2022 / 2021; *new question for 2023 report, so 2022 only)
  Development*                13%
  Research and Development    12% / 10%
  Supply Chain                11% / 10%
  Management                  11% / 10%
  Legal                       11% /  9%
  Marketing                    9% / 11%
  Facilities                   9% /  9%
  Sales                        8% / 11%
  Finance                      8% / 10%
  Human Resources              9% / 10%
  Logistics                    9% / 11%
  Administrative Services      8% / 12%
  Project Management           8% / 12%
  Operations                   8% /  8%
  Audit                        7% /  6%
  Communications               9% /  8%
  Customer Service             8% / 12%
  Maintenance                  9% /  6%
  Production                  11% / 10%
  Quality                     10% /  9%
  Warehouse                   10% /  8%
  Accounting                  10% / 10%
  Engineering                 10% / 10%
  Purchasing                  10% /  9%
  Security                    10% /  9%
  Information Technology       9% / 11%

Template effectiveness

As we've seen, newsworthy topics are highly effective, both as real-world threats and simulation templates. Among the 10 most-used template themes in 2022, the failure rate for a COVID-19 lure was more than 50% higher than the next closest theme. COVID-19 was also represented twice in our list of “trickiest” themes, those with the highest failure rate regardless of how many times the template was used. Corporate internal communications/HR comms also appeared on the list multiple times. This suggests that employees are particularly vulnerable to messages alluding to disciplinary or other work-related issues that raise anxiety and reduce attention. Also surprising was people's tendency to fall for entertainment-themed attacks, where messages related to personal interests in sport or television landed in their corporate inbox. This perhaps reflects the reality of how often work email is used to sign up for personal accounts.

Most-used template themes: Subject / Failure Rate %
  Coronavirus: COVID Update                          17
  Cloud Services: DocuSign document for review       11
  Shipping: FedEx delivery failure                   11
  Microsoft: OneDrive contract shared                 7
  Email Account Alert: Email disconnect               7
  Email Account Alert: Undelivered email              6
  Email Account Alert: Queued email                   4
  Shipping: Amazon shipment                           2
  E-commerce/Retail: Amazon mismatch                  1

FAMILIAR FAKES: Microsoft was the most-used template category in phishing simulation campaigns in 2022, including subjects across Microsoft OneDrive, Teams, and O365 Auth.

Most of the simulated campaigns our customers ran used two or three templates, with the average being 2.4. This is slightly higher than last year. Threat actors change their email lures from day to day, so using more templates reduces the chance of a simulation becoming widely discussed and increases the accuracy of the test.

Trickiest template themes: Subject / Failure Rate %
  E-commerce/Retail: E-Gift card                                     27
  Entertainment: Squid Game's next season early access               25
  Banking/Financial Services: Purchase problems and funds removed    24
  Coronavirus: COVID data cases report                               23
  Travel: Room confirmation                                          23
  Corporate Communications: Dress code                               22
  HR: Code of Conduct, reported incident                             21
  Coronavirus: COVID list of infected users                          20
  Corporate Communications: Building evacuation plan                 20
  Entertainment: NBA Finals brackets                                 20
102、chase problems and funds removed24Coronavirus:COVID data cases report23Travel:Room confirmation23Corporate Communications:Dress code22HR:Code of ConductReported incident21Coronavirus:COVIDList of infected users20Corporate Communications:Building evacuation plan20Entertainment:NBA Finals brackets2025
Reporting and resilience

Reporting suspicious email is key both to defending against cyber attacks and to evaluating the effectiveness of an organization's security awareness efforts. Overall, reporting rates for simulated phishing increased to 17% (vs. 15% in 2021). Failure rates remained at 10%. From these two numbers we calculate a "resilience factor" (reporting rate divided by failure rate), which provides a quick way to gauge how resistant industries and departments are to attack.

Note: the failure rates below are a subset of the totals used previously, limited to customers who use our PhishAlarm in-client reporting tool.

average reporting rate 17% / average failure rate 10% = resilience factor 1.7

Last year the average resilience factor was 1.5, meaning that people have become slightly better at reporting and resisting attacks. This is reflected across all three template types:

Reporting rate by template type: 2022 / 2021
Link-based 17% / 16%
Data entry 19% / 17%
Attachment 19% / 18%

At industry level, there is a broad span of resilience scores, ranging from 3.4 in legal to 0.9 in education. While the relatively strong performance of high-stakes industries like financial services and energy is heartening, several critical pieces of infrastructure fall below average, including agriculture, healthcare and transportation. As ransomware attacks on healthcare services over the past few years have shown, the consequences of low cyber resilience in these organizations can be severe.

INDUSTRY REPRESENTATION: Each industry represented in our failure rate comparison includes data from at least 20 organizations and at least 300,000 simulated phishing attacks.

Reporting Rates by Industry: reporting rate (%) / failure rate (%) / resilience factor
Legal 24 / 7 / 3.4
Financial Services 26 / 10 / 2.6
Insurance 21 / 10 / 2.1
Energy/Utilities 22 / 11 / 2.0
Construction 16 / 9 / 1.8
Consulting 20 / 12 / 1.7
Government 15 / 9 / 1.7
Engineering 18 / 11 / 1.6
Agriculture 13 / 8 / 1.6
Manufacturing 15 / 10 / 1.5
Business Services 16 / 11 / 1.5
Aerospace 18 / 13 / 1.4
Technology 16 / 12 / 1.3
Healthcare 16 / 12 / 1.3
Automotive 13 / 10 / 1.3
Transportation 13 / 10 / 1.3
Telecommunications 14 / 11 / 1.3
Retail 12 / 10 / 1.2
Entertainment/Media 13 / 11 / 1.2
Real Estate 13 / 11 / 1.2
Food and Beverage 13 / 12 / 1.1
Electronics 14 / 14 / 1.0
Mining 12 / 13 / 0.9
Hospitality/Leisure 10 / 11 / 0.9
Education 9 / 10 / 0.9

Our PhishAlarm button is ultimately designed to let users report suspicious real-world messages, not just phishing simulations. Beyond giving security teams a way to measure user response, user-reported emails
are one of the signals that power our threat detection engines. In fact, we blocked an additional 75 million malicious messages in 2022 based on intelligence from user-reported attacks. Between them, those malicious messages contained:

47 million+ credential phishing emails
1.5 million+ emails containing malware
1.2 million+ banking Trojans
600,000 downloaders
260,000+ keyloggers and stealers that could lead to account compromise
680,000+ botnet malware

75 million malicious messages were blocked by Proofpoint as a result of user-reported suspicious emails.

Of course, not every reported email turns out to be malicious. So we also benchmark real-world reporting accuracy (the share of user-reported messages that turn out to be malicious) for customers who use our PhishAlarm report button. Notably, while education had the lowest resilience among named industries, its real-world reporting accuracy is highest.

Accuracy Rate by Industry
Education 42%
Legal 38%
Engineering 37%
Government 32%
Construction 32%
Business Services 31%
Insurance 31%
Consulting 31%
Real Estate 30%
Manufacturing 30%
Entertainment/Media 30%
Financial Services 30%
Electronics 28%
Technology 28%
Transportation 28%
Hospitality/Leisure 28%
Food and Beverage 27%
Automotive 27%
Telecommunications 27%
Aerospace 27%
Energy/Utilities 27%
Retail 26%
Agriculture 26%
Healthcare 26%
Mining 21%

Security Awareness: Insights and Opportunities

The majority of organizations covered by our surveys have security awareness programs. But most struggle to make them effective. In fact, 27% of respondents said that failure rates had remained the same even after introducing training. This is a big untapped opportunity. Time is already being dedicated to training, and, with a few key improvements, resilience and awareness could increase significantly. Almost every organization offers a training program of some sort, with
74% conducting formal security awareness training. So far, so good. But only 56% train everyone in the organization, a figure which hasn't improved much since last year. And while training is the foundation of security awareness, it can only do so much. As we've seen, the threat landscape moves fast. Threat actors are always innovating. An effective way to assess user vulnerability to new threats in a secure environment is to use phishing simulations drawn from real-world lures. But only 35% of organizations use simulations, down from 41% in 2021. Times are hard, and budgets are shrinking, but the cost of a breach makes skimping on security a risky trade.

98% of organizations had a training program of some sort, but...
Only 56% trained everyone in the organization, and...
Only 35% ran phishing simulations.

We asked respondents about their use of a range of training options:

Computer-based training 44%
In-person training 36%
Simulated phishing emails 35%
Newsletter or informative emails 34%
Virtual, instructor-led training 32%
Smishing and/or vishing simulations 32%
Internal chat channel 31%
Awareness posters or videos 29%
Contests and prizes 27%
Internal cybersecurity wiki 24%
Simulated USB drops 22%

In addition to regular, formal training, 79% of organizations offered training for people who fell for real-world or simulated phishing attacks, a six-point drop from last year. Overall, time given to training was low, with 80% of respondents saying their organizations only offered two hours or less per year.

When it comes to training topics, malware, email-based phishing and Wi-Fi security were the most covered subjects, followed by ransomware. This aligns with the results of our end-user survey, which found that malware, phishing and ransomware were the terms users were most likely to correctly define. Most
organizations say that they use threat intelligence to inform their training, though this wasn't something we found reflected in more specific questioning about content. And when it comes to aligning with top CISO concerns, only 23% of programs covered supplier risk. Likewise, only 31% cover BEC, despite this being the most financially damaging form of cyber crime.

Building a security culture

Finding the right balance between reinforcement and punishment is a perennial problem. Since last year, we've seen a few changes at both ends of the spectrum, with decreases in both the most lenient and the harshest actions for people who fail simulated or real-world attacks. Overall, 52% of organizations have formalized consequences in place for employees who interact with real or simulated attacks (55% in 2021). And 26% of those who don't have such a model in place say they are considering it or will implement one soon. About half of organizations say they won't discipline employees until they have failed at least three phishing tests.

Discipline Model for Employees: 2022 / 2021
Counseling from manager 49% / 60%
Counseling from information security team 53% / 59%
Disciplinary actions by HR (warning, probation) 50% / 45%
Impact to yearly performance review 46% / 52%
Removal of access to systems 36% / 35%
Monetary penalty 24% / 26%
Termination 14% / 18%

Weighing the impact of these consequence models, security professionals say they've seen good results. On the other hand, employees take a less
positive outlook:

Security professionals:
68% said consequences had increased end users' overall phishing awareness
90% think security is considered a top priority for their company
83% feel employees think security is a top priority at work
83% report feeling positive about the security culture at their organization

Employees:
50% complain about the consequence model
33% said cybersecurity is not a top priority of theirs at work
43% don't feel confident that their IT team will handle cybersecurity incidents
52% don't think their company's security tools will block all dangerous emails

The data shows an obvious discrepancy in perception between security teams and end users, which possibly hints at a lack of two-way communication. To build a strong, sustainable security culture, security teams need to do more than just measure how people respond to real and simulated threats. They also must understand how employees feel about the company's security culture and their place within it.

Taken together, the conflicting views of employees and security teams suggest that security culture is at a crossroads. But there is a way forward. With the right training and threat intelligence, employees can learn to understand the threat landscape and the dangers it poses. With a fair and thoughtful consequence and reward model in place, security teams can encourage and direct employees to embody the right security behaviors. And with strong executive sponsorship, company culture can reinforce the importance of protecting people and defending data.

Tangled View of Cybersecurity Priority: employee view / infosec belief of employee view
High priority 43% / 42%
Priority 24% / 41%
Somewhat priority 16% / 14%
Low/No priority 11% / 3%

Conclusions

As always, there is a lot to digest in this year's State of the Phish. And, even as we've tried to give benchmarks and show trends, the reality is that every company faces unique risks. Building a security awareness program tailored to the specific threats faced by your organization is a big challenge. But there's reason for optimism. 67% of security pros said that phishing failure rates have gone down since a security awareness program was implemented. And as our survey of end-user awareness shows, there is plenty of low-hanging fruit to push that number even higher. Our analysis suggests three distinct approaches that can help you seize the opportunity.

Reduce complexity by asking the right questions
Who in my organization is being attacked?
Where are the current defensive gaps?
What are my priorities to mitigate human risk?

Pair threat intelligence with organization-wide security awareness education

Identify which users are most likely to be targeted and who is most likely to succumb.
Match education, including phishing simulation and training, to threats currently circulating.
Tailor training and assessment for the most attacked users based on the threats targeting them.

Build a security culture that goes beyond training

Training is crucial but not sufficient. A strong workplace security culture will motivate users to take security more seriously and help them build sustainable security habits that extend to their personal lives. Measure the behavioral metrics that matter, and respond with appropriate and fair remediation.

ABOUT PROOFPOINT

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations' greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including 75 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at .

Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners.

LEARN MORE: To learn more about how Proofpoint provides insight into your vulnerability-, attack- and privilege-based user risks and helps you mitigate them with a people-centric cybersecurity strategy, visit .

0400-010-01-01