Successful phishing attacks decline but consequences get worse

A new report shows that 66 percent of organizations in the UK experienced at least one successful phishing attack in 2023 compared to 91 percent the previous year.

However, the study from Proofpoint shows the negative consequences of attacks have soared, with a 30 percent increase in reports of financial penalties, such as regulatory fines, and a 78 percent increase in reports of reputational damage.

The study, of 7,500 users and 1,500 security professionals worldwide, also shows that 71 percent of surveyed working adults admitted to taking risky actions, such as reusing or sharing a password, clicking on links from unknown senders, or handing over their credentials to an untrustworthy source. 96 percent of them did so knowing the inherent risks involved. The motivations behind risky actions are varied, with most employees citing convenience (48 percent), the desire to save time (40 percent), and a sense of urgency (22 percent) as their main reasons.

"Cybercriminals know that humans can be easily exploited, either through negligence, compromised identity or -- in some instances -- malicious intent," says Ryan Kalember, chief strategy officer, Proofpoint. "Individuals play a central role in an organization's security posture, with 74 percent of breaches still centering on the human element. While fostering security culture is important, training alone is not a silver bullet. Knowing what to do and doing it are two different things. The challenge is now not just awareness, but behavior change."

There's also a disconnect when it comes to responsibility. Globally while 85 percent of surveyed security professionals say that most employees know they are responsible for security, 59 percent of surveyed employees either weren’t sure, or claimed that they’re not responsible at all. Even though virtually all employees who took a risky action knew the inherent risks -- a clear indication security training is working to drive employee awareness -- there are clear disparities between what security professionals and employees think is effective to encourage real behavior change. Security pros believe that more training (83 percent) and tighter controls (81 percent) are the answer, but nearly all surveyed employees (94 percent) say they would prioritize security if controls were simplified and more user-friendly.

The full 2024 State of the Phish report is available from the Proofpoint site.

Image Credit: Maksim Kabakou / Shutterstock