- Nearly three-quarters of U.S.-based companies said they were victims of a successful phishing attack in 2020, up 14% year over year, according to Proofpoint's 2021 State of the Phish report released Sunday. About 3,500 employed adults and 600 IT security professionals globally participated in a third-party survey for the report.
- Sixty-eight percent of U.S. companies paid a ransom, which is twice as many as the global average. Thirty-two percent of global companies agreed to pay additional ransom demands last year, an increase from only 2% in 2019.
- Following a successful phishing attack, the primary consequence for 61% of respondents was mandated counseling with an information security team member, followed by counseling with their manager (54%) and impacting the end-of-year employee review (52%).
Cybercriminals leverage crises and emotion in phishing campaigns. The pandemic, vaccines, social injustice and the presidential election, all provided hackers an endless supply of phishing material last year.
Almost half of companies which reported phishing attacks experienced a ransomware infection, according to Proofpoint.
The National Cyber Investigative Joint Task Force (NCIJTF) advises companies to keep their routine backups offline and use multifactor authentication for combating ransomware. The task force also discourages organizations from paying ransoms as there's no guarantee on the return of data.
Cybercriminals asking for additional ransom payments skyrocketed 320% in 2020, but those who paid an additional demand were also less likely to regain access to their data, according to Proofpoint.
Dissuading organizations from paying a ransom by threatening potential sanctions, "may be just vague enough to help organizations justify the idea of making a payment," said Gretel Egan, senior security awareness and training strategist for Proofpoint. Though it "will be interesting to see how the advisory might influence responses from U.S. infosec professionals in our next survey."
The reason so many more companies chose to pay ransoms last year is up to speculation, said Egan, however the threat of extortion, leaked data or lack of preparedness all factor into the decision to pay a ransom.
Employee training will take precedence in avoiding successful phishing schemes. The majority of U.S. workers (63%) are familiar with the term "phishing," however 34% of U.S. respondents perceive emails with "familiar logos" as safe.
The most common themes in phishing tests include Microsoft Teams requests, COVID-19 advisory alerts and expired Office 365 password notifications.
Employees that fall victim to a real or simulated scheme, or who are "repeat offenders," are punished by more than half of the surveyed companies. In the U.S., 82% of respondents say they punish repeat offenders.
"Company culture and even regional culture are likely to factor heavily in an organization's approach … When it comes to this topic, we don't feel there is necessarily a typical approach," said Egan.
However, because BEC attacks focus on fewer and more privileged users, they are harder to detect. At least 65% of companies experienced BEC attempts last year, according to Proofpoint. Users subject to BEC attacks require extra attention and training.