Enterprise organizations appear to be falling even further behind in their battle against phishing threats despite heightened awareness of the problem and efforts to curb it.

A new study shows that in 2021 more organizations experienced at least one successful email-based phishing attack than the year before. There were also more opportunistic and targeted phishing attacks last year compared with 2020, as well as phishing attacks involving ransomware and business email compromise (BEC).

Researchers from Proofpoint recently analyzed data from a survey of 600 IT and security professionals and another survey of 3,500 employees from seven countries, including the US, UK, France, Germany, and Australia. The researchers also analyzed data gathered from some 100 million simulated phishing attacks and more than 15 million emails that end users at Proofpoint's customers reported as being suspicious.

The study shows that in 2021, 83% of organizations experienced a successful email-based phishing attack in which a user was tricked into risky action, such as clicking a bad link, downloading malware, providing credentials, and executing a wire transfer. That number is a startling 46% increase over 2020.

Seventy-eight percent of organizations experienced a ransomware attack in which a phishing email was the initial infection vector. Seventy-seven percent reported a phishing-related BEC incident — an 18-point increase from 2020. Overall, 12% more organizations reported being victims of an indiscriminate or opportunistic phishing attack, while organizations reporting more targeted spear-phishing and BEC attacks went up 20%.

"Cybercriminals continued to target people, rather than infrastructure, with social engineering efforts," says Gretel Egan, senior cybersecurity awareness training specialist at Proofpoint. "Attackers capitalized on global news cycles and trends to gain traction with those they were targeting."

As examples, she points to attackers using lures related to new strains of COVID-19, the popular Netflix show Squid Game, and one campaign in which Iranian threat actor TA456 used an alluring persona named "Marcella Flores" to infect the computer of a defense contractor employee. "And that’s just the tip of the iceberg. Attackers are continually pivoting to using topics that will get the most clicks," Egan says.

Proofpoint's study is further confirmation of what several others have reported on the severity of the phishing threat for enterprise organizations. A recent study that the Identity Theft Resource Center (ITRC) conducted shows phishing to be one of the primary data-breach causes at many organizations in 2021. According to the ITRC, 537 out of 1,613 publicly disclosed breaches in 2021 — or one-third — involved phishing, smishing, or BEC. In a survey that Dark Reading conducted last year, 69% of respondents said their organizations had experienced at least one phishing attack over the previous 12 months.

The accelerated shift to hybrid work environments that the COVID-19 pandemic triggered in 2020 played a big role in the increased phishing activity last year. Eighty-one percent of organizations in Proofpoint's survey had more than half their employees working out of their homes either full-time or on a part-time basis. Many of these workers relied heavily on collaboration and social media tools — including public, consumer-facing ones — to stay connected to and engaged with their co-workers.

These trends opened the door even wider to phishing, malware, and other threats, Egan says. In many campaigns, threat actors employed not just email-based phishing but also phishing lures sent via chat messages, phone calls, and direct messages, Egan adds.

Troubling Decline
Proofpoint's study shows what appears to be a somewhat troubling decline in awareness of phishing threats and how to respond to them among workers. Only 53% of respondents in Proofpoint's 2021 survey, compared with 61% the previous year, correctly identified the definition for phishing in a multiple-choice question; 23% in Proofpoint's 2021 survey knew what "smishing'" was, compared with 31% in 2020, and only 24% demonstrated knowledge of the term 'vishing," compared with 30% a year ago. Forty-two percent admitted to clicking on a malicious link or performing some action that exposed their personal data and login credentials or resulted in malware being downloaded on their system.

Employees were not the only ones at fault. Though more than eight in 10 organizations have most employees working out of home at least on a part-time basis, only 37% of them educated workers about best practices for working safely from home. Somewhat encouragingly, though, many US organizations (67%) used phishing tests that mimic trend threats, compared with 53% on average globally, Egan says.

Proofpoint observed continued focus on brand abuse and abuse of legitimate services. In the first half of 2021, for instance, there was a marked increase in the abuse of Microsoft and Google infrastructures, which were used to host and send threats across Microsoft 365, Microsoft Azure, Google Workspace, and Firebase storage environments, Egan notes.

Egan says infosec and IT professionals generally had a more positive view of employee commitment to cybersecurity than workers themselves. Employees, meanwhile, described cybersecurity as being a high priority for themselves but perceived it as being a low-priority item for their organization. "Here's a point we found borderline alarming: 35% of infosec and IT professionals surveyed did not classify cybersecurity as a high priority for their organization," Egan says.