Dive Brief:
- Nearly one-third of companies lost money following a phishing attack in 2022, Proofpoint research found.
- The 76% year-over-year increase in phishing attacks resulting in a wire transfer or invoice fraud reflects threat actors’ resolve to narrow their scope and steal money more quickly, according to Proofpoint’s annual State of the Phish report released Tuesday.
- “We saw a significant jump in the direct financial loss,” said Sara Pan, team manager of product marketing at Proofpoint. “What that really implies is that we’re seeing attackers being more impatient and really wanting to claim their trophy right after a successful phishing attack.”
Dive Insight:
The financial losses linked to phishing attacks underscore threat actors’ ability to refine social engineering tactics to achieve their primary objective.
More than 4 in 5 organizations experienced at least one successful phishing attack in 2022, Proofpoint research found. More than half confronted at least three attacks.
The three most common consequences of phishing attacks in 2022 were data breaches, ransomware infections and account compromise.
Telephone-based phishing attacks, which involve direct interaction between the threat actor and target, were observed by Proofpoint at an average of 300,000 to 400,000 per day.
“That really tells us that attackers have skilled up complex techniques” to go beyond email and incorporate call centers or text messages, Pan said. “Attackers are getting more creative at their attack tactics.”
Proofpoint also highlighted a range of methods threat actors are using to bypass multifactor authentication, a security control often enabled by enterprises to prevent account takeover.
Newer off-the-shelf phishing kits with adversary-in-the-middle toolkits that use a reverse proxy allow threat actors to render MFA moot.
“Instead of directing users to a fake phishing website, they’re actually presenting the legit website to the end users but at the same time those toolkits can gather a lot of information, including all the credentials that bypass MFA,” Pan said.
Telephone-based and adversary-in-the-middle phishing attacks were deployed at scale in 2022 and at high enough levels to threaten most organizations, the report found.
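The reverse-proxy bypass Pan describes works because a password and a one-time code carry no information about which page the user typed them into, so a proxy that forwards them verbatim looks exactly like the user. The simulation below is an added illustration, not code from the report or from any phishing kit: it models a site that accepts either password-plus-OTP or an origin-bound assertion (a stand-in for a WebAuthn/FIDO2 authenticator, here using HMAC in place of a public-key signature), and shows that relaying through a look-alike origin succeeds against the first method and fails against the second. All hostnames, secrets and the fixed OTP "time step" are constructed.

```python
import hashlib
import hmac
import json

# Constructed hostnames for the illustration (not from the report).
LEGIT_ORIGIN = "https://login.example.test"
PROXY_ORIGIN = "https://login.example-secure.test"  # look-alike host fronting a reverse proxy

# Toy stand-in for a TOTP time window so the code is deterministic.
TIME_STEP = b"step-0001"


def current_otp(otp_secret: bytes) -> str:
    """Six-digit code derived from the shared seed; the same value whoever submits it."""
    digest = hmac.new(otp_secret, TIME_STEP, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class RelyingParty:
    """The legitimate site. Holds each user's password, OTP seed and device key."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}

    def register(self, user: str, password: str, otp_secret: bytes, device_key: bytes) -> None:
        self.users[user] = {"pw": password, "otp": otp_secret, "key": device_key}

    def login_with_otp(self, user: str, password: str, otp: str) -> bool:
        # Nothing in a password + code says which origin the user typed it into, so a
        # proxy that forwards both unchanged is indistinguishable from the real user.
        u = self.users[user]
        return u["pw"] == password and hmac.compare_digest(otp, current_otp(u["otp"]))

    def login_with_origin_bound(self, user: str, assertion: dict) -> bool:
        # The device signs the origin the browser was actually on; the site checks the
        # signature AND that the signed origin is its own.
        u = self.users[user]
        signed = json.dumps(assertion["client_data"], sort_keys=True).encode()
        expected = hmac.new(u["key"], signed, hashlib.sha256).hexdigest()
        return (hmac.compare_digest(expected, assertion["signature"])
                and assertion["client_data"]["origin"] == LEGIT_ORIGIN)


class Authenticator:
    """Origin-bound device; HMAC stands in for the authenticator's private-key signature."""

    def __init__(self, device_key: bytes) -> None:
        self.key = device_key

    def sign(self, challenge: str, browser_origin: str) -> dict:
        client_data = {"challenge": challenge, "origin": browser_origin}
        signed = json.dumps(client_data, sort_keys=True).encode()
        return {"client_data": client_data,
                "signature": hmac.new(self.key, signed, hashlib.sha256).hexdigest()}


def attempt_logins(browser_origin: str) -> dict[str, bool]:
    """Run both login methods with the browser on `browser_origin`.

    Whatever the browser submits is forwarded unchanged to the real site, which is what
    a reverse-proxy kit does, so the proxy is modelled simply as a different origin.
    """
    rp = RelyingParty()
    otp_secret, device_key = b"otp-seed-constructed", b"device-key-constructed"
    rp.register("alice", "correct horse", otp_secret, device_key)
    device = Authenticator(device_key)

    # Method 1: password + OTP. The user reads the code off a phone and types it into
    # whichever page they are looking at; the site cannot tell the difference.
    otp_ok = rp.login_with_otp("alice", "correct horse", current_otp(otp_secret))

    # Method 2: origin-bound assertion. The browser, not the user, supplies the origin.
    assertion = device.sign(challenge="nonce-from-site", browser_origin=browser_origin)
    bound_ok = rp.login_with_origin_bound("alice", assertion)

    # Editing the origin field after the fact does not help either: the signature
    # covers it, so the site sees a mismatch unless the origin was already its own.
    rewritten = dict(assertion, client_data=dict(assertion["client_data"], origin=LEGIT_ORIGIN))
    rewritten_ok = rp.login_with_origin_bound("alice", rewritten)

    return {"otp": otp_ok, "origin_bound": bound_ok, "origin_rewritten": rewritten_ok}


if __name__ == "__main__":
    print("direct :", attempt_logins(LEGIT_ORIGIN))  # every method succeeds
    print("proxied:", attempt_logins(PROXY_ORIGIN))  # OTP still succeeds; origin-bound does not
```

The practical reading for defenders is the one the report implies: code-based MFA still stops password-only attacks, but it does not protect against an adversary-in-the-middle kit, whereas a factor that binds the origin into what it signs does, because the only origin the browser will attest to is the proxy's.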
Proofpoint’s report was drawn from surveys of 7,500 professionals and 1,050 security professionals across 15 countries in August.