22 very bad stats on the growth of phishing, ransomware

Email-based phishing attacks became a lot more successful in 2021 — and so did ransomware attacks, in terms of getting victims to pay the ransom demand, according to new stats from email security vendor Proofpoint.

The vendor’s new report — the 2022 State of the Phish — provides insights into what’s been happening with phishing, the sneaky email-borne attacks that often serve as the starting point for a ransomware incident. The report has new details to add on ransomware, too.

During 2021, “cybercriminals continued to target people, rather than infrastructure, with social engineering efforts,” said Adenike Cosgrove, cybersecurity strategist at Proofpoint, in an email to VentureBeat.

And notably, “cybercriminals were not only more active in 2021 compared to 2020, they were also more successful,” Cosgrove said.

Worsening trends

The report comes after a number of major cybersecurity firms have released data on just how bad things got last year when it came to cyberattacks.

For instance, SonicWall reported that the total number of ransomware attacks more than doubled in 2021 — jumping 105% during the year compared to 2020. CrowdStrike, meanwhile, disclosed that data leaks related to ransomware surged 82% in 2021, while the average ransom demand grew 36% to $6.1 million.

Today, it’s Proofpoint’s turn. The company’s findings are based on a survey of 600 security professionals and 3,500 workers in Australia, France, Germany, Japan, Spain, the United Kingdom and the U.S. — as well as data from simulated phishing attacks sent by Proofpoint and from customer reporting.

Below are 22 statistics from the report that stand out to me as the most significant for businesses.

The results of the survey on phishing and ransomware come as “employees are feeling burned out, emotionally drained and distracted,” Proofpoint says in the report. “Meanwhile, cyber attackers are as adept as ever. And they continue to use tactics and lures that resonate with employees and consumers alike.”

What follows are 22 troubling stats on the growth of phishing and ransomware, via Proofpoint’s 2022 State of the Phish report.

Phishing

• 1. Email-based phishing: 83% of organizations said they experienced a successful email-based phishing attack in 2021, versus 57% in 2020. That equates to a 46% increase in organizations hit with a successful phishing attack last year.
• 2. Bulk phishing: 86% of organizations faced bulk phishing attacks last year, up from 77% the year before. Bulk phishing is “indiscriminate, ‘commodity’ attacks in which the same email is sent to many people within an organization,” Proofpoint says.
• 3. BEC attacks: 77% of organizations faced business email compromise attacks in 2021, up from 65% in 2020. That represented an 18% increase in BEC attacks.
• 4. Spearphishing attacks: 79% of organizations saw spearfishing attacks — i.e., attacks targeting specific users — in 2021. That’s up from 66% the year before.

“Whether it’s ransomware, business email compromise, or a variety of other threat types, email remains the No. 1 channel for cybercriminals to steal data and siphon billions each year,” Cosgrove said. “Over 90% of targeted attacks start with email, and nearly all rely on human interaction to work — making people the new enterprise perimeter to defend.”

The focus on securing digital systems over the past several years means that attackers “have moved to combining social engineering lures via email with a variety of attack methods delivered via attachment or URL,” she said. “Many corporate users require email to do their job — and all it takes is one human to click a link in an office document that contains a malicious macro, and a downloader or other malware can be implanted on the target system.”

Smishing/vishing/social

• 5. Smishing: 74% of organizations faced smishing attacks in 2021, versus 61% in 2020. Smishing refers to attacks that primarily use SMS text messages as the communication method.
• 6. Vishing: 69% of organizations faced vishing attacks — which use phone calls or voice messages — in 2021. That’s up from 54% in 2020.
• 7. Social attacks: 74% of organizations experienced attacks via social media in 2021, compared to 61% in 2020.

These findings show that “while email remains a vector of choice for cybercriminals, they continue to use a multitude of methods to target employees,” Cosgrove said.

In particular, attackers capitalized on global news cycles and trends “to gain traction with those they were targeting,” she said.

As examples, Proofpoint researchers saw attackers using lures relating to new strains of COVID-19, the Netflix show “Squid Game,” popular social media profiles and movie streaming services. “Attackers are continually pivoting to using topics that will get the most clicks,” Cosgrove said.

Successful phishing attacks

Here are some of the consequences that organizations experienced in connection with successful phishing attacks (stats number 8-18 for this list):

• 54% experienced a breach of customer or client data
• 48% saw credential/account compromise
• 46% experienced ransomware infection
• 44% saw loss of data/intellectual property
• 27% were hit with malware other than ransomware
• 24% reported reputational damage
• 22% reported a widespread network outage/downtime
• 18% reported that an advanced persistent threat resulted
• 17% reported financial loss/wire transfer or invoice fraud
• 15% saw a zero day exploit
• 11% paid a financial penalty/regulatory fine

Ransomware

• 19. Email-based ransomware: 78% of organizations experienced email-based ransomware attacks in 2021. (Proofpoint didn’t disclose a comparable statistic for 2020.)
• 20. Ransomware infections: 68% of organizations were infected by ransomware in 2021, up from 66% in 2020. Nearly two-thirds of those organizations were hit by three separate ransomware infections, while nearly 15% of those experienced more than 10 separate ransomware infections.
• 21. Ransom payments: 58% of organizations infected with ransomware agreed to pay a ransom in 2021 — well above the 34% that did so in 2020. Of those, 32% had to make an additional ransom payment to regain access to their data/systems. And 4% of those who paid never were able to get access to their data and systems.

Awareness

• 22. When asked, “what is phishing?” — 53% of workers answered correctly in 2021, down from 63% the year before. The same question about smishing yielded correct answers 23% of the time (down from 31% in 2020), and vishing was answered correctly 24% of the time in 2021 (down from 30% the year before).

U.S. findings

In the U.S., Proofpoint data shows that workers are displaying behaviors in their day-to-day lives that could lead to attacks, Cosgrove said. Fifty-five percent of U.S. workers surveyed admitted to taking a risky action in 2021, including 26% that clicked an email link that led to a suspicious website, and 17% that accidentally compromised their credentials, she noted.

Additionally, 49% believe that their organization will automatically block all suspicious or dangerous emails — “illustrating a disconnect in the responsibility employees have on the overall security posture of their organization,” Cosgrove said.

However, the good news in the U.S. is that many organizations are tailoring their cybersecurity awareness training to keep pace with the threat landscape, according to Cosgrove. Sixty-seven percent of U.S. organizations are using phishing tests that mimic trending threats, compared to the global average of 53%, she said.

“While attackers are increasingly active – and successful – in their attacks, organizations are taking steps in shoring up their cyber defenses and keeping their people at the heart of this,” Cosgrove said.

Training ‘is working’

All 100% of U.S. organizations surveyed said they run a cybersecurity training program, and 64% say they assign cybersecurity training to all employees in the business, she said.

And crucially, “this approach is working, with 84% of U.S. organizations saying security awareness training has reduced phishing failure rates, the highest of any country surveyed,” Cosgrove said.

As another indicator, 40% of U.S. organizations reported a ransomware infection as a result of a successful phishing attack, less than the global average of 46%. And, 79% of survey respondents in the U.S. said their organization experienced at least one successful email-based phishing attack in 2021, compared to 74% in 2020. “While this is still an increase, it is less significant than what we saw across the global theater,” Cosgrove said.

Ultimately, “multilayered protection is the best strategy against phishing emails, with the most important principle being the placement of people at the center of the security strategy,” she said.

“It’s critical to understand which users are most targeted — which we refer to as very attacked people — and which of them are the likeliest to fall for the social engineering that phishing attacks rely on,” Cosgrove said. “Users are a critical line of defense against phishing — and its important security awareness education provides a foundation to ensure everyone can identify a phishing email and easily report it.”