When it comes to securing their organizations, CISOs need to focus on the human in the loop.

Phishing, scam, hacker business concept in red and blue neon gradients. Man with fishing hook stealing key
Image: A Stefanovska/Adobe Stock

According to Proofpoint’s 2022 Human Factor report, 55% of U.S. workers admitted to taking a risky action in 2021. Twenty-six percent clicked an email link that led to a suspicious website, 17% accidentally compromised their credentials and only half were able to correctly identify the term phishing.

“The other part to this equation is that threat actors have gotten a lot better at employing social engineering in their attacks,” said Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy. “We see threat actors leverage real life events to solicit an immediate, emotional response, such as with the Ukraine conflict. We also see threat actors employ a combination of email, call centers and live interactions to sell the idea that the communication is legitimate.”

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

Key to the successful execution of these email-based phishing attacks is trust, the report said. More than ever, hackers today are using stolen credentials to not only gain access to networks and systems but also execute business email compromise and privilege escalation attacks.

“Over the past year, we’ve seen a growing trend of cybercriminals going to surprising lengths to develop rapport with victims before attempting to initiate an attack,” the report said.

Once an attacker gains the victim’s trust, usually by impersonating an executive within the organization, they then ask them to execute tasks such as transferring money or changing an invoice. In an average month, Proofpoint sees around 80,000 of these task-orientated malicious emails.

Another method hackers are using is called “thread-hijacking”. This is where an attacker, who is already lurking on someone’s email account, inserts themselves into an existing email conversation with a co-worker or business partner. Because the hacker is now part of a legitimate email thread, the victim is far more likely to open attachments, click on links or carry out some task the attacker asks them to do.

“Unlike a random, unknown address, a victim is more likely to believe an email is legitimate if it’s coming from their boss,” said Kalember. “We have seen these tactics employed to falsely solicit bank transfers and invoice payments, all because the request was coming from the email of a known employee from inside the organization.”

The report also found that:

  • Smishing attempts, where attackers use texts instead of email to lure victims, more than doubled in the U.S in 2021. CISOs should take note, given that 54% of respondents revealed they use their personal phones for work purposes.
  • Telephone-oriented attack delivery, where cybercriminals call victims directly to get them to call a bogus customer service number so operators can convince them to provide remote access to their computer or download malware, is on the rise. There were over 100,000 attempts to initiate telephone attacks every day of 2021.
  • 2021 was a banner year for ransomware, with 649 attacks reported to the FBI.
  • High-privilege users such as managers and executives make up only 10% of overall users within organizations but almost 50% of attack risk.
  • Over 80% of businesses are attacked by a compromised supplier account each month.
  • Over 90% of cloud tenants that Proofpoint monitors were targeted every month. A quarter of them were successfully hacked. Over the course of 2021, 63% of cloud tenants were successfully breached indicating that cloud account compromise is now a substantial and permanent part of the threat landscape.
  • Threat actors are weaponizing legitimate cloud and email services from Microsoft and Google to add legitimacy to their messages. Microsoft’s failure to address vulnerabilities in Active Directory, Office macros, PowerShell and other tools has allowed threat actors to easily compromise these systems once the victim has mistakenly clicked the wrong link or opened an attachment.
  • The threat from people within the organization is growing because cybercriminals are actively recruiting disgruntled employees. In exchange for a cut of the profits, the ransomware group Demonware tried to get employees to infect their own machines with ransomware.
  • Malicious links in emails are three to four times more common than malicious attachments today.

About the report

The report draws from a multi-trillion datapoint graph, one of the largest data sets in cybersecurity. Every day, Proofpoint analyzes more than 2.6 billion email messages, 49 billion URLs, 1.9 billion attachments, 28.2 million cloud accounts, 1.7 billion mobile messages and more.