Despite being one of the oldest tricks in the book, email attacks are still one of the most popular and effective forms of cybercrime, according to new research.
The latest edition of Proofpoint's annual "State of the Phish" report also revealed that these attacks are closely watched by ransomware, a devastating form of malware whose popularity still shows no signs of slowing down.
Based on company telemetry (more than 18 million emails reported by end users; 135 million simulated phishing attacks in a year), plus a survey of 7500 employees and 1050 security professionals worldwide, the report found that nearly half (44%) of employees would trust an email with a "family brand," while nearly two-thirds (63%) think an email address always matches the website or brand correspondent.
Work email compromised
Knowing this, it's no surprise that three-quarters of the global companies included in the study reported a business email compromise (BEC) attack in the past year. Most of the time, attackers take advantage of English-speaking companies, but non-English-speaking ones are also beginning to experience higher attack volumes, the researchers said.
Ransomware is also a big threat, according to the newspaper. Globally, more than three-quarters (76%) experienced such an attack in the past year, and two-thirds (64%) were victims of it. About half (52%) regained access to their data after paying the ransom.
Perhaps the most surprising finding of the report is that, even today, basic cyberthreats are not well understood. Many respondents were unable to correctly define malware, phishing, or ransomware. Additionally, only half (56%) of global companies with a security awareness program train their staff on cybersecurity best practices, and only a third (35%) run phishing simulations.
This lack of awareness is also the weakest link in the cybersecurity chain, experts say.
“Awareness gaps and lax security behaviors exhibited by employees create substantial risk to organizations and their data,” said Adenike Cosgrove, vice president, cybersecurity strategy, EMEA Proofpoint. "As email remains the attack method of choice for cybercriminals, and they use techniques far less familiar to employees, there is clear value in creating a culture of security that spans the entire organization."