• by Ray Schultz , Columnist, February 22, 2022

People must be afraid to open their emails. Business email compromise (BEC) attacks increased by 18% in 2021 YoY — victimizing many users, according to Proofpoint’s State of the Phish report released Tuesday. 

Of the firms studied, 78% saw email-based ransomware attacks and 77% faced BEC assaults last year. 

Moreover, 83% suffered at least one successful phishing attempt, up from 57% in 2020. And 68% of organizations faced at least one ransomware infection stemming from a direct email payload, second-stage malware delivery, or other exploit, the study notes. 

Also occurring at this time was an increase in the number of employees working at home due to the COVID-19 pandemic. Of the firms polled, 81% report that more than half their employees are working remotely either full- or part-time. But only 37% educate workers about best security practices for remote working, resulting in major lapses. 

Case in point: While 97% of workers have a home Wi-Fi network, only 60% say their network is password-protected.

The damage is severe in some cases. Almost 60% of firms infected with ransomware paid a ransom. And 32% paid additional ransom sums to regain their data and systems, while 54% had access restored after the first payment. But 4% never saw access, even after paying. 

Another 10% refused to pay additional ransom demands and thus surrendered their data. 

Even when properly trained, employees are bound to avoid opening any emails when working, including those from legitimate brands. This could have a severe impact on email marketing response. 

Of the workers polled, 42% took a dangerous action, including clicking a malicious link, downloading malware or exposing their personal data or login credentials. 

In addition, 56% of those with access to an employer-issued laptop, smartphone, tablet or other device allowed friends and family to use it for shopping, playing games and streaming media. 

And strangely, only 53% could correctly define the term “phishing” in a multiple-choice quiz, down from 63% in the prior year., while 63% recognized the definition of malware, versus 65% in 2020. 

What’s more, a mere 23% identified the definition of the term “smishing,” compared to 31% in the previous year. 

Only ransomware had greater name recognition, although it isn’t saying much — from 33% to 36% YoY. 

 “As email remains the favored attack method for cyber criminals, there is clear value in building a culture of security,” says Alan Lefort, senior vice president and GM of security awareness training for Proofpoint.  

Lefort adds that, in this evolving threat landscape, “it is critical that organizations empower their people and support their efforts to learn and apply new cyber skills, both at work and at home.”

Proofpoint surveyed 600 information and IT security professionals and 3,500 workers across the U.S., Australia, France, Germany, Japan, Spain, and the U.K. 

In addition, the firm has analyzed data from almost 100 million simulated phishing attacks sent by Proofpoint customers to their employees during a one-year period, and 15 million emails reported via the firm’s PhishAlarm reporting button.