2024 Phishing Report
proofpoint.com

2024 State of the Phish
Risky actions, real-world threats and user resilience in an age of human-centric cybersecurity

REPORT

INTRODUCTION

Imagine a successful cyberattack against your organization. What does it look like? Maybe it involves a fiendishly clever piece of social engineering—a convincing lure that catches the recipient off guard. Or maybe it would take a smart technical exploit to get past your defenses. But in reality, threat actors don’t always have to try that hard. Often, the easiest way to breach security is to exploit the human factor.

People are a key part of any good defense, but they can also be the most vulnerable. They may make mistakes, fall for scams or simply ignore security best practices. According to this year’s State of the Phish survey, 71% of working adults admitted to taking a risky action, such as reusing or sharing a password, clicking on links from unknown senders, or giving credentials to an untrustworthy source. And 96% of them did so knowing that they were taking a risk.

When obliged to choose between convenience and security, users pick the former almost every time. So, what can organizations do to change this? In this report we’ll take a closer look at how attitudes towards security manifest in real-world behavior, and how threat actors are finding new ways to take advantage of our preference for speed and expedience. We’ll also examine the current state of security awareness initiatives, as well as benchmarking the resilience of people and organizations against attack.

The foundation of this report is a survey of 7,500 end users and 1,050 security professionals, conducted across 15 countries. It also includes Proofpoint data derived from our products and threat research, as well as findings from 183 million simulated phishing messages sent by our customers over a 12-month period and more than 24 million emails reported by our customers’ end users over the same period.
TABLE OF CONTENTS

Key Findings
Security Behaviors and Attitudes
    End-user behavior and attitudes
Security Awareness Trends
    Current state of security awareness
    Areas for improvement
The Threat Landscape
    Threat prevalence
    Growing threats: TOAD, MFA-Bypass, QR codes and generative AI
    BEC attacks benefit from AI
    Microsoft remains most-abused brand
    Ransomware still a major concern
    Attack consequences
Organizational Benchmarks
    Industry failure rate
Conclusion

KEY FINDINGS

69% of organizations were infected by ransomware.

Over 1 million attacks are launched with MFA-bypass framework EvilProxy every month, but 89% of security professionals still believe MFA provides complete protection against account takeover.

71% of users took a risky action and 96% of them knew they were doing something risky.

66 million BEC attacks were detected and blocked on average per month by Proofpoint.

of users who took risky actions eng
2024 Phishing Report, click to download. The report is in PDF format, 1.42 MB in size and 29 pages long; you are welcome to download it.



