9 in 10 data breaches due to phishing attacks aimed at employees: survey

Employers urged to train staff in identifying, reporting malicious emails

Nine in 10 data breaches in 2023 originated from phishing attacks targeting employees, as Secure Email Gateways (SEGs) struggle with more sophisticated phishing campaigns.

An SEG is a form of email security technology that adds another layer of protection from spam and malicious emails to prevent them from reaching a user's inbox, according to Cofense.

But Cofense's 2024 Annual State of Email Security report found that SEGs are finding it hard to keep up with evolving phishing campaigns: the report recorded a 104.5% increase in the number of malicious emails bypassing SEGs.

The healthcare and finance industries remain the top targeted industries, with increases in malicious emails bypassing SEGs at 84.5% and 118%, respectively, according to the report.

"The data we present in this report speaks directly about the escalating sophistication of cyber threats, which demand a different approach to effective email security," said David Van Allen, CEO of Cofense, in a statement.

Major cyber threats

Credential phishing emerged as a top threat vector in 2023, with a 67% increase in volume compared to the year prior.

"This sophisticated form of attack often involves convincing individuals to give up their login information or other sensitive data, which can then be used to gain access to secure systems and networks," the report read.

The use of QR codes in phishing campaigns is also "rapidly increasing," according to the report, as are vishing, smishing, and brand impersonation tactics.

"It's evident that the email-based attack vector is evolving at an unprecedented pace going into 2024," Van Allen said.

Amid growing threats, the report advised that organisations should no longer settle for "good enough" email security.

"With the increasing frequency and severity of email attacks, it is essential to train your employees to identify and report malicious emails, while deploying industry-leading solutions to identify and remediate threats that are actively bypassing SEGs," the report read.