Phishing

Phishing Trends Report (Updated for 2024)

Executive Summary

The biggest human cyber-risk is neglecting your humans. Through that fog of uncertainty, social engineers make billions by being better than the good guys at knowing what makes people tick and, accordingly, how to make them click. So, who's clicking on what, and why? And how accurately and quickly are employees reporting phishing threats? Categorized by geography, job role, phishing theme, and industry verticals, this report provides fresh insights into employee cyber behavior and the latest phishing tactics being used out in the wild. It reveals never-before-reported metrics and connections between the changing cybersecurity landscape, real employee threat detection, and their cybersecurity training. It also includes, for the first time, the element of speed, or dwell time, alongside real threat detection. Best of all? This report offers hope for security teams. The global averages of cyber behaviors after 1 year of Hoxhunt's security awareness training prove that good training indisputably improves behaviors and reduces human cybersecurity risk. People really can make a difference when it comes to preventing phishing attempts. Understanding where your greatest sources of human risk are lets you channel resources to the right people in the right place and at the right time.
"Cybersecurity is a team sport. The data from this report shows that we can build a strong security culture by creating a psychologically safe environment where individuals are rewarded for success and coached on mistakes. A collective effort encourages users to feel personally responsible for security and fortifies an organization's cyber defenses."
– Petri Kuivala, CISO Advisor to Hoxhunt & Former CISO of Nokia and NXP

Report methodology & key terms

This report is based on data collected from 15 million Hoxhunt phishing simulations, and millions of real reported malicious emails, sent to 1.6 million users in 125 countries. As a result, it offers statistically significant results that security leaders and CISOs can pull insights from to shape their cyber security training programs and secure the budget they deserve.

To effectively explore this report, you'll need to be familiar with the following terms:
Success rate: Correctly reporting a phishing simulation
Miss rate: Neglecting to report or click a phishing simulation
Real cyber threat detection: Reporting a real phishing email
Failure rate: Clicking a phishing simulation link
Dwell time: Time between receiving and reporting a phishing email
Onboarded: Enrolled in the Hoxhunt program
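The following is an added example (not Hoxhunt code or data) that computes the report's three outcome rates and the dwell-time metric from constructed simulation records. Each simulation sent to a user yields exactly one outcome: success (reported), failure (clicked) or miss (neither); the assumption that a click still counts as a failure when the user reports afterwards is ours, not the report's.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# Constructed record format (not Hoxhunt's): one row per user per simulation.
# Timestamps are None when that event never happened.
@dataclass
class SimResult:
    user: str
    received: datetime
    reported: Optional[datetime] = None
    clicked: Optional[datetime] = None

def classify(r: SimResult) -> str:
    """Map a record onto the report's three outcomes.
    Assumption: a click is a failure even if the user reports later,
    because the link was already followed."""
    if r.clicked is not None:
        return "failure"
    if r.reported is not None:
        return "success"
    return "miss"

def rates(results):
    """Success, miss and failure rates as fractions of all simulations sent."""
    counts = {"success": 0, "miss": 0, "failure": 0}
    for r in results:
        counts[classify(r)] += 1
    return {k: v / len(results) for k, v in counts.items()}

def median_dwell_minutes(results):
    """Dwell time: receive-to-report delay, measured over successes only."""
    dwell = [(r.reported - r.received).total_seconds() / 60
             for r in results if classify(r) == "success"]
    return median(dwell) if dwell else None

# Constructed sample: five users receive the same simulation at T0.
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE = [
    SimResult("a", T0, reported=T0 + timedelta(minutes=4)),
    SimResult("b", T0, reported=T0 + timedelta(minutes=30)),
    SimResult("c", T0, clicked=T0 + timedelta(minutes=2),
              reported=T0 + timedelta(minutes=3)),   # clicked, then reported
    SimResult("d", T0),                               # ignored entirely
    SimResult("e", T0, reported=T0 + timedelta(hours=2)),
]

if __name__ == "__main__":
    print(rates(SAMPLE))                 # success 0.6, miss 0.2, failure 0.2
    print(median_dwell_minutes(SAMPLE))  # 30.0
```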

Another key development is the use of blockchain technology to track and trace illegal transactions. Blockchain’s transparent and immutable ledger makes it possible to track the movement of cryptocurrency transactions on the dark web, which has become the preferred method of payment for illegal goods and services. In the future, monitoring platforms will integrate blockchain analytics to map criminal networks, expose illicit markets, and assist in the identification of criminal actors.

What are the current trends in phishing attacks?

To understand the impact of security awareness & phishing training, we first need to look at the macro trends. What phishing techniques are the most pervasive right now?

Business email compromise (BEC)
A staggering 64% of businesses report facing BEC attacks in 2024, with a typical financial loss averaging $150,000 per incident. These phishing attacks frequently target employees with access to financial systems, mimicking executives or trusted contacts.

Credential phishing
Around 80% of phishing campaigns aim to steal credentials, particularly targeting cloud-based services like Microsoft 365 and Google Workspace. With the growing reliance on cloud platforms, cyber attackers leverage realistic fake login pages to deceive users.

HTTPS phishing
An increasing number of phishing sites now use HTTPS to appear legitimate. In 2024, approximately 80% of phishing websites feature HTTPS, complicating detection for users.

Voice phishing (vishing)
Vishing attacks are growing in prevalence, with 30% of organizations reporting instances where threat actors used fake calls to impersonate officials or executives.

Quishing (QR code phishing)
QR code phishing attacks (quishing) increased by 25% year-over-year, as attackers exploit physical spaces like posters or fake business cards to lure victims.

AI-driven attacks
AI is powering phishing attacks, with deepfake impersonations increasing by 15% in the last year. These attacks often target high-value individuals in finance and HR.

Multi-channel phishing
Attackers are increasingly exploiting platforms like Slack, Teams, and social media. Around 40% of phishing campaigns now extend beyond email, reflecting a shift to these channels.

Government agency impersonation
Phishing emails mimicking government bodies such as the IRS or international tax agencies have increased by 35%. These often involve claims about overdue taxes or fines.

Phishing kits
The availability of ready-to-use phishing kits on the dark web has risen by 50%, enabling less sophisticated attackers to deploy high-quality phishing schemes.

Brand impersonation
Attackers frequently impersonate well-known brands like Microsoft, Amazon, and Facebook, leveraging user trust. For example, over 44,750 phishing attacks specifically targeted Facebook by embedding its name in domains and subdomains over the past year.

Governments and law enforcement agencies may argue that these advanced monitoring techniques are necessary for combating terrorism, cybercrime, and trafficking. However, there is a risk that surveillance could overstep boundaries, leading to violations of privacy and the potential for unwarranted surveillance of innocent individuals. In some cases, innocent people might be caught in the crossfire of these monitoring systems due to the high degree of data scraping involved.

Furthermore, there are ethical dilemmas surrounding the use of data collected from the dark web. When monitoring systems identify potential threats, they often gather sensitive data such as usernames, email addresses, and transaction details. The question arises as to how this data should be handled—whether it should be shared with law enforcement agencies, private corporations, or individuals. The ethical implications of monitoring extend to the potential for misuse of this data, especially in cases where information is not used for criminal investigations but for purposes of marketing, personal surveillance, or even social engineering.

Implications for Cybersecurity and Law Enforcement

Dark web monitoring plays a crucial role in strengthening cybersecurity by identifying potential breaches before they manifest in the real world. As cyberattacks grow in sophistication, cybercriminals are increasingly using the dark web to trade stolen credentials, malware, and ransomware tools. In 2025, we can expect dark web monitoring to be a standard component of cybersecurity strategies, not just for government agencies, but for private companies as well.

By monitoring discussions and transactions on dark web forums, companies can gain insight into emerging threats that could impact their networks. For instance, the sale of a zero-day exploit or the exchange of corporate data stolen from a particular company could serve as a warning sign for imminent cyberattacks. Additionally, businesses can use dark web monitoring to identify data leaks or breaches involving their customers, allowing them to take immediate action to mitigate the damage.

Law enforcement agencies will continue to use dark web monitoring as a tool to track down cybercriminals, uncover illicit markets, and dismantle illegal organizations operating on the dark web. As governments and law enforcement agencies grow more proficient in using AI and machine learning to identify criminals, they will increasingly be able to monitor and track the movement of illegal goods and services more efficiently. This could lead to greater accountability in the fight against cybercrime, human trafficking, and drug trade. However, the increasing effectiveness of dark web monitoring could also lead to concerns about government overreach and the potential for civil rights violations.

Security training performance by industry

Different industries are attacked at varying levels of intensity. This is likely due to malicious actors seeking a high ROI on their attacks. Industries that yield the most profit with the least effort for a cyberattack, perhaps due to a lower level of security maturity and poorly trained employees, will look like easy prey. The table below shows the highest and lowest performing industries based on Success, Miss, and Failure rates, sorted from highest Success rate to lowest.

Trends by industry

Manufacturing & construction is the most targeted vertical (over 300,000 attacks per organization in 2023), whereas the tourism industry seems to interest attackers the least (less than 500 attacks per organization in 2023). The high threat reporting activity in the financial services (61%) and utilities (50%) sectors is encouraging and, respectively, 100% and 66% higher than the lowest performing industry, Retail (30%). This may be due partly to there being more computer-based work in Finance and Utilities than in Retail, along with a stronger security culture in sectors that have long been prime targets for bad actors. Also note the poor success rate in Pharma & Healthcare, an industry particularly challenged by phishing and a very busy workforce. Meanwhile, the Retail and Logistics sectors' low failure rates are offset by their low success rates and high miss rates, indicating higher uncertainty in human cyber security risk. Pharma and healthcare's second-highest miss rate (54%) is concerning given the FBI's IC3 report naming it as the critical infrastructure sector that's most breached by ransomware, and that it has experienced the costliest average data breaches for 13 years in a row (IBM Cost of a Data Breach). At $10.93 million, healthcare is almost double the number two sector, Finance, at $5.9 million, and over twice the next sector, Pharma, at $4.82 million.

Conclusion

While the stats and trends around the threat landscape and human cyber risk are typically grim, this report offers hope. It indicates that, regardless of employee industry, background, or location, risk can be reduced with ongoing participation in a gamified, adaptive training program. The importance of connecting and revealing dwell time and threat detection from the training to the real world context can’t be overstated. We equate risk with real threat detection. A threat report reduces risk more than any other action. The faster it is submitted and responded to, the less damage the social engineering attack will cause. The correlation between success rates and miss rates further validates findings by Hoxhunt that engagement is the key metric for tracking and unlocking resilience. Inactive employees aren’t learning or reinforcing secure behaviors, so misses are more likely to become phishes. The variations between the different user cohorts’ phishing outcomes underscore the need for tailored training and targeted interventions based on risk profiles. By knowing our people, we can keep ourselves safer from the bad guys.
