Most companies in four Asia-Pacific countries have had to protect against phishing and ransomware attacks, with those infected in Australia being the most willing to pay ransomware demands.
Australians are also the most likely to be victims of such attacks, with 92% reporting phishing incidents and 90% reporting business email compromise attacks.
According to Proofpoint's State of the Phish report, another 86% and 80% have had to deal with ransomware and supply chain attacks, respectively. The poll covered 2,000 employees and 200 security professionals in Singapore, South Korea, Japan, and Australia.
Singaporeans experienced the next highest number of attacks, with 85% dealing with phishing incidents and 78% dealing with ransomware attacks. Another 72% reported business email compromise, with 46% reporting direct financial loss.
However, while Singapore reported the highest number of ransomware infections (68%), their Australian counterparts (58% of whom were infected) were more likely to cave to ransom demands when breached. In Australia, 90% admitted to making a payment at least once, compared to 71% in Singapore and 63% in South Korea. Only 18% of Japanese businesses paid at least one ransom, the lowest overall, while the global average was 64%.
The report notes that Japanese law forbids local businesses from transferring funds to organized crime, which may include cybercrime. According to Proofpoint, 64% of Japanese respondents reported a successful phishing attack, compared to the global average of 84%. The security vendor said this could be due to cybercriminals' lack of fluency in the local language, which makes it easier for Japanese employees to identify poorly worded phishing lures.
"Around the world, English is the language most used in phishing attacks, so businesses that don't conduct activities in English may receive some protection," the report noted. However, it highlighted that it might be less culturally acceptable in some countries to acknowledge they suffered a security breach, resulting in under-reporting.
In South Korea, 48% of the 72% who experienced ransomware attacks became infected. In Australia, 83% of the 96% who had cyber insurance said their insurer paid the ransom in full or in part. In Singapore, 90% of respondents reported having cyber insurance, with 95% reporting that their insurers paid the ransom in full or in part.
In South Korea, 82% had cyber insurance, while 74% and 72%, respectively, said their insurers covered the ransom payment in full or in part. Globally, 76% of organizations were targeted by ransomware, with 64% becoming infected. 82% of insurers stepped up to pay the ransom in full or in part for those who had a cyber insurance policy for ransomware attacks.
"While conventional phishing remains successful, many threat actors have shifted to newer techniques, such as telephone-oriented attack delivery and adversary-in-the-middle (AitM) phishing proxies that bypass multi-factor authentication," said Ryan Kalember, Proofpoint's executive vice president of cybersecurity strategy. "These techniques have been used in targeted attacks for years, but 2022 saw them deployed at scale. We have also seen a marked increase in sophisticated, multi-touch phishing campaigns, engaging in longer conversations across multiple personas. Whether it's a nation state-aligned group or a business email compromise actor, there are plenty of adversaries willing to play the long game."
The security vendor emphasized the significance of employee training and security awareness, especially as phishing attempts become more sophisticated.
"The awareness gaps and lax security behaviours demonstrated by employees create substantial risk for organisations and their data," said Jennifer Cheng, Proofpoint's Asia-Pacific Japan director of cybersecurity strategy. "While email remains the favoured attack method for cybercriminals, we've also seen them become more creative--using techniques much less familiar such as smishing and vishing. Since the human element continues to play a crucial role in safeguarding companies, there is clear value in building a culture of security that spans the entire organisation."