- The number of people clicking on links in phishing attacks tripled in one year
- The new Netskope report argues that this is because threat actors have evolved their tactics.
- Cloud applications remain the number one target
The number of workers clicking on phishing links saw a significant increase in 2024, putting businesses of all sizes at risk of being compromised, new research claims.
A Netskope report based on anonymous usage data collected by its Netskope One platform found that over the year, for every 1,000 workers, there were 8.4 who clicked on a link in a phishing email.
This represents a three-fold increase from the previous year, when only 2.9 people did the same.
Microsoft a popular target
Netskope says the significant increase in successful phishing attempts was mainly due to two things: people suffering from cognitive fatigue (there are simply too many phishing attacks, and people eventually let their guard down) and threat actors being creative and adaptable, producing campaigns that are more difficult to detect.
Threat actors were most interested in access to cloud applications. These accounted for more than a quarter of all clicks, with Microsoft Live and 365 credentials being of particular interest.
Pages targeting Yahoo and AOL were also quite widespread, while those for Adobe and DocuSign were used as stepping stones to other credentials.
“Microsoft’s popularity as a phishing target is not surprising because Microsoft 365 is the most popular productivity suite by a wide margin,” the report states.
Netskope suggested that phishing awareness training will also need to be revamped this year, as it has focused too much on email and not enough on other channels.
Email was not the number one vector for distributing these phishing links. Netskope believes this is mainly because people have learned to pay attention to incoming emails, forcing threat actors to get creative. “They know that their victims may be wary of incoming emails (where they are repeatedly taught not to click on links), but will click on links much more freely in search engine results,” the report says.
So instead of arriving through emails, users were tricked on search engines (via SEO poisoning), as well as on shopping, technology, and entertainment sites, which referred them through comments, malicious ads, and infected sites.