Most companies in four countries in Asia Pacific have had to fend off phishing and ransomware attacks, with those infected in Australia being the most willing to give in to ransom demands.
Australian respondents were also the most likely to encounter such attacks, with 92% experiencing phishing incidents and 90% reporting business email compromise (BEC) attacks. Another 86% and 80% had to deal with ransomware and supply chain attacks, respectively, according to Proofpoint’s State of the Phish report. The study surveyed 2,000 employees and 200 security professionals in Singapore, South Korea, Japan and Australia.
Respondents in Singapore experienced the second highest number of attacks, with 85% having to deal with phishing incidents and 78% reporting ransomware attacks. Another 72% suffered a business email compromise, with 46% incurring direct financial losses. Another 68% reported supply chain attacks.
But while Singapore, at 68%, reported the highest number of ransomware infections, its peers in Australia – 58% of whom were infected – were more likely to succumb to ransom demands once breached. About 90% of those Down Under admitted to paying at least once, compared to 71% in Singapore and 63% in South Korea. Only 18% of businesses in Japan have paid at least one ransom – the lowest across the board, with the global average being 64%.
According to the report, Japanese laws prohibit domestic companies from handing over funds to organized crime, which can be considered to include cybercrime. Proofpoint added that Japanese participants were less likely to report a successful phishing attack, at 64%, compared to the global average of 84%. The security vendor theorized that this could be due to the cybercriminals’ lack of fluency in the local language, making it easier for Japanese employees to identify poorly worded phishing lures.
“English is the language most commonly used worldwide in phishing attacks, so companies that do not conduct activities in English may receive some protection,” the report noted. However, it also noted that it may be culturally unacceptable in some countries to admit to having experienced a security breach, leading to underreporting.
In South Korea, of the 72% exposed to ransomware attacks, 48% were eventually infected.
Of the 96% in Australia with cyber insurance, 83% said their insurance company paid the ransom either in whole or in part. About 90% in Singapore reported having cyber insurance, 95% of whom had insurance companies that paid the ransom either in whole or in part.
About 82% in South Korea and 78% in Japan also have cyber insurance, with 74% and 72% respectively saying their insurance companies covered the ransom payment either in whole or in part.
Globally, 76% of organizations have experienced ransomware attempts, with 64% eventually infected. Among those who had a cyber insurance policy for ransomware attacks, 82% of insurance companies offered to pay the ransom either in full or in part.
said Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy. “These methods have been used in targeted attacks for years, but 2022 has seen them become widely deployed. We’ve also seen a significant increase in complex, multi-touch phishing campaigns, engaging in longer conversations across multiple people. Whether it’s a nation-state-compatible group or settlement actor As the business goes, there are plenty of adversaries ready to play the long game.”
The security vendor stressed the importance of training employees and building security awareness, especially as phishing attempts become more sophisticated.
“Gaps of awareness and lax security behaviors demonstrated by employees create significant risks for organizations and their data,” said Jennifer Cheng, Director of Cybersecurity Strategy for Asia Pacific and Japan at Proofpoint. “While email remains the preferred method of attack for cybercriminals, we have also seen them become more creative – using less common techniques such as phishing and spear-phishing. As the human element continues to play a critical role in protecting businesses, there is clear value in building a culture of security that covers the entire organization.”