2024 State of the Phish

February 28, 2024

Imagine a successful cyberattack against your organization. What does it look like? Maybe it involves a fiendishly clever piece of social engineering—a convincing lure that catches the recipient off guard. Or maybe it would take a smart technical exploit to get past your defenses. But in reality, threat actors don’t always have to try that hard.

Often, the easiest way to breach security is to exploit the human factor. People are a key part of any good defense, but they can also be the most vulnerable. They may make mistakes, fall for scams or simply ignore security best practices. According to this year’s State of the Phish survey, 71% of working adults admitted to taking a risky action, such as reusing or sharing a password, clicking on links from unknown senders, or giving credentials to an untrustworthy source. And 96% of them did so knowing that they were taking a risk.

When obliged to choose between convenience and security, users pick the former almost every time. So, what can organizations do to change this? In this report we’ll take a closer look at how attitudes towards security manifest in real-world behavior, and how threat actors are finding new ways to take advantage of our preference for speed and expedience. We’ll also examine the current state of security awareness initiatives and benchmark the resilience of people and organizations against attack.

The foundation of this report is a survey of 7,500 end users and 1,050 security professionals, conducted across 15 countries. It also includes Proofpoint data derived from our products and threat research, as well as findings from 183 million simulated phishing messages sent by our customers over a 12-month period and more than 24 million emails reported by our customers’ end users over the same period.

Price: FREE

About the Provider

Proofpoint
Proofpoint is an enterprise security company based in Sunnyvale, California that provides software as a service and products for inbound email security, outbound data loss prevention, social media, mobile devices, digital risk, email encryption, electronic discovery, and email archiving.

TOPICS

Cybersecurity, Organisational Security