State of the Phish 2023

Every year, threat actors look for new ways to outwit victims and bypass defenses. And 2022 was no different. As businesses rolled out new security controls, cyber criminals responded.

They added complex techniques like telephone-oriented attack delivery and multi-factor authentication (MFA) bypass. Unknown to most users, these techniques gave cyber attackers a new advantage. And with threat actors constantly upping their game, CISOs and infosec teams had their work cut out.

Now in its ninth year, our annual State of the Phish report explores end-user security awareness, resilience and risk using survey data from 15 countries, along with data sourced from our products and threat research team. The report benchmarks understanding of common cyber attacks and defensive tactics, before looking at how potential gaps in knowledge and cyber hygiene enable the real-world attack landscape. Most attacks target people before they target systems. That’s why helping users build good security habits is crucial. So, the final section of the report examines security awareness practices and outlines opportunities to build and sustain a security-aware culture at every level of an organisation.

Alongside this year’s main report, we’re also giving regional summaries to help organisations understand how local nuances affect gaps in awareness. This regional summary includes data from Australia, Japan, Singapore and South Korea. Data has been drawn from surveys of 2,000 working adults and 200 security.