Despite increased employee awareness, phishing rates skyrocketed in 2024, according to a new annual cloud threat report by SaaS cybersecurity firm Netskope. Phishing rates are up by 190%, about triple the rate seen in 2023, giving MSPs plenty of work to do as they continue to provide critical cybersecurity protections for their customers.
The threat report, conducted by Netskope Research Labs, found that the growing phishing problems are complicated today by additional threats from generative AI adoption and attacks by cybercriminals who are covertly placing dangerous links in a wide range of web pages, ads and other innocuous places.
“Generally, this showcases that current employee training to assure security is ineffective, and that employees remain the weakest security link,” Rob Enderle, principal analyst with Enderle Research, told ChannelE2E. “Employee training on security has always been inadequate. You need regular Red Team testing where a friendly group of attackers tests security, and employees are ranked and rated on their security effectiveness.”
MSPs can help, said Enderle, by providing more security services and training that can get to the root of the deepest problems. “Pushing for regular employee security training, hard and enforced rules on application approval, and helping with Red Team tests are all things MSPs should advise and help accomplish,” he said.
Diving into the Details
The latest Netskope report found that 8.4 out of every 1,000 users click a phishing link per month, nearly triple the 2023 average. Making the threat even greater, users with Microsoft 365 credentials were the top targets in the attacks, according to the report.
In addition, personal app use “is rampant in the enterprise,” despite companies often banning the use of personal apps on employees' work devices, the report stated. “More than one out of every four users (26%) [is] uploading, posting, or otherwise sending data to personal apps every month, with personal use of cloud storage, webmail, and GenAI apps posing the most significant risks to organizations worldwide,” the report continued.
Other dangerous factors include generative AI risks. The number of GenAI users has nearly tripled since 2023, and 94% of business organizations are now using GenAI apps, which can increase data risk to organizations worldwide, according to the report. Adversarial risks from other nations also increased in 2024, as Russian groups TA577 and UAC-0050 and the Chinese group Salt Typhoon carried out active attacks around the world, the report concluded.
While external attackers are ultimately to blame, it's the human element that is so often at the center of attack techniques. Workplace culture and the complexity of modern systems don't help, either, the report found.
“Although the human element of cybersecurity risk is widely known, the complexities of the modern workplace make it increasingly challenging for individuals to make informed decisions about sensitive data, digital risks, and security protocols,” the Netskope report states.
The statistics in the report were collected from November 1, 2023, through November 30, 2024, and reflect attacker tactics, user behavior, and organization policy.
How MSPs Can Help Battle These Threats
Ray Canzanese, the director of Netskope Threat Labs, told ChannelE2E that MSPs can help by understanding these risks and working on improved protections.
“MSPs are well-positioned to understand which solutions and controls have been most effective in peer organizations,” he said. “They can use that knowledge to build and refine scalable solutions for their customers.”
The problems will worsen as social engineering risks grow, said Canzanese. “MSPs should look at the report and ask themselves where they have gaps in their existing offerings that need to be addressed, especially in the areas of social engineering, zero-trust, and cloud and AI risks,” he said.
Another IT analyst, Shelly Kramer, principal analyst with theCUBE Research, said the report provides more evidence that threat actors can reliably count on business employees having a fairly widespread state of ignorance about cybersecurity risks through emails and links.
“Even more concerning these days is that beyond phishing, vishing, and smishing (email, voice, SMS) campaigns these days hackers are also turning to inserting malware links inside apps, showing up in search results, ads, shopping sites, and the like,” said Kramer. “Phishing used to be linked primarily to email, and that is now no longer the case. Hackers are relentless, and with good reason. The more success they have with infected links and grabbing user credentials, the greater opportunities exist for them to do what they really want: Get deeper access to networks, data, and do dirty deeds.”
Ultimately, these are not new problems, said Kramer, but they are problems that are growing even more quickly due to GenAI, which can be used by cyberattackers “to create campaigns that look and sound more sophisticated than ever before. So yes, a 3x increase in phishing attacks makes perfect sense to me — and that number will likely continue to increase.”
MSPs can help even more in this battle, said Kramer, “by putting the right security protections in place while also embracing and executing on a mindset for and with their clients that perpetuates the need for continuous training.”
In the end, “employees are not going to quit using apps they are not supposed to use,” said Kramer. “They are not going to quit using AI at work, even if it is precluded. So acknowledging that and working with them, embracing the realities here is the path forward. And MSPs can play an outsized role for their clients on this front.”