Exploiting technical vulnerabilities is only part of the threat-scape – typically accomplished by the more sophisticated (or well-resourced) actors or groups. However, by volume, threat actors spend much more time and effort hitting us in our inboxes, via infected websites, and exploiting other human vectors, such as phones and MFA. Proofpoint’s 2023 Human Factor Report corroborates the countless incidents we see every day, that social engineering remains the most common technique with the vast majority using some element of psychological manipulation. According to Proofpoint, while highly complex techniques became commoditized, some of the biggest individual losses arose from nothing more than a friendly, persuasive conversation.

Here are a few key themes from this year’s report:

• Novel distribution pushed SocGholish into the top-five malware by message volume.
• At peak, MFA-bypass accounted for more than a million messages per month.
• Telephone-oriented attack delivery (TOAD) messages peaked at more than 13 million per month.
• Conversational attacks via mobile devices grew twelvefold.

Let us refrain from calling end-users our “weakest link.” Instead, let’s make them the best line of defense by reviewing the findings from this year’s Human Factor Report for a refresher on the successful social engineering techniques and then customizing security awareness curriculum accordingly to harden the human operating system. Access the report at Proofpoint.