SMS phishing (smishing) attacks more than doubled year-on-year in 2021

In The Human Factor Report 2022, security vendor Proofpoint found that SMS phishing () attacks more than doubled year-on-year in 2021. The report is based on their analysis of over 2.6 billion email messages, 49 billion URLs, 1.9 billion attachments, 28 million cloud accounts and 1.7 billion mobile messages.


The study details most common attack surfaces and methods including categories of risk, vulnerabilities, attacks, Russian Aligned APT’s, and Privilege as a vector.


Key Findings:


  • 50% – Managers and executives make up only 10% of users, but almost 50% of the most severe attack risk
  • 100k – Attackers attempt to initiate more than 100,000 telephone-oriented attacks every day.
  • Malicious URLS are 3-4x more common than malicious attachments.
  • Smishing attempts more than doubled in the U.S. over the year, while in the U.K. over 50% of lures are themed around delivery notification.
  • More than 20 million messages attempted to deliver malware linked to eventual ransomware attack
  • Data loss prevention alerts have stabilized as businesses adopt permanent hybrid work models.
  • 80% of businesses are attacked by a compromised supplier account in any given month.
  • 35% of cloud tenants that received a suspicious login also saw suspicious post-access activity.


Experts with Dispersive Holdings and Veridium offer perspective:


Rajiv Pimplaskar, CEO, Dispersive Holdings, Inc.:


Human factor:


  •    “Supply chain attacks via software or hardware vendors as well as 3rd party vendors are a skyrocketing risk during 2022 and beyond. Therefore, it’s no surprise that 80% of businesses are attacked by a compromised supplier account on a monthly basis. Businesses should urgently look to bolster 3rd or nth party connections as well as remote access with strong identity verification to mitigate this threat.”

Nation State:


  •    “2022 year to date has been underscored by increased nation state involvement and the cyber cold war intensifying. The nation state involvement within these proxy conflicts as a means of destabilizing global and particularly western activities is a serious threat as such threat actors are highly motivated and sophisticated and are able to breach most conventional cyber defenses with relative ease. Businesses particularly within the critical infrastructure sectors should consider bolstering their cyber capabilities with more advanced military grade solutions such as a next gen VPN that offers heightened protection.”

Damon Ebanks, VP Marketing, Veridium:


“Cybercriminals continue to rely on human interaction to click malicious links, download dangerous files, inadvertently install malware, transfer funds, and disclose sensitive information. The security of an organization can be addressed by tackling the password issue head-on by completely removing passwords from the equation.


“By eliminating the use of knowledge-based authentication users cannot share credentials and phishing attacks cannot capture passwords (since there are none to expose). Brute force attacks are ruled out because bad actors can’t guess a password that doesn’t exist, and keyboard recorders can’t capture password information. Password-less authentication is of interest to all types of organizations, public and private, regardless of where they are on their digital transformation journey.


“The global pandemic has amplified the need for simple and secure access for employees, customers, and partners because these groups now work or operate from any location that can’t be secured by IT security. With the surge in gas prices remote work will remain the norm and a world where zero trust is the only solution will remain. We are living in a world where Passwordless authentication should be the norm.”