Introduction
In 2024 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], enterprises faced a significant increase in phishing success rates [1] [2] [6], driven by cognitive fatigue and sophisticated attacker tactics. This trend highlights the vulnerabilities in current security measures and the evolving nature of phishing attacks, particularly targeting cloud applications and leveraging generative AI.
Description
In 2024 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], enterprise employees experienced a significant surge in phishing success rates [1] [2] [5] [6], with the number of users clicking on phishing links rising to 8.4 per 1,000 workers, nearly tripling compared to the previous year. This alarming trend reflects a staggering 190% increase from 2023, when fewer than three per thousand users were affected [2] [6] [9]. The rise in successful phishing attempts is attributed to cognitive fatigue among users and the increasing sophistication of tactics employed by attackers, who are now more adept at targeting cloud applications. Over a quarter of phishing clicks were directed at accessing cloud services [3], particularly Microsoft Live and Microsoft 365 credentials [2] [3] [4] [5] [6] [9], underscoring the latter's status as the leading productivity suite.
Notably, 94% of organizations adopted generative AI in 2024, up from 81% in 2023 [1], with ChatGPT emerging as the most popular tool among enterprises [1]. This rapid adoption has contributed to the evolving landscape of phishing tactics, as attackers leverage generative AI to craft more convincing phishing lures. Despite the prevalence of phishing awareness training, many organizations find it inadequate, as it primarily focuses on email [3], which is no longer the main attack vector [3]. Users are increasingly susceptible to phishing attempts through search engine results [3], SEO poisoning [3], and malicious ads on various websites [3], indicating a shift in how these attacks are executed.
Cloud applications emerged as the primary target for phishing campaigns [2] [4] [6] [7], accounting for 27% of all user clicks [2] [4] [6] [7] [8] [9]. Microsoft services [1] [10], particularly Microsoft Live and Microsoft 365 [2] [4] [5] [6] [9] [10], were the most targeted [2] [4] [6] [7] [8] [9] [10], representing 42% of phishing attempts during this period [5]. Additionally, 88% of organizations reported experiencing downloads of malicious content from personal cloud platforms like GitHub, Microsoft OneDrive [1] [2] [3] [4] [5] [6] [9] [10], and Google Drive at least once per month, highlighting the risks associated with the widespread use of these applications. A significant portion of employees, 88%, engaged with personal cloud apps monthly, with 26% uploading or sharing sensitive data [4], raising concerns about potential data breaches. Regulated data [1] [8], including personal [1] [2] [6] [8], financial [1] [8], and healthcare information [1] [8], was involved in 60% of policy violations [1].
Other notable targets included banking providers at 17% and telecommunications companies at 13%. Phishing links were most frequently encountered through search engines (19%) [8], followed by shopping (10%) [8], technology (8.8%) [8], business (7.4%) [8], and entertainment (5.7%) websites [8]. This shift away from email as the primary vector for phishing attacks emphasizes the urgent need for enhanced security measures.
Despite the rapid adoption of generative AI [1], many organizations remain in the early stages of implementing data protection measures [1], with only 45% having deployed data loss prevention (DLP) controls [1]. While 73% block at least one generative AI app [1], comprehensive policies to manage associated risks are still lacking [1]. To address these challenges [1], organizations are advised to invest in advanced data protection measures [1], limit access to non-essential applications [1], and continuously monitor app usage for signs of misuse [1]. Strict controls should be enforced for generative AI tools [1], ensuring only approved applications are used for legitimate purposes [1], alongside real-time coaching for employees to make informed decisions [1].
Conclusion
The surge in phishing success rates in 2024 underscores the need for organizations to enhance their security measures and adapt to the evolving threat landscape. As attackers become more sophisticated, leveraging generative AI and targeting cloud applications, enterprises must prioritize advanced data protection strategies and comprehensive policies. By investing in robust security frameworks and real-time employee training, organizations can mitigate risks and safeguard sensitive information against future phishing threats.
References
[1] https://observenow.com/2025/01/phishing-attacks-surge-in-2024-netskope-research-highlights-growing-security-challenges/
[2] https://aicompetence.org/netskope-threat-labs-phishing-clicks-nearly-tripled-in-2024-ubiquitous-use-of-personal-cloud-apps-and-genai-tools-require-modern-workplace-security-to-mitigate-risk-2/
[3] https://www.techradar.com/pro/security/phishing-clicks-nearly-tripled-in-2024-as-criminals-aim-for-smarter-attacks
[4] https://siliconangle.com/2025/01/07/netskope-finds-enterprise-phishing-clicks-nearly-tripled-past-year/
[5] https://www.techedgeai.com/netskope-research-reveals-soaring-phishing-success-rates-and-growing-genai-risks-in-2024/
[6] https://finance.yahoo.com/news/netskope-threat-labs-phishing-clicks-050100487.html
[7] https://www.infosecurity-magazine.com/news/phishing-click-rates-triple/
[8] https://www.digit.fyi/report-phishing-clicks-surged-190-in-2024/
[9] https://electronicsera.in/netskope-threat-labs-phishing-clicks-nearly-tripled-in-2024/
[10] https://cybermagazine.com/articles/netskope-data-shows-phishing-success-rate-tripled-in-2024