Email security – Osterman Research
https://ostermanresearch.com
Insightful research that impacts organizations

The State of Email Security in 2025 (Annual Report) – commissioned by TitanHQ
https://ostermanresearch.com/portfolio/titanhq-email-security-2025/
Sun, 30 Mar 2025 23:00:00 +0000

Commissioned by TitanHQ

Published March 2025

Executive summary

Organizations across the world face relentless growth in cyberthreats, as criminal groups leverage new technologies for malicious ends. The application of AI for offensive cyberthreats has threat actors rubbing their hands in glee, and organizations are racing to fight emerging offensive AI with defensive AI. In most years, we see continued evolution in the design of new types of attacks and threats – with recent explorations by threat actors focusing on MFA bypass in phishing attacks, new types of BEC attacks, QR code phishing, and early forays into deepfakes. Incidents and data breaches usually follow.

This research study investigates the on-the-ground cyberthreat realities for firms with up to 1,000 employees. We surveyed 252 organizations in the United States, Canada, United Kingdom, and the European Union.

Discover the latest email security attack trends, new and emerging tactics, and real-world experiences from IT professionals.

Key findings include:

  • Half of organizations experienced between two and four types of incidents during the previous 12 months.
  • 64.3% expect the threat level of phishing attacks against their organization to rise this year.
  • One in five organizations lost money through a business email compromise attack over the previous 12 months.
  • 56.3% of respondents anticipate that the threat level of BEC attacks against their organization will increase in 2025.
  • Offensive AI used by threat actors enables cyberattacks to become more sophisticated, voluminous, unique, and evasive.
  • AI is the emerging innovation that respondents say offers the greatest potential boost to email security at their organization over the next 12 months.
  • With continued degradation in the threat landscape anticipated over the next 12 months, organizations that don’t improve their readiness and defenses will be in a progressively worse position over time.

Email Security Threats Against Critical Infrastructure Organizations – commissioned by OPSWAT
https://ostermanresearch.com/portfolio/opswat-email-security/
Thu, 19 Sep 2024 00:00:00 +0000

Commissioned by OPSWAT

Released September 2024

Executive summary

Organizations in critical infrastructure sectors operate under heightened warnings of cyberattack due to their control of physical infrastructure that wreaks havoc on economic, financial, and health systems when compromised. While warning levels are increasingly high, efficacy at protecting the most common attack vector (email) is low. Most organizations have been breached in the past 12 months (multiple times), half lack confidence in their current protections, and most know their approach is not best in class. With the level of threat posed by email attacks expected to increase over the next 12 months, critical infrastructure organizations intent on strengthening their email security posture must take a dramatic approach that emphasizes prevention and preclusion of email-borne threats. The data in this survey is drawn from a global audience of organizations in critical infrastructure sectors.

Fortifying the Organization Against Image-Based and QR Code Phishing Attacks – commissioned by IRONSCALES
https://ostermanresearch.com/portfolio/ironscales-image-based-phishing/
Wed, 06 Mar 2024 23:00:00 +0000

Commissioned by IRONSCALES

Published March 2024

Executive summary

A striking paradox lies at the heart of modern email security. Despite high levels of confidence among organizations in their defensive capabilities and in their employees’ and executives’ ability to spot phishing emails, image-based and QR code phishing attacks continue to breach their defenses with unsettling frequency. This discrepancy between the perceived effectiveness of security protocols and the reality of ongoing infiltrations underscores a concerning gap in current cybersecurity strategies. As these emerging attacks grow increasingly complex, the need for a comprehensive reassessment of email security approaches becomes more urgent, challenging organizations to bridge the confidence-security paradox with immediate technical and training improvements.

Key insight: while over 70% of organizations feel their current stack is effective against image-based and QR code phishing attacks, nearly 76% were still compromised within the past 12 months.

The Role of AI in Email Security – multi-client white paper
https://ostermanresearch.com/portfolio/orwp_0358-ai-email-security/
Mon, 21 Aug 2023 00:00:00 +0000

Sponsored by Abnormal Security, IRONSCALES, KnowBe4, Mimecast, Perception Point, SlashNext, and SonicWall

Published August 2023

Executive Summary

Email is one of the most common ingress points into organizations for threat actors. As organizations have implemented email security solutions and trained employees to recognize email attacks, threat actors have pivoted to more advanced methods that bypass protections. They have also embraced artificial intelligence (AI) to make attacks more scalable and personalized while also less detectable. 

Email security vendors are using AI in their defensive tools to stop attacks that leverage new and emerging attack methods in email. Many organizations have gained AI-enabled protections by virtue of their incumbent email security vendors adding AI capabilities to strengthen defensive posture. In addition, most have gone shopping for new solutions offering AI to bolster the baseline protections offered by cloud email providers. 

When purchasing AI-enabled solutions to strengthen email security, organizations want the ability to protect more than just email, automated mitigation and remediation of identified threats, and next-generation capabilities to safeguard employees, the organization, and its customers, suppliers, and business partners.

Defending the Enterprise: The Latest Trends and Tactics in BEC Attacks – commissioned by IRONSCALES
https://ostermanresearch.com/portfolio/ironscales-bec-attacks/
Wed, 15 Mar 2023 23:00:00 +0000

Commissioned by IRONSCALES

Published March 2023

Executive summary

In our research last year on the business cost of phishing, commissioned by IRONSCALES, we found that IT and security teams spent an average of 27.5 minutes dealing with a single phishing email. In this research, also commissioned by IRONSCALES, we dug deeper into business email compromise (BEC), an extremely costly type of phishing attack. We found that organizations see BEC as twice the problem of phishing in general, and among large organizations, concern with BEC attacks will increase by 43.3% over the next 12 months. Many organizations are over-reliant on technologies with questionable efficacy at addressing the threat of BEC attacks. Confidence in the ability of executives and employees to detect BEC attacks remains low, and new channels are being used as precursors to BEC attacks—increasing the risk footprint.

Organizations must re-examine their anti-BEC approach, re-balance their technology strategy, and leverage better signals on BEC threats to target training at the most frequently attacked people and groups.

CISO and CIO Investment Priorities for Cybersecurity in 2023 – multi-client white paper
https://ostermanresearch.com/portfolio/orwp_0356-investment-priorities-2023/
Tue, 14 Feb 2023 23:00:00 +0000

Published February 2023

Sponsored by BlackFog, Cerby, OpenText Cybersecurity, Quest, and SonicWall

Executive summary

CISOs and CIOs view cybersecurity as a significantly higher priority than two years ago and are investing in multiple areas to meet escalating regulatory demands, protect new digital channels, and counteract ongoing cyber incidents. Improving protections for cloud services and platforms is the top-rated priority (attacks against cloud services were the most-seen incident type during the past year), followed by protections against ransomware attacks. CISOs and CIOs see a range of issues within apps, cloud platforms, data, and on-premises infrastructure requiring ongoing and higher investment in 2023. They are budgeting accordingly.

The data presented in this white paper is from a survey of CISO and CIO respondents at 284 organizations in the United States with more than 1,000 employees. 

The Rise of Cyber Threats Against Email, Browsers and Emerging Cloud-based Channels – commissioned by Perception Point
https://ostermanresearch.com/portfolio/perceptionpoint-rise-cyberthreats/
Thu, 24 Nov 2022 23:00:00 +0000

Commissioned by Perception Point

Published November 2022

Executive summary

The past few years have necessitated the rapid adoption of new workplace technologies, like cloud collaboration apps and services alongside email. 

This shift has benefited employee productivity and external collaboration as organizations across the world embrace new work patterns. 

However, threat actors have also caught on to this growing trend, extending their attack techniques to these new apps and services, and consequently continuing to threaten employees accessing web-based applications and email.

In this report, we present new findings that explore the changing threat landscape for email, web, and cloud apps, and what organizations must do to bolster security protections for these channels. 

Read this report to learn more about:

  • Organizations adopting new channels alongside email
  • Threat actors have been quick to attack these new channels
  • Security incidents lead to costly and time-consuming incident response
  • Threats are expected to increase in frequency and sophistication
  • All organizations are deploying new solutions to mitigate changing threats

The Business Cost of Phishing – commissioned by IRONSCALES
https://ostermanresearch.com/portfolio/ironscales-bcop/
Thu, 20 Oct 2022 23:00:00 +0000

Commissioned by IRONSCALES

Published October 2022

Executive summary

Phishing is a type of cybersecurity attack experienced by all organizations. Successful attacks result in lost account credentials, fraud, and data theft. Preventing successful attacks is proving costly for organizations, with phishing-related activities consuming one third of the total time available to IT and security teams. On average, organizations spend almost 30 minutes dealing with each phishing email identified in their email infrastructure.

The purpose of this research was to quantify the direct costs borne by organizations in mitigating the phishing threat, and to explore expectations about how phishing will change over the next 12 months.

Email Security Solutions to Reduce Human Activated Risk – commissioned by Egress
https://ostermanresearch.com/portfolio/egress-human-activated-risk/
Wed, 13 Jul 2022 00:00:00 +0000

Published July 2022

Commissioned by Egress

Executive summary

This buyer’s guide will help IT and security professionals research, evaluate, and choose an email security solution that can augment and fill the gaps left by secure email gateways and the native security provided by cloud email platforms.

The guide’s five sections explore the concept of human activated risk and how new email security solutions in the market can mitigate both inbound and outbound threats that evade existing controls such as Microsoft 365 and SEGs.

What you’ll learn:

  • The three types of human activated risk and their outcomes
  • Why existing controls are ineffective at reducing human activated risk
  • The characteristics of technology needed to offer inbound and outbound protection
  • Deployment options for organizations with Microsoft 365, a SEG, or both
  • Key questions to ask vendors when evaluating email security solutions

Phishing, BEC, and Ransomware Threats for Microsoft 365 Users – commissioned by Cyren
https://ostermanresearch.com/portfolio/cyren2022/
Thu, 21 Apr 2022 00:00:00 +0000

Commissioned by Cyren

Published April 2022

Executive summary

The number one concern for security managers in 2022 is the amount of time their analysts will spend investigating suspicious messages and remediating confirmed threats. For this report, we surveyed security managers from organizations using Microsoft Office 365 about phishing, business email compromise (BEC), and ransomware attacks to report how email-borne security threats are impacting businesses.
