Proofpoint Exec: ‘Phishing is the Leading Cause of Breaches Globally’

This article was originally published on TechRepublic.

Security professionals gathered this week for the Proofpoint Protect 2025 conference in Nashville, Tennessee to discuss the latest cyberthreats and the growing influence of AI on cybersecurity. Email-based phishing remains the top concern, according to Proofpoint researchers.

Davide Canali, director of threat research at Proofpoint, noted the company scans 3.5 billion emails each day, which is one-third of the global total. Proofpoint also scans 49 billion URLs and 3 billion attachments daily as it searches for malicious code, credential theft, and fraud.

“Of the $50 billion in reported losses over the past years due to cybercrime, fraud accounts for 85%,” said Canali at the event. “Phishing is the leading cause of breaches globally.”

Proofpoint’s Phishing and URL-based Threat research found that 71% of users admitted to taking risky actions, nearly all knew they were doing something risky, and 58% engaged in behavior that would have made them vulnerable to common social engineering tactics. Even users with multifactor authentication (MFA) remain vulnerable. Over a million attacks are launched every month to bypass MFA, yet 89% of security professionals believe MFA provides complete protection against account takeover.

AI-enhanced phishing trends

Less work for hackers with high likelihood of rewards

AI is receiving heavy investment from technology titans as they race for market dominance. The cybercriminals have also seized on AI’s potential to turbocharge their attacks, using it to automate and amplify techniques. Canali expressed serious concerns about the impact AI is exerting over phishing.

“AI has provided cybercriminals with a 95% reduction in the effort needed to launch attacks,” he said. “Forty-six percent of users are more likely to click on phishing links generated by large language models (LLMs).”

Increases in remote access attacks, QR code threats, automated campaigns

A new breed of hackers no longer needs coding expertise to carry out attacks; Proofpoint surveys of CISOs indicate that 54% view generative AI as a potent security risk to their organizations.

For example, phishing is being paired with remote access controls. Criminals impersonate Help Desk and request remote access to an employee’s device. Once inside, they quickly deploy malware; this tactic is not new, but AI is scaling it at unprecedented speed. Proofpoint research revealed that 34% of URL-based malware campaigns now deliver remote access software.  

AI is also being used to boost the quantity of QR code threats — 4.2 million in the first half of 2025 — and fuel automated phishing campaigns. Instead of one human devising a phishing campaign, watching results, and adjusting it gradually to improve effectiveness, AI agents are trained to devise their own campaigns, adjust them in near real time, and rapidly scale the most effective phishing emails across vast swaths of users or precisely target them to certain user types as in spear-phishing attacks. 

AI-enhanced cyber-defenses

Fortunately, AI is also being deployed to strengthen security. Cybersecurity vendors are harnessing AI to harden defenses, detect malware and intrusion attempts faster, and block phishing traffic.

“AI enables us to understand more within emails and be more effective at detecting and preventing threats,” said Dan Rapp, chief AI & data officer, Proofpoint. “AI means we need to continuously train our tools to provide the most relevant data set,” he added.

Rapp noted that LLMs can be cost-prohibitive in cyber-defense and slow to train. Accordingly, Proofpoint has created smaller, specialized AI models that are much faster to deploy; these models are updated 2.5 times per week.

“A defense-in-depth strategy is best for email security,” said Rapp. “If you look at the email before it hits a mailbox, you can do a lot more such as put warning tags on suspicious content or screen them out entirely.”  

‘AI agents are profoundly worse’ at resisting social engineering

With any new technology, you must be cognizant of the fact that you may be introducing a fox into the henhouse, added Rapp.

“AI is not secure regardless of what providers tell you, but it will become more secure over time,” he said. “We put strong guardrails on our AI tools such as audit features, rollback, and kill switches.”  

Despite these safeguards, he conceded that it is an ongoing battle. Threat actors consistently find many more ways to take advantage of AI, and they are aided by the literal nature of AI. By enhancing cybersecurity with many AI agents, developers will inadvertently present hackers with new pathways into the enterprise. Why? It turns out those super-intelligent AI agents are also pretty dumb when it comes to social engineering.

“If we thought humans were bad at resisting social engineering, AI agents are profoundly worse,” said Ryan Kalember, chief strategy officer, Proofpoint. 

Earlier this week at the Proofpoint Protect 2025 conference, the cybersecurity and compliance company announced new agentic AI security solutions.