Identity is now the new cybersecurity battlefield

Hackers in Asia Pacific are shifting towards URL-based threats as their go-to tactic.

By Jennifer Cheng on Dec 5, 2025 12:32PM

Identity is now a battleground where most cyberattacks in the Asia Pacific (APAC) are won or lost. A significant shift in the region shows hackers going beyond purely system-based exploits, increasing their efforts to compromise human identities.

Credential phishing and social engineering are more targeted, more convincing, and increasingly designed to compromise people, not systems. A key tactic that threat actors are pivoting towards is the URL-based threat, whether to steal credentials or to direct users to malware-laden websites.

Over a six-month period in 2024–2025, researchers observed URL threats four times more often than attachments. Once an attacker owns an identity, they can bypass traditional controls, move laterally, and monetise access quickly.

Human behaviour remains an evident risk, yet one that is difficult to navigate; people are the primary target and, when empowered, also the strongest defence.

Identity is escalating and is now in the crosshairs

Threat actors know that humans are easy targets, and attacks that blend psychological manipulation with technical agility start there. Business email compromise, "pig-butchering" investment scams, and supplier invoice fraud all exploit human trust at speed and scale. Attackers use urgency, authority, fear, or greed to trigger mistakes, then capitalise with tools that automate credential theft, session hijacking, and lateral movement.

The target set has expanded beyond usernames and passwords to include federated cloud logins, OAuth tokens, service accounts, API keys, certificates, and secrets embedded in code. Industry research from the Identity Defined Security Alliance found that nine out of 10 organisations suffered an identity-related incident in the past year, underscoring the centrality of identities in modern attacks.

Proofpoint’s State of the Phish 2025 report shows that credential phishing and business email compromise remain the dominant email-borne threats, with social engineering driving most initial compromises. On the endpoint, a small misstep can create outsized risks. The State of the Phish report also found that more than one in 10 endpoints has exposed privileged account passwords, making it one of the most common and dangerous identity risks.

The human factor is the primary attack vector

Defences are strongest at the perimeter and weakest in the inbox, chat window, or mobile device. Threat actors exploit emotion and context, such as an urgent HR request, a supplier payment change, or a too-good-to-miss investment, to harvest credentials or convince users to approve malicious actions. Even multi-factor authentication (MFA) can be manipulated through MFA fatigue prompts, real-time phishing proxies, SIM swaps, or social engineering. When identity becomes the perimeter, pure perimeter defences fall short.

As organisations adopt AI agents, these systems are inheriting many of the same weaknesses as humans. AI assistants can be prompt-engineered, fed manipulated data, or coerced into unsafe actions, mirroring the psychological tactics used against people. Attackers now craft prompts and inputs that trick AI agents into granting access, exposing data, or interacting with malicious content. And while a compromised human can make one mistake, a compromised AI agent can repeat it at machine speed. Identity security must now extend beyond people to the AI agents acting on their behalf.

People as a resilient control

The same human layer that attackers love to exploit can flip the script and become a frontline defence. “Human resilience” is about making safer choices under pressure, spotting and reporting anomalies quickly, and defaulting to verification over convenience. It can be as simple as using strong passphrases and password managers, enabling phishing-resistant MFA where possible, shredding sensitive documents, and monitoring credit and identity records. Resilient individuals treat suspicious messages as a prompt to report, not react.

Businesses should combine security awareness education with just-in-time coaching and easy reporting so that suspicious messages are escalated quickly. Using nudging and just-in-time coaching, including Email Warning Tags (EWT), can help steer decisions towards desired choices. Treat phishing simulations as rehearsals rather than tests: run adaptive, role‑specific scenarios that mirror current lures (BEC, QR codes, collaboration platforms), and measure report rate and time‑to‑report as core resilience metrics.

Paired with robust security awareness training, businesses can help their employees develop critical thinking skills so that they can better evaluate future threats. When employees recognise and report threats, they shrink attacker dwell time and blunt campaigns before they spread.

Why a multi-pronged approach is necessary

Identity threats don't respect silos. Attackers can target weak links across email, cloud, endpoints, web, etc.; a single gap can undo strong controls elsewhere.

- Jennifer Cheng, Proofpoint’s Director of Cybersecurity Strategy, Asia Pacific and Japan

A comprehensive, multi-layered strategy is essential because modern campaigns traverse multiple channels, including email, collaboration tools, SMS, and social platforms, and no single control covers them all. Sophisticated attack kits can relay MFA prompts and steal tokens, meaning that relying on a single layer invites bypass.

More importantly, faster detection and response to identity misuse directly reduces breach impact, limits downstream fraud such as supplier payment redirections, and curbs recovery costs and reputational damage.

In short, attackers use multiple steps and channels to reach a single goal: abuse trust. Defenders must layer preventive and detective controls across the same terrain, with people and identity at the centre.

To keep pace, organisations should combine identity controls, user readiness, and threat intelligence into an integrated, proactive defence. The first line of defence is a robust password security policy. All organisational devices, including computers, smartphones, and tablets, should be password-protected so that a lost device does not provide easy access to stored personal information or confidential business data. A comprehensive data privacy programme should ensure that all collected personally identifiable information remains confidential and secure at every level of the organisation, from collection through disposal.

Businesses must maintain the confidentiality of personally identifiable information (PII) both digitally and physically by encrypting digital files and properly storing physical documents in secure locations away from public areas or unsecured networks. Lastly, businesses should build human resilience, as well-informed employees are less likely to fall prey to phishing scams or other attempts to steal login credentials.

Identity does not need to be the weakest link

Identity is the new perimeter, but it doesn't have to be the weakest link. By aligning people, identity controls, and intelligence, and by acting before attackers do, APAC organisations can materially reduce the likelihood and impact of compromise.

Individuals themselves can become the strongest point of defence when they take proactive measures to protect their most valuable asset: their identity.

Proactive identity protection is now the foundation of security, compliance, and trust in a region where digital business moves fast, and attackers move faster.

Jennifer Cheng is Proofpoint’s Director of Cybersecurity Strategy for Asia Pacific and Japan
