Cybercriminals are increasingly trading malicious attachments for malicious URLs as an attack vector, according to Proofpoint’s Q1 2019 Threat Report, released Wednesday.

The Emotet botnet in particular is wreaking havoc this year, the report found: 61% of malicious payloads observed in Q1 were driven by the actor distributing Emotet, displacing credential stealers, standalone downloaders, and RATs in the overall threat landscape, the report noted.

SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic)

Emotet’s growing popularity is an indication of the shift in attack vectors, the report found: Malicious URLs in emails outnumbered malicious attachments by roughly five to one for Q1 2019—up 280% from Q1 2018. Much of this traffic was driven by the Emotet botnet, according to the report.

“The massive shift in Emotet’s prevalence and classification highlights just how quickly cybercriminals are adapting new tools and techniques across attack types in search for the largest payday,” Sherrod DeGrippo, senior director of Threat Research and Detection for Proofpoint, said in the release. “To best defend against a rapidly changing threat landscape, it is critical that organizations implement a people-centric security approach that defends and educates its most targeted users and provides protection against socially-engineered attacks across email, social media, and the web.”

Tips to keep your organization cybersecure

Here are four ways to keep your company cybersecure in the coming year, according to Proofpoint:

1. Assume users will click

Social engineering is one of the most popular ways for cybercriminals to launch email attacks, the report noted. Train employees and seek out solutions that can identify these types of threats, which seek to exploit the human factor.

2. Build a robust email fraud defense

Business email compromise (BEC) attacks are on the rise, and are often difficult to detect. Make sure any solutions you use have classification capabilities and blocking policies.

3. Protect your brand reputation and customers

Make sure you are fighting attacks over all mediums, including social media, email, and mobile—particularly those that attempt to harm your brand.

4. Train users to spot and report malicious email

Regular user training and simulated attacks can teach employees to identify attacks, and can help organizations identify who might be the most vulnerable, the report noted.

For more, check out How to create a transformational cybersecurity strategy: 3 paths on TechRepublic.