We’ve cast our net for the latest phishing statistics to help you keep up to date on one of the largest threats your organization is facing.
By Caitlin JonesUpdated April 21st, 2022
Social engineering attacks are one of the most prevalent, and dangerous, types of cybercrime that organizations around the world are currently facing – but don’t take our word for it.
We’ve pulled together the most recent phishing statistics from around the world to help illustrate the breadth and severity of this threat. These stats come from third-party surveys and reports, and we’ll be updating them as new research emerges to help you stay on top of the latest figures.
The Frequency Of Phishing Attacks
According to recent research from IRONSCALES, 81% of organizations around the world have experienced an increase in email phishing attacks since March 2020. Despite the very real threat that phishing poses to businesses today, almost 1 in 5 organizations only deliver phishing awareness training to their employees once per year. This lack of awareness is a large contributing factor to the fact that phishing remains the threat type most likely to cause a data breach. In fact, according to Verizon’s 2021 DBIR, around 25% of all data breaches involve phishing and 85% of data breaches involve a human element.
This figure is supported by further research conducted by the FBI’s Internet Crime Complaint Center (IC3), who received a record number of complaints from American citizens in 2020. IC3’s report found that phishing, including vishing, SMiShing and pharming, was the most prevalent threat in the US in 2020, with 241,342 victims. This was followed by non-payment/non-delivery (108,869 victims), extortion (76,741 victims), personal data breach (45,330 victims) and identity theft (43,330 victims).
The average number of business email compromise (BEC) attempts received in the last year saw a dramatic 15% increase between Q2 and Q3, and we’re increasingly seeing malicious data breaches being caused by stolen credentials, rather than the installation of malware. According to IBM, one in five companies that suffered a malicious data breach in 2021 was infiltrated due to lost or stolen credentials, while 17% were breached via a direct phishing attack. Additionally, data from Google Safe Browsing shows that there are now nearly 75 times as many phishing sites as there are malware sites on the internet.
Phishing Delivery Methods
While the majority of social engineering attacks are delivered by email, one-third of IT professionals have experienced an increase in social engineering delivered via other communication platforms in the last year. These include video conferencing platforms (44%), workforce messaging platforms (40%), cloud-based file-sharing platforms (40%) and SMS (36%).
The biggest category of phishing, according to a study by APWG, is targeted towards webmail and Software-as-a-Service (SaaS) users; these types of attack are responsible for 34.7% of phishing attempts. The same study reported an increase in the number of BEC attacks sent from free webmail providers, from 61% to a staggering 72%, and found that over half of these attacks used Gmail as their delivery method.
How People Are Getting Hooked
According to the results of Terranova Security’s 2020 Gone Phishing Tournament, almost 20% of all employees are likely to click on phishing email links and, of those, a staggering 67.5% go on to enter their credentials on a phishing website. That means that 13.4% of employees are likely to submit their password on a fraudulent phishing page. But what’s persuading so many users to click on malicious links?
According to research from KnowBe4, the most common subject lines to real-life phishing emails in Q3 of 2021 were as follows:
IT: Odd emails from your account
IT: Upcoming Changes
HR: Remote Working Satisfaction Survey
Facebook: Your Facebook access has been temporarily disabled for identity check
Twitter: Potential Twitter Account Compromise
From these subject lines, we can clearly see that bad actors have been capitalizing on two main areas:
The fact that most organizations around the world have continued to embrace a remote or hybrid way of working, rolling our new, unfamiliar cloud technologies across their workforces.
The fact that many people have increasingly turning to digital entertainment and virtual communication platforms to stay in touch with both colleagues and loved ones since the beginning of the COVID-19 pandemic.
Speaking of staying in touch, LinkedIn phishing messages make up 47% of social media phishing attempts, making faux LinkedIn messages by far the most common social media phishing subject. These emails commonly contain account reset requests, or “information” about potential new connection opportunities (“You appeared in new searches this week!” “People are looking at your LinkedIn profile!”), which could reel in those who lost their jobs due to the pandemic.
A recent Threat Report from ESET found that, in Q3 of 2020, the most common types of malicious files attached to phishing emails were as follows:
Windows executables (74%).
Script files (11%).
Office documents (5%).
Compressed archives (4%).
PDF documents (2%).
Java files (2%).
Batch files (2%).
Android executables (>1%).
According to Check Point, Microsoft is the most impersonated brand globally when it comes to brand phishing attempts, holding the majority with 43. With the increase in organizations relying on Microsoft’s suite of cloud applications since the start of the pandemic, it’s easy to see why attackers are exploiting their name. Microsoft is followed by DHL (18%), LinkedIn (6%) and Amazon (5%).
A recent study by INKY also found Microsoft to be the most impersonated brand, with Microsoft-related phishing emails accounting for almost 70% of brand impersonation phishing attempts in 2020, followed by Zoom, Amazon, Chase Bank and RingCentral.
The same report indicates that brand impersonation incidents are largely associated with brands in the technology sector (71.8%), followed by telecommunications, retail, finance and logistics.
We often imagine the bad actor to be a hoody-wearing figure, cloaked in shadows, perhaps sporting a Guy Fawkes (or V for Vendetta) mask for added suspicion. However, this often isn’t the case at all.
According to research from accountancy firm BDO, around half of the frauds reported by respondents came from external parties, but an alarming 34% of business owners said that the fraudulent activities had “involved collusion” between their employees and bad actors. Even more shockingly, 21% said that their own employees had been behind the fraud.
Who The Victims Are
We’re all familiar with the fear-inducing headlines that scream news of nation-state sponsored attacks against high-profile businesses, who lose millions or even billions of dollars to cybercriminals. However, small and mid-sized businesses are just as at risk of a cyberattack as large enterprises are, and they often don’t have the infrastructure or resources to defend themselves properly against attacks. Consider them “low-hanging fruit” for attackers.
BDO’s research found that six out of ten mid-sized business in the UK were hit by fraud in 2020, suffering average losses of 245,000 pounds, and nearly 40% of all companies surveyed said they’d experienced increased fraud attempts compared to the previous year.
So we know that organization’s of all sizes are under threat of falling victim to social engineering, but are any particular industries more at risk? Well, research from Verizon found that the number of reports of social engineering incidents were highest in the Public Administration, Mining & Utilities, Professional Services, Finance and Education sectors respectively. In terms of actual breaches suffered, the data looks a little different. Public Administration still takes the lead, followed by Mining & Utilities, Professional Services and Education .
KnowBe4’s Phishing By Industry Report found that the top industries at risk vary according to company size, but also reflect that healthcare and manufacturing are amongst the most targeted industries, alongside education, construction, business services and technology.
Finally, IBM found that the healthcare industry, though not always right at the top of the “most breached” lists, suffered the most in terms of the cost of a breach.
The Impact Of A Phishing Attack
Phishing attacks can be devastating to organizations that fall victim to them, in more ways than one. Let’s start by exploring the financial implications of falling for a lure.
The Financial Cost Of A Breach
According to IBM, the average cost of a data breach is 4.24 million dollars. This is higher than their figure from the previous year, and indicates that data breaches are becoming more financially dangerous. And the majority of that cost is split between detecting and escalating the breach (29%), and lost business cost (38%). The reality is quite the opposite: IBM’s study also shows a growing chasm in terms of the cost of a breach between organizations with more advanced security processes, such as incident response teams, and those with less processes in place. This means that, though costs are significantly lower for those with a formal security architecture in place, a data breach can cause irreparable damage to organizations without such protection.
Further to this, IBM found that customers’ personally identifiable information (PII) was both the most commonly compromised type of data—involved in 44% of all breaches—and the most costly. 80% of breached organizations reported a loss of customer PII in 2020, and breaches that suffered PII loss cost on average four dollars more per lost or stolen record (180 dollars) than those that hadn’t (161 dollars).
IC3 found that phishing scams are among the most costly, with US businesses suffering adjusted losses of over 54 million dollars. However, BEC attacks are the most costly of all, with an adjusted loss of around 1.8 billion dollars.
Those are some pretty big figures to get your head around, so let’s take it down to a per-business level: according to APWG, the average BEC wire transfer attempt requested in Q2 of 2020 was for over 80,000 dollars – a huge increase from the 54,000 reported in Q1.
The bottom line? Social engineering attacks are expensive, and this cost is only increasing.
The Consequences Of A Breach
The cost of a successful phishing attack can be broken down into the following categories:
Damage to reputation
Loss of intellectual property
Direct monetary losses
Response and remediation costs
Loss of revenue and customers
However, financial loss isn’t the only impact that a phishing attack can have on your organization. A successful attack can also lead to:
Compromised accounts or credentials
Malware infections, including ransomware
Data loss is a key consequence of a successful phishing attempt, but what exactly does that entail? According to Verizon, the following are the top types of data that are compromised in a phishing attack:
Credentials, such as usernames and passwords.
Personal data, such as addresses and phone numbers.
Internal data, such as sales figures.
Medical data, such as insurance claim information.
Banking data, such as credit card information.
Current Phishing Trends
The last two years have seen some massive changes to the way we work, from migration to a remote office and back, to rapid digital transformation, to an increase in the use of AI technologies. Many of these changes were accelerated by the COVID-19 pandemic, and it’s clear that the Coronavirus and the subsequent global switch to hybrid-remote work have had a huge impact on the attack surface we’re facing.
Between February and March of 2020, as organizations rushed to enable their employees to work from home during the first wave of the pandemic, the number of phishing emails spiked by a staggering 667%, according to Barracuda Networks, as attackers lost no time in capitalizing on the period of fear and uncertainty.
This spike is mirrored by research from Abnormal Security, which reports a huge increase in COVID-19 themed attacks starting in Q1, with the weekly volume of campaigns further increasing by 389% between Q1 and Q2. However, Q3 saw a decline in the number of COVID-19-related campaigns, with scammers instead favoring attacks based on invoice and payment fraud. Throughout Q3, the number of invoice and payment fraud BEC attacks increased by 81%.
IBM also report an 11% increase in the number of BEC attacks in Q2, as hackers took advantage of unfamiliar remote work scenarios. As well as increasing attack volume, having a remote workforce increased the total average cost of a data breach by nearly 137,000 dollars, bringing it up to 4 million dollars.
And the reports don’t stop there! In the US, IC3 reports that they received over 28,500 complaints in 2020 related to COVID-19. These complaints reports attacks targeting the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which strived to support small businesses during the pandemic. These attacks specifically targeted unemployment insurance, Paycheck Protection Program (PPP) loans, and Small Business Economic Injury Disaster Loans.
Unfortunately, huge numbers of these attacks were successful. More than a quarter of business owners suffered security breaches caused by a cyberattack since national lockdowns were imposed and more business was being conducted online. As a result of this, 76% of business owners say that they feel more exposed to fraud since the beginning of the pandemic, and 66% say that they’re concerned about being targeted by scammers as we move further into 2021.
Microsoft’s New Future of Work report shows similar results, stating that 80% of security professionals have experienced an increase in security threats since shifting to remote work. Of this 80%, 62% say that phishing campaigns have increased more than any other type of threat.
These fears and experiences are neither unwarranted nor unfounded: Zscaler found that, between January and March alone, the number of blocked suspicious messages targeting remote workers increased by 30,000% – yes, that’s thirty thousand – and that the number of COVID-19-related spear-phishing attacks rose by 667%.
And, as attack numbers continue to rise and phishing continues to be the leading cause of data breaches around the world, we can only expect these trends to continue.
How Can You Protect Your Business Against Phishing Attacks?
Unfortunately, there isn’t a single silver bullet solution to email security. We recommend taking a multi-layered approach to your phishing defense, by implementing a range of both technical and human-centric solutions.
Secure Email Gateway
Secure Email Gateways (SEGs) monitor your employees’ inbound and outbound emails, scanning them for malicious content. If the SEG detects any spam, phishing or malware threats, it quarantines or blocks the email so that it never reaches its intended recipient.
However, while SEGs are very effective at blocking spam and traditional phishing attempts, sophisticated spear-phishing attacks are able to evade them by impersonating known trusted senders. To defend your data against internal threats, you need to implement a solution that protects each user at an individual level.
Cloud Email Security
Cloud email security solutions sit within your email network itself and monitor all inbound, outbound and internal communications for malicious content. Cloud solutions use AI and machine learning to analyze each individual employee’s communication patterns, then scan their email comms for anomalous behavior. This enables the solution to detect more targeted and personalized spear-phishing attempts.
A strong training program can have a huge impact on the way in which your employees respond to phishing attempts. A recent report from Cofense (formerly PhishMe) found that employees who have completed a security awareness training program are far more likely to report a suspicious email than those who haven’t, greatly reducing the dwell time of a phishing email – i.e. the time taken to detect and remediate an attack.
Cofense’s study, which analyzed millions of results from their own simulated phishing campaigns, found that 82% of trained employees reported a simulated phish within an hour of receiving it, 52% reported it within 5 minutes, and 19% within 30 seconds.
The success of awareness training is further supported by research from KnowBe4, which found that, after completing one year of phishing awareness training, the average improvement rate across all industries and organization sizes was 87%.
Want to find out more about how you can protect your employees’ inboxes? Check out our buyers’ guides to the top security solutions that will help you defend against phishing attacks: