Firstly, what exactly is phishing?
‘Phishing’ is a term commonly used to describe cyber security attacks and online scams. Victims of phishing ‘are lured via fake correspondence, often in the form of emails or social media messages leading to carefully constructed phishing sites.’ [Statista]
Once the victim clicks a phishing link and hands over their details, their data is then harvested and used in scams, including identity theft and online fraud.
Because so much of our lives has now moved online, it is more important than ever that we understand the threat that phishing attacks pose in order to preempt and prevent them.
This article will explore the four main types of phishing, plus 50 phishing attack statistics you need to know.
Types of phishing:
Phishing attacks can come in many different forms. The most common types of phishing can be broken down into five main groups: email phishing, spear phishing, whaling, smishing and vishing, and angler phishing.
- Email phishing: Email phishing is the most common form of phishing. Email phishing is when an attacker sends an email to a victim, usually posing as a credible source, such as a bank or government department. The attacker will usually ask for information from the victim, such as bank details or login credentials.
- Spear phishing: Spear phishing is similar to email phishing, but is a much more targeted attack. When spear phishing, the attacker may still pose as a credible source; however, the aim is to choose a source much closer to the victim than a bank or organization. A common example of this is a victim receiving an email from an attacker posing as the CEO of the company they work for. [source]
- Whaling: Whaling is an even more targeted attack than email and spear phishing. When using this strategy the attacker aims for senior level employees in an organization (or the ‘big fish’), and aims to ask the victim to perform a specific action that they might usually do for their boss – for example, authorizing a financial transaction or changing payroll information. [source]
- Smishing and vishing: In smishing and vishing, emails are replaced by text messages and phone calls to the victim. Smishing suggests a text being sent to the victim while vishing involves a phone conversation. The most common form of smishing is the victim receiving a text message from a bank, alerting them to fraudulent activity and asking that they click on a link. The link brings the victim to a website designed by the attacker, which is set up to capture the victim’s details. [source]
- Angler phishing: Angler phishing is a relative newcomer to phishing that involves social media. By using fake URLs, websites, tweets and social media posts, hackers can subtly persuade victims to give up their personal data. [source]
Now that we are familiar with the most common phishing terms, let’s take a look at 50 vital phishing attack statistics that you need to know:
Phishing Statistics 2023
1. There are 1.27 million unique phishing sites worldwide.
According to Statista, 1.27 million unique phishing sites were detected worldwide in Q3 2022. This was a 15% increase from the previous quarter.
2. Phishing is the most common type of cyber crime, with 300,497 individuals affected in 2022.
In 2022, it was found that phishing was the most common type of cyber crime reported by the United States Internet Crime Complaint Center. The research by Statista found that phishing affected 300,497 individuals.
3. There was a 17% increase in brands targeted by phishing between 2021 and 2022.
As reported by Statista, in July 2022, 621 brands worldwide were targeted by phishing attacks – up from 522 in July of the preceding year.
4. Vietnam is the most targeted country by phishing.
According to a report published by Statista in May 2023, Vietnam was the most targeted country by phishing in 2022 – the phishing attack rate among internet users in the country was 17.03%.
5. Financial institutions were the most targeted online industry by phishing attacks in 2022.
As of Q3 2022, financial institutions were the most targeted industry by phishing attacks, with 23% of phishing attacks aimed at financial institutions. This was closely followed by SaaS/Webmail (17%) and social media (11%). [Source: Statista]
6. Adults between the ages of 18 and 29 are the least concerned about becoming a victim but more likely to experience a scam or cyber attack.
According to research from NAB, people aged between 18 and 29 are the least concerned about experiencing a scam or cyber attack; however, they are more likely to become a victim. The research found that 16% of men and 18% of women in that age group said they were concerned about being scammed. However, the research also found that twice as many men (34%) and women (38%) in that age bracket had experienced a scam or cyber attack. [source: News.com.au]
7. Google blocks around 100 million phishing emails every day.
According to Telecom, Google blocks roughly 100 million phishing emails every day.
8. 3 billion phishing emails are sent every day.
How many phishing emails are sent every day? A whopping three billion phishing emails are sent by cyber criminals every single day, as reported by Znet.com.
9. 55% of phishing websites use targeted brand names.
According to the F5 Labs Phishing and Fraud Report of 2020, these phishing websites use targeted brand names and are designed to capture the victim’s data easily.
10. There was a 15% increase in phishing attacks in 2020, during the global pandemic.
The F5 Labs Phishing and Fraud Report of 2020 reported a 15% increase in phishing attacks in 2020. It is thought that this was made possible by the increased number of people working from home.
11. In 2021, nearly 83% of companies experienced phishing attacks.
How many companies experience phishing attacks? According to the FBI’s 2021 IC3 Report, it was found that almost 83% of companies experienced phishing attacks.
12. Facebook and Microsoft are the most impersonated brands in phishing.
CSO have reported that Facebook and Microsoft are the most impersonated brands in phishing attacks, as of 2022. Web pages impersonating Facebook and Microsoft made up roughly 25% of phishing attempts.
13. Phishing attempts have tripled since 2020.
The Anti Phishing Working Group’s research stated that phishing attempts are 3x higher than in 2020.
14. 65% of cyber-attacks are a result of spear phishing.
How common is spear phishing? According to the 2019 ISTR by Symantec, 65% of cyber attacks occur as a result of spear phishing.
15. 88% of organizations face spear phishing attempts every year.
According to Norton, 88% of organizations are targeted by spear phishing attempts every year.
16. The most expensive phishing attack in history cost Facebook and Google $100 million.
What was the biggest ever phishing attack? The most expensive phishing attack in history targeted Facebook and Google. A Lithuanian hacker impersonated Quanta Computer, a Taiwan-based company, sending fake invoices between 2013 and 2015, costing the two tech giants a whopping $100 million. [source]
17. The majority of unsolicited spam emails are sent from Russia.
Where do phishing emails come from? According to a report by Statista, in 2022, the majority of unsolicited spam emails were sent from Russia, at 29.82%. This was followed by China (14%) and the US (10.71%).
18. Almost 70% of phishing emails have an empty subject line.
How do you spot a phishing email? The subject line may be a good place to start. According to the Expel Quarterly Threat Report 2022, 67% of phishing attackers leave the subject line blank in malicious emails.
19. ‘Fax Delivery Report’ is the most common subject line in phishing emails.
On the rarer occasion that a phishing email does contain a subject line, the most common choice is ‘Fax Delivery Report’, according to Expel Quarterly Threat Report 2022.
The rest of the data breaks down as follows:
Most common subject lines in phishing emails:

| Subject line | Share of phishing emails |
| --- | --- |
| Empty | 67.48% |
| Fax Delivery Report | 9.01% |
| Business proposal request | 5.83% |
| Request | 4.20% |
| Meeting | 4.07% |
| You have (1*) New Voice Message | 3.46% |
| Re: Request | 2.10% |
| Urgent request | 2.03% |
| Order Confirmation | 1.83% |

20. Roughly 91% of data breaches are a result of phishing.
How big of an issue is phishing? According to Deloitte, approximately 91% of data breaches are from phishing.
21. It is estimated that phishing attacks will increase by 400% year on year.
Are phishing attacks getting worse? The FBI have reported that it is estimated that phishing attacks will increase by 400% year on year.
22. The average employee will receive 14 malicious emails per year.
How many phishing emails can the average employee expect to receive? According to research by tech company Tessian, the average employee will receive 14 malicious emails per year.
23. Retail is the most frequently targeted industry with 49 phishing emails received per employee per year.
In the same research by Tessian, it was found that retail was the most frequently targeted industry over the twelve-month period in which the research was conducted. It was reported that the retail industry received 49 emails per employee per year on average. However, it was also found that attackers have no preference when it comes to company size.
24. You are most likely to receive phishing emails between 2PM and 6PM.
The same research by Tessian reported that phishing emails were most frequently received between 2PM and 6PM.
25. In 2020, 1 in every 4,200 emails was a phishing attempt.
As we know, the pandemic played a large role in the increase in phishing attempts. It was reported by Symantec that in 2020, 1 in every 4,200 emails was a phishing attempt.
26. 90% of IT professionals state that email phishing is one of their top concerns.
How worried are IT professionals about phishing? Perhaps unsurprisingly, professionals from the IT industry see phishing as a significant cybersecurity threat. According to IronScales.com, a whopping 90% of IT professionals state that email phishing is one of their top concerns.
27. 76% of malicious emails do not contain an attachment.
Aside from having no subject line, another useful way to spot a malicious email is to check if it has any attachments. According to research by SonicWall.com, 76% of malicious emails do not contain an attachment.
28. 66% of malware instances get into computers through malicious email attachments.
According to research by Verizon, 66% of malware instances get into computers through malicious email attachments.
29. 47% of social media phishing attempts refer to LinkedIn.
Research by Sonic Wall also found that almost half (47%) of social media related phishing attempts refer to LinkedIn.
30. On average, phishing attackers spend $3 to $12 for a custom phishing web page.
As it turns out, creating a phishing web page is dangerously accessible for scammers. The average phishing attacker spends between $3 and $12 for a custom phishing web page, as per research by Symantec.
31. 97% of people cannot say whether or not an email, ad, or message is a phishing attack.
Just how prepared are we for cyber attacks? According to IntelSecurity, a startling 97% of people cannot identify whether or not an email, ad or message is a phishing attack.
32. Just 60% of organizations offer cyber security education to their employees.
How many organizations offer cyber security education to their employees? Cyber security education is still lacking – according to ProofPoint, only 60% of organizations give cyber security education to their employees.
33. The average data breach costs businesses roughly $3.68 million.
According to IBM, the average data breach costs businesses roughly $3.68 million. This shows that taking cyber security seriously is becoming more important than ever.
34. 60% of security leaders stated that their organization had lost data in a cyber attack.
Are phishing attacks successful? According to research by ProofPoint, 60% of security leaders stated that their organization had lost data in a cyber attack.
35. It takes an average of 291 days to completely contain a phishing threat. (IBM)
Containing a phishing threat is time consuming, costly work. In order to contain a phishing threat within an organization, it takes an average of 291 days according to research conducted by IBM.
36. 2021 was the most expensive year for data breaches in the last 17 years.
According to research by APWG, in the last 17 years, 2021 was the most expensive year for data breaches.
37. 84% of US-based organizations say that their security awareness training successfully lowered phishing success rates.
Does security training really work against phishing attacks? As per research by ProofPoint, 84% of US-based organizations say that their security awareness training successfully lowered phishing success rates.
38. 44% of people think an email is safe when it contains familiar branding.
According to research by ProofPoint, almost half of people think an email is safe if it contains familiar branding.
[Survey was conducted through analyzing responses from 7,500 working professionals across 15 countries, as well as 1,050 security professionals across those countries. It also includes findings sourced from 135 million simulated phishing attacks over a 12 month period (2022) as well as 18 million emails reported from customers over that same time period.]
39. There were 300 – 400k telephone attacks every day in 2022.
According to research by ProofPoint, there were 300 – 400k telephone attacks every day in 2022.
40. 30 million malicious messages sent in 2022 contained Microsoft branding.
Research by ProofPoint found that 30 million malicious messages sent in 2022 contained Microsoft branding.
41. 2022 showed a 76% increase in direct financial loss from successful phishing.
Research by ProofPoint found that 2022 showed a 76% increase in direct financial loss from successful phishing, showing that phishing poses a substantial threat to organizations.
42. 1 in 3 people can’t define basic phishing concepts such as ‘malware’, ‘phishing’ and ‘ransomware’.
Research by ProofPoint found that people struggled to define even basic terms relating to cyber attacks, with more than 1 in 3 people unable to state the meaning of ‘malware’, ‘phishing’ and ‘ransomware’.
43. Only 35% of companies conduct phishing simulations.
With the potential financial loss for companies plus the frequency of phishing attempts, it could be argued that phishing preparation should be a priority for companies. However, in 2022, ProofPoint found that only 35% of companies conduct phishing simulations.
44. 64% of organizations infected with ransomware paid a ransom.
According to research conducted by ProofPoint, a startling 64% of organizations infected with ransomware paid a ransom.
45. One third of employees say cybersecurity is not a top priority of theirs while at work.
While 90% of security professionals consider cybersecurity a top priority at their company, one third of employees say cybersecurity is not a top priority of theirs while at work. [Source: ProofPoint]
46. 34% of employees did something in 2022 that put their organization at risk.
With the lack of simulations and cyber security education in organizations in 2022, it may come as no surprise that 34% of employees did something in 2022 that put their organization at risk. [Source: ProofPoint]
47. One third of people took a ‘risky’ action when sent a malicious email.
According to research conducted by ProofPoint, one third of people took a ‘risky’ action when sent a malicious email, such as clicking links or downloading malware.
48. Roughly 1 in 10 attacks were blocked as a result of user reporting.
Cyber security education can make a difference, according to research conducted by ProofPoint. During their research, they drew data from 135 million simulated phishing attacks, and found that approximately 1 in 10 (or 75 million) threats were blocked as a result of user reporting.
49. 53% of cyber security professionals believe that hackers might use ChatGPT to craft more believable and legitimate-sounding phishing emails.
What is the future of phishing? ChatGPT has many uses, and phishing may unfortunately be one of them. In a 2023 survey by Statista, it was found that 53% of respondents believed that hackers might use ChatGPT to craft more believable and legitimate-sounding phishing emails.
[Survey conducted in January 2023; 1,500 respondents; IT and cybersecurity decision-makers]
50. Almost half of cybersecurity professionals believe that ChatGPT would help less experienced hackers improve their technical knowledge and develop their skills, as well as for spreading misinformation.
ChatGPT may also be useful to less experienced hackers. A survey by Statista found that almost half (49%) of IT and cybersecurity decision makers surveyed believe that ChatGPT would help less experienced hackers improve their technical knowledge and develop their skills, as well as for spreading misinformation.
[Survey conducted in January 2023; 1,500 respondents; IT and cybersecurity decision-makers]
In conclusion, these statistics make it clear that phishing poses a real threat to organizations around the world. With a 76% increase in direct financial loss as a result of phishing [ProofPoint], it is difficult to ignore the impact phishing has on businesses and organizations in the present day. Plus, with the increase in popularity and accessibility of tools like ChatGPT, it is becoming easier than ever for phishing attackers to impersonate brands and trick the average employee into a scam which may cost their company millions in damages.
However, it is clear to see that with the right tools, education, phishing simulations and information, over time we can learn to protect our business from cybersecurity threats and look forward to a safer and more secure digital world.
Sources:
https://www.statista.com/topics/8385/phishing/#topicOverview
https://www.techopedia.com/definition/4121/spear-phishing
https://www.techopedia.com/definition/whaling-attack-whale-phishing
https://www.itgovernance.eu/blog/en/the-5-most-common-types-of-phishing-attack
https://www.statista.com/statistics/266155/number-of-phishing-domain-names-worldwide/
https://www.statista.com/statistics/184083/commonly-reported-types-of-cyber-crime-global/
https://www.statista.com/statistics/266362/phishing-attacks-country/
https://www.statista.com/statistics/266161/websites-most-affected-by-phishing/
https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
https://docs.apwg.org/reports/apwg_trends_report_q1_2022.pdf
https://docs.broadcom.com/docs/istr-24-2019-en
https://www.delta-net.com/blog/5-of-the-most-expensive-phishing-scams-in-history/
https://www.statista.com/statistics/263086/countries-of-origin-of-spam/
https://www.tessian.com/blog/what-we-learned-analyzing-two-million-malicious-emails/
https://ironscales.com/blog/ironscales-releases-findings-from-state-of-cybersecurity-survey/
https://www.sonicwall.com/medialibrary/en/white-paper/mid-year-2021-cyber-threat-report.pdf
https://www.phishingbox.com/downloads/Verizon-Data-Breach-Investigations-Report-DBIR-2017.pdf
https://www.proofpoint.com/sites/default/files/gtd-pfpt-us-tr-state-of-the-phish-2020.pdf
https://www.ibm.com/reports/data-breach
https://docs.apwg.org/reports/apwg_trends_report_q4_2021.pdf
https://www.proofpoint.com/us/resources/threat-reports/state-of-phish
https://www.statista.com/statistics/1378211/chatgpt-usage-cyber-crime-global/