How many people actually fall victim to phishing attacks? What kind of tricks and tools are threat actors using to get you to open those messages? What are they trying to accomplish? And how much damage do they actually cause?
No matter how robust your firewalls and filters, phishing attempts - i.e., messages designed to dupe you into divulging information, enacting transactions, or downloading malware - can still very easily land in your inbox.
To help you understand this cyber attack technique, here are the latest phishing statistics, including the lowdown on its impact and the effectiveness of phishing defense measures.
Table Of Contents
- Phishing Attack Trends
- Who Are the Phishing Targets?
- Who Are Committing Phishing Attacks?
- Common Phishing Attacks
- Common Features of Scams
- Emerging Impact of AI in Phishing Attacks
- Impact of Phishing
- Notable Recent Phishing Campaigns
- Conclusion
- Frequently Asked Questions
Phishing Attack Trends
The figures show that the volume of phishing attacks is on the increase, and a growing number of organizations are impacted by it.
Phishing attacks rely on human error. Statistics suggest that although most people follow email hygiene and safe usage policies most of the time, there’s always a small proportion who forget or ignore the rules.
1. Phishing is the single most common form of cyber crime. An estimated 3.4 billion emails a day are sent by cyber criminals, designed to look like they come from trusted senders. This is over a trillion phishing emails per year.
2. Email impersonation accounts for an estimated 1.2% of all email traffic globally.
3. Around 36% of all data breaches involve phishing.
4. 84% of organizations were the targets of at least one phishing attempt in 2022 - a 15% increase on the year before.
5. In Q4 2022, The Anti-Phishing Working Group, APWG, observed 1,350,037 total phishing attacks, up from 1,270,833 the previous quarter.
6. In 2022, APWG logged ~4.7 million phishing attacks. Since 2019, the number of phishing attacks has increased by more than 150% yearly.
7. Growth of phishing attacks by year:
| 2019 | 779,200 |
| 2020 | 1,845,814 |
| 2021 | 2,847,773 |
| 2022 | 4,744,699 |
Global Average Phishing Email Click Rates
8. In 2021, the average click rate for a phishing campaign was 17.8%.
9. More targeted spear phishing campaigns had an average click rate of 53.2%.
Phishing Email Click Rates by Industry Sector
10. Individuals working for educational institutions are most likely to open a phishing email. Healthcare and retail employees are the least likely to do so.
11. Phishing email click rates worldwide by industry:
| Sector | Click Rate |
|---|---|
| Education | 27.6% |
| Finance & Insurance | 26.6% |
| Information Technology | 25.6% |
| Agriculture & Food | 21.2% |
| Service Providers | 20.2% |
| Not-for-profit | 16.3% |
| Energy | 14.8% |
| Manufacturing | 13.4% |
| Public Sector | 10.4% |
| Transport | 7.5% |
| Retail | 7.2% |
| Healthcare | 5.6% |
Malicious Link Activation
12. 3% of employees will click on a malicious link within a phishing email.
Who Are the Phishing Targets?
Those behind phishing attacks usually try to trick users into handing over financially-valuable information. The targets chosen by attackers reflect this.
Industries Most Targeted
Security organizations all have their own service and user bases. As such, when it comes to showing which sectors are targeted by phishing attacks the most, different organizations produce slightly different figures. On the whole, however, the financial sector tends to come out on top as the most attacked sector.
13. Most attacked industries, Q4, 2022.
| Industry | Percentage of phishing attacks |
|---|---|
| Financial Institutions | 27.7% |
| Software-as-a-Service Providers | 17.7% |
| Other | 18.2% |
| Social Media Providers | 10.4% |
| Logistics / Shipping | 9.0% |
| Payment Services | 6.0% |
| eCommerce / Retail | 5.6% |
| Telecom | 3.1% |
| Cryptocurrency | 2.3% |
14. Phishing attacks by industry, Jan-June 2022.
| Industry | Percentage of phishing attacks |
|---|---|
| Banks | 27.7% |
| Online Shops | 17.2% |
| NGOs | 10.7% |
| Educational Institutions | 9.3% |
| Healthcare | 9.1% |
| Governmental Organizations | 8.2% |
| Telecom | 7.5% |
| IT Services | 6.6% |
| Insurance | 2.4% |
| Others | 1.3% |
Size of Organizations Targeted
15. On average, an employee of a small business with less than 100 employees will experience 350% more phishing and other social engineering attacks than an employee of larger enterprises.
16. For an organization with 1-250 employees, roughly one in 323 emails received will be malicious. For an organization of 1001-1500 employees, one in 823 emails is malicious.
Individuals Targeted
17. IT leaders identify finance professionals (27%) and IT team members (23%) as the individuals within their organizations most likely to be targeted by phishing attacks.
18. Remote workers may be more likely to be targeted than office-based employees. 80% of infosec professionals say they’ve seen increased security threats since the shift to remote working. 62% said that phishing attacks had increased more than any other type of threat.
Countries Targeted
19. According to DMARC, the Netherlands was targeted with the highest volume of phishing attacks in 2022 (17.7% of all attacks). Russia, Moldova, the USA, and Thailand follow.
20. Kaspersky data suggests that device users in Vietnam are statistically the most likely to encounter a phishing attack.
Who Are Committing Phishing Attacks?
More than half of phishing attacks originate from just three countries. Mostly, threat actors are driven by financial gain, although a small number of attacks appear to be politically-driven.
Source Countries
21. In 2022, 29.82% of spam emails were sent from Russia. Mainland China is the second most common source of malicious spam (14%), followed by the United States (10.71%).
Threat Actors and Motives
22. 95% of social engineering attack motivation is financially driven.
23. 35% of ransomware attacks are delivered via email.
24. Hacktivism and political motivations account for a very low proportion of phishing activity globally. However, there has been an inevitable rise in politically-motivated phishing linked to the war in Ukraine.
25. Google’s Threat Analysis Group (TAG) reports that from January to March 2023, Ukraine received ~60% of phishing attacks originating from Russia. Top campaign goals include intelligence collection and operational disruptions against critical infrastructure.
Phishing Delivery Techniques
26. Email is overwhelmingly the most popular method of conducting a phishing attack. An estimated 91% of all cyber attacks begin with a phishing email.
27. 91% of bait emails are sent via Gmail accounts. Reasons for the popularity of Gmail with threat actors are thought to include the ability to set up large numbers of accounts quickly and for free and the availability of Google’s inbuilt “read receipts” function.
28. Notwithstanding the dominance of email, a third of IT professionals report an increase in other message-related platforms.
29. 44% of respondents have experienced phishing via video conferencing platforms, 40% via workplace management platforms, 40% via file-sharing platforms, and 36% via text messages.
Common Phishing Attacks
Highly-targeted attacks make up a small proportion of phishing traffic overall. However, compared to generic attacks, they have a much higher success rate.
Spear Phishing
Definition: Sending messages - ostensibly from a known or trusted party - to induce specifically targeted individuals to reveal information to take specific actions.
30. Spear phishing campaigns make up only 0.1% of all email-based phishing attacks, but they are responsible for 66% of all breaches.
31. 50% of large organizations were targeted with spear phishing in 2022, receiving an average of five spear-phishing emails a day.
Whaling
Definition: Also known as big phishing and CEO-fraud, this involves using precisely-engineered spoofing emails to trick senior figures within organizations into disclosing credentials, money, or information.
32. Incidences of whaling and executive impersonations increased significantly following the shift to remote work in 2020. Between Q1 2020 and Q1 2021, the number of reported whaling attacks increased by 131%.
Common Features of Scams
A large proportion of attackers use fake messages that look as if they are from well-known companies. A growing number of attackers also seem to be putting AI to work to make their messages sound more convincing.
Top Phishing Brands
33. 55% of phishing attacks use established brand names to build credibility in their messages.
34. According to Check Point Research, LinkedIn is the brand most frequently imitated to lure phishing victims into disclosing credentials/ information.
35. Top 10 most frequently imitated companies in brand-related phishing attempts:
| Company | |
|---|---|
| 52% | |
| DHL | 14% |
| 7% | |
| Microsoft | 6% |
| FedEx | 6% |
| 4% | |
| Amazon | 2% |
| Maersk | 1% |
| AliExpress | 0.8% |
| Apple | 0.8% |
Phishing Trigger Words
36. The most frequently-used keywords used by phishing scammers in email subject lines:
- Invoice
- New
- Message
- Required
- File
- Request
- Action
- Document
- Verification
- eFax
- VM
(Tip: for more info on how these keywords are put to work, check out our article, Top Phishing Keywords Revealed).
Emerging Impact of AI in Phishing Attacks
In Q1 2023, Darktrace has reported a 135% increase in malicious email campaigns demonstrating advanced linguistic deviation in syntax, semantics, grammar, and sentence structure.
This development corresponds with the widespread availability of tools such as ChatGPT, providing a possible earlier indicator of the potential of generative AI in creating more sophisticated and convincing phishing attacks.
Impact of Phishing
Phishing statistics demonstrate how important it is for organizations to adopt an assume breach stance: i.e., to follow best practice when it comes to perimeter defenses and user training, but also to assume that notwithstanding these measures, successful phishing attempts are only to be expected.
Business Impact of Phishing Attacks
37. Phishing is the most common method for delivering ransomware, responsible for 45% of all ransomware attacks.
38. For enterprises, the average cost of a ransomware attack, including downtime and remediation, is estimated at ~$1,500,000.
39. Phishing attacks cost large organizations $15 million annually, or more than $1,500 per employee.
40. For each item of customer-related personally identifiable information extracted via a phishing attack, the average cost to the business is $180.
41. Of security leaders who have experienced phishing attacks, the most commonly cited consequences are as follows:
| Consequence of phishing | Percentage of security leaders who experience it |
|---|---|
| Lost/stolen data | 60% |
| Compromised credentials and accounts | 50% |
| Ransomware | 45% |
| Other malware | 30% |
| Direct financial loss | 20% |
Defense Against Phishing Attacks
42. IT and Security teams take an average of 27.5 minutes to handle a single phishing email.
43. The estimated cost of discovering and mitigating a single phishing email is $31.32.
44. Without proper training, 32.4% of employees are susceptible to falling for phishing scams.
45. Almost 1 in 5 organizations only provide phishing awareness training to employees once per year.
46. Many employees are not provided with updated security training when new technologies are introduced into the organization. 47% have received no security training for instant messaging platforms or communication applications. Almost 1 in 5 fail to remember or find the relevant information.
47. Human error contributes to 95% of successful cyber security breaches.
48. An estimated 58% of employees ignore cyber security guidelines, and 39% admit they are unlikely to report a security incident in the workplace.
49. 90% of confirmed phishing email attacks took place in organizations with Secure Email Gateways (i.e., measures such as firewalls, email scanning tools, and filters) in place.
Notable Recent Phishing Campaigns
Recent high-profile attacks and threats highlight how susceptible users can be to targeted scams. A couple of years ago, we saw hackers take advantage of Covid assistance schemes to dupe victims. In the US, there’s a risk of something similar occurring in relation to student loans.
BlackCat attack on Reddit
The ransomware group, BlackCat gained access to 80GB of data from Reddit in February 2023. The group demanded a $4.5 million payout, along with a rollback on its planned API pricing changes, in exchange for the return of their data.
Reddit blamed the attack on a “sophisticated and highly-targeted” phishing attack against employees…
Activision Breach
Activision, the makers of Call of Duty, was hit by data theft in December 2022 as the result of an unsuspecting employee’s credentials being stolen in an SMS phishing attack (called smishing). Data stolen included employee information and content release schedules.
Student Loans Forgiveness Scams
With the US Student Loan Forgiveness procedure now in place, the FBI has issued a warning against fraud and phishing schemes designed to swindle borrowers out of information or cash.
Conclusion
It’s clear from the phishing statistics that this cyber attack technique remains a persistent threat, and it’s also pretty clear why.
Even with filtering and threat intelligence solutions in widespread use, some malicious messages will always find their way into inboxes. There will always be some individuals who open those messages. And there will always be a handful of employees who go on to hand over credentials or click on those malicious links.
It shows that hackers only have to get lucky with phishing a few times to make their endeavors worthwhile. It also highlights the value of penetration testing: i.e., testing a network’s perimeters, finding out who is most vulnerable to phishing - and closing the gaps to reduce the chances of a successful attack.
The Complete Cyber Security Course! Volume 1: Hackers Exposed
4.8
★★★★★
Learn Social Engineering From Scratch
4.9
★★★★★
Cyber Security Awareness Training
4.8
★★★★★
Frequently Asked Questions
What is a phishing attack?
A phishing attack is where a threat actor sends a fraudulent communication that appears to come from a trusted sender. If successful, the victim is coaxed into taking a specific action, such as disclosing information or clicking on a link to execute malware.
What tools are used to commit a phishing attack
A few of the types of tools used by hackers in phishing campaigns include the following:
• Domain name permutation engines to help them generate convincing-looking domains where their bogus service will be hosted.
• Legitimate email services (e.g., Gmail for Business) to manage the sending of messages.
• Email extractor tools to harvest large volumes of email addresses.
• Spam assessment tools that make it easier for scammers to create and edit messages in such a way that they avoid getting caught in spam filters.
• Tools like BeEF and SET to generate convincing login portals, steal credentials, and send mass phishing emails.
• ChatGPT to automate the creation of phishing emails.
What is the goal of a phishing attack?
Phishing attacks are usually designed to coax the victim into disclosing valuable information (e.g., bank details or login credentials), to execute financial transactions, or to launch malicious scripts (e.g., to trigger a ransomware attack).
Can AI be used in a phishing attack?
Highly-targeted spear-phishing attacks require a lot of effort and industry-specific knowledge to get right. There is evidence that deep learning language tools (GPT, for instance) may be better than humans at creating convincing-sounding attacks. This potentially makes it easier for effective campaigns to be devised.
Sources
- APWG Phishing Activity Trends Report, Q4 2022
- Barracuda: Spear Phishing: Top Threats and Trends Report 2022
- Barracuda: Threat Spotlight: Bait attacks, 2021
- Barracuda: Threat Spotlight: Post-delivery email threats, 2021
- BleepingComputer: ‘Google: Ukraine targeted by 60% of Russian phishing attacks’, Article, 2023
- Check Point Brand Phishing Report, 2022
- Comparitech: Phishing statistics and facts, 2023
- Cyber News: ‘95% of cyber security incidents occur due to human error’, Article, 2022
- Cybsafe: Cyber Security Training, Press Release, 2023
- Deloitte: ‘8 simple practices towards cyber-resilience’, Press Release, 2020
- DMARC: Phishing Statistics, 2022
- Egress: ‘Fighting phishing: the IT leader’s view’, Report 2022
- Expel: Top Phishing Keywords, 2021
- F5 Labs: Phishing and Fraud Report, 2020
- Genmar: Simulated Phishing, Article, 2023
- IBM: Cyber Resilient Organization Study, 2021
- IBM X-Force Threat Intelligence Index 2022
- Ironscales: ‘How much does phishing cost businesses?’, Article, 2022
- Ironscales: State of Cybersecurity Survey, 2021
- IT Brew: Phishers may already be using AI to improve their attacks’, Article, 2023
- Kaspersky: Spam and Phishing in 2022, Report
- KnowBe4: Phishing by Industry Benchmarking Report, 2023
- Microsoft: The New Future of Work, Report, 2021
- Netwrix, Cyber Threats Report, 2020
- Ponemon: Cost of Phishing Study, 2021
- Proofpoint: State of the Phish Report, 2023
- SC Media: Ransomware payouts and recovery costs, Article, 2023
- Security Boulevard: Whaling Phishing Attacks: A Complete Guide, 2022
- Techradar: ‘One trillion phishing emails sent every year’, Article, 2019
- Terranova Phishing Benchmark Report, 2022
- Valimail Email Fraud Landscape Report, 2019
- Venari: $180 per record cost of PII, Article 2021
- Verizon Data Breach Investigations Report, 2023
Level Up in Cyber Security: Join Our Membership Today!
MEMBERSHIP
Gary Smith Gary spends much of his working day thinking and writing about professional and personal development, as well as trends and best practice in IT recruitment from both an organizational and employee perspective. With a background in regulatory risk, he has a special interest in cyber threats, data protection, and strategies for reducing the global cyber skills gap.
