Chris Lawrence is a journalist and chief editor at Wlan Labs. He has been writing about technology for more than ten years. He writes about everything ranging from privacy to open source software. His goal is to educate readers about important topics to help make their lives easier.
Phishing has been around since the very early days of the Internet, but as we begin to rely more and more upon the worldwide web, the risks and dangers are becoming more substantial. Recent phishing statistics can reveal a great deal about the true nature of the problem globally.
Phishing itself relates to the practice of sending out fraudulent emails. The emails will often pretend to be from established companies to try and convince their victims that they are a legitimate business and begin building trust with them.
Once that trust has been formed, the cybercriminals behind the fraudulent emails will then attempt to gain personal information from their victims, such as credit card details or passwords.
It is so important to always be aware of potential threats when online, and phishing is certainly no exception.
With this in mind, we are going to be taking a look at fifty phishing stats to help you stay safe and aware when it comes to phishing scams. Let’s get started.
The Rise of Phishing
It is no surprise that in the present day with our reliance on technology growing more and more prominent every day, the frequency of phishing attacks is constantly on the rise. We are going to be taking a look at some particular stats in relation to this frequency and rise of phishing attacks.
Let’s take a look:
- IBM published a study showing that one in five companies fell victim to data breaches in 2021, with credentials and information being stolen in the process. 17% of these breaches were carried out via phishing.
- Despite this significant increase, only around one in five organizations actually provide phishing awareness training to their employees.
- The 2021 Verizon DBIR report shows that about a quarter of any and all data breaches involved phishing scams in some way and that a whopping 85% of these breaches, in general, have some kind of human element involved in the process.
- Verizon’s figures are supported by research that was undertaken by the Internet Crime Complaint Center of the FBI. This research showed that in 2020, there was a record number of complaints filed by Americans that involved a form of phishing.
- The Internet Crime Complaint Center also shows that this was the most significant threat in 2020, with around 241,342 victims falling prey to phishing of some kind. This is more than the victims of other prominent cybercrimes in the United States in 2020, such as identity theft (43,330 victims), personal data breaches (45,330 victims), extortion (76,741 victims), and non-delivery/non-payment, the second most common cybercrime with 108,869 victims.
- Google Safe Browsing data continues this theory on the rise of phishing, showing that on the Internet there are now almost 75 times more phishing websites than there are malware websites.
- Research from IronScales suggested a huge increase in email phishing attacks worldwide since March 2020, with their numbers reporting an 81% increase.
- Within the last year, business email compromises (otherwise known as BEC) had a massive increase of 15% between the second and third business quarters.
The Common Victims of Phishing
Whilst phishing is easily able to affect anyone, there are certain victims that are targeted more than others.
Businesses, in general, are particularly susceptible, and whilst large businesses are usually the ones that will make the headlines, small businesses and mid-size ones are often targeted just as much or even more so than larger ones.
This is because these smaller establishments will often not have the kind of security measures that big businesses will have, making them more vulnerable and unable to protect themselves well.
Businesses are not the only organizations that tend to fall prey to these kinds of scams, with sectors such as Education, Finance, and Public Administration also being noteworthy targets of this kind of fraudulent online activity.
Let’s check out some stats in regard to the common victims of phishing scams:
- In 2020, research by BDO showed that around six out of ten middle-sized businesses in the United Kingdom fell victim to phishing fraud. These businesses suffered a huge amount of financial strain due to this, with an average loss of around £245,000.
- A fair amount of mid-sized companies and businesses were surveyed in regard to this, and a huge 40% of them reported an increase in attempted phishing and online fraud in comparison to other years.
- Reports of social engineering incidents, as suggested in a report by Verizon, were at the highest in five particular sectors in 2020: Mining and Utilities, Finance, Professional Services, Public Administration, and Education.
- Despite the previous stat, the actual statistics surrounding the most common breaches in certain sectors are a little bit different (but only slightly). Public Administration is the most affected sector, followed closely by Mining and Utilities, then Professional Services, and then Education.
KnowBe4 published a Phishing by Industry report that showed which industries were the most at risk according to their sector and size. In this report, small relates to a business size of one to 249 employees, medium relates to a business of 250 to 999 employees whilst large relates to a business of more than 1000 employees.
With this in mind, let’s now take a look at some of the stats that this report has to offer:
- A small healthcare and pharmaceutical company has a 44.7% chance of becoming the target of a phishing attack.
- A small education organization has a 41.1% chance of becoming the target of a phishing attack.
- A small manufacturing business has a 40.9% chance of becoming the target of a phishing attack.
- A medium-sized construction business has a 49.7% chance of becoming the target of a phishing attack.
- A medium-sized healthcare and pharmaceutical company has a 49.2% chance of becoming the target of a phishing attack.
- A medium-sized general business service organization has a 43.5% chance of becoming the target of a phishing attack.
- A large technology company has a 55.9% chance of becoming the target of a phishing attack.
- A large healthcare and pharmaceutical company has a 49.3% chance of becoming the target of a phishing attack.
- A large manufacturing organization has a 46.8% chance of becoming the target of a phishing attack.
From these results, it is easy to see that companies that tend to be targeted more than others are healthcare and manufacturing along with technology, construction, education, and business services.
This focus on the healthcare sector is also reiterated by a study from IBM, with results that suggested that healthcare is a sector that tends to suffer greatly from phishing attacks, even if the sector isn’t always at the top of the list when it comes to the most breached industries.
How Do People Fall Victim to Phishing?
Due to emails being the common method of phishing attacks (though there are other methods becoming increasingly prominent that we will touch on later), one of the most well-known ways that people can fall victim to these online scams is via links that are attached to the phishing emails.
- The 2021 Gone Phishing Tournament results from Terranova Security showed that a surprisingly large number of employees will fall prey to these links and end up clicking on them.
- What is even more surprising is that a huge 67.5% of those people will then go on to input their details into the phishing website that they are taken to.
- Taking both of these figures into account, Terranova Security suggests that a surprisingly substantial 13.4% of employees across various industries will ultimately end up inputting their details into a phishing website.
The Methods of Attracting Victims
It is easy to see that there is certainly something that is attracting victims to phishing scams if the previously mentioned numbers are anything to go by.
But what exactly is it that makes these scams so convincing? Let’s now take a closer look at the different ways that cybercriminals will lure in their victims, as well as some statistics in regard to this.
Impersonating Established Brands
One of the most common scam forms which goes way beyond just phishing is the impersonation of already established brands.
- Check Point suggests that the most impersonated brand around the world in regard to phishing scams is Microsoft, with 43% of impersonation scams taking on the guise of the popular tech company.
- This is followed by the delivery service DHL (18%), the employment social networking platform LinkedIn (6%), and the worldwide commerce service Amazon (5%).
- A study by INKY reinforces this, also naming Microsoft as the most impersonated brand by scammers and noting that a massive 70% of all brand-related impersonation scams consisted of Microsoft-related phishing emails in 2020 alone.
- INKY also reports that the most common businesses that fall prey to impersonation are technology organizations, which account for 71.8% of impersonation scams. This is then followed by sectors such as retail, logistics, telecommunications, and finance.
- After Microsoft, INKY reported that the other companies that are frequently used in regard to brand impersonation phishing scams include Amazon, financial service Chase Bank, video conferencing service Zoom, and cloud-based collaborative solution company RingCentral.
Subject lines in emails are another common method in which scammers are able to lure in their victims and convince them of their authenticity.
The website KnowBe4 conducted research in regard to the most prevalent email subject lines that are used in real-life phishing emails.
These were the most common in the third business quarter of 2021, according to KnowBe4:
- Twitter: Your Twitter Account Might Be Compromised
- HR Related: Please Complete This Satisfaction Survey in Regards To Remote Working
- Facebook: Access To Your Facebook Account Has Been Temporarily Disabled As An Identity Check is Needed.
There are also two common IT-related email subject lines:
- Upcoming Changes.
- Strange Activity From Your Email Account.
These subjects suggest that cybercriminals hope to capitalize on two particular areas: the huge influx in online entertainment and social media use, and in remote working, due to the COVID-19 pandemic.
- KnowBe4 also reported that 47% of phishing attempts via social media are done via LinkedIn, which is particularly cruel when you consider the struggle to find employment for millions of people during the pandemic.
Threats on The Inside!
It might seem like something straight from a movie, but internal threats are very much a real issue when it comes to phishing scams.
- BDO, an accountancy firm, has conducted research showing that whilst half of the fraud that is reported is external, a shocking 34% of businesses have experienced some form of collusion that occurs internally between scammers and employees.
- What is even more surprising is that many of these businesses have found that 21% of these scams were caused by the employees themselves.
Attachments are another highly popular way in which scammers will attract their victims in phishing emails.
ESET compiled a Threat Report of common malicious attachments and files, taking into account the third business quarter of 2021.
The results, from most common to least, were as follows:
- Windows Executables (74%): These are files that can be run with options or instructions and are found on all operating systems, hence their popularity with scammers.
- Script Files (11%): Text files that tend to contain sequences of debugger commands.
- Microsoft Office Documents (5%): Applications designed by Microsoft, including Microsoft Word for text documents and Microsoft Excel for spreadsheets.
- Compressed Archives (4%): An archive file format that compresses the files.
- PDFs (2%): A printed document style of file format that creates an electronic version of text, an image, or graphics.
- Java Files (2%): Source code that is written in the Java programming language.
- Batch Files (2%): Files with instructions within them.
- Shortcuts (2%): A shortcut link to another file on your computer.
- Android Executables (less than 1%): An executable file intended to work for Android phones.
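One way a mail gateway or triage script could sort attachments into the categories listed above, shown as an added example that is not code from ESET or from this article. It decides on file content first, because a file name alone is easy to disguise. The signature table, extension sets and function names are assumptions of this sketch, and the sample inputs are constructed.

```python
import io
import zipfile

# Text formats carry no magic bytes, so these fall back to the extension.
TEXT_EXT = {".js": "script", ".vbs": "script", ".ps1": "script",
            ".bat": "batch", ".cmd": "batch", ".java": "java"}
# Leading bytes -> (category, extensions that honestly match that content).
MAGIC = [
    (b"MZ", "windows executable", {".exe", ".dll", ".scr", ".com"}),
    (b"%PDF", "pdf", {".pdf"}),
    (bytes.fromhex("4c00000001140200"), "shortcut", {".lnk"}),
    (bytes.fromhex("d0cf11e0a1b11ae1"), "office document", {".doc", ".xls", ".ppt"}),
    (bytes.fromhex("cafebabe"), "java", {".class"}),
]
ZIP_EXT = {"android executable": {".apk"}, "java": {".jar"},
           "office document": {".docx", ".xlsx", ".pptx", ".docm", ".xlsm"},
           "compressed archive": {".zip"}}


def zip_kind(data):
    """ZIP is a container: member names tell Office, JAR and APK apart."""
    try:
        names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
    except zipfile.BadZipFile:
        return "compressed archive"
    if "AndroidManifest.xml" in names:
        return "android executable"
    if "[Content_Types].xml" in names:
        return "office document"
    if "META-INF/MANIFEST.MF" in names:
        return "java"
    return "compressed archive"


def classify(filename, data):
    """Return (category, mismatch); mismatch is True when the file name
    claims a different type than the content, e.g. an EXE named *.pdf."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    for magic, kind, expected in MAGIC:
        if data.startswith(magic):
            return kind, ext not in expected
    if data.startswith(b"PK\x03\x04"):
        kind = zip_kind(data)
        return kind, ext not in ZIP_EXT[kind]
    return TEXT_EXT.get(ext, "unknown"), False


def make_zip(names):
    """Build a constructed in-memory ZIP with empty members (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in names:
            z.writestr(name, b"")
    return buf.getvalue()
```

A `mismatch` of `True` is the useful signal for quarantine rules: the content is one of the higher-risk categories while the name suggests something harmless.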
The Diversification of Phishing Attack Methods
As mentioned, phishing tends to be an email-based cyberattack, on both Software-as-a-Service users and webmail users.
This is by far the most common phishing platform, with a study by APWG providing the following figures on the matter:
- 34.7% of all phishing attempts are done via this platform.
- Attacks from free webmail providers have risen significantly from around 61% all the way up to 72%.
Despite the common use of email platforms and services, a study from IronScales.com suggested that cybercriminals are upping their game and branching out when it comes to diversifying their phishing methods.
The study asked IT professionals about ways that social engineering attacks had been delivered to them.
Let’s look at the stats from that study:
- 36% delivery via SMS.
- 40% delivery via cloud-based and file-sharing platforms.
- 40% delivery via messaging platforms used by the workforce.
- 44% delivery via platforms used for video conferencing.
This by no means takes away from the fact that phishing is still primarily executed via email, but it does mean that people have to be even more aware than ever before when it comes to using any and all kinds of communication platforms.
The Impact of COVID-19 on Phishing Scams
Some of the stats that we have looked at here show just how much cybercriminals took advantage of the global pandemic situation by increasing their phishing efforts significantly.
Let’s look at some stats that reflect this:
- In the months of February and March 2020, when the pandemic began, Barracuda Networks reported an insane 667% spike in phishing emails across businesses.
- IBM reported an increase of 11% in BEC attacks in the second quarter of 2020 due to the rise in remote working.
- Abnormal Security reports that from the first quarter of 2020 to the second quarter, the weekly volume of phishing campaigns increased by 389%.
- Complaints were also rife during this time, with IC3 reporting 28,500 complaints of phishing scams related to COVID-19.
- The fear of scams from business owners has certainly grown due to COVID-19, with 76% of these owners admitting to feeling much more vulnerable and exposed to fraudulence since the pandemic began. 66% of these owners still feel concerned about this in regard to their business.
- Zscaler reported that between January and March of 2020, there was a gargantuan increase of 30,000% in the number of suspicious messages that were targeted and blocked by remote workers.
- The New Future of Work report from Microsoft shows the effect on security professionals as well, with 80% of these professionals having to deal with a substantial increase in threats following the move to remote working in many businesses.
- 62% of these professionals stated that these threats involved phishing campaigns.
The Financial Impact of Phishing
It is no secret that these kinds of scams can have a horrible financial impact on the companies in question.
Some of the stats in relation to this impact include the following:
- IBM reports that the average security breach can cost around 4.24 million dollars. Out of this cost, 38% of the money is spent on replacing any lost business cost, whilst 29% is spent on detecting the breach and then escalating it. IBM goes on to report that the information that is known as the most commonly compromised data is personally identifiable information, which is involved in about 44% of these breaches.
- In 2020, 80% of breached organizations reported the loss of personal customer information.
The Benefits of Training for Security Awareness
Awareness of phishing, as well as other forms of security breaches, can be an invaluable asset to employees and has been proven to have a positive impact.
- A study from Cofense, which focused on analyzing millions of results obtained from simulated phishing campaigns, revealed that a huge 82% of employees that had the appropriate training successfully reported the simulated scam within an hour. An impressive 52% reported it within 5 minutes of receiving it, whilst 19% were able to do so within 30 seconds.
- KnowBe4 furthers this with research on security training, which showed that with one year of completed phishing training, there was an average improvement rate of 87% across a wide range of businesses, industries, and organizations.
From the stats that we have looked at in this article, it is obvious that there has been, and will continue to be, a huge increase in phishing emails and scams of that nature. This is in part due to the COVID-19 pandemic, alongside the general progression of technology as a whole.
There are many ways that a business can protect itself and ensure that its staff maintains a keen eye to avoid any major security breaches.
Security awareness training is one option that, as suggested by the studies and stats above, has an impressive improvement rate when it comes to reporting suspicious activity.
Keeping track of certain methods that scammers use to lure in their victims, such as certain email subject lines and attachments that we talked about earlier, is another effective method.
Hopefully, this article and our list of fifty different phishing-related statistics have helped you on your way to ensuring that you and your employees are always ready to handle suspicious emails and activity and avoid phishing entirely.