Most people don’t know what phishing is until they become a victim. Phishing statistics show that this type of cybercrime is on the rise, and the best way to reduce the chances of becoming a victim is to get informed.
Cybercriminals hope their victims will take the bait and give them sensitive data or access to their systems. Unfortunately, antivirus software can’t help if we’re reckless. The data we have gathered here will help you better understand the threats and be safer in the online world.
Top Phishing Facts (Editor’s Choice)
- Phishing attacks against financial institutions have increased by almost 7% in 2021
- Phishing attacks in the US more than doubled in 2020
- 10% of all spear phishing emails are part of a sextortion scam
- Two-thirds of internet users can’t identify phishing websites and emails
- There were 1,001 data breaches in the US in 2020
- The losses from business email compromises skyrocketed to $1.8 billion in 2020
- 46% of phishing websites use SSL certificates
- There were more than 611,000 unique phishing sites in the first quarter of 2021
General Phishing Statistics
1. Phishing attacks against financial institutions increased by almost 7% between Q4 of 2020 and Q2 of 2021.
(APWG)
Financial institutions have always been popular targets, and the number of attacks is growing. In Q4 of 2020, they dealt with 22.5% of all phishing attacks, but the percentage jumped to 29.2% in Q2 of 2021. Another sector taking a massive hit is cryptocurrency.
Digital wallets and exchanges have seen a dramatic rise in cyberattacks. They went from 2% of all phishing attacks in Q1 of 2021 to 7.5% in Q2 of 2021. The results are not surprising, considering the popularity and significant increase in cryptocurrency value. These phishing attack statistics show that attacks are targeted towards lucrative sectors.
2. Around half of all phishing attacks were targeted at financial institutions and social media in Q1 of 2021.
(Statista)
Financial institutions and social media were the most popular targets at the beginning of 2021. At the same time, SaaS and webmail sectors had a slight decrease, with 19.6% of all phishing attacks. With money flowing in from the government incentives and the lockdowns causing people to spend more time at home and on social networks, the results are not surprising.
3. The FBI states that the phishing attacks in the US more than doubled in 2020.
(FBI)
FBI phishing statistics show that there were 241,342 complaints, with losses going over $54 million in 2020. This was more than a 100% increase compared to 2019 when 114,702 cases and $57 million in losses were reported. Interestingly, even though the number of attacks increased dramatically, the overall damage was actually lower in 2020.
4. 46% of phishing websites use SSL certificates.
(Webroot)
This is one of the most worrisome phishing facts. Internet users often rely on that certificate as proof that the website is legit, and the very fact that there are so many false websites out there using this certificate is very troubling.
With SSL certificates, hackers add a lock icon and the HTTPS prefix to the web address. These are the two tell-tale signs of genuine websites, so users never even suspect the site they’re using isn’t trustworthy.
Types of Phishing Attacks and Emerging Trends
5. One out of ten spear phishing emails is part of a sextortion scam.
(ComputerWeekly)
Sextortion and blackmail emails were once part of large campaigns that most spam filters would detect. Nowadays, hackers send fewer of these emails targeting specific people, so they’re much more likely to end up in the target’s inbox.
These emails usually come from hacked Google and Microsoft accounts and target executive managers at companies. In them, hackers claim to have made a compromising video of the victim using their computer’s camera and demand a large Bitcoin payment.
6. In 2019, almost 90% of businesses were victims of phishing attacks.
(Proofpoint)
A 2020 Proofpoint hacking statistics report shows that 88% of organizations experienced targeted phishing attacks in 2019. That same year, 86% had their business email network compromised by hackers. These numbers demonstrate that instead of casting a wide net, hackers are now targeting specific businesses to ensure their phishing campaigns’ success.
7. In Q3 of 2020, most phishing sites used .com domains.
(Securelist)
During the third quarter of 2020, 40.09% of phishing websites were hosted on .com domains, making them even more difficult to distinguish from genuine sites. Statistics on phishing attacks reveal that hackers also used other seemingly legit domains, such as .org (1.79%) and .net (3%). However, many opted for phishy-looking domains like .xyz (5.84%) and .buzz (2.57%).
Interestingly, the top 10 includes three top-level domains: .ru (Russian national domain) in 2.93% of cases, .tk (the domain of Tokelau, a territory of New Zealand) in 1.47% of cases, and .ml (Mali’s national domain) in 1.3% of cases.
8. Since 2011, the number of mobile phishing attacks has been growing by 85% each year.
(Lookout)
According to mobile phishing statistics, the number of attacks has been growing since 2011 at a steady annual rate of 85%. In the first quarter of 2020 alone, mobile phishing attacks have gone up by 37%.
Mobile devices are mostly targeted for all the personal and corporate data they carry. Research shows that mobile users are three times more likely to fall for phishing scams.
9. There were more than 611,000 phishing sites in the first quarter of 2021.
(Statista)
The latest phishing statistics show that a total of 611,877 unique phishing sites were discovered in the first quarter of 2021.
Encouragingly, this number marks a 5% decrease compared to the last quarter of 2020. Unfortunately, it’s also about four times more than what we saw in early 2020. That tells us that this downward trend will not last long and that the numbers will rise again.
Interesting Phishing Stats
10. Spam messages accounted for 28.5% of global email traffic in 2019.
(Statista)
Minor interruptions aside, the share of email spam in total email traffic has been steadily declining since 2008. That year, 92.6% of all email messages exchanged worldwide were spam.
In the 11 years since then, the share of spam emails has gone down by more than two-thirds, according to internet spam statistics. The number from 2019 also represents a significant decline from 2018, when email spam volume was 45.3%.
11. More than 50% of ransomware is distributed through phishing emails.
(Statista), (Proofpoint)
Phishing emails are still the preferred way for criminals to conduct ransomware attacks. Cybercriminals can buy, rent or lease ransomware instead of creating their own. That gives them more time to invest in new phishing techniques and baits. Ransomware statistics show six major organizations with as many as 350,000 emails sent daily in June 2020.
12. Gmail blocks over 100 million phishing emails daily.
(Google Security Blog)
Google phishing statistics reveal that Gmail’s built-in filters block more than 100 million phishing emails daily. In 68% of the cases, blocked emails are part of a previously unknown phishing scam.
Google notes that the attacks are usually targeted at a few dozen organizations with corporate accounts on Gmail. This again shows that hackers have reduced the volume of attacks to focus on those most likely to fall for their scam.
13. Phishing scam statistics show that about two-thirds of internet users can’t identify phishing websites and emails.
(Avast)
Avast’s survey showed that 61% of participants couldn’t distinguish between a genuine and fake Amazon login page. It could be that users are relying too much on their antivirus programs and don’t pay attention.
In just one month, the company has blocked almost 3 million phishing attempts targeting more than 590,000 US users.
14. Google and Facebook lost $100 million as a result of phishing attacks.
(Fortune)
Even tech giants like Facebook and Google aren’t immune to these attacks. Cybercrime statistics show that these two companies lost over $100 million in one of the biggest phishing attacks to date. A hacker pretended to be a computer parts supplier and was regularly sending invoices. The companies were clearing them without suspecting anything.
What makes this case interesting is that the criminal was caught. Unfortunately, that happens very rarely in cybercrime. The criminal was arrested in Lithuania and extradited to the US. He is now serving a sentence in US federal prison.
15. “Urgent” is the most common word in phishing emails targeted at businesses.
(PhishingBox)
This word appears in 8% of all phishing emails sent to organizations in an attempt to scam them. According to phishing attacks statistics, variations of this word are also used, including “important” (5.4%), “important update” (3.1%), and “attn” (short for attention; 2.3%).
Other keywords commonly found in phishing emails targeted at organizations included “request” (5.8%), as well as “payment” and “outstanding payment” (5.2% and 4.8%, respectively).
Statistics also reveal that hackers targeted 5,803 organizations with emails containing these words in 2018. Each of these organizations received 4.5 such emails on average.
Data Phishing vs. Spear Phishing Stats
16. In 2020, there were 1,001 data breaches in the US.
(Statista)
According to data breach statistics, more than 1,001 data breaches occurred due to data phishing attacks, compromising 155.8 million records.
Most of these attacks targeted businesses intending to steal confidential information and client data. This marked a 19.8% decrease from 1,473 breaches in 2019 when hackers stole more than 164 million records.
17. According to internet fraud statistics, 65% of hackers use spear phishing.
(PhishingBox)
While data phishing targets multiple recipients as part of an extensive campaign, spear phishing is aimed at a single organization or individual. It generally requires a lot more effort than mass low-quality phishing attacks.
That’s mainly because the hackers need to find details that would make them look credible. But, in turn, these attacks bring more profit.
18. 83% of spear phishing attacks are brand impersonations.
(Channel Futures), (Statista)
Spear phishing statistics reveal that brand impersonation is by far the most popular way to carry out these attacks. It involves hackers posing as a trustworthy brand or company in an attempt to gain access to valuable information from their targets. In 2019, Microsoft was the most impersonated brand. Financial institutions like banks were also often impersonated.
Google and Amazon were the two most impersonated brands in 2020 (13% each). Social media platforms Facebook and WhatsApp are in second place (9%), followed by Microsoft (7%). Online fraud statistics show that other commonly impersonated brands include Apple, Netflix, PayPal, and Huawei (2% each).
19. 96% of hackers use spear phishing to gather intelligence.
(PhishingBox)
Apart from intelligence gathering, hacker groups cite disruption (10%) and financial gain (6%) as their main motivators for launching a spear phishing attack. The number of known spear phishing groups has had a steady rise over the last few years. In 2016, there were 116 known groups.
Phishing email statistics show that the following year, this number rose by 18.1% to 137. There were 155 active groups in 2018, marking a 13.1% increase year-over-year.
20. The losses from business email compromise schemes skyrocketed to $1.8 billion in 2020.
(FBI)
In its annual report, the FBI states that it received 19,369 business email compromise complaints. The losses reported were $1.8 billion.
However, if we compare that to 2019 data (23,775 complaints and $1.7 billion in losses), we can see that the number of complaints dropped, but the losses increased. These business email compromise statistics indicate that hackers are shifting their focus from mass phishing attacks to more precise and sophisticated attacks that bring in a larger bounty.
Conclusion
Phishing attacks have become much more sophisticated. If we combine that with the fact that most can’t tell the difference between fake and genuine websites and emails, it’s easy to see why no one should take these statistics on hacking and phishing for granted.
Whether you’re an executive at a big company or just a regular internet user, you must be careful online. Don’t click on any suspicious links sent from an unknown email address.
If you receive an unusual email from someone claiming to be your coworker, always check with them first before opening any attachments.
When visiting websites, double-check the address bar before entering your personal information to ensure it’s not hackers trying to scam you.
People Also Ask
According to a Kaspersky Lab report, there were more than 103 million attempted phishing attacks worldwide in the third quarter of 2020. In the second quarter of the year, hackers also set up more than 140,000 phishing websites.
While both these numbers are lower than in recent years, today’s phishing emails and sites are much more difficult to tell apart from their genuine counterparts.
Hackers nowadays use SSL certificates, HTTPS address prefixes, .com domains, and compromised Google and Microsoft email accounts, all this to ensure the potential victim falls for their scheme.
According to the FBI’s statistics, there were 241,342 phishing attacks in 2020, which generated losses higher than $54 million. Its statistics also show that the number is on the rise. For instance, there were more than 114,000 phishing attacks in 2019 and more than 26,000 in 2018.
What’s worrying is that the quality is also improving. Hackers are switching from mass low-quality campaigns to targeted, sophisticated attacks.
In its study, the Ponemon Institute concluded that the average annual cost of a phishing attack in 2021 is around $14.8 million for a company with 9,600 employees. The amount has almost quadrupled since 2015 when it was around $3.8 million.
In addition, the attacks are becoming more sophisticated and target higher-ranking executives, which, in turn, brings better profits.
Valimail, a cybersecurity company, estimates that there are about 3 billion spoofed emails sent every day. This is 1% of all emails sent each day globally. Spoofing allows phishing and spam emails to appear as if they are coming from legitimate sources.
Furthermore, Google’s data shows that Gmail blocks more than 100 million phishing emails every day. Considering that it has 1.5 billion users, we can conclude that roughly 7% of users are targeted by cybercriminals.
Spear phishing is on the rise, both in quantity and in quality. According to one study, 75% of organizations experienced phishing attempts, and 35% experienced spear phishing in 2020.
96% of phishing attacks arrive by email, and Symantec research says that one in 4,200 emails is, in fact, a phishing email.
The most common subject lines were: Urgent, Request, Important, Payment, and Attention.
According to the FBI, there were 241,342 victims of phishing attacks in 2020, more than a 100% increase compared to 2019. The statistics look even grimmer when compared to 2018 when there were just 26,000 victims.
These are official statistics based on the reported phishing attacks. The real numbers are likely higher because victims sometimes become aware of the attack months after it happened.
We can assume that the numbers we see in phishing statistics will continue to rise since cybercrime is a lucrative business.
