Key Phishing Stats
- 91% of cyber attacks start off as a spear phishing email
- 59% of U.S. businesses were infected by ransomware via phishing emails
- Email is the most common phishing vector (96%)
- Phishing grew 40.9% in 2018
- 83.9% of phishing attacks targeted five key industries: financial, online services, cloud, payment, and SaaS services
- The average annual cost of phishing and social engineering attacks in 2018 was $1,407,214
Too many people are willing to give out their personal information to strangers online without a second thought. If a fake email account and a commanding tone are all it takes to get into someone’s bank account or access their credit card information, it should come as no surprise that thousands have made a living exploiting this weakness. Before jumping into phishing statistics and discussing some interesting facts, we need to examine what phishing is.
What Does Phishing Mean?
You might be sitting comfortably at your desk when you get a new email from your company, a client, or simply an offer to book a family holiday. You click on the attachment or link to see what they’re writing about. Before you know it, you’ve fallen victim to one of the most common phishing attacks. You’ve unwittingly given criminals access to your company’s computer and all the sensitive data you’re authorized to view.
By internet standards, phishing is an ancient fraud. It dates back to the ‘90s, but has evolved with the times to exploit the new developments in the digital landscape. Contemporary phishing statistics from 2019 indicate that cybercriminals have now shifted targets and are employing new tactics. The principle, however, has remained the same. Phishing takes advantage of the weakest link in your cybersecurity plan: human error.
How Phishers Hook You
Most phishers do plenty of research before sending you a fake email, to the point where they make an exact copy of your everyday work email. Using this fake account, criminals could ask for or access passwords, login details, social security numbers, and company secrets. They could even transfer funds into their own account.
Some other types of phishing include:
- Smishing, or baiting an unsuspecting victim via a text message;
- Vishing, where a criminal impersonates tech support via a call, getting victims to give away information or configure their computers a certain way;
- Whaling, or phishing for the big guy: a CEO or any high-level corporate manager. It takes more research, but once the target is hooked, criminals have greater access to confidential data;
- Spear phishing, or targeting a particular person rather than a group of employees. This approach also requires more in-depth victim research.
The only way to protect yourself, your employees, and your customers is to train them to recognize these attacks and ignore them. That’s why we’ve compiled this list of global phishing statistics from the past two years. To do so, we’ve used reputable sources such as Verizon, Barkley, PhishLabs, as well as a number of academic articles.
A variety of cybersecurity experts analyzed a plethora of phishing crimes conducted via web, email, social media, mobile, and a range of other channels. Here’s what they found.
1. In the past year, 76% of organizations experienced a phishing attack.
This is according to the 2018 State of the Phish Report. While not all phishing efforts are successful, the obvious threat should be of concern. Staying informed about the most recent phishing attacks and trends is a necessity, not a choice.
2. Phishing is the third most common cybercrime incident and the third most common cause of data breaches.
In the Verizon 2018 Data Breach Investigations Report, an incident refers to a security event that compromises the integrity, confidentiality, or availability of information. A breach, on the other hand, results in the confirmed disclosure of data to an unauthorized party.
3. 91% of cyber attacks start off as a spear phishing email, commonly used to infect organizations with ransomware.
These spear phishing statistics from 2018 indicate that hackers are willing to take the time to deliver more targeted attacks. After all, spear phishing takes more effort compared to attacking with malware, ransomware, or regular phishing. The attacker needs to monitor their victim’s everyday online behavior, social media profiles, and interests in order to put together a credible fake email. A recent Trend Micro report indicated that 1% of enterprise emails are phishing attacks. As many as 96% of criminals who spear phish do so to gather intelligence.
4. For the first time since 2013, the overall number of ransomware infections dropped by more than 20% in 2018.
Enterprise ransomware detections influenced the trend, increasing by 12%. This clearly indicated that the issue of cybersecurity remains significant. Still, since fewer ransomware cases took place in 2018, criminals may have begun to feel such an attack is no longer worth it.
5. 59% of U.S. businesses have been infected by ransomware via phishing emails.
A phishing attack online can easily lead to the installation of ransomware. That puts you at risk not only of a data breach, but potentially a denial of service attack that could cost your business millions.
6. Phishing and pretexting comprise 98% of incidents involving social channels.
Social engineering is a type of attack that relies primarily on human interaction. Criminals manipulate people into revealing compromising information about themselves or their companies. They then use that information to gain access to systems, networks, or physical locations, usually for financial gain.
7. Phishing and pretexting account for 93% of breaches.
Phishing stats indicate a link between the cybercrimes that can have severe consequences for businesses. Pretexting refers to an attacker who pretends to need either personal or financial data in order to confirm the identity of the recipient. More than 95% of the time, pretexting is financially motivated.
8. Email continues to be the most common phishing vector (96%)
It’s much easier than calling and pretending to be tech support, and it covers more ground. That’s why email is the go-to solution for cybercriminals. When you receive anywhere from dozens to hundreds of emails during your workday, it’s easy to let your guard down.
9. Despite email malware remaining stable, the rate of phishing has declined, dropping from one in 2,995 emails to one in 3,207 from 2017 to 2018.
The phishing threat is often accompanied by other issues, including ransomware and malware. An email spiked with malware could contain either an attachment or a link that can infect the recipient’s computer. Malware can then capture login data, using the credentials to access banking apps or other potentially sensitive information. Phishing is often merely the precursor to malware installation, and it ultimately leads to the theft of confidential data. Symantec email phishing statistics from 2018 show a rising trend for email malware worldwide.
10. Motives for phishing are split between financial greed (59%) and espionage (41%).
Not all data breaches or phishing campaigns are about selling credentials on the black market for less than $5 a piece. Corporate or government espionage and the theft of intellectual property is also a serious issue that can border on cyber warfare. As corporations race to be the best in the business, other people’s ideas, solutions, and sensitive data can give them an unfair advantage. The 2018 Verizon phishing report suggests the involvement of state-affiliated actors.
11. 78% of people don’t click on a single phish all year.
Luckily, most people never click on phishing emails. Results from phishing simulations in the normal (median) organization show that most people are able to refrain from clicking on problematic emails when tested. Still, one has to wonder whether employees who are overworked and possibly sleep deprived would perform as well.
12. On average, 4% of people in any given phishing campaign will click it.
One of the most important phishing facts to remember is that it only takes one victim to bring down an entire system. Hackers don’t care if the vast majority of employees ignore their message; all they need is one to fall for the bait. When that happens, all the time and money the criminals spend on unsuccessful emails becomes irrelevant.
13. On average, 53% of IT and security professionals who responded to the Wombat survey reported their organizations have experienced at least one more advanced, targeted spear phishing attack in 2017.
The number of people or organizations who report a phishing attack is almost negligible. With this in mind, the 53% of carefully plotted, targeted attacks security professionals admit to in the survey is huge. Don’t forget that reporting an attack is vital, as it helps you respond quickly and adequately.
14. In Q1 2019, Kaspersky’s anti-phishing software prevented 111,832,308 attempts to direct users to scam websites.
As indicated in a recent Kaspersky report, that’s a 24% increase compared to the Q1 2018 figure, which was 90,245,060. The anti-phishing module implemented in Kaspersky Lab’s solutions offers three methods to keep you safe, and will never leave you wondering how to prevent phishing.
First, Kaspersky will check if any website you’re trying to access is listed on the anti-phishing databases available on your device. Then, sites are checked for safety in a number of cloud databases. Finally, a heuristic analysis helps with websites that aren’t blacklisted on either the online or the offline list. This helps with new, more sophisticated attacks from criminal newcomers.
15. In Q1 2019, as in the previous year, Brazil was the most successfully phished country, with 21.66% of users falling victim.
Brazilians seem to have a problem handling phishing. This year, criminals are coming back for more. The call, text, and email phishing statistics of 2019 for the other top five countries are as follows: Australia (17.20%), Spain (16.96%), Portugal (16.86%), and Venezuela (16.72%).
16. Phishing grew 40.9% in 2018.
This cybercrime rose steadily during Q1 of 2018, remained high in Q2 and Q3, and then declined slightly in Q4. Financial institutions were the most targeted industry in 2018, after years of fluctuations. Meanwhile, the SaaS industry has acquired more users and received an exponential number of phishing scams and other cyber attacks.
17. As many as 83.9% of phishing attacks targeted five key industries: financial, online services, cloud, payment, and SaaS services.
In 2018, PhishLabs traced numerous phishing sites targeting 1,263 brands belonging to 773 parent institutions. The company’s experts noticed that the total volume of phishing sites was similar to what they’d measured during previous years. PhishLabs defines phishing attack websites as those that host phishing content on a unique, fully qualified domain.
18. Financial institutions were targeted by 28.9% of all phishing activity in 2018, compared to 21.1% in 2017.
After being displaced by online services in 2017, financial institutions were once again the top phishing target in 2018. To nobody’s surprise, the banking industry is one of the top targets for phishing attacks, thanks to the direct access it offers to financial assets. While strong safety protocols are built into banking websites and apps, human error is often a factor. When employees don’t know how to detect phishing attacks, large thefts can result.
19. Online services accounted for 24.1% of phishing sites in 2018, compared to 26.8% in 2017.
Despite a slight reduction in share, though, the actual volume of phishing activities in this industry increased by almost a quarter. While online services accounted for a slightly reduced proportion of phishing sites in 2018, don’t let that fool you. Attack volume continued to rise, and the industry remains a popular target for phishers.
20. The proportion of phishing crimes targeting the cloud storage and file-hosting industry remained constant in 2018 at 12%.
The cloud storage industry had the honor of moving one step ahead in the line of victims of the latest phishing attacks. The slight decrease in the phishing volume within the payment services industry has done the trick, with cloud storage dropping to fourth place according to findings by PhishLabs.
21. 98% of attacks that reach users’ inboxes contain no malware.
The vast majority of the latest phishing email threats that reached corporate users consisted either of email scams or credential theft. This suggests that email security technologies are good at detecting malware, but struggle to identify social engineering and credential theft phishing. Attacks using these methods are more likely to reach users’ inboxes undetected.
22. Organizations in the United States remained the most popular phishing victims in 2018, accounting for 84% of total phishing volume.
As one of the most powerful countries in the world, the U.S.A. is by far the most popular target for phishing attacks. Still, anti-phishing efforts have resulted in a slight fall in share (from 85% in 2017). The actual volume of phishing attacks targeting U.S. organizations rose by more than 40% in 2018, and has more than doubled since 2015.
23. Nearly half (42%) of emails reported by corporate users pose some risk.
Phishing has remained a persistent threat for decades because criminals constantly adapt their phishing efforts according to new technology and opportunities. These new opportunities include free domains and hosts for phishing websites, as well as SSL certificates, to name a few. Cybercriminals who use phishing have successfully moved with the times, which is why it’s getting so hard to identify a phishing attack.
Small business owners are more likely to be hit by email threats—including spam, phishing, and email malware—than those in large organizations. They are also less likely to ever recover and face a greater risk of going out of business as a consequence of these attacks.
24. Nearly 50% of phishing sites use HTTPS encryption—a 40% increase over the previous quarter alone, and a nearly 900% increase since the end of 2016.
In the latest 2019 phishing news, the padlock icon next to a web address is no longer enough to let users know a site is secure and legitimate. According to new research from PhishLabs, as many as half of all phishing-related scams are hosted on padlocked websites that begin with HTTPS. It’s just more proof that hackers are getting smarter; the moment a new security solution comes up, they find a way to override it.
25. The average annual cost of phishing and social engineering attacks in 2018 was $1,407,214.
How much money is lost to email scams every year? Well, the total annual cost of all types of cyber attacks is increasing. In 2017, the average annual cost of phishing and social engineering attacks amounted to $1,298,978.
26. In 2018, Lookout revealed that 56% of mobile device users received and tapped on a phishing URL.
The 2018 phishing statistics Lookout has published offer a useful insight into just how worryingly uneducated mobile users are when it comes to phishing. Mobile-optimized apps and websites make it even more difficult for users to recognize phishing, as simplified UI/UX options omit vital information like the hostname and full URL. By the time you realize that a shady company is targeting you, you’ve already clicked on a malicious URL.
27. According to a 2017 Keepnet study, the average successful spear phishing attack on a business could bring the attacker up to $1.6 million.
The definition of spear phishing, a hyper-targeted email attack seeking unauthorized access to sensitive info, in itself explains why profits from this crime are so high. These attacks involve in-depth research and thorough cyberstalking efforts, which is why it’s usually large, organized groups of criminals who perpetrate them. The criminals then share their profits.
28. 13% of all spam messages come from the U.S.A.
According to the latest phishing email data analyses, the U.S.A. is the primary source of spam messages. The data shows that 13% of all spam messages sent in the last year originated in the U.S.A.
29. Those over the age of 55 are more likely to know what phishing is than those aged 18-29.
The fact that those over the age of 55 are more likely to recognize these scams than those between the ages of 18 and 29 shows how long data phishing has been around.
30. 82% of manufacturers have experienced a phishing intrusion in the past year
The vast manufacturing sector covers not only the industrial supply chain, but also the numerous connected devices used in factory administration. Manufacturing organizations must focus on preventing unauthorized access to protect their business interests.
31. 24% of all phishing attacks target healthcare organizations
The second most common victims of phishing attacks are healthcare organizations. These large, busy organizations are vulnerable to breaches, and the data they keep is particularly sensitive. This is yet another reason to report phishing websites, even if you aren’t involved in the healthcare industry.
Latest Phishing Attacks 2019
Google’s 1.5 billion Gmail and Calendar users were recently affected by a major data breach.
Researchers have noticed attackers using this technique to effectively spam users with phishing links to credential-stealing sites. In this sophisticated scam, Gmail users are being targeted via malicious and unsolicited Google Calendar notifications. This case of Gmail phishing was only revealed in mid-June, 2019.
In January 2019, Twitter failed to report a PayPal phishing scam.
This one was so obvious that the phishing URL misspelled “PayPal” as “Paypall.” A fake account posing as PayPal promoted a made-up end-of-year sweepstakes event. If you do happen to click on a ridiculously obvious, misspelled phishing link at the end of a workday, reporting PayPal phishing would be a good idea.
A phishing attack affected 5,000 patients at Metrocare Services.
Metrocare Services, a mental health services provider in North Texas, was recently affected by a second phishing attack in the space of a few months. This latest attack saw an unauthorized individual accessing the email accounts of a number of employees. Statistics on phishing attacks indicated that the affected accounts contained the PHI of 5,290 patients.
Biggest Phishing Attacks
Operation Phish Phry
Victims entered their account numbers and passwords into fraudulent forms, granting criminals access to private data in 2009. The FBI ended up charging over 100 individuals for the crime.
An Austrian aerospace executive called Walter Stephan holds an unfortunate record in the world of phishing statistics and cybercrime in general. He lost his company more money from a single scam than anyone else in history: around $47 million in total.
The Target/FMS Scam
A data breach caused by a phishing attack affected 110 million users, including 41 million retail card accounts.
The Ukrainian Power Grid Attack
This incident rewrote the rules for phishing attacks statistics. A small team was the first to use automated, scalable malicious firmware to take down multiple power grids simultaneously. The criminals used email phishing as their original attack vector.
What is a phishing virus?
A phishing virus is a type of malware that usually infects the victim’s computer via email. It’s usually disguised as an attachment or a link in the body of the email. Once opened, it is most commonly used to steal data from infected computers or servers. In some instances, phishing viruses are used for the purpose of spying on individuals.
This type of phishing is slowly becoming extinct as people around the world become more aware of it.
What can phishing lead to?
Phishing can lead to identity theft, which can cause serious problems for victims. Criminals can use the personal information they obtain to open bank accounts, rent or buy properties, open businesses, and drive you into the ground financially.
What is meant by phishing attack?
A phishing attack is a phrase that refers to a specific phishing incident: an attack that aims to obtain confidential information, launched by someone posing as a legitimate individual or entity in order to manipulate the victim into providing said information.
What is a phishing email and how can one be recognized?
This one is usually not too difficult, as misspelled domain names, poor grammar, and nonsensical messages meant for automated attacks are pretty common in phishing campaigns. Most attackers come from non-English-speaking countries, and their grammar is often so terrible that it’s almost impossible to understand the contents of the email. In fact, most phishers rely on the fact that some people don’t even read their emails at work, but simply skip the boring part and click on the link to see what it’s about. Don’t do that.
Of course, you may also receive a more targeted spear phishing attack. In that case, it’s important to be wary of any unexpected email or push notification that isn’t a part of your everyday routine.
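Added example (not from the original article or from any vendor named in it): a small Python check that automates the misspelled-domain tell described above, run against a constructed URL modeled on the "Paypall" case. The brand allowlist, the `.example` URLs, and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: brand keyword -> registrable domains the brand really uses.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "google": {"google.com"},
    "facebook": {"facebook.com"},
}

# Constructed sample links, as they might appear in a reported email.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "https://paypall.example/sweepstakes",
    "https://paypal.account-verify.example/login",
    "http://intranet.example/wiki",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' rule; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify_url(url: str):
    """Return (verdict, brand). The scheme is deliberately ignored:
    an https:// padlock says nothing about who owns the domain."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return ("invalid", None)
    domain = registrable_domain(host)
    for brand, legit in KNOWN_BRANDS.items():
        if domain in legit:
            return ("legitimate", brand)
    # Compare every dot- and hyphen-separated token of the host with each brand.
    tokens = [t for label in host.split(".") for t in label.split("-") if t]
    for brand in KNOWN_BRANDS:
        limit = 1 if len(brand) <= 5 else 2   # tighter threshold for short names
        for tok in tokens:
            d = edit_distance(tok, brand)
            if d == 0:
                return ("brand-on-foreign-domain", brand)
            if d <= limit:
                return ("lookalike", brand)
    return ("unknown", None)


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{classify_url(url)!s:45} {url}")
```

A verdict of "unknown" only means no listed brand is being imitated; it is not a statement that the link is safe.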
What are the two types of phishing attack methods?
When speaking about phishing, we can differentiate between two major types.
The first is regular phishing, when not much is known about the victim except for their email address and perhaps their most basic info. This is a low-effort and low-payout form of phishing, in most cases.
The second type of phishing is called spear phishing, and it’s a much more targeted scam. Criminals choose individuals for maximum impact, which involves much more risk and effort, but also increases the potential gain. Spear phishing vs phishing could be summarized as such: spear phishing is more difficult, expensive, and targeted than regular phishing, but also produces the most lucrative results for criminals.
How can I report a phishing scam?
In order to keep their users safe, most companies that deal with data have safety guides and reporting systems in place. We’ve already discussed the measures of protecting oneself from email phishing, and all those principles apply to other services, too. Phishing on social media is exactly the same as email phishing and typically involves links and messages that lead to malicious websites. You can report Facebook phishing and read more about it here.
Some Final Thoughts
Phishing is evolving every day to meet the demands of the new digital market. Since most employees are now connected regardless of their job description, there’s a lot of data being produced every day for criminals to tap into.
The weak link here is rarely a cybersecurity system. Instead, human error has been driving phishing since the 1990s, a trend that shows no signs of slowing down. With contemporary phishing statistics indicating that phishing methods are evolving and taking different forms, the best way to avoid getting scammed is to invest in top-notch security technology and educate your staff about the dangers.