20 Informative Phishing Statistics for a Secured 2021

Are you among the 45% of people who don’t know what phishing is?

While it does sound similar to fishing, there’s one significant difference: in this case, you’re the prey, and the bait is an email or a website that looks genuine — but isn’t.

As you’ll learn from the following phishing statistics, our growing reliance on internet-connected devices has given hackers unprecedented access to our personal information. The lack of awareness of being phished certainly doesn’t help and can have severe consequences.

The information you’re about to read will help you understand just how widespread phishing is and how big of a problem it has become for both individuals and businesses.

Top Phishing Statistics (Editor’s Choice)

  • In 2018, the volume of phishing attacks grew by 40.9%.
  • In 2017, almost 1.4 million phishing sites were created each month.
  • Google and Facebook lost $100 million in 2017 as a result of phishing attacks.
  • Since 2011, the number of mobile phishing attacks has been growing by 85% each year.
  • Spam messages accounted for 28.5% of global email traffic in 2019.
  • Gmail blocks over 100 million phishing emails daily.
  • 83% of spear-phishing attacks are brand impersonations.
  • 96% of hackers use spear-phishing to gather intelligence.

General Phishing Stats

1. In 2018, the volume of phishing attacks grew by 40.9%.

(PhishLabs, IBM, PhishMe)

US organizations were the main targets of hackers, having been on the receiving end of 84% of all phishing attacks in 2018. For comparison, Canada was in second place with just 4% of attacks, while China and France tied for third place with 2%.

According to IBM’s phishing attacks statistics, the average cost of a single phishing attack for a US-based organization in 2018 was about $3.9 million. The actual cost depended on the size of the enterprise — large companies with more elaborate infrastructure had to pay more, while smaller companies paid less.

A survey conducted by PhishMe in 2017 found that an average mid-sized company had to spend around $1.6 million to recover from one of these attacks.

2. SaaS companies and email providers are the number one target of phishing attacks.


Phishing statistics from 2020 show that Software-as-a-Service (SaaS) companies and webmail providers were the targets of 34.7% of phishing attacks worldwide. Financial institutions came in second with 18%, while payment platforms came in third with 11.8%. Social media websites (10.8%) and eCommerce businesses (7.5%) round out the list of top five phishing targets.

3. In 2017, Almost 1.4 million phishing sites were created each month.


Phishing has been growing at an unprecedented rate over the last few years, but 2017 was by far the biggest year for this type of cybercrime. Phishing statistics from that year reveal that 1.38 million new sites were created every month, which translates to 46,000 new phishing websites created per day.

In May 2017 alone, more than 2.3 million unique phishing sites were set up. However, most of these sites were short-lived and typically stayed online for 4–8 hours.

4. Google and Facebook lost $100 million in 2017 as a result of phishing attacks.


According to the FBI’s statistics on hacking, hackers made over $676 million back in 2017. Always looking for ways to devise new phishing schemes, cybercriminals started impersonating vendors to trick companies into shelling out huge sums of money.

Even tech giants like Facebook and Google weren’t immune to these attacks. In 2017, cyber crime statistics and trends show that these two companies lost over $100 million to a China-based hacker pretending to be a vendor selling computer parts.

5. In 2018, more than 50% of phishing websites used SSL certificates.


One of the most worrisome phishing facts, this doesn’t come as a big shock knowing that the phishing sites’ primary role is to mimic genuine websites. With SSL certificates, hackers add a lock icon and the “https” prefix to the web address. These are the two tell-tale signs of genuine websites, so users never even suspect the site they’re using isn’t trustworthy.

6. In 2019, almost 90% of businesses were victims of phishing attacks.


A 2020 Proofpoint hacking statistics report shows that an unprecedented 88% of organizations experienced targeted phishing attacks in 2019. That same year, 86% had their business email network compromised by hackers. These numbers demonstrate that rather than casting a wide net, hackers are now targeting specific businesses to ensure their phishing campaigns’ success.

7. In the third quarter of 2020, most phishing sites used .com domains.


During the third quarter of 2020, 40.09% of phishing websites were hosted on .com domains, making them even more difficult to distinguish from genuine sites. Statistics on phishing attacks reveal that hackers also used other seemingly legit domains, such as .org (1.79%) and .net (3%).

However, many opted for phishy-looking domains like .xyz (5.84%) and .buzz (2.57%). Interestingly, the top 10 includes three top-level domains: .ru (Russian national domain) in 2.93% of cases, .tk (the domain of Tokelau, a territory of New Zealand) in 1.47% of cases, and .ml (Mali’s national domain) in 1.3% of cases.

8. Since 2011, the number of mobile phishing attacks has been growing by 85% each year.

(Lookout, Lookout)

According to mobile phishing statistics, the number of attacks has been growing since 2011 at a steady annual rate of 85%. In the first quarter of 2020 alone, mobile phishing attacks have gone up by 37%. Mobile devices are mostly targeted for all the personal and corporate data they carry. Research shows that mobile users are three times more likely to fall for phishing scams.

9. There were more than 140,000 phishing sites in the second quarter of 2020.


The latest phishing statistics show that a total of 146,994 unique phishing sites were discovered in the second quarter of 2020. Encouragingly, this number marks an 11% decrease compared to the first quarter of the year. It’s also the smallest number of phishing sites since the third quarter of 2018 when their number (138,328) was at a four-year low. However, despite this downward trend, phishing websites today have become much more sophisticated and genuine-looking.

20 Informative Phishing Statistics for a Secured 2021

Email Phishing Statistics 2020

10. Spam messages accounted for 28.5% of global email traffic in 2019.


Minor interruptions aside, the share of email spam in total email traffic has been steadily declining since 2008. That year, 92.6% of all email messages exchanged worldwide were spam.

In the 11 years since, the share of spam emails has gone down by more than two-thirds, according to internet spam statistics. The number from 2019 also represents a significant decline from 2018, when email spam volume was 45.3%.

11. Phishing emails containing ransomware are on the rise again.

(Akamai, Bowling Green State University, Proofpoint)

In 2016, phishing emails were the most widespread channel of ransomware distribution. For illustration, the share of ransomware-infected spam emails grew by 92% in the second quarter of that year, only to see another increase of 97.25% in the third quarter. Since then, hackers had shifted their focus toward websites with downloadable software to spread ransomware.

However, recent email phishing attacks show that email is again becoming the go-to method for recent ransomware attacks. Between 2017 and 2019, the number of emails containing ransomware has gone up by 109%. Six major ransomware families are currently active, with as many as 350,000 emails sent daily in June 2020.

These campaigns primarily target US organizations across various sectors — from media and entertainment to manufacturing and education.

12. Gmail blocks over 100 million phishing emails daily.

(Google Security Blog)

Google phishing statistics reveal that Gmail’s built-in filters block more than 100 million phishing emails daily. In 68% of the cases, the blocked emails are part of a previously unknown phishing scam. Google notes that the attacks are usually targeted at a few dozen organizations with corporate accounts on Gmail.

This again shows that hackers have reduced the volume of attacks in favor of focusing all their resources on targeting those most likely to fall for their scam.

13. Most internet users can’t identify phishing websites and emails.

(PR Newswire, Business Wire)

The phishing email statistics from a 2019 survey conducted by Avast showed that 61% of participants couldn’t tell the difference between the genuine and fake Amazon login page.

Similarly, in 2015, Intel Security wanted to see how adept people were at telling phishing emails apart from genuine emails. Only 3% of the 190,000 participants from 144 countries managed to identify all phishing emails successfully.

On the other hand, 80% misidentified at least one example — and in reality, it only takes one misguided click to fall victim to a phishing campaign.

14. Microsoft Office files accounted for 48% of malicious email attachments in 2018.


Symantec’s 2018 Phishing Activity Trends Report shows that almost half of all malicious email attachments came in the form of Microsoft Office documents. Specifically, 39.3% were disguised as Word files, while 8.7% were delivered as Excel sheets. Other common formats for malware distribution included executable (19.5%), rich text (14%), and Java archive (5.6%) files.

These files are usually presented to the unwitting victim as receipts, invoices, or other forms of notification from some institution. Hidden inside is a malicious script. When the victim downloads and opens an infected file, they trigger the execution of the hidden script.

As with most email phishing attacks, they might not even be aware of it, as malicious software may be discreetly installed on their computer and sit there undetected, gathering sensitive information.

15. In 2018, “urgent” was the most common word in phishing emails targeted at businesses.


This word appeared in 8% of all phishing emails sent to organizations in an attempt to scam them. According to phishing attacks statistics, variations of this word were also used, including “important” (5.4%), “important update” (3.1%), and “attn” (short for attention; 2.3%).

Other keywords commonly found in phishing emails targeted at organizations included “request” (5.8%), as well as “payment” and “outstanding payment” (5.2% and 4.8%, respectively).

Statistics also reveal that hackers targeted 5,803 organizations with emails containing these words in 2018. Each of these organizations received 4.5 such emails on average.

Data Phishing vs. Spear-Phishing Stats

16. In 2019, there were 1,506 data breaches in the US.


According to 2019 data breach statistics, more than 1,506 data breaches occurred due to data phishing attacks, compromising 164.68 million records. Most of these attacks targeted businesses, intending to steal confidential information and client data. This marked a 19.8% increase from 1,257 breaches in 2018.

However, hackers stole more than 471 million records that year.
Recent reports show that 540 data breaches were recorded in the first half of 2020. This is just 35.9% of the previous year’s total number, so data breaches may experience a decline in 2020.

17. According to internet fraud statistics, 65% of hackers used spear-phishing in 2018.


While data phishing targets multiple recipients as part of a large campaign, spear-phishing is aimed at a single organization or individual. The overall number of spear-phishing attacks was down in the period between 2015 and 2018. However, active hackers stepped up their game during this period and targeted 30.1% more organizations — 55 compared to 42 before 2015.

18. 83% of spear-phishing attacks are brand impersonations.

(Channel Futures, Statista)

Spear-phishing statistics from 2019 reveal that brand impersonation is by far the most popular way to carry out these attacks. It involves hackers posing as a trustworthy brand or company in an attempt to gain access to valuable information from their targets.

In 2019, Microsoft was the most impersonated brand. Financial institutions like banks were also often impersonated. Fast forward to the second quarter of 2020; phishing attacks statistics show that Google and Amazon are the two most impersonated brands (13% each).

Social media platforms Facebook and WhatsApp are in second place (9%), while Microsoft has now fallen to third place (7%). Other commonly impersonated brands include Apple, Netflix, PayPal, and Huawei (2% each).

19. 96% of hackers use spear-phishing to gather intelligence.


Apart from intelligence gathering, hacker groups cite disruption (10%) and financial gain (6%) as their main motivators for launching a spear-phishing attack. According to phishing statistics from 2019, the number of known spear-phishing groups has experienced a steady rise over the last few years. In 2016, there were 116 known groups.

The next year, this number rose by 18.1% to 137. There were 155 active groups in 2018, marking a 13.1% increase year-over-year. Between 2016 and 2018, most known spear-phishing hacker groups (255) operated from inside the US, phishing scam statistics show.

During this same period, India had 128 known groups, Japan had 69, and China had 44. Other countries with large hacker communities include Turkey (43), Saudi Arabia (42), South Korea (40), Taiwan (37), and the United Arab Emirates (30).

20. 1 out of 10 spear-phishing emails is part of a sextortion scam.


Sextortion and blackmail emails were once part of large campaigns that would be detected by most spam filters. Nowadays, hackers send fewer of these emails targeting specific people, so they’re much more likely to end up in the target’s inbox.

According to phishing attack statistics, these emails usually come from hacked Google and Microsoft accounts and target executive-level managers at companies. In them, hackers claim to have made a compromising video of the victim using their computer’s camera and demand a large bitcoin payment. If the victim refuses, hackers threaten to send the video to their contacts.

20 Informative Phishing Statistics for a Secured 2021


While phishing attacks might not be as common as they once were, they’ve become much more sophisticated and better-targeted. Combine that with the phishing facts discussed in this article — including most people’s inability to tell the difference between fake and genuine websites and emails — and it’s easy to see why no one should take phishing for granted.

Whether you’re an executive at a big company or just a regular internet user, you must be careful online. Don’t click on any suspicious links sent from an unknown email address.

If you receive an unusual email from someone claiming to be your coworker, always check with them first before opening any attachments. When visiting websites, double-check the address bar before entering your personal information to ensure it’s not hackers trying to scam you.

Frequently Asked Questions

How common is phishing?

According to a Kaspersky Lab report, there were more than 103 million attempted phishing attacks worldwide in the third quarter of 2020. In the second quarter of the year, hackers have also set up more than 140,000 phishing websites.

While both these numbers are lower than in recent years, today’s phishing emails and sites are much more difficult to tell apart from their genuine counterparts. Hackers nowadays use SSL certificates, “https” address prefixes, .com domains, and compromised Google and Microsoft email accounts — all this to ensure the potential victim falls for their scheme.

What percentage of phishing emails target the US?

Statistics show that 84% of all phishing campaigns carried out worldwide in 2018 targeted US organizations. Looking exclusively at US-based organizations, 88% of them were targets of spear-phishing campaigns, and 86% had their email network compromised by hackers in 2019.

Out of all the phishing attacks against US companies in 2019, an alarming 65% were successful, which is well above the global average of 55%. To recover from one of these attacks, US companies spend $3.9 million on average. The cost is usually proportional to the organization’s size, meaning that large enterprises may spend much more than this.

How many phishing attacks have there been in 2019?

There were nearly 467.2 million attempted phishing attacks in 2019, according to Kaspersky Lab. During that same year, there were 1,506 data breaches in the US, which resulted in the hacking of more than 164.68 million confidential records across different industries.

This marked a significant increase in the volume of successful attacks compared to 2018 when hackers managed to carry out 1,257 data breaches against US targets. However, the scope of their attacks was much wider, as they managed to gain access to 471.23 million records.

What is the percentage of phishing attacks?

IBM’s researchers found that 31% of all cyberattacks in 2019 involved the use of phishing and email spam. Hackers carried out another 29% of attacks by using stolen passwords, which they had most likely obtained through phishing websites.

Therefore, phishing was used in up to 60% of all cyberattacks in 2019. Most of these attacks were aimed at businesses. Specifically, hackers targeted executive-level managers in various organizations, trying to steal their network login credentials.

According to an FBI report from September 2019, phishing attacks that compromise business email networks had cost companies worldwide more than $26 billion up to that point.

What percentage of cyberattacks start with a phishing email?

Up to 91% of successful cyberattacks start with a phishing email, according to various surveys. This email is usually part of a spear-phishing campaign — a sophisticated attack targeted at a specific organization rather than thousands of potential victims.

When designing their spear-phishing attacks, today’s hackers either use malicious software hidden inside seemingly legitimate attachments or opt to impersonate someone. According to phishing statistics, 83% of phishing attacks in 2019 started as brand impersonations.

In most cases, hackers would send an email from a genuine-looking brand address or set up a fake login page that looks exactly like the genuine one, complete with an SSL certificate.