The year 2022 brought some major surprises in the cybersecurity arena. Even where organisations had all their protective gear on, a lot still happened that was beyond their control. But we are here to learn from our mistakes, so it is important to uncover the specific details that caused key disruptions leading to irreplaceable losses.
With the advancement of technology, cyber attacks are increasing at a huge pace, which, of course, shakes the foundations of the affected businesses. If you are into technology and follow the tech news, you will encounter cyber attack updates almost every day. One prominent and significant type of cyber attack is phishing, which, due to its intensity and popularity, is our topic of discussion today.
Continue reading to learn more about this key attack, its impact in previous years, and the practices used. In this blog, we have pulled together the most recent phishing statistics on global security incidents from multiple surveys, reports, and third-party studies to help organisations and individuals stay informed about phishing scams. By staying aware of these phishing statistics, you can not only stay more vigilant in 2023 and the years that follow but also make informed decisions. If you are concerned about your security, you can try our cyber security assessment services.
Before we jump into phishing attack statistics, let’s understand what phishing is.
In cybersecurity, phishing is a type of social engineering attack used to trick individuals into giving the attacker access to sensitive information. Typically, phishing involves email: the cybercriminal or threat actor sends out emails that appear to come from a legitimate source, such as a well-reputed brand, a senior executive of the organisation, or a trusted resource.
Depending on the attacker’s goal, the email might contain malicious attachments, such as documents or images, or malicious URLs which, if opened or clicked, can steal sensitive information or download malware onto the device. One thing to keep in mind is that spoofing and phishing are different things. You can read more about spoofing vs phishing here.
What percentage of cyber attacks are phishing?
Phishing and spear phishing attacks have been significant contributors to cyber attacks in recent years, with the percentage varying by data source and year.
- The Anti-Phishing Working Group recorded over 10 million phishing attacks in the first quarter of 2022 alone, with a steady increase in the following quarters.
- Phishing attacks rose by 1.3x between July and October 2022.
- A report from SlashNext showed a 61% increase in phishing attack vectors with malicious URLs from 2021 to 2022, totalling 255 million.
- Other sources have reported that phishing was the initial attack vector in 16% of data breaches, with an average cost of $4.91 million.
- Additionally, a survey by IBM revealed a rise in the cost of security breaches, from $4.24 million in 2021 to $4.35 million in 2022.
- A survey of 1400 companies revealed that 26% of them experienced a prominent increase in malicious emails, where 88% of such emails had ransomware in them.
- Furthermore, it was observed that spear phishing emails targeting non-executives increased to 77%.
- In a survey conducted by an anti-phishing platform, 80% of respondents experienced a rise in email phishing since the start of the COVID-19 pandemic.
- In 2021, 25% of data breaches included phishing.
- In 2021, credential-harvesting phishing emails reached 54% of all phishing attacks, up from 40.09% previously.
- Previously, phishing increased from 55% in 2019 to 57% in 2020.
- Some anti-phishing platforms that had been detecting between 68K and 94K phishing attempts per month have reported a tripling of phishing attacks since the start of the COVID-19 pandemic.
How many people suffer from phishing scams?
It is quite challenging to determine the precise number of individuals or even businesses who have fallen victim to phishing scams, as many data breaches and incidents go unreported or undetected for many reasons. Nevertheless, it’s evident that phishing is a predominant issue that impacts a significant portion of both individuals and companies (SMBs as well as large enterprises).
- A recent study found:
  - 23% of individuals aged between 18 and 40 are most likely to fall victim to phishing attempts.
  - 19% of individuals aged between 41 and 55 are also susceptible to a phishing attack.
- Another survey in the UK revealed:
  - 58% of adults aged between 25 and 34 receive more phishing emails than other age groups.
  - 4.8% of individuals aged between 35 and 44 have responded to phishing attacks.
- 26% of workers have fallen for a phishing email while at work in the previous year.
- Phishing attacks have led to significant financial losses for US businesses, with the total amount exceeding 54 million dollars.
- In 2022, nearly 29% of firms have acknowledged losing a client as a result of a business email compromise incident.
- Another study indicates that the majority (75%) of people who get tricked by phishing were found by attackers using common email address formats or web searches.
- On average, 14 phishing emails are sent to an employee per year.
- 33% of the 75% of employees surveyed received a significantly increased number of phishing emails compared to the previous year.
- During the year 2021, a total of 323,972 internet users were successfully targeted by a phishing attack.
- In 2021, 19,954 complaints related to Business Email Compromise (BEC) and Email Account Compromise (EAC) were reported, with a total estimated loss of approximately $2.4 billion (£1.99 billion).
Latest phishing statistics by industry
Cybercriminals do not discriminate when it comes to targeting individuals and businesses, and phishing attacks can happen to any industry. In 2022, numerous phishing attacks targeted a wide range of businesses.
- A survey of data from more than 750,000 unique endpoints worldwide found that there was a 130% increase in phishing between July and November 2022.
- The same report indicates that phishing accounted for 76% of email-based initial attacks; the remaining email-based initial attacks were:
  - Malware delivery (18%)
  - Advanced attacks (3%)
  - BEC (3%)
- The report also shows that the industries most targeted between July and November 2022 were as follows:
  - Computers & IT (6%)
  - Manufacturing (6%)
  - Finance (11%)
  - Services (15%)
  - Retail (18%)
  - Real Estate (18%)
  - Construction (19%)
  - Other (7%)
- Research conducted by the Anti-Phishing Working Group during the first three quarters of 2022 observed the following sectors being targeted by phishing attempts:
  - In the first quarter of 2022:
    - The financial sector, including banks (27.6%)
    - Webmail and Software-as-a-Service (20.5%)
    - E-commerce (14.6%)
    - Social Media (12.5%)
    - Crypto-related targets such as cryptocurrency wallets and exchanges (6.6%)
    - Logistics and shipping (3.8%)
    - Payment (5.0%)
    - Others (13.4%)
  - In the second quarter:
    - The financial sector, including banks (27.6%)
    - Webmail and Software-as-a-Service (19.1%)
    - E-commerce (5.6%)
    - Social Media (15.3%)
    - Crypto-related targets such as cryptocurrency wallets and exchanges (4.5%)
    - Logistics and shipping (4.3%)
    - Payment (6.3%)
    - Telecom (2.6%)
    - Others (14.7%)
  - In the third quarter:
    - The financial sector, including banks (23%)
    - Webmail and Software-as-a-Service (17%)
    - E-commerce (4%)
    - Social Media (11%)
    - Crypto-related targets such as cryptocurrency wallets and exchanges (2%)
    - Logistics and shipping (6%)
    - Payment (4%)
    - Telecom (3%)
    - Others (30%)
- The mining and utility industry was particularly affected by phishing scams in 2022, with phishing accounting for 60% of data breaches in that sector.
- Similarly, a large percentage of incidents in the operational technology sector, 78%, were caused by phishing attacks.
- Research conducted in 2021 revealed that the IT industry received over 9,000 phishing emails in 30 days, out of an average of 376,914 emails.
- Additionally, the healthcare industry received 6,000 phishing emails out of an average of 451,792 emails.
- The manufacturing industry also received 6,000 phishing emails out of an average of 331,184 emails.
- In 2021, 38% of cyberattacks in retail businesses originated as phishing.
- 20% of phishing targeted professional businesses, including architects, law firms, and accountants, in 2021.
- The energy sector suffered 60% of cyberattacks as a result of phishing.
- The manufacturing industry suffered 40% of phishing attacks.
Phishing statistics by country
It is worth noting that the ratio of successful phishing attacks varies in each geographic location due to security awareness, computer literacy, economic and technological development, and different regulations and laws that are in place in each of these locations to address cybercrime.
Recent phishing attacks’ tactics and methods may vary with geolocation and the targeted business, but the goal remains the same around the globe: to steal personal or sensitive information for financial gain.
- Of the 39% of UK businesses that suffered a cyber attack, 83% reported phishing attempts as the most common threat vector.
- 51% of businesses and 54% of charities in the UK have only experienced phishing attacks and no other security breaches.
- The UK has witnessed a rise in phishing attacks from 72% to 83% in 2022.
- The Middle East saw email-based phishing double just before the FIFA World Cup 2022.
- In the second quarter of 2022, Saudi Arabia recorded a phishing email rate of 168%.
- A security monitoring and reporting platform analysed phishing statistics for 2022 and ranked the most-targeted countries as follows:
  - Netherlands (17.6%)
  - Russia (13.6%)
  - Moldova (6.9%)
- The same monitoring platform observed that the largest share of blocked phishing emails originated from Thailand, accounting for 45% of all phishing attacks.
- According to the same report, the largest share of email-based attacks delivered to the spam folder, 55%, originated from Russia.
- Similarly, the top countries from which most phishing emails originated in 2021 were:
  - Russia (24.77%)
  - Germany (14.12%)
  - USA (10.46%)
  - China (8.73%)
  - Netherlands (4.75%)
- Whereas in 2021:
  - 42% of phishing attacks were used against organisations in Europe.
  - North American organisations faced 47% of phishing attacks against them.
  - In Latin America, the percentage was the same as in North America, i.e., 47%.
  - Asian organisations received 43% of phishing emails.
Phishing statistics of countries with the most blocked URLs
Since phishing attacks typically use malicious links/phishing websites or attachments in emails, some countries block URLs based on their reputation and other factors. It is crucial to note that a high number of blocked URLs does not necessarily mean a country received a huge number of phishing links; other factors, such as technical difficulties and domain complaints, also contribute to the reasons for blocking.
Regardless, according to the latest report (November 2022), the countries with the most blocked URLs are:
- United States (20.5%)
- Germany (9%)
- Italy (8.6%)
- Japan (5.4%)
- Brazil (5.4%)
- United Kingdom (5.2%)
- Colombia (4.3%)
- France (3.4%)
- Canada (3.3%)
- Singapore (2.8%)
Phishing statistics for the attack vector
Phishing attack vectors refer to the techniques used by attackers to deceive employees or individuals into revealing sensitive information or taking specific actions. These vectors can include, but are not limited to, SMS messages, phone calls, emails, social media platforms, and other methods.
- Web3 platform usage for phishing campaigns increased 482%.
- Social media has become a popular choice among cybercriminals for phishing attacks. Since 2021, LinkedIn has been a major source of phishing attacks and messages among all other social media platforms.
- During Q1 2022, the most commonly imitated brands in phishing attempts were:
  - LinkedIn (52%)
  - DHL (14%)
  - Google (7%)
  - Microsoft (6%)
  - FedEx (6%)
  - WhatsApp (4%)
  - Amazon (2%)
  - Maersk (1%)
  - AliExpress (0.8%)
  - Apple (0.8%)
- Phishing attacks delivered through messaging apps typically arrive via:
  - WhatsApp (90%)
  - Telegram (5.04%)
- 96% of phishing attempts are delivered via email.
- A small share, 3%, of phishing incidents occur through malicious websites.
- Only a tiny fraction, 1%, of phishing attacks are executed via phone calls.
- Additionally, there has been an increase in phishing threats from trusted service platforms like Google, Amazon Web Services, and Microsoft. Mobile phishing threats have also risen to 50%.
- 32% of all threats detected by email security platforms are hosted on trusted services such as Google, Microsoft, etc.
- Lastly, the rate of phishing sites is 75% higher than other types of malicious websites.
- 30.6% of all emails received were considered spam.
- 1.6% of all emails received contained malware or phishing links.
- 1.5% of phishing campaigns utilised web3-hosted content to steal credentials in the first quarter of 2022.
- During 2021, the brands most commonly imitated in phishing attempts were:
  - Microsoft (43.19%)
  - IRS (13.75%)
  - Amazon (12.32%)
  - Naver (10.98%)
  - AOL (10.33%)
  - DHL (9.43%)
Phishing attacks statistics for email content
A successful phishing attack often uses catchy subject lines to entice victims to open the email. These subject lines are designed to create a sense of urgency or fear in order to trick the recipient into taking the desired action, such as opening malicious email attachments or clicking on a phishing link. By using these tactics, the attacker aims to coax the recipient into fulfilling the desired action without questioning the authenticity of the email.
- Around 67% of email phishing attacks come with empty subject lines.
- Other common subject lines include:
  - Fax Delivery Report (9%)
  - Business Proposal Request (6%)
  - Request (4%)
  - Meeting (4%)
  - You have (1) New Voice Message (3.5%)
  - Re: Request (2%)
  - Urgent request (2%)
  - Order Confirmation (2%)
- 50.6% of phishing URLs contain non-standard characters.
- 40% of emails trick users with HR-related subject lines.
- In 2021, a significant percentage of phishing emails came from low-traffic domains (43.35%).
- In 2021, around 24% of phishing emails were aimed at diverting employee payroll deposits.
Certain words are commonly used in phishing emails to deceive the recipient; they include, but are not limited to:
- "Important" appears in 5.4% of phishing messages.
- "Attention" appears in 2.3% of phishing emails.
- "Urgent" appears in 8% of phishing emails.
- "Important Updates" appears in 8% of phishing emails.
- 94% of phishing attempts use a malicious attachment as the payload source.
- Commonly used attachment file types in phishing attacks are:
  - .RTF (38%)
  - .XLS (15%)
  - .ZIP (13%)
- 6% of phishing involves malware installation via malicious links/URLs.
- 21% of malicious websites are sourced from web3.
- 35% of emails with links to WordPress sites link to phishing sites.
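As an added example (not code from the original post), the following Python triage heuristic turns the email-content indicators above (empty or common subject lines, urgency words, .RTF/.XLS/.ZIP attachments, URLs whose host contains non-standard characters) into a scoring function and runs it over constructed sample messages; the weights, the `score_message`/`triage` names and the sample messages are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Indicators drawn from the statistics above; the weights are assumptions for illustration.
SUBJECT_PHRASES = {
    "fax delivery report", "business proposal request", "request", "meeting",
    "you have (1) new voice message", "re: request", "urgent request", "order confirmation",
}
URGENCY_WORDS = {"important", "attention", "urgent"}   # "important updates" also hits "important"
RISKY_EXTENSIONS = {".rtf", ".xls", ".zip"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def url_has_nonstandard_chars(url: str) -> bool:
    """True if the URL host has non-ASCII characters or a punycode (xn--) label."""
    host = urlparse(url).hostname or ""
    return any(ord(c) > 127 for c in host) or "xn--" in host

def score_message(msg: dict) -> tuple[int, list[str]]:
    """Heuristic risk score plus the indicators that fired. msg keys: subject, body, attachments."""
    score, reasons = 0, []
    subject = msg.get("subject", "").strip()
    if not subject:                            # 67% of phishing emails carry an empty subject
        score += 2; reasons.append("empty subject")
    elif subject.lower() in SUBJECT_PHRASES:   # one of the common subject lines listed above
        score += 2; reasons.append(f"common phishing subject: {subject!r}")
    text = f"{subject} {msg.get('body', '')}".lower()
    hits = sorted(w for w in URGENCY_WORDS if re.search(rf"\b{w}\b", text))
    if hits:                                   # urgency/fear wording
        score += len(hits); reasons.append("urgency words: " + ", ".join(hits))
    for name in msg.get("attachments", []):    # .RTF/.XLS/.ZIP are the top payload carriers
        if "." in name and name[name.rfind("."):].lower() in RISKY_EXTENSIONS:
            score += 3; reasons.append(f"risky attachment type: {name}")
    for url in URL_RE.findall(msg.get("body", "")):  # look-alike hosts (non-standard characters)
        if url_has_nonstandard_chars(url):
            score += 3; reasons.append(f"non-standard characters in URL host: {url}")
    return score, reasons

def triage(messages: list[dict], threshold: int = 3) -> list[tuple[int, int, list[str]]]:
    """Return (index, score, reasons) for each message scoring at or above the threshold."""
    flagged = []
    for i, msg in enumerate(messages):
        score, reasons = score_message(msg)
        if score >= threshold:
            flagged.append((i, score, reasons))
    return flagged

# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"subject": "", "body": "Please review the attached invoice.", "attachments": ["invoice.rtf"]},
    {"subject": "Urgent request", "attachments": [],
     "body": "Attention: confirm your payroll details at http://xn--pple-43d.example/login"},
    {"subject": "Lunch on Friday?", "attachments": ["menu.pdf"],
     "body": "See you at noon, http://intranet.example/menu"},
]
```

Running `triage(SAMPLE_MESSAGES)` flags the first two messages and leaves the ordinary lunch invitation alone; in practice such a score would feed a mail gateway's quarantine or an analyst queue, not replace them.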
How do people fall for phishing at organisations?
There are several reasons why people still fall for deceptive phishing or spam messages, even at the peak of the technological era. A recent survey indicates the following phishing statistics behind the high percentage of targeted attacks in the workplace.
Some stats around various types of spear phishing and other phishing attack forms
- In 2022, around 35% of ransomware was delivered through phishing.
- 91% of cyberattacks targeting businesses usually start with spear phishing attacks.
- 54% of employees fell for phishing emails because the emails looked legitimate.
- 52% of employees fell for a spear phishing attack because they assumed the email came from a senior executive.
- 48% of employees believed emails were legitimate because they were distracted.
- 38% of employees trusted them because they appeared to come from a well-reputed brand.
- 52% of employees responded to phishing emails because they were tired.
Is phishing among the priorities for IT and security professionals?
- 75% of cybersecurity professionals cite phishing, i.e., social engineering, as the topmost threat at their organisation.
- A survey revealed 90% of IT professionals’ top concern is email phishing.
- 29% of businesses and 25% of charities in the UK do security awareness training and mock phishing assessments to train the staff.
Data breaches due to phishing attacks in 2022
Dropbox
How did it happen?
The threat actor sent out mass phishing emails to Dropbox’s employees with an impersonated CircleCI login page in order to steal credentials and gain malicious access.
With the stolen credentials, the attacker gained access to Dropbox’s GitHub and stole 130 code repositories along with public and confidential data.
Allegheny Health Network
How did it happen?
Employees were targeted with a spear phishing email having malicious website links leading to account compromise.
Through the account’s compromised credentials, the threat actor gained access to sensitive files containing patient data such as date of birth, diagnosis information, addresses, phone numbers, medical history, email addresses, conditions, and treatments.
Uber
How did it happen?
An 18-year-old attacker impersonated someone affiliated with the company and used a spear phishing attack to trick employees with higher privileges in internal systems into sharing their login credentials.
The attacker gained access to Uber’s internal systems and Slack server.
Cox
How did it happen?
Threat actors impersonated a support agent to gain access to customers’ accounts.
Sensitive information was breached and exposed to the threat actors, including name, address, telephone number, username, PIN code, account security questions and answers, cox.net email address, and Cox account number.
Other highly expensive data breaches due to phishing attacks
How did it happen?
Cybercriminals impersonated the bank’s CEO and asked an employee for a fund transfer.
The bank suffered a loss of €75.6 million due to CEO fraud.
FACC
How did it happen?
The attacker spoofed the CEO of FACC (an aerospace company specialising in aircraft components and systems) and asked employees to transfer funds.
As a result, the company lost $47 million.
Phishing remains a significant threat to every type of industry. No matter how expensive a business’s security solutions are, they are only useful if employees are trained well enough to recognise whether an incoming email, SMS, or call is a phishing attempt. These phishing statistics can be very helpful in protecting businesses from increasingly sophisticated methods of email-based attacks.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master’s degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.