Phishing Statistics & How to Avoid Taking the Bait

Nikolina Cveticanin

Updated: July 14, 2023

SHARE:

Do you recognize the sender’s company name? Is it spelled right? Do you know the sender?

We aren’t accustomed to thinking of email messages as dangerous. But experts say we should be paranoid about our inboxes. Spear phishers are after us. 

Phishing attacks are innocent-looking emails, pop-ups, ads, and company communications that tempt you to click so they can install spyware, viruses, and other malware on your computer or phone.

These phishing statistics will show you how pervasive and damaging these attacks can be.

You’re right to be paranoid. They are out to get you.

Key Phishing Statistics for 2023

• Nearly one-third (36%) of all data breaches in 2022 involved phishing.
• A new phishing site is created on the internet every 11 seconds.
• Their targets open more than 70% of phishing emails.
• The costliest attack costs an average of $4.9 million to recover from a phishing attack. 
•  In 2022, 83% of UK businesses suffered a phishing attack.
• Over 48% of emails sent in 2022 were spam.
• AT&T Inc. is the most frequently impersonated brand by cybercriminals.
• Only 26% of organizations have a response plan for cybersecurity incidents like phishing.

What does phishing mean? 

It means a cybercriminal thinks of you as a doorway to valuable data. Hackers send an innocent-looking message and hope that with a single click, you’ll launch a script or app that steals data from your system or infiltrates your corporate network.

Types of Phishing

Whether you are an online shopper or own a small business, you may be a hacker’s next target. There are many kinds of phishing attacks. Here are a half-dozen of the most common.

• Deceptive phishing: Targets can be individuals or companies. Hackers send a phishing email claiming to be a trusted source, asking you to provide sensitive data to verify your account. The email usually includes a link to a website where you’re supposed to provide personal data.

• Spear phishing is a more sophisticated version of plain old deceptive fishing. These emails contain personal information (name, job title, phone number) and use generic salutations to trick you into opening malware so they can get their hands on sensitive information.

• CEO fraud: In this case, the phisher impersonates a top executive who instructs the target employee to provide the login information necessary to access corporate funds.

• Pharming: This method is also known as DNS cache poisoning. Attackers change the IP addresses of the DNS servers listed in user configuration files, redirecting users to fake pages where their details can be harvested.

• Dropbox phishing: Dropbox users have been targeted with emails that appear to come from Dropbox. Users are urged to click on a link that opens an executable attachment or leads to a malicious website.

• Fake Website: Phishers often fake a website or buy ads in a well-known company’s site name so they can direct clicks to their sites. These attackers use social media platforms to provide links to fake ICO websites.

Here are some eye-opening cyber security facts that could keep you awake at night.

Phishing Growth Trends: Businesses and Organizations

Considering the speedy rise of phishing attacks on businesses and organizations and the hazardous damage it does, enough awareness of phishing growth statistics must be carried out to curtail this increase. 

1. Nearly one-third (36%) of all data breaches in 2022 involved phishing.

(Verizon)

According to Verizon’s 2022 Data Breach Investigation Report, which contains updated statistics on phishing scams, nearly 36% of all reported data breaches in 2022 involved phishing activity.

Researchers found that email fraud was also the primary tool in 78% of cyber-espionage incidents.

2. Phishing attacks result from 90% of corporate security breaches.

(Digital Guardian)

Phishing attacks are easy to mount, but that doesn’t mean stopping them is easy. They remain a significant security risk for most companies.

Corporate phishing statistics show that 90% of phishing attacks include compromised credentials. Companies invest tremendous amounts of capital in securing the IT infrastructure, but in the end, corporate systems are only as secure as corporate users.

3. The costliest attack costs an average of $4.9 million to recover from a phishing attack. 

(Tech.co)

Statistics on the success of phishing attacks show that hackers have developed highly sophisticated strategies. For example, they register an email domain that reads like the target companies. 

Still, they replace, add, or drop a character, such as a zero for the letter O. They create email accounts using the names of real corporate executives. This way, examples of phishing emails they send out seem valid to all but the most careful recipients.

The scheme doesn’t end there. Phishing campaign statistics researchers have found that these websites typically disappear after an average of 40 hours. 

Hackers need more time or incentive to maintain them after they serve their purpose, and there’s no time for cybersecurity software to find and block them.

4. Compromised business email cost companies $4.89 million in 2022.

(Tech.co)

Business emails can be compromised via phishing attacks, which cost $4.89 million for them to recover from the adverse consequences; compromised credentials of organizations’ data cost $4.5 million, on average, during recovery.

According to FBI phishing statistics, most of the funds generated in worldwide phishing attacks are wired to banks in China and Hong Kong.

5. AT&T Inc. was cybercriminals’ most frequently impersonated brand in 2022.

(Cloudflare)

AT&T was the most impersonated brand in phishing attacks in 2022. Coming second is Paypal, followed by Microsoft, DHL, and Facebook. According to Cloudflare, its network protects 20% of the global network, and its email security prevented about 2.3 billion unwanted emails from hitting inboxes in 2022.

6. 83% of businesses and organizations studied have suffered more than one breach.

(IBM)

Globally, cyberattacks rose by 38% in 2022 compared to 2021. Verizon uncovered cybersecurity threats and hacking facts in more than 86 countries worldwide. The Cloud Security Report by Snyk shows that 80% of organizations experienced at least one severe cloud security incident in 2022. 

According to the IBM Cost of Data Breach Report 2022, 83% of organizations studied suffered more than one data breach. 

7. Financial institutions were the most frequent targets of phishing attacks in 2022.

(Statista)

In the first quarter of 2022, financial institutions, with 23.6%, were the top targets of phishing attacks, followed by web-based software services and webmail, accounting for 20.5% of phishing attacks.

Spear phishing statistics show that software-as-a-service users and webmail service companies remain the biggest targets for phishing software scams. Phishers harvest credentials at email servers to help them make their fraudulent emails more convincing when they attack SaaS companies.

8. Only 26% of organizations have a response plan for cybersecurity incidents like phishing.

(IBM)

Cybersecurity Incident Response Plan or CSIRP helps in remediating cyberattacks on companies. It consists of plans companies should do in case of a data breach or cyberattack. Companies can better understand how to handle attacks when applied and tested consistently. 

Even though studies regularly report on recent phishing attacks and emphasize that fast response can help contain and minimize the damage, shortfalls in proper cybersecurity protection have remained consistent over the past four years.

9. Over 3.4 billion phishing emails are sent daily.

(Get Astra)

Phishing email statistics show that nearly 1.2% of emails are malicious. The implication of this is that 3.4 billion phishing emails are sent daily. Thus, 1 out of 4,200 emails sent is a phishing scam email.

10. It takes over 9 months for companies to detect a data breach in 2022.

(IBM)

Statistics of phishing scams reveal that cyber attacks are an increasingly severe risk for organizations, but many senior staffers seem to believe that their organizations won’t be targeted.

Why? Some say their organizations are too small to appear on hackers’ radars. Some say they don’t have anything worth attacking. The truth is, neither of these is a deterrent. Cybercriminals are indiscriminate when selecting targets.

This is why IBM statistics show that it takes companies 277 days to detect a data breach in their organizations and 75 days to contain it. An average breach cycle takes 287 days.

Phishing Methods by the Numbers for 2023

Disparate phishing attack techniques efficiently obtain personal and corporate information from victims. As technology advances, cybercriminals’ techniques evolve along with them. 

Email security filters effectively ensure that spam messages never reach the inbox. But they have little or no effect when it comes to blocking phishing. The messages bypass security filters and target simple human curiosity – as seen in these scary phishing statistics.

11. 48% of malicious email attachments were Microsoft Office Files in 2022.

(EFT Sure)

Scammers that send malicious email attachments send them in various forms, such as Word documents, PowerPoint presentations, or Excel spreadsheets. Using Microsoft Office formats to seem more genuine, thus increasing open rates; that is why about 48% of malicious email attachments are Microsoft Office Files.

12. 90.5% of phishing sites use SSL certificates.

(Key Factor)

PhishLabs reported that in the second quarter of 2021, 83% of phishing sites used Domain Validated (DV) SSL Certificates—a significant increase to today. How does phishing work? It plays on trust. And nothing says trustworthy like a URL that begins with HTTPS.

More to the point, nothing says not-trustworthy like a Google Chrome warning page that says “Not Secure” and requires a second click before you visit a non-SSL site. Phishing statistics keep increasing because hackers better impersonate legitimate communications and websites.

13. About 76% of the phishing attacks were credential-harvesting in 2022.

(Digital Information World)

Cybercriminals know that compromising a user’s identity and credentials is the best way to access bank accounts, personal information, and corporate data. That’s the avenue that accounts for the most famous social engineering attacks and the most promising avenue for future phishing.

According to phishing attack statistics, credential harvesting has become the base of most cyber attacks. The use of stolen data varies from case to case.

Some fraudsters use the data for subsequent attacks where the goal is to gain access to more extensive systems or networks. Some monetize them by taking over bank accounts or simply selling them on the dark web

14. 11% of phishing attacks contain links to malware.

(Egress)

Verizon’s 2021 DBIR Master Guide stated that in 2021, 11% of phishing emails contained malware, while 22% contained hacks.

This type of attack is the most common by far. Identity theft phishing statistics reveal that the purpose of these attacks is usually to hijack one’s device, steal data, launch a DDoS attack, or commit fraud.

What makes malware so harmful? The answer is that it comes in many variations and spreads incredibly quickly. All fraudsters need is a single click on a malicious link, and the whole organization is compromised.

15. Phishing accounts for 22% of all data breaches in 2021.

(AAG IT Services)

According to the FBI’s 2021 IC3 Report, there were 300,497 reports from phishing victims in the U.S., with business email compromise attacks costing U.S. victims more than $2.7 billion.

16. Healthcare organizations were the most targeted sector of ransomware attacks in 2022.

(Statista)

Phishing attack statistics show that medical centers are very vulnerable to cyberattacks. Hackers know that medical institutions must promptly address security breaches because people’s lives and sensitive medical data are on the line.

The U.S. Internet Crime Complaint Center (IC3) received 210 complaints indicating ransomware attacks on healthcare organizations worldwide in 2022. The second most victimized sector was the manufacturing industry, followed by  Government facilities.

Phishing: General Statistics for 2023

The general phishing statistics outlined below show how fast new phishing sites are created, the open rate of phishing emails, and the different types of phishing attacks as of 2023.

17. A new phishing site is created every 11 seconds.

(Get Astra)

Those attacks, more and more often, target smartphones. “Users on a mobile device are 18 times more likely to be exposed to phishing than malware,” says Dr. Michael J. Covington, product VP at mobile security vendor Wandera.

Recent phishing statistics show that mobile phishing is relentless within enterprise networks, and experts don’t expect this to change any time soon. Unsuspecting victims are encouraged by tempting phishing strategies and continue to click links or run files with malicious code.

18. Phishing targets open 70% of phishing emails they receive.

(N-able)

Despite the ever-evolving sophistication with which phishing scammers innovate, phishing strategies can never be 100% successful. They are close. However, phishing stats show that spear-phishing emails work because they are believable. More often than not, the user on the receiving end doesn’t know what to watch out for.

Phishing scam statistics reveal that users open only 3% of their emails, while 70% of them open and read their phishing emails. Over 50% of those who open spear-phishing emails click on malicious links within an hour of receipt.

19. The Emotet Trojan is sent to as many as 1 million potential phishing victims per day.

(CISA Gov)

Emotet is particularly dangerous because it installs a Trojan to harvest your computer’s banking information – including account numbers, user names, and passwords. Phishing facts and statistics clarify that users should be cautious with this malware. 

The Trojan has continued to evolve since it was first detected in 2014. The current version makes it one of the scariest emails you can receive since it scans your browser history and email data.

20. Millennials and Gen-Z are more likely to be phishing victims at 23%, compared to Gen X at 19%.

(AAG IT Services)

The statistics are due to Millenials and Gen-Z having more access to bank or financial emails than Gen X. Most phishing emails also impersonate banks or financial institutions, as well as one of the main targets of phishing.

21. 88% of all security breaches are due to human error.

(CISO Mag)

Deeper investments in cybersecurity systems and improvements in defensive technology are the most logical measures against cybercrime. Still, effective staff education about the harmful effects of a phishing attempt could be the best investment a CEO can make.

Phishing statistics would finally show some progress for the good guys if companies trained employees not to fall for hackers’ manipulative tricks.

22. A data breach with a lifecycle under 200 days costs $1.2 million less to remedy than those that last more than 200 days.

(IBM)

Despite statistics on phishing attacks and articles covering this complex subject, protecting against a data breach continues to be challenging for many organizations. The average cost of a data breach rose to $4.91 million in 2022.

Among the leading contributors to the cost and the number of cyber attacks per year is the time it takes to detect and contain a breach. This is known as the data breach lifecycle.

The average data breach lifecycle is around 300 days. On average, organizations that detect breaches within 200 days experience costs of $1.2 million less. Phishing loss statistics make it clear that this difference cannot be ignored.

23. Unfilled cybersecurity positions worldwide will reach 3.5 million by 2023.

(Network Perception)

As America aims to drive the next wave of advanced technologies, the country should consider strengthening the cyber workforce a national priority. 

This starts by encouraging those seeking a cybersecurity career to fill the 300,000 currently vacant cybersecurity job openings. Phishing attack examples and further education about protection would be available to more companies if they could fill the positions.

According to recent statistics on phishing, there will be as many as 3.5 million unfilled positions in the cybersecurity industry by 2023. This will put victims in a tight spot. Hackers surely won’t mind the gap.

24. Cybercrime-related damage is projected to cost victims $8 trillion annually by 2023.

(Cybersecurity Ventures)

So, how much money is lost to email scams every year? Damage cost projections are based on historical cybercrime figures, adjusted to follow year-over-year growth in hacking. Analysts believe the cybereconomy will be an order of greater magnitude in 2023 than in 2021.

Global cybercrime damage costs will grow by 15% yearly over the next three years, reaching $10.5 trillion annually by 2025.

Conclusion

In an ideal world, web browsers could always identify and block phishing sites and associated content. Unfortunately, it is an arms race, and statistics on phishing are not giving encouraging results. Hackers are getting more sophisticated every day. They bypass last month’s best defenses with ease.

Like it or not, users play a significant role in these battles. When email phishing scams slip through the cracks of network perimeters, people are the last line of defense.

“Should I or should I not click this link?” That’s the right question at this critical moment. Statistics of phishing scams suggest that security awareness training could provide adequate education to help at these decision points.

The best way to enhance security and avoid being a part of next year’s phishing statistics article is to train, test, retrain, and repeat. Don’t get phished.