Phishing Statistics & How to Avoid Taking the Bait

DataProt is supported by its audience. When you buy through links on our site, we may earn a commission. This, however, does not influence the evaluations in our reviews. Learn More.

Don’t open that email.

Do you recognize the sender’s company name? Is it spelled right? Do you know the sender?

We aren’t accustomed to thinking of email messages as dangerous. But experts say we should be paranoid about our inboxes. Spear phishers are after us.

Phishing attacks are innocent-looking emails, pop-ups, ads, and company communications that tempt you to click so they can install spyware, viruses, and other malware on your computer or phone.

These phishing statistics will show you how pervasive these attacks are and how damaging they can be.

You’re right to be paranoid. They really are out to get you.

Key Phishing Statistics

  • Nearly one-third of all data breaches in 2018 involved phishing.
  • A new phishing site is created on the internet every 20 seconds.
  • More than 70% of phishing emails are opened by their targets.
  • 90% of security breaches in companies are a result of phishing attacks.
  • Small and mid-size businesses lose an average of $1.6 million recovering from a phishing attack.
  • Apple is the most frequently impersonated brand by cybercriminals.
  • More than 77% of organizations do not have a cybersecurity incident response plan.

What does phishing mean? It means a cybercriminal thinks of you as a doorway to valuable data. Hackers send an innocent-looking message and hope that with a single click you’ll launch a script or app that steals data from your system or infiltrates your corporate network. Here are some eye-opening cyber security facts that could keep you awake at night.

Phishing Growth Trends: Businesses and Organizations

Nearly one-third of all data breaches in 2018 involved phishing.


According to Verizon’s 2019 Data Breach Investigation Report, which contains updated statistics on phishing scams, nearly 32% of all reported data breaches that occurred in 2018 involved some kind of phishing activity.

Email fraud was also the main tool in 78% of cyber-espionage incidents, researchers found.

90% of corporate security breaches are the result of phishing attacks.

(Digital Guardian)

Phishing attacks are easy to mount, but that doesn’t mean it’s easy to stop them. They remain a major security risk for most companies.

Corporate phishing statistics show that 90% of examples of phishing attacks include compromised credentials. Companies invest tremendous amounts of capital in securing the IT infrastructure, but in the end, corporate systems are only as secure as corporate users.

Mid-size businesses lose an average of $1.6 million if they fall prey to spear phishing.


According to Cofense’s 2017 Phishing Resiliency Report, mid-sized companies lose an average of $1.6 million every time a fraudster successfully targets them.

Phishing and wire fraud statistics suggest that this is a number few can afford – especially if you take into account the steady growth in the number of internet phishing attacks since 2017.

Compromised business email cost companies $12.5 billion between October 2013 and May 2018.


Scary stats from the FBI show a 136% increase in corporate phishing losses from December 2016 to May 2018.

According to FBI phishing statistics, most of the funds generated in worldwide phishing attacks are wired to banks in China and Hong Kong.

Apple is the most frequently impersonated brand by cybercriminals – it accounts for 27.2% of all phishing attacks.


PayPal, DropBox, Microsoft, Google, Alibaba, and Wells Fargo are all among the brands whose emails and websites are frequently spoofed.

Statistics on the success of phishing attacks show that hackers have developed highly sophisticated strategies. For example, they register an email domain that reads like the target company’s, but they replace, add, or drop a character such as a zero for the letter O. They create email accounts using the names of real corporate executives. This way, examples of phishing emails they send out seem valid to all but the most careful recipients.

The scheme doesn’t end there.

Phishing campaign statistics researchers have found that these websites typically disappear after an average of 40 hours. There’s no time or incentive for hackers to maintain them after they served their purpose. And there’s no time for cybersecurity software to find and block them.

Malware accounts for 28% of attacks against businesses and organizations.


Verizon uncovered cybersecurity threats and hacking facts in more than 86 countries worldwide. The company’s phishing statistics for 2019 found that 52% of breaches involve hacking. About 33% of those involve social media attacks and 28% involve phishing emails that deliver malware payloads.

Webmail service companies were the most frequent targets of phishing attacks in 2019.


Spear phishing statistics show that software-as-a-service users and webmail service companies continue to be the biggest targets for phishing software scams. Phishers harvest credentials at email servers to help them make their fraudulent emails more convincing when they attack SaaS companies.

Phishing attacks against cloud storage and file hosting sites are somewhat less popular, and attacks against cryptocurrency, gaming, insurance, and healthcare companies were negligible in 2019.

More than 77% of organizations do not have a cybersecurity incident response plan.

(Ponemon Institute)

Phishing statistics in the US show that a vast majority of organizations are not prepared to respond to cybersecurity threats. Researchers from the Ponemon Institute surveyed more than 3,600 security and IT professionals, and 77% indicated they do not have a CSIR plan in place.

In spite of the fact that studies regularly report on recent phishing attacks and emphasize that fast response can help contain and minimize the damage, shortfalls in proper cybersecurity protection have remained consistent over the past four years.

It takes nearly seven months for companies to detect a data breach.


Statistics of phishing scams reveal that cyber attacks are an increasingly serious risk for organizations, but many senior staffers seem to believe that their organizations won’t be targeted.

Why? Some say their organizations are too small to appear on hackers’ radars. Some say they don’t have anything worth attacking. The truth is, neither of these is a deterrent. Cybercriminals are indiscriminate when selecting targets.

This is why internet phishing and fraud statistics show that it takes companies an average of 206 days to detect a data breach in their organizations. While breaches are ideally identified immediately, cybersecurity experts recommend that the goal should be to identify them within 100 days.

Phishing Methods by the Numbers

Disparate phishing attack techniques efficiently obtain personal and corporate information from victims. As technology advances, cybercriminals’ techniques evolve along with them. Email security filters are effective at ensuring that spam messages never make it to the inbox. But they have little or no effect when it comes to blocking phishing. The messages bypass security filters and target simple human curiosity – as you can see in these scary phishing statistics.

Phishing became a widely recognized phenomenon in 2012. That year, 90% of targeted cyberattacks began with a spear phishing email.

(Trend Micro)

Trend Micro researchers found that in 2012, almost all targeted attacks were launched from spear phishing communications.

When it comes to spear phishing attacks, statistics show that was just the beginning. The hackers’ methods have become much more devious.

48% of malicious email attachments are Microsoft Office Files.


A recent email phishing scams report from Symantec discloses that nearly half of the malicious email attachments sent to unsuspecting recipients in 2018 were created with Office. That’s a jump from just 5% in 2017.

49.4% of phishing sites use SSL certificates.


Almost half of all phishing sites had SSL certificates in the first quarter of 2019, PhishLabs says.

How does phishing work? It plays on trust. And nothing says trustworthy like a URL that begins with HTTPS.

More to the point, nothing says not-trustworthy like a Google Chrome warning page that says “Not Secure” and requires a second click before you visit a non-SSL site.

Phishing statistics keep going up because hackers get better and better at impersonating legitimate communications and websites.

Nearly half of phishing attacks are of the credential-harvesting type and 41% look for sensitive information and payment data.


Cybercriminals know that compromising a user’s identity and credentials is the best way to get access to bank accounts, personal information, and corporate data. That’s the avenue that accounts for the most famous social engineering attacks, and the most promising avenue for future phishing.

Credential harvesting has become the base of most cyber attacks, according to phishing attacks statistics. The use of the stolen data varies from case to case.

Some fraudsters use the data for subsequent attacks where the goal is gaining access to bigger system or networks. Some monetize them by taking over bank accounts or simply selling them on the dark web

51% of phishing attacks contain links to malware.


Avanan researchers have found that more than half of phishing emails contain links to some sort of malware.

This type of attack is the most common by far. Identity theft phishing statistics reveal that the purpose of these attacks is usually to hijack one’s device, steal data, launch a DDoS attack, or commit fraud.

What makes malware so harmful? The answer is that it comes in many variations and it spreads incredibly quickly. All fraudsters need is a single click on a malicious link and the whole organization is compromised.

Extortion of individuals is the goal of 8% of phishing attacks, while attacks on high-level corporate staffers account for 0.4%.


Credit card phishing statistics point to a rapid decline in extortion attacks. Phishing has come to encompass many different types of scams, but it remains primarily a phishing vs pharming email-based mechanism. There are many ways attacks are conceived and executed, but ultimately hackers are always after acquiring something of value.

From 2013 to 2018, phishing and ransomware statistics show that these incidents resulted in global monetary losses of totaling $12.5B.

96% of all ransomware attacks targeted medical centers in 2016.


Phishing attack statistics show that medical centers are very vulnerable to cyberattacks. Hackers are aware that medical institutions must address security breaches promptly because people’s lives and sensitive medical data are on the line.

Hospital staff members are generally not aware of the dangers of phishing emails, so most of them open the latest phishing email. Statistics on phishing scams show that more than 75% of medical centers in the US, are currently affected with some type of malware.

4,800 eCommerce sites a month were victims of form-jacking software in 2018.


When fraudsters want to harvest credit card details from shoppers at eCommerce sites, they replace shopping card pages or payment-validation blocks with code from their own phishing websites. This is also known as formjacking, and it is the latest trend among cyber attackers.

“Online shopping” phishing statistics reveal that a single user’s credit card data can be sold for $45 on the dark web.

Phishing: General Statistics

A new phishing site is created every 20 seconds.


Those attacks, more and more often, target smartphones. “Users on a mobile device are 18 times more likely to be exposed to phishing than to malware,” says Dr. Michael J. Covington, product VP at mobile security vendor Wandera.

Recent phishing statistics show that mobile phishing is relentless within enterprise networks, and experts don’t expect this to change any time soon.

Unsuspecting victims are encouraged by tempting phishing strategies and continue to click links or run files with malicious code.

Nearly 86% of all phishing attacks targeted US entities in 2018.


PhishLabs says most phishing attacks target American users and companies. Statistics on phishing attacks in 2018 show some countries experienced decreased number of phishing attacks – countries like Canada, France and Italy.

Countries that had the greatest volume of fishing email activity in 2018 include India, Colombia, and the United Arab Emirates.

Phishing targets open 70% of phishing emails they receive.


Despite the ever-evolving sophistication with which phishing scammers innovate, phishing strategies can never be 100% successful. They are pretty close, however. Phish stats show that spear-phishing emails work because they are believable. More often than not, the user on the receiving end doesn’t know what to watch out for.

Phishing scam statistics reveal that users open only 3% of their spam emails, while 70% of them open and read their phishing emails. More than 50% of those who open spear-phishing emails click on malicious links within an hour of receipt.

The Emotet Trojan is sent to as many as 1 million potential phishing victims per day.


Emotet is particularly dangerous because it installs a Trojan that can harvest all the banking information on your computer – including account numbers, user names, and passwords. Phishing facts and statistics make it clear that users should be extremely careful with this malware. The Trojan has continued to evolve since it was first detected in 2014. The current version makes it one of the scariest emails you can receive, since it scans not only your browser history but all your email data as well.

Mobile users are three times more likely to become a victim of a phishing attack than desktop users.

(Security Intelligence)

Fraud statistics make it apparent that phishing exploits targeting mobile devices are growing in number and sophistication. With more than 57% of all internet traffic coming from mobile devices, it should come as no surprise that smartphones have attackers’ undivided attention. Phishing attack on social media statistics have shown growth rates even faster than the explosive growth in the installed base of mobile devices.

90% of all security breaches are due to human error.

(Chief Executive)

Deeper investments in cybersecurity systems and improvements in defensive technology may seem the most logical measures against cybercrime, but effective staff education about the harmful effects of a phishing attempt could be the best investment a CEO can make.

Phishing statistics would finally show some progress for the good guys if companies trained employees not to fall for hackers’ manipulative tricks.

1 in 13 URLs passing through Symantec-secured internet gateways lead to malware – up 3% from 2016.


More than 1 billion URLs are processed and analyzed each day by Symantec’s Secure Web Gateway solutions. The software helps prevent the transmission of malware and helps create an increase in phishing attacks statistics.

Symantec found that there has been an increase in phishing emails that inject malware. The company reports that the attacks are becoming increasingly common.

A data breach with a lifecycle under 200 days costs $1.2 million less to remedy than those that last more than 200 days.


In spite of statistics on phishing attacks and articles covering this problematic subject, protecting against a data breach continues to be a challenging issue for many organizations. The average cost of a data breach rose to $3.92 million in 2019.

Among the leading contributors to the cost and the number of cyber attacks per year is the time it takes to detect and contain a breach. This is known as the data breach lifecycle.

The average data breach lifecycle is around 300 days. Organizations that detected breaches within 200 days experience costs that are $1.2 million less, on average. Phishing loss statistics make it clear that this difference cannot be ignored.

The app categories with most cybersecurity issues are lifestyle apps – accounting for 27% of malicious attacks.


The biggest security threat comes from lifestyle apps. Symantec data shows that more than a quarter of all malicious apps target lifestyle programs and websites. Phishing in the United States statistics show that music apps are next in line at 20%.

Unfilled cybersecurity positions worldwide will reach 3.5 million by 2021.


As America aims to drive the next wave of advanced technologies, the whole country should consider strengthening the cyber workforce a national priority. This starts by encouraging those who seek a career in cybersecurity to fill the 300,000 currently vacant cybersecurity job openings. Phishing attack examples and further education about protection would be available to more companies if they could fill the positions.

According to recent statistics on phishing, there will be as many as 3.5 million unfilled positions in the cybersecurity industry by 2021. This will put victims in a tight spot. Hackers surely won’t mind the gap.

Damage related to cybercrime is projected to cost victims $6 trillion annually by 2021.

(Herjavec Group)

So, how much money is lost to email scams every year? Damage cost projections are based on historical cybercrime figures, adjusted to follow year-over-year growth in hacking. Analysts believe the cybereconomy will be an order of greater magnitude in 2021 than in 2019.

According to Herjavec Group, cybercrime damages will cost over $6 trillion annually per year. Phishing statistics graphs present a jump from 2015’s $3 trillion estimate.

Types of Phishing

Whether you are an online shopper or you own a small business, you may be a hacker’s next target. There are many kinds of phishing attacks. Here are a half-dozen of the most common.

  • Deceptive phishing: Targets can be individuals or companies. Hackers send a phishing email claiming to be a trusted source, asking you to provide sensitive data to verify your account. The email usually includes a link to a website where you’re supposed to provide personal data.
  • Spear phishing: This is a more sophisticated version of plain old deceptive fishing. These emails contain personal information (name, job title, phone number) and use generic salutations to trick you into opening malware so they can get their hands on sensitive information.
  • CEO fraud: In this case, the phisher impersonates a top executive who instructs the employee target to provide the log-in information necessary to get access to corporate funds.
  • Pharming: This method is also known as DNS cache poisoning. Attackers change the IP addresses of the DNS servers listed in user configuration files, redirecting users to fake pages where their personal details can be harvested.
  • Dropbox phishing: Dropbox users have been targeted with emails that appear to come from Dropbox. Users are urged to click on a link that opens an executable attachment or leads to a malicious website.
  • Fake Website: Phishers often fake a website or buy ads in a well-known company’s site name so they can direct clicks to their own sites. These attackers use social media platforms to provide links to fake ICO websites.

In an ideal world, web browsers could always identify and block phishing sites and associated content. Unfortunately, it is an arms race, and statistics on phishing are not giving encouraging results. Hackers are getting more sophisticated every day. They bypass last month’s best defenses with ease.

Like it or not, users play a significant role in these battles. When email phishing scams slip through the cracks of network perimeters, people are the last line of defense.

“Should I or should I not click this link?” That’s the right question at the critical moment. Statistics of phishing scams suggest that security awareness training could provide effective education to help at these decision points.

The best way to enhance security and avoid being a part of next year’s phishing statistics article is to train, test, retrain, and repeat. Don’t get phished.

Leave a Comment

Scroll to Top