Phishing is one of the most common and dangerous forms of cyber crime. For years, the deceptively simple attack method has tricked organisations and individuals into handing over sensitive information or downloading malware.
All it takes is a well-crafted email, social media post or phone message, and an employee who is too negligent or unaware to spot its true nature.
Despite an array of technological solutions designed to counter phishing attacks – from antimalware software to password protections – the main weapon in anyone’s arsenal should be knowledge and awareness.
Cyber criminals are constantly creating new attack methods to outwit defences, meaning that the only consistent and effective way to thwart an attack is for the individual to understand how phishing works and how to identify the signs before clicking a malicious link.
Indeed, no matter how sophisticated a phishing attack is, it always relies on its ability to make the recipient take action.
The messages often exploit people’s fears – with pretexts mentioning the need for urgent action – or their curiosity at a new opportunity, such as a special offer or an intriguingly mysterious attachment.
To protect your organisation and stay safe online, you must realise just how pervasive phishing attacks are and the damage they cause. It’s why, in this blog, we’ve collected the most crucial phishing statistics you need to understand the threat.
We’ve looked at sources such as IBM’s Cost of a Data Breach Report, Verizon’s 2023 DBIR (Data Breach Investigations Report) and Proofpoint’s The State of Phishing report, and found 50 essential stats that reveal the threat phishing poses – plus we have an extra statistic to explain how you can prevent attacks.
How common are phishing attacks?
1. Phishing is the most common form of cyber crime, with several reports estimating that 3.4 billion malicious emails are sent every day.
2. Verizon’s 2023 DBIR found that 36% of all data breaches involved phishing.
3. One of the main aims of phishing is to capture people’s login credentials, and according to IBM’s Cost of a Data Breach Report, compromised credentials are the most common cause of data breaches. It found that they were the initial attack vector in 19% of the breaches it studied.
4. Meanwhile, it found that phishing was the second most common cause of data breaches.
5. A new phishing website is created once every 20 seconds on average, according to DataProt.
6. A Digital Guardian report found that 90% of corporate security breaches are the result of phishing attacks.
7. Research from IRONSCALES revealed that 81% of organisations around the world have experienced an increase in email phishing attacks since March 2020.
8. APWG detected 1.3 million unique phishing websites in Q4 2022, which is the most it has ever recorded.
9. Phishing is one of four main ways that a cyber criminal can compromise an organisation, and it accounts for more than 60% of all social engineering attacks, according to Verizon.
Phishing in the UK
10. The UK is the biggest target for phishing attacks in Europe, according to Proofpoint. It found that 96% of organisations in the UK were targeted by phishing last year. Spain was the second worst affected (94%), while France and Italy were among the least affected, at 85% and 79%, respectively.
11. An Office for National Statistics report revealed that UK organisations have experienced a 57% increase in “consumer and retail fraud” compared to pre-pandemic levels.
12. Research from BDO found that six in ten mid-sized organisations in the UK have been hit by fraud – with phishing and other forms of cyber attack being among the leading causes. Those attacks resulted in an average loss of £245,000.
13. BDO’s research also revealed that 40% of respondents had experienced an increase in fraud attempts compared to previous years.
14. Tessian reported that the UK has the greatest global awareness of phishing. It found that 69% of respondents in the country could correctly define phishing. By contrast, that figure was 66% in Australia and Japan, 64% in Germany, 63% in France and Spain, and only 52% in the US.
15. The UK Government’s Cyber Security Breaches Survey 2022 revealed that 83% of organisations that suffered a cyber attack in the past year said that it was caused by phishing.
16. Proofpoint found that 77% of UK organisations punish employees who interact with genuine or simulated phishing attacks. This represents a 28% increase compared to 2021.
17. The report also revealed that the UK is the most likely country to incorporate “severe” punishments, with 42% inflicting financial penalties (compared to 26% globally). Meanwhile, 29% of respondents said they terminate employees who interact with phishing, compared to 18% globally.
18. A UK government study found that half of adults said they had received a phishing message in the previous month.
Anatomy of an attack
19. Research from ESET found that the most common type of malicious files attached to phishing emails are Windows executables (47%). Other popular attack methods are script files (23%), Office documents (19%) and PDF documents (6%).
20. According to Verizon, 82% of data breaches involve a human element, such as phishing and the use of stolen credentials.
21. Verizon’s report also found that the most common target in phishing attacks is victims’ login credentials, which are compromised in 63% of successful attacks. Cyber criminals also target internal data (32%) and personal data (24%).
22. Amazon Prime Day is the most active period for phishing attacks, according to an AtlasVPN study. It found that in the 90 days leading up to last year’s sale, 1,633 fake sites targeting the event were detected.
23. Cyber criminals frequently hide malware in Microsoft Office attachments. Research by Astra Security revealed that Word is the most common, being used in 39.9% of attacks, while Excel was used in 8.7%.
24. Despite a proliferation of unusual new domains, phishing attacks are most often hosted on ‘.com’ websites. Astra Security found that this is the case for 40% of phishing websites, while ‘.net’ was only used in 3% of attacks and ‘.org’ in 1.8%.
25. Email remains by far the most common method for phishing. Verizon revealed that it’s used in 96% of phishing attacks, while 3% are conducted with malicious websites and 1% via telephone.
26. Email phishing accounts for 90% of ransomware attacks. In those instances, the average ransom payment is approximately $200,000 (£161,000), and organisations lose three weeks in downtime.
Cost of a phishing attack
27. Organisations lose approximately $181 (£150) for each piece of personal information stolen in a phishing attack, according to Venari Security.
28. IBM found that the average cost of a data breach rose from $4.24 million (£3.42 million) in 2021 to $4.35 million (£3.51 million) in 2022.
29. Research from APWG revealed that, in Q3 2022, the average wire transfer attempt made in BEC attacks was $93,881 (about £76,000).
Where phishing attacks come from
30. The share of spam emails sent from Russia continued to grow in 2022, according to a Kaspersky report. It revealed that 29.82% of all malicious emails originated in the country, more than twice the share of second-placed China (14%).
31. Scammers are increasingly using instant message platforms to spread phishing, with an IRONSCALES report finding that one third of IT professionals have experienced an increase in social engineering via communication platforms other than email.
32. The most common communication platforms (besides email) used for phishing are video conferencing software (44%), workplace messaging platforms (40%), Cloud-based file-sharing platforms (40%) and text message (36%).
33. Similarly, a Cyphere study found that 90% of phishing attacks delivered via instant message platforms came via WhatsApp.
34. LinkedIn has emerged as the social media platform used most often in scams. Research from Check Point revealed that, in phishing attacks that imitated a known brand, LinkedIn was used 52% of the time.
35. A Proofpoint study revealed that security leaders’ biggest concern about the impact of a successful phishing attack was the loss of data. It was cited in 60% of responses, ahead of compromised credentials (52%), the threat of ransomware (47%) or malware (29%), and financial losses (18%).
Who is being targeted?
36. Terranova Security’s 2022 Gone Phishing Tournament revealed that 7% of all employees are likely to click on phishing email links. That might not sound like much, but it only takes one employee to make a mistake for an organisation’s systems to be compromised. At that click rate, and assuming each recipient decides independently, a phishing email sent to just 10 employees has a better than 50% chance of being clicked by at least one of them (the probability of at least one click is 1 − 0.93ⁿ, which passes 50% at n = 10).
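To show how quickly that 7% compounds across a mailing list, here is an added worked example (not part of the original article or of Terranova’s research). It assumes every recipient clicks independently with the same probability, which is optimistic: a convincing lure raises everyone’s click rate at once, so treat the output as a lower bound on how fast the risk accumulates.

```python
"""
Probability that at least one employee clicks a phishing link.

Added example, not code from the original article. Assumes each recipient
clicks independently with the same per-recipient probability p (an
assumption; real campaigns are correlated), so P(at least one click over n
recipients) = 1 - (1 - p)^n.
"""
import math


def p_at_least_one_click(p: float, n: int) -> float:
    """P(at least one of n independent recipients clicks) = 1 - (1 - p)^n."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability")
    if n < 0:
        raise ValueError("n must be non-negative")
    return 1.0 - (1.0 - p) ** n


def recipients_for_threshold(p: float, target: float) -> int:
    """Smallest n such that p_at_least_one_click(p, n) >= target.

    Solves (1 - p)^n <= 1 - target, i.e. n >= log(1 - target) / log(1 - p),
    then checks neighbouring values with the direct formula so floating-point
    rounding in the logarithms cannot land one off.
    """
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    if not 0.0 <= target < 1.0:
        raise ValueError("target must be in [0, 1)")
    if target == 0.0:
        return 0
    n = math.ceil(math.log(1.0 - target) / math.log(1.0 - p))
    while p_at_least_one_click(p, n) < target:
        n += 1
    while n > 0 and p_at_least_one_click(p, n - 1) >= target:
        n -= 1
    return n


def risk_table(p: float, sizes=(1, 5, 8, 10, 25, 50, 100)) -> dict:
    """Map recipient count -> probability of at least one click."""
    return {n: p_at_least_one_click(p, n) for n in sizes}


if __name__ == "__main__":
    CLICK_RATE = 0.07  # the Terranova figure quoted in the article
    for n, prob in risk_table(CLICK_RATE).items():
        print(f"{n:4d} recipients -> {prob:6.1%} chance of at least one click")
    for target in (0.5, 0.9, 0.99):
        needed = recipients_for_threshold(CLICK_RATE, target)
        print(f"{needed:4d} recipients needed for a {target:.0%} chance "
              f"of at least one click")
```

With p = 0.07 the 50% mark is crossed at 10 recipients, 90% at 32 and 99% at 64, which is why a single campaign against a mid-sized department is almost certain to land at least one click and why the organisational defence has to assume someone will click.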
37. Millennials and Gen Zers are more likely to fall victim to phishing attacks than Gen Xers. Atlas VPN found that 23% of people aged between 18–40 admitted that they’d been duped, compared to 19% of those aged 41–55.
38. APWG revealed that 34.7% of phishing attacks target webmail and software-as-a-service users.
39. A Statista study found that, among organisations that operate predominantly online, the financial sector was most vulnerable to phishing, accounting for 23% of all successful attacks.
40. The same report found that, although cryptocurrency platforms are an often-discussed target for phishing scams, they represent only 2% of all successful attacks.
41. Phishing attacks are often considered indiscriminate and sent to hundreds, if not thousands, of people at any one time, but Slashnext’s 2022 State of Phishing Report found that 76% of all phishing attacks targeted specific individuals. These attacks, known as spear phishing, involve careful research and are therefore more likely to succeed.
42. A Symantec study revealed that small organisations are more likely to be targeted by phishing than larger ones. It found that, among organisations with 1–250 employees, approximately 1 in every 323 emails was malicious. By contrast, in organisations with between 1,001–1,500 employees, that rate was 1 in 823.
Spotting a phishing email
43. IBM revealed that phishing-related breaches have one of the longest lifecycles of any breach cause. It takes organisations 243 days on average to identify such a breach and a further 84 days to contain it.
44. The most frequently used words in phishing emails are ‘urgent’ (8%), ‘request’ (5.8%), ‘important’ (5.4%), ‘payment’ (5.2%) and ‘attention’ (4.4%), according to research published in AIMS Press.
45. The same study revealed that the most common pretexts for emails were bills or invoices (15.7%), email delivery failures (13.3%) and package deliveries (2.4%).
46. By contrast, AtlasVPN found that almost 70% of all phishing email attempts contain an empty subject line.
47. Among the emails that do have specific pretexts, fake invoices are the most common for distributing malware. This attack method was found in 7% of phishing emails claiming to be a bill or invoice.
48. Astra Security learned that 61% of respondents to its study could not differentiate between Amazon’s real login page and a phishing site designed to imitate it.
49. A Nira study revealed that employees open malware-infected attachments approximately 20% of the time.
50. The same study discovered that links to bogus websites were less successful, with employees only following the link 12% of the time. Moreover, only 4% of people enter their data on fake websites.
Preventing phishing attacks
51. A Proofpoint study found that 84% of respondents conduct regular staff awareness training to help employees understand how phishing works and reduce the rate at which they fall victim.
Of all the statistics we’ve shared in this article, this is the most important and encouraging. You should be aware by now of the threat that phishing poses and the importance of tackling the threat.
Nobody is immune from attacks, no matter what country or sector you’re in. Organisations can help address the threat as part of their overall information security structure – adopting policies to outline effective practices, installing state-of-the-art antimalware software and disciplining employees who act carelessly.
However, staff awareness must be at the centre of your activities. Regular training courses ensure that employees know how to spot a phishing email, even as fraudsters’ techniques become increasingly advanced.
It’s only by reinforcing advice on avoiding scams that your team can develop good habits and detect signs of a phishing email as second nature.
For those looking for guidance on how to begin, IT Governance is here to help. Our Phishing Staff Awareness Training Programme provides straightforward advice that can be embedded directly into your organisation’s training strategy.
The online subscription course explains everything you need to know about phishing.
It uses real-world examples to explain how cyber criminals operate, the tactics that they use and how you can stop them in their tracks.