Phishing Attack Statistics

Mark Lukehart

We use the internet for so many aspects of our daily lives these days, whether it’s working remotely, shopping and banking online, or just talking to friends who live in a different city. As a result, online data has become more valuable than ever.

Both individuals and businesses need to take steps to protect themselves from cybersecurity attacks, which have become more common than ever.

In particular, phishing has become a very popular strategy for cybercriminals to gain access to passwords and other valuable forms of data. During a phishing attack, a cybercriminal will pose as a trusted source in order to gain your trust and ultimately gather valuable information from you.

Chances are you’ve received phishing emails before, even if they’ve ended up in your spam folder. In recent years, phishing attacks have become increasingly sophisticated, and they’ve also become the most common form of cybercrime.

We’ve rounded up some of the most fascinating and alarming phishing statistics to illustrate the prevalence of these attacks. Understanding what phishing attacks are and how to spot them can help you avoid them in your online life.

Key Takeaways

  • Phishing attacks are the most common form of cyberattack globally.
  • There are many different types of phishing attacks, ranging from traditional email phishing to spear phishing and whaling attacks on specific individuals.
  • Anyone can be the victim of a phishing attack, but small businesses are particularly common targets.
  • The healthcare and financial industries are particularly common targets of phishing attacks.

What Are Phishing Attacks?

Phishing attacks are a form of online fraud where cybercriminals impersonate legitimate organizations in an attempt to trick individuals into revealing sensitive information, such as passwords, credit card numbers, and social security numbers. 

For example, these criminals might pose as your bank, a social media platform, or a popular e-commerce retailer like Amazon.

While other forms of cybercrime use hacking and other brute-force strategies, phishing attacks use social engineering to manipulate and deceive victims. Most phishing attempts happen via email, but they can also happen via social media, text messages, or any other digital communication channel.

Many phishing scams create a sense of urgency or play on the victim’s sense of empathy. Some phishing attacks also use ransomware or other forms of malware by placing a link or attachment in the email.

Because they exploit social vulnerabilities, phishing attacks are hard to prevent with firewalls and anti-virus software alone. Instead, individuals need to proactively watch for the signs of a phishing attack and avoid interacting with those emails.

During the pandemic, stay-at-home orders meant that people were working from home more often. They were also relying heavily on the Internet to make essential purchases and handle their personal finances. 

As a result, many threat actors decided to focus on phishing attacks, and the rate of cybercrime overall increased during this period of time.

Types of Phishing Attacks

There are several common types of phishing campaigns. As these cyber attacks have become more sophisticated, cybercriminals have learned how to target specific types of people or gain access to specific types of information.

Email Phishing

Email phishing is the most common type of phishing attack. As the name implies, these attacks take place using malicious emails. They target both individuals and companies.

Email phishing attacks often pose as major corporations like Google, Microsoft, Amazon, Meta, or any other entity that the user would trust. Historically, email phishing attacks have often been characterized by poor spelling and grammar, making them easy to avoid. However, in recent years, hackers have gotten better at imitating these trusted entities, making these attacks harder to avoid.

  • There was a 29% increase in detected phishing emails between 2021 and 2022. (TrendMicro)
  • 30% of data breaches stem from phishing attacks. (Verizon, 2021)
  • Gmail blocks approximately 15 billion spam emails every day. (Google, 2022)
  • A 2015 study tested individuals from around the world on their ability to identify phishing emails. Only 3% of respondents were able to correctly identify all phishing attempts. (Intel Security/Business Wire)
  • 44% of people think an email is safe if it contains familiar branding. (ProofPoint, 2023)
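
Familiar branding in the sender name says nothing about where a message came from. The sketch below is an added example, not code from the original article: it flags messages whose From display name claims one of the brands named above while the address domain is not on that brand's list. The allow-list, function names, and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list (constructed for illustration): brands the article names,
# mapped to domains they send from. Maintain your own list in practice.
BRAND_DOMAINS = {
    "google": {"google.com"},
    "microsoft": {"microsoft.com"},
    "amazon": {"amazon.com"},
    "meta": {"meta.com"},
}

def domain_matches(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def brand_mismatches(raw_message):
    """Brands claimed in the From display name that the address domain does not back."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    # Whole-word match so "Metadata Weekly" does not count as "meta".
    words = set(re.findall(r"[a-z0-9]+", display.lower()))
    return sorted(
        brand for brand, allowed in BRAND_DOMAINS.items()
        if brand in words and not domain_matches(domain, allowed)
    )

# Constructed sample messages (not real mail).
SAMPLES = {
    "legit": "From: Amazon <order-update@amazon.com>\nSubject: Shipped\n\nbody",
    "subdomain": "From: Google <no-reply@accounts.google.com>\nSubject: Alert\n\nbody",
    "lookalike": 'From: "Amazon Support" <billing@amazon.com.secure-login.example>\n'
                 "Subject: Action required\n\nbody",
    "unrelated": "From: Microsoft Account Team <security@mail.example>\n"
                 "Subject: Unusual sign-in\n\nbody",
    "no_brand": "From: Metadata Weekly <news@newsletter.example>\nSubject: Issue 12\n\nbody",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} -> {brand_mismatches(raw) or 'ok'}")
```

A clean result only means the display name and the address domain agree. The From header itself can be forged, so this check belongs alongside the receiving server's SPF, DKIM, and DMARC verdicts rather than in place of them.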

Spear Phishing

Spear phishing is a type of phishing that targets a specific person, group, or business. Most email phishing attacks are generic messages that get sent en masse to an email list. Spear phishing emails, by contrast, are personalized to increase the chances of getting a response.

Cybercriminals spend more time learning about the target’s name, work, and interests to create a more targeted approach. Many of these attacks use the business email compromise (BEC) strategy, which happens when a scammer impersonates a company employee.

  • 65% of phishing attacks are targeted, using spear phishing techniques to reach a specific individual or business. (SlashNext)
  • 70% of spear phishing targets open and read their phishing emails. 50% of recipients clicked on a malicious link within an hour of receiving the email. (FireEye/N-Able, 2021)
  • Spear phishing emails make up less than 0.1% of all emails sent, but are responsible for 66% of all breaches. (Barracuda, 2023)

Whaling

Whaling takes the concept of spear phishing a step further by targeting senior executives and other high-value individuals. These targets are typically very financially successful and often have access to high-level data at their organizations. These targeted attacks are particularly devastating and are also particularly lucrative for scammers.

  • Whaling attacks resulted in more than $12.5 million in losses during 2021. (FBI)
  • 59% of organizations reported that an executive was targeted by a whaling attack in 2021. (GreatHorn/Security Magazine)
  • The most popular whaling and spoofing techniques include linking to malicious sites and gift card requests. (GreatHorn/Security Magazine, 2021)

Pharming

Pharming is a unique type of phishing that does not use email or social media messages. Instead, this attack places malicious code on the target’s computer or mobile device. 

This code redirects the victim from a trusted website to a counterfeit phishing website, where they will often have to enter their password or other secure information. Many phishers have switched to using this strategy because it doesn’t require targets to click a malicious link.

  • Many hackers are using ChatGPT for their pharming attacks. Over the course of 6 days in March 2023, ChatGPT deployed malware to over 2,000 people per day via fake browser plugins. (Network Assured/Dark Reading)
  • The largest and most famous pharming attack happened in 2007, when hackers targeted 50 banks around the world. (ComputerWorld)

Who’s Targeted in Phishing Attacks?

Virtually anyone can be the target of a phishing attack. Senior executives and wealthy individuals are the most common targets of these attacks, but the average consumer is often targeted by them as well. This is because virtually all types of personal data have financial value in the right context.

Small businesses have become a particularly common target of phishing messages. While their assets are substantial enough to be valuable, small businesses usually don’t have the robust cybersecurity strategies in place that larger companies do. This makes them a particularly attractive target for many hackers.

  • The most common domains for phishing links in 2022 were Amazon AWS, Sharepoint, and Google. (Cofense)
  • LinkedIn is one of the most popular social media platforms for phishing scams. In 2022, 52% of businesses in the US experienced at least one LinkedIn scam. (NordLayer)
  • Small businesses are more likely to be targeted by phishing emails than large businesses. Businesses with fewer than 250 employees receive 1 phishing email for every 323 emails, while organizations with 1000-1500 employees receive 1 phishing email for every 823 emails. (Symantec, 2019)
  • Companies with a 50% or more remote workforce take an average of 19 hours longer to detect and 12 hours longer to respond to email security issues. (Barracuda, 2023)

The Cost of Phishing Attacks

A successful phishing attack can be financially devastating. It takes time for both individuals and businesses to recover the financial losses from identity theft, making it difficult to get back on your feet.

  • In 2022, phishing victims in the US lost a total of $52,089,159. (FBI/Forbes)
  • Phishing attacks cost large organizations nearly $15 million per year. (Ponemon, 2021)
  • The average cost of a phishing-related data breach is $4.91 million. (IBM, 2021)
  • Organizations that use zero-trust architecture as part of their security strategy save an average of $1 million in data breach costs. (IBM, 2021)
  • The average amount requested in a wire transfer BEC attack in Q4 2022 was $132,559, up 41 percent from just the previous quarter. (APWG)
  • Individual consumers in the US lost a total of $40 million to phishing scams in 2022. (TrueCaller)

Phishing Attacks in the US

As one of the world’s largest economic powerhouses, the US is a major target for phishing attacks. It’s important for Americans to be vigilant when it comes to cybersecurity and online communications to avoid falling victim to these attacks.

  • Over 500 million phishing attacks were reported in the United States in 2022. (FBI/Forbes)
  • The state most affected by phishing attacks is Nevada, with a rate of 13.58 attacks per 100,000 residents in 2022. (FBI/Forbes)
  • The states that are least affected by phishing scams are Kansas, Mississippi, and Iowa. (FBI/Forbes)
  • The US had the highest percentage of C2 server nodes delivering phishing campaigns in Q1 2023, at 68.8%. (Cofense)

Phishing Attacks Globally

Phishing attacks can happen to anyone in the world with an internet connection. Many phishing attack trends are informed by current geopolitical and economic events.

  • Phishing attacks globally have increased at a rate of over 150% per year between 2019 and 2022. (APWG)
  • After the United States, the countries with the most C2 nodes delivering phishing campaigns were Great Britain, Canada, Germany, and France in Q1 2023. (Cofense)
  • 95% of global cybersecurity problems can be attributed to human error, including phishing attacks. (World Economic Forum, 2020)
  • There are an estimated 3.4 billion spam emails sent every day. (AAG, 2023)
  • 24.77% of spam emails globally in 2021 originated in Russia. (Statista)

Phishing Attacks by Industry

Some industries are particularly big targets for phishing attacks because they deal with a high volume of valuable data. All employees working in these industries should have extensive training on how to spot and avoid phishing attacks.

Healthcare

Healthcare organizations are a particularly big target for phishing scammers because of the high volume of personal information they store. Many hackers specifically target HIPAA-protected information.

  • In 2021, 45 percent of healthcare organizations reported that they had experienced a phishing attack in the previous 12 months. (Statista)
  • Between October 2009 and December 2021, there were 800 phishing-related healthcare breaches, which accounted for 18% of total data breaches in the healthcare industry. (Department of Health and Human Services)

Financial

Many cybercriminals target financial organizations in order to gain access to credit cards, bank account information, investment accounts, and more.

  • The financial sector was the most targeted of any industry in 2022, accounting for 27.7% of all phishing attacks. (APWG)
  • 83% of data breaches are financially motivated. (Verizon, 2023)

Pharmaceuticals

Like the healthcare industry, companies in the pharmaceutical industry have access to a large volume of personal information from their customers, which makes them a target for phishing attacks.

  • There was a 189% increase in phishing attacks targeting the pharmaceutical industry between December 2020 and February 2021. (Onapsis/HIT Consultants)
  • 53% of data breaches in the pharmaceutical industry happen as a result of malicious activity. (IBM/Forbes, 2021)

Technology

The technology industry is another common phishing target for a variety of reasons. Hackers often target technology companies in an attempt to access their proprietary technology and intellectual property. Additionally, technology companies also collect a large volume of customer data as part of their operations.

  • SaaS was the second-most targeted industry for phishing attacks in 2022, with e-commerce, social media, and cryptocurrency all highly targeted as well. (Statista)

Energy

Energy companies are some of the largest and most valuable companies in the world. Because of this, many executives at these companies are targeted by whaling attacks.

  • Spear phishing accounted for 20 percent of digital threats against energy companies in 2022. (Security Intelligence)
  • 10.7% of tracked cyberattacks targeted the energy sector in 2022. (Security Intelligence)
  • Mobile phishing attacks targeting the energy sector rose by 161% between 2020 and 2021. (BleepingComputer)