29 Must-Read Phishing Statistics & Facts – 2020

Phishing attacks are a threat to individuals and businesses alike. If cyber criminals manage to get their hands on sensitive information, they can use it for a range of purposes, including money scams, identity theft, corporate espionage, and more.

Want to know more? Here are some must-read phishing statistics and facts worth reviewing.

1. Over 3.4 Billion Phishing Emails Are Sent Every Day

Every day, scammers send over 3.4 billion fake phishing emails. That’s over 1 trillion phishing emails a year!

[Source: Valimail]

2. Phishing Emails Comprise 1.2% of All Emails

I know, a trillion phishing emails sounds like a pretty big number. In the context of all emails, though, that’s a drop in a (very large) bucket. With hundreds of billions of emails going out every day, only 1.2% of those are phishing attempts. That’s still too high for comfort.

[Source: Valimail]

3. Phishing Attacks Are at a 3-Year High

Nearly 140,000 phishing emails were reported to the Anti-Phishing Working Group in Q1 2020 – reaching levels that haven’t been seen since 2016. Common trends this year include Covid scammers and Zoom impersonators.

[Source: APWG]

4. 4% of Phishing Email Targets Click

While the majority of phishing email targets don’t click on the message, a startling 4% do. Since it only takes one misstep for an attacker to gain access to a system, even a single click can be devastating.

[Source: Verizon]

5. 165,772 Phishing Sites Were Detected in Q1 2020

Phishing attackers love to create fake websites to fool users into giving up passwords and other critical information. During the first quarter of 2020, 165,772 phishing sites were identified, an increase of 3,617 over Q4 2019 (162,155).

[Source: APWG]

6. 83% of Spear Phishing Attacks Involve Brand Impersonation

When it comes to inspiring confidence, attackers rely heavily on brand impersonation. It’s the go-to technique for 83% of spear phishing attacks.

Comparatively, only 11% of spear phishing attacks employ blackmail, and just 6% use business email compromise (BEC).

[Source: Barracuda]

7. Apple is the Most Commonly Imitated Brand for Phishing

When it comes to brand phishing attempts, attackers are more likely to imitate Apple than any other brand.

[Source: Check Point]

8. The Average Cost of a Spear Phishing Attack on an Organization is $1.6 Million

Spear phishing attacks are costly. A single successful attack can cost an organization $1.6 million. In comparison, 12 months of preventative measures usually run just about $319,000. The prevention measures include security software, employee education, and more.

[Source: CSO]

9. Sextortion Is on the Rise, Targeting Over 7 Million Email Addresses in Six Months

During the first six months of 2019, over 7 million email addresses were targeted by a sextortion scheme. Sextortion scams usually involve threats related to sexual activity, where the attacker claims they will reveal certain details about the person unless they pay a certain amount as a ransom, usually in Bitcoin.

The most common threat involves the attacker claiming they have compromising images or videos of the target, such as footage of them accessing pornographic materials. The attacker says they will send the images or videos to family members, friends, or colleagues if they aren’t paid. While the threat is typically empty, if the email is a spear phishing attempt, there may be enough detail to make the target doubt that it’s a scam.

[Source: Cofense]

10. $1.5 Million in Bitcoin Has Been Paid Due to Sextortion Schemes

As mentioned above, some victims of sextortion email scams do believe the attacker. At least $1.5 million in Bitcoin has been paid to attackers due to this kind of scam.

[Source: Cofense]

11. 65% of Known Cyberespionage Attacker Groups Use Spear Phishing

Spear phishing is increasingly becoming the favored approach among cyberespionage groups. Overall, 65% of known attacker groups use the technique, allowing them to target individuals with personalized messages that may be harder to identify as attacks.

[Source: Symantec]

12. 96% of Spear Phishing Attacks by Known Groups Are for Intelligence Gathering

Recognized cyberespionage attacker groups typically have a goal for the majority of their spear phishing emails. Ninety-six percent are attempting to gather intelligence on an organization.

[Source: Symantec]

13. 81% of Phishing Attacks on Mobile Devices Don’t Involve Email

When it comes to mobile phishing attacks, email isn’t the biggest threat. Eighty-one percent of those attacks don’t involve email. Instead, they are initiated elsewhere, such as through text messages or social media.

[Source: Wandera]

14. 75% of Phishing Sites Use SSL

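Internet users have long treated SSL (the HTTPS padlock) as a sign of safety, but a certificate only shows that the connection is encrypted, not that the site behind it is legitimate. To create a false sense of security, phishing sites began implementing the technology. As of early 2020, about 75% of identified phishing sites had SSL implemented.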

[Source: APWG]

15. 65% of U.S. Organizations Were Successfully Attacked During the Last Year

In the United States, 65% of organizations were successfully targeted by a phishing attack during the last year. That means that the attackers got what they wanted, be that information, credentials, access to a system, or anything else related to their goal.

[Source: Proofpoint]

16. 32% of Data Breaches Involve Phishing

When it comes to data breaches, 32% had a connection to a phishing attack. That makes phishing one of the top threats in that arena.

[Source: Verizon]

17. 1-in-323 Emails Sent to Small Organizations Is Malicious. For Large Organizations, it’s only 1-in-823

While many people assume that large enterprises are the biggest target for phishing attacks, that isn’t necessarily the case. Organizations with no more than 250 employees receive more malicious messages, with 1-in-323 being suspect. For organizations with 1,001 to 1,500 employees, only 1-in-823 emails are malicious.

[Source: Symantec]

18. People Age 55+ Are Best at Recognizing Phishing and Ransomware Terms

While many would assume that younger generations would be most familiar with terms related to technology security threats, that isn’t the case. When it came to defining phishing, individuals aged 55+ were most likely to be correct, with 66% being able to accurately define the term. In comparison, only 55% of 23 to 28-year-olds could do the same.

The 55+ group also outperformed younger generations when it came to defining ransomware, scoring 43%, while the 23 to 28-year-olds came in with a meager 24%.

[Source: Proofpoint]

19. 34.7% of Phishing Attacks Target SaaS and Webmail Industry

When it comes to target industries, SaaS and webmail lead the way, being the focus 34.7% of the time. Financial institutions come in second, being the target 18% of the time.

[Source: Statista]

20. Over 40% of Phishing Command and Control Servers Are Located in the U.S.

While many people would assume that command and control (C2) servers for malware are largely overseas, a significant number aren’t. Over 40% are in the United States.

[Source: Cofense]

21. 80% of People Misidentify Phishing Emails

Sophisticated phishing emails can be hard to spot for most people. When given examples of phishing attempts, 80% of people involved in a survey hosted by Intel misidentified at least one phishing example as legitimate.

[Source: Intel]

22. Spear Phishing Is the Preferred Approach for Delivering Certain Ransomware

When it comes to certain ransomware families – Ryuk and GandCrab – spear phishing is the #1 distribution technique.

[Source: McAfee]

23. 34% of Exploitable Vulnerabilities Have No Patch

Overall, there are approximately 11,000 exploitable vulnerabilities in widely used software and systems. Of those, 34% currently do not have a patch available to close the vulnerability.

[Source: TechRepublic]

24. 56 Percent of BEC Attack Payment Requests Involve Gift Cards

For BEC attacks, gift cards were the requested form of payment 56% of the time. Payroll diversion was requested in 25% of BEC attacks, while a direct transfer was the goal for 19%.

[Source: APWG]

25. Custom Phishing Pages Cost as Little as $3 to $12.

For attackers, getting a custom phishing webpage costs very little in comparison to how much value they can generate. Typically, a phishing page can be purchased for as little as $3 to $12.

[Source: Symantec]

26. Only 17% of Phishing Attempts Are Reported

Most people who have been targeted by a phishing attempt never inform anyone officially about the incident. Only 17% of attacks are reported to an appropriate authority.

[Source: Verizon]

27. Over 1.3 Million New Phishing Sites Emerge Every Month

Every month, about 1.385 million new, unique phishing sites are published. Often, a phishing website only remains active for several hours, decreasing the odds that it will be detected by anti-phishing technologies. However, even if short-lived, it can target a slew of victims, allowing it to serve its purpose without being spotted before eventually disappearing.

[Source: Webroot]

28. While 78% of People Understand the Risk of Unknown Links, 56% Click Anyway

Overall, 78% of internet users say they understand that links from unknown sources can be dangerous. However, 56% of email users and 40% of Facebook users have clicked on links from unknown senders anyway.

[Source: FAU]

29. Over 5,200 SharePoint Phishing Emails Were Identified During a 12-Month Period

Many professionals are more likely to trust certain kinds of links, a point that attackers have picked up on over recent years. During a 12-month period, 5,200 SharePoint phishing emails were identified, showcasing how attackers are leveraging trust during their attacks.

[Source: Cofense]

Bottom Line

For many, the phishing statistics and facts above are a bit enlightening. While many people understand that it’s a problem, the tidbits above really bring some interesting details to light.

Not only do the phishing statistics and facts in this list show how prevalent and damaging these attacks can be, but they also highlight many other issues. A surprising number of people are still willing to engage with links from unknown senders, even though they know the risks, for example.

Ultimately, phishing and its variants are likely to remain a threat long-term. Educating yourself regarding the techniques and viewing every message you receive with a skeptical eye is a must. That way, you can ensure that you don’t become a victim of a phishing attack.
