Billions of phishing emails are sent every day – and there are no signs of these attacks slowing down anytime soon. In this article, we’ll dig into some critical phishing statistics.
1. Over 3.4 Billion Phishing Emails Are Sent Every Day
Every day, scammers send over 3.4 billion fake phishing emails. That’s over 1 trillion phishing emails a year!
2. Phishing Emails Comprise 1.2% of All Emails
In the context of all emails, though, one trillion phishing emails represent a drop in a (very large) bucket. With hundreds of billions of emails going out every day, only 1.2% of those are phishing attempts. That’s still too high for comfort.
3. Phishing Attacks Hit Record High, with 1 Million Attacks During Q1 2022
While phishing may seem comparatively old-school when looking at all possible attack vectors, its effectiveness allows it to remain one of the most popular approaches. Currently, phishing attacks are at an all-time high, with 1 million attacks occurring just in the first quarter of 2022.
4. 245,771 Phishing Sites Were Discovered in Q1 2021 Alone
Creating fake phishing websites is a common way to fool people into giving up passwords and other critical information. During the first quarter of 2021, 245,771 phishing sites were identified, representing an all-time high. That’s also an increase of 79,999 when compared to Q1 2020.
[Source: PR Newswire]
5. 80% of People Misidentify Phishing Emails
Sophisticated phishing emails can be hard to spot for most people. When given examples of phishing attempts, 80% of people involved in a survey hosted by Intel misidentified at least one phishing example as legitimate.
6. While 78% of People Understand the Risk of Unknown Links, 56% Click Anyway
Overall, 78% of internet users say they understand that links from unknown sources can be dangerous. However, 56% of email users and 40% of Facebook users have clicked on links from unknown senders anyway.
7. Between 2015 and 2021, the Cost of Phishing Scams Increased Nearly 4x
The cost of phishing scams has increased dramatically over six years. In 2015, the average cost was $3.8 million. While not small, it’s nothing compared to the cost in 2021, which averaged closer to $14.8 million. Overall, that means the cost nearly quadrupled during that six-year span.
[Source: Proofpoint]
8. Social Media Phishing Attacks More Than Doubled in 2021
Over the course of 2021, social media-based attacks more than doubled. Year over year, there was a 103% increase in social media phishing activity.
[Source: Yahoo! Finance]
9. 81% of Phishing Attacks on Mobile Devices Don’t Involve Email
When it comes to mobile phishing attacks, email isn’t the biggest threat. 81% of those attacks don’t involve email. Instead, they are initiated elsewhere, such as through text messages or social media.
10. 83% of US Organizations Were Victims of Phishing in 2021
While many people are aware of the signs of phishing, that doesn’t mean people aren’t still convinced by phishing emails. Overall, 83% of US organizations experienced at least one successful phishing attack in 2021, up from 57% of organizations in 2020.
[Source: Proofpoint]
11. Phishing Is Involved in 25% of All Data Breaches
With many phishing attempts, the goal is to secure login credentials, giving hackers access to critical systems and sensitive data. The attacker may assume the identity of an existing contact as a means of tricking the target. In some cases, they may claim to represent a well-known business entity.
While not all phishing attacks are successful, many do achieve their objective. That’s why phishing is part of the equation in 25% of all data breaches.
12. 83% of Spear Phishing Attacks Involve Brand Impersonation
When it comes to inspiring confidence, attackers rely heavily on brand impersonation. It’s the go-to technique for 83% of spear phishing attacks. Comparatively, only 11% of spear phishing attacks employ blackmail, and just 6% use compromised business emails.
For more information, see our full guide on spear phishing statistics.
13. Facebook Is the Most Impersonated Website, At 14% of Phishing Websites
In many cases, trust is a significant factor in phishing. As a result, hackers may mimic household names and create websites designed to mirror those people are used to seeing. Among all the brands, Facebook is the most commonly used, representing 14% of phishing websites. Microsoft – a previous leader in this space – was second, with 13% of phishing sites choosing that brand instead.
[Source: PR Newswire]
14. Amazon Is the Most Impersonated Brand in Phishing Emails, At 17.7%
While Facebook is the most commonly impersonated brand for phishing websites, with phishing emails, Amazon is the leader. Its wide use and familiarity make Amazon an excellent option, which is why 17.7% of phishing emails use its brand.
When it comes to second place, that dubious honor goes to DHL. The shipping company is used in 16.5% of all email phishing attempts.
[Source: TechRadar]
15. 65% of Known Cyberespionage Attacker Groups Use Spear Phishing
Spear phishing is increasingly becoming the favored approach among cyberespionage groups. Overall, 65% of known attacker groups use the technique, allowing them to target individuals with personalized messages that may be harder to identify as attacks.
16. 96% of Spear Phishing Attacks by Known Groups Are for Intelligence Gathering
Recognized cyberespionage attacker groups typically have a goal for the majority of their spear phishing emails. 96% are attempting to gather intelligence on an organization.
17. 74% of US Organizations Were Targeted by Smishing in 2021
Similar to phishing emails, smishing uses text messages to try and trick potential victims into downloading malicious software or providing login credentials and similar sensitive data. The attack vector is becoming far more popular, too, with 74% of organizations being targeted in 2021 compared to just 61% in 2020.
[Source: Proofpoint]
18. Over 1.3 Million New Phishing Sites Emerge Every Month
Every month, about 1.385 million new, unique phishing sites are published. Often, a phishing website only remains active for several hours, decreasing the odds that it will be detected by anti-phishing technologies. However, even if short-lived, it can target a slew of victims, allowing it to serve its purpose without being spotted before eventually disappearing.
19. Custom Phishing Pages Cost as Little as $3 to $12
For attackers, getting a custom phishing webpage costs very little in comparison to how much value they can generate. Typically, a phishing page can be purchased for as little as $3 to $12.
20. 4% of Targets Click on Phishing Emails
While the majority of phishing email targets don’t click on the message, a startling 4% do. Since it only takes one misstep for an attacker to gain access to a system, even a single click can be devastating.
21. The Average Cost of a Spear Phishing Attack on an Organization is $1.6 Million
Spear phishing attacks are costly. A single successful attack can cost an organization $1.6 million. In comparison, 12 months of preventative measures usually run just about $319,000. The prevention measures include security software, employee education, and more.
22. People Age 55+ Are Best at Recognizing Phishing and Ransomware Terms
While many would assume that younger generations would be most familiar with terms related to technology security threats, that isn’t the case. When it came to defining phishing, individuals aged 55+ were most likely to be correct, with 66% being able to accurately define the term. In comparison, only 55% of 23-to-28-year-olds could do the same.
The 55+ group also outperformed younger generations when it came to defining ransomware, scoring 43%, while the 23-to-28-year-olds came in with a meager 24%.
23. The Financial Industry Is the Most Targeted Industry, With 24% of All Phishing Attacks
The financial industry is a prime target for attackers. Along with reaching sensitive data, gaining access to internal systems could allow for more direct theft, such as stealing money from accounts. As a result, the financial sector sees the most phishing activity, representing 23.6% of all organization attacks. Second is software-as-a-service and webmail with 20.5%, followed by e-commerce and retail at 14.6%.
24. Over 40% of Phishing Command and Control Servers Are Located in the U.S.
While many people would assume that command and control (C2) servers for malware are largely overseas, a significant number aren’t. Over 40% are in the United States.
25. 83% of Phishing Sites Use SSL
SSL has long been a sign of safety for internet users. In order to create a false sense of security, phishing sites began implementing the technology. Overall, about 83% of identified phishing sites had SSL implemented.
26. 62% of Americans Worry About Web Security at Home, But Only 32% Worry About It at Work
Whether a person is concerned about data and security can influence whether they’re likely to fall for phishing scams or take risks that could compromise sensitive information. Being at work can give people a false sense of security, often because they believe they’re protected by various cybersecurity mechanisms when using a browser. Overall, only 32% of Americans are concerned about data and security when at work, compared to 62% when at home.
27. The Average CEO Is Targeted By 57 Phishing Attacks a Year
CEOs are prime targets for phishing attacks for several reasons. First, they typically have access to all company data and systems. Second, it’s easy to figure out who the CEO of a company is, and even if their email address isn’t public, figuring it out isn’t typically tricky. As a result, CEOs are targeted by phishing attacks an average of 57 times every year.
However, IT professionals within an organization are also common targets. Since they have higher access privileges, they typically have access to systems that aren’t reachable by your typical employee. That’s why they often face 40 phishing attempts annually.
[Source: ZDNet]
28. 29% of Phishing Sites Use a Brand Name as Part of the Domain
Featuring a known brand in a domain name is another way to build trust and convince victims to hand over sensitive data – like login credentials – or download malicious files. Since that’s the case, it shouldn’t be a surprise that 29% of phishing sites include a brand name as part of the domain.
29. Sextortion Is on the Rise, Targeting Over 7 Million Email Addresses in Six Months
During the first six months of 2019, over 7 million emails were targeted by a sextortion scheme. Sextortion scams usually involve threats related to sexual activity, where the attacker claims they will reveal certain details about the person unless they pay a certain amount as a ransom, usually in Bitcoin.
The most common threat involves the attacker claiming they have compromising images or videos of the target, such as footage of them accessing pornographic materials. The attacker says they will send the images or videos to family members, friends, or colleagues if they aren’t paid. While the threat is typically empty, if the email is a spear phishing attempt, there may be enough detail to make the target doubt that it’s a scam.
30. $1.5 Million in Bitcoin Has Been Paid Due to Sextortion Schemes
As mentioned above, some victims of sextortion email scams do believe the attacker. At least $1.5 million in Bitcoin has been paid to attackers due to this kind of scam.
31. 1 in 323 Emails Sent to Small Organizations Are Malicious
While many people assume that large enterprises are the biggest target for phishing attacks, that isn’t necessarily the case. Organizations with no more than 250 employees receive more malicious messages, with 1 in 323 being suspect. For organizations with 1,001 to 1,500 employees, only 1 in 823 emails are malicious.
32. Spear Phishing Is the Preferred Approach for Delivering Certain Ransomware
When it comes to certain ransomware families – Ryuk and GandCrab – spear phishing is the #1 distribution technique.
33. 34% of Exploitable Vulnerabilities Have No Patch
Overall, there are approximately 11,000 exploitable vulnerabilities in widely used software and systems. Of those, 34% currently do not have a patch available to close the vulnerability.
34. 56% of CEO Impersonators Ask For Gift Cards
For CEO impersonation attacks, gift cards were the requested form of payment 56% of the time. Payroll diversion was requested in 25% of BEC attacks, while a direct transfer was the goal for 19%.
35. Only 17% of Phishing Attempts Are Reported
Most people who have been targeted by a phishing attempt never inform anyone officially about the incident. Only 17% of attacks are reported to an appropriate authority.
36. Over 5,200 SharePoint Phishing Emails Were Identified During a 12-Month Period
Many professionals are more likely to trust certain kinds of links, a point that attackers have picked up on over recent years. During a 12-month period, 5,200 SharePoint phishing emails were identified, showcasing how attackers are leveraging trust during their attacks.
37. 86% of Organizations Had at Least One Employee Click a Phishing Link
In some cases, phishing emails, texts, and social media messages are persuasive. Overall, 86% of organizations have had at least one employee click a phishing link. While not every click resulted in an attack, it shows how vulnerable organizations can be regardless of training efforts.
38. 87% of Spear Phishing Attacks Occur During the Workweek
Spear phishing is generally a weekday activity in the eyes of attackers, with 87% of attacks occurring during a traditional Monday through Friday workweek. A mere 13% of spear phishing attacks occur on weekends.
The likely reason is that most spear phishing attacks focus on companies and corporate assets. As a result, it’s more effective to reach out when people are in the office. Additionally, if the attacker is masquerading as a legitimate business professional, spear phishing attempts during odd hours could signal the target that something is amiss.
39. Tuesday Is the Most Popular Day for Spear Phishing
While it’s only slightly more popular for attacks, more spear phishing attempts occur on Tuesdays than any other day. It’s possible that it’s somewhat favored since people may be dealing with a backlog of workplace email on Monday, making it seem less opportune.
Among the weekdays, Friday is the least popular day at 14%. However, that’s still twice the activity seen on Saturdays, which account for only 7% of attacks. Sunday is the least popular day, with 6% of the activity.
The Bottom Line
Ultimately, phishing and its variants are likely to remain a threat long-term. Educating yourself regarding the techniques and viewing every message you receive with a skeptical eye is a must. That way, you can ensure that you don’t become a victim of a phishing attack.