Must-Know Phishing Statistics: Updated 2020

  • By Maddie Rosenthal
  • 25 August 2020

Phishing attacks aren’t a new threat. In fact, these scams have been circulating since the mid-’90s. But, over time, they’ve become more and more sophisticated, have targeted larger numbers of people, and have caused more harm to both individuals and organizations.

That means that this year – despite a growing number of vendors offering anti-phishing solutions – phishing is a bigger problem than ever. The problem is so big, in fact, that it’s hard to keep up with the latest facts and figures.

That’s why we’ve put together this article. We’ve rounded up the latest phishing statistics, organized into the categories below.

Looking for something more visual? Check out this infographic with key statistics.

“Bonus: We will be updating this article throughout 2020 with the latest phishing statistics from third-party sources and Tessian’s own research and platform data. That way, this can remain your go-to resource. (Last updated September 2020)”

If you’re familiar with phishing, spear phishing, and other forms of social engineering attacks, skip straight to the first category of 2020 phishing statistics. If not, we’ve pulled together some of our favorite resources that you can check out first to learn more about this hard-to-detect security threat. 

  1. How to Identify and Prevent Phishing Attacks
  2. What is Spear Phishing?
  3. Spear Phishing Demystified: The Terms You Need to Know
  4. Phishing vs. Spear Phishing: Differences and Defense Strategies
  5. How to Catch a Phish: A Closer Look at Email Impersonation
  6. CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives
  7. Business Email Compromise: What it is and How it Happens
  8. Whaling Attacks: Examples and Prevention Strategies 

The frequency of phishing attacks

According to Verizon’s 2020 Data Breach Investigations Report (DBIR), 22% of breaches in 2019 involved phishing. While this is down 6.6% from the previous year, it’s still the “threat action variety” most likely to cause a breach. 

The frequency of attacks varies industry-by-industry (see the section on the most targeted industries below). But 88% of organizations around the world experienced spear phishing attempts in 2019. Another 86% experienced business email compromise (BEC) attempts.

But, there’s a difference between an attempt and a successful attack. 65% of organizations in the United States experienced a successful phishing attack. This is 10% higher than the global average. 

The tactics employed by hackers

96% of phishing attacks arrive by email. Another 3% are carried out through malicious websites and just 1% via phone. When it’s done over the telephone, we call it vishing and when it’s done via text message, we call it smishing.

According to Symantec’s 2019 Internet Security Threat Report (ISTR), the top five subject lines for business email compromise (BEC) attacks were:

  1. Urgent
  2. Request
  3. Important
  4. Payment
  5. Attention

Hackers are relying more and more heavily on the credentials they’ve stolen via phishing attacks to access sensitive systems and data. That’s one reason why breaches involving malware have decreased by over 40%.

“Note: Phishing is one of the top vectors to distribute malware, which is most often distributed via a ‘payload’ of malicious programs disguised as a benign link or attachment.”

According to SonicWall’s 2020 Cyber Threat Report, in 2019, PDFs and Microsoft Office files were the delivery vehicles of choice for today’s cybercriminals. Why? Because these files are universally trusted in the modern workplace.

When it comes to targeted attacks, 65% of active groups relied on spear phishing as the primary infection vector. This is followed by watering hole websites (23%), trojanized software updates (5%), web server exploits (2%), and data storage devices (1%). 

The data that’s compromised by breaches

The top five “types” of data that are compromised in a phishing attack are:

  1. Credentials (passwords, usernames, pin numbers)
  2. Personal data (name, address, email address)
  3. Internal data (sales projections, product roadmaps) 
  4. Medical (treatment information, insurance claims)
  5. Bank (account numbers, credit card information)

While instances of financially-motivated social engineering incidents have more than doubled since 2015, this isn’t a driver for targeted attacks. Just 6% of targeted attacks are motivated by financial incentives, while 96% are motivated by intelligence gathering. The other 10% are simply trying to cause chaos and disruption.

While we’ve already discussed credential theft, malware, and financial motivations, the consequences and impact vary. According to one report:

  • Nearly 60% of organizations lose data
  • Nearly 50% of organizations have credentials or accounts compromised
  • Nearly 50% of organizations are infected with ransomware
  • Nearly 40% of organizations are infected with malware
  • Nearly 35% of organizations experience financial losses

The cost of a breach

According to IBM’s Cost of a Data Breach Report, the average cost per compromised record has steadily increased over the last three years. In 2019, the cost was $150. For some context, 5.2 million records were stolen in Marriott’s most recent breach. That means the cost of the breach could amount to $780 million.

But, the average breach costs organizations $3.92 million. This number will generally be higher in larger organizations and lower in smaller organizations. 

Losses from business email compromise (BEC) have skyrocketed over the last year. The FBI’s Internet Crime Report shows that in 2019, BEC scammers made nearly $1.8 billion. That’s over half of the total losses reported by organizations.

And, this number is only increasing. According to the Anti-Phishing Working Group’s Phishing Activity Trends Report, the average wire-transfer loss from BEC attacks in the second quarter of 2020 was $80,183. This is up from $54,000 in the first quarter.

This cost can be broken down into several different categories, including:

  • Lost hours from employees
  • Remediation
  • Incident response
  • Damaged reputation
  • Lost intellectual property
  • Direct monetary losses
  • Compliance fines
  • Lost revenue
  • Legal fees

Costs associated with remediation generally account for the largest chunk of the total.

Importantly, these costs can be mitigated by cybersecurity policies, procedures, technology, and training. Artificial Intelligence platforms can save organizations $8.97 per record.

The most targeted industries

While the Manufacturing industry saw the most breaches from social attacks (followed by Healthcare and then Professional services), employees working in Wholesale Trade are the most frequently targeted by phishing attacks, with 1 in every 22 users being targeted by a phishing email last year.  

According to a different data set, the most phished industries vary by company size. Nonetheless, it’s clear Manufacturing and Healthcare are among the highest risk industries.

The industries most at risk in companies with 1-249 employees are:

  1. Healthcare & Pharmaceuticals
  2. Education
  3. Manufacturing

The industries most at risk in companies with 250-999 employees are:

  1. Construction
  2. Healthcare & Pharmaceuticals
  3. Business Services

The industries most at risk in companies with 1,000+ employees are:

  1. Technology
  2. Healthcare & Pharmaceuticals
  3. Manufacturing

The most impersonated brands

Earlier this year, Check Point released its list of the most impersonated brands. These vary based on whether the attempt was via email or mobile, but the most impersonated brands overall for Q1 2020 were:

  1. Apple
  2. Netflix
  3. Yahoo
  4. WhatsApp
  5. PayPal
  6. Chase
  7. Facebook
  8. Microsoft
  9. eBay
  10. Amazon

The common factor between all of these consumer brands? They’re trusted and frequently communicate with their customers via email. Whether we’re asked to confirm credit card details, our home address, or our password, we often think nothing of it and willingly hand over this sensitive information.

But, after the outbreak of COVID-19 at the end of Q1, hackers changed their tactics and, by the end of Q2, Zoom was the most impersonated brand in email attacks. Read on for more COVID-related phishing statistics.

Facts and figures related to COVID-19 scams

Because hackers tend to take advantage of key calendar moments (like Tax Day or the 2020 Census) and times of general uncertainty, individuals and organizations saw a spike in COVID-19 phishing attacks starting in March. But, according to one report, COVID-19 related scams reached their peak in the third and fourth weeks of April.

And, it looks like hackers were laser-focused on money. Incidents involving payment and invoice fraud increased by 112% between Q1 2020 and Q2 2020. It makes sense, then, that finance employees were among the most frequently targeted employees. In fact, attacks on finance employees increased by 87% while attacks on the C-Suite decreased by 37%.


What can individuals and organizations do to prevent being targeted by phishing attacks?

While you can’t stop hackers from sending phishing or spear phishing emails, you can make sure you (and your employees) are prepared if and when one is received.

You should start with training. Educate employees about the key characteristics of a phishing email and remind them to be scrupulous and inspect emails, attachments, and links before taking any further action.

  • Review the email address of senders and look out for impersonations of trusted brands or people (Check out our blog CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives for more information.)
  • Always inspect URLs in emails for legitimacy by hovering over them before clicking
  • Beware of URL redirects and pay attention to subtle differences in website content
  • Genuine brands and professionals generally won’t ask you to reply divulging sensitive personal information. If you’ve been prompted to, investigate and contact the brand or person directly, rather than hitting reply
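As an added example (not code from this article or from Tessian), here is a small Python triage function that applies the four checks above to a single message: a display name that claims one of the most impersonated brands while the mail comes from another domain (the brand-to-domain map is an assumption constructed for the example), a subject built on one of Symantec’s top BEC words, anchor text whose host differs from where the link really points, and a request to reply with sensitive data.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Lists taken from the article: top BEC subject words and some of the most impersonated brands.
BEC_SUBJECT_WORDS = {"urgent", "request", "important", "payment", "attention"}
# Brand -> legitimate sender domain; this mapping is an assumption constructed for the example.
BRAND_DOMAINS = {"apple": "apple.com", "netflix": "netflix.com", "paypal": "paypal.com",
                 "microsoft": "microsoft.com", "amazon": "amazon.com", "chase": "chase.com"}
SENSITIVE = re.compile(r"\b(password|credit card|account number|pin)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs, mimicking the 'hover before you click' check."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host(s):
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()


def phish_indicators(from_header, subject, html_body):
    """Return the checks from the article's advice that fire on one message (empty = none fired)."""
    hits = []
    m = re.match(r'\s*"?([^"<]*)"?\s*<([^>]+)>', from_header)
    display, addr = (m.group(1).strip(), m.group(2)) if m else ("", from_header.strip())
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    for brand, legit in BRAND_DOMAINS.items():  # brand named in display name, mail not from its domain
        if re.search(rf"\b{brand}\b", display, re.I) and not (sender_domain == legit or sender_domain.endswith("." + legit)):
            hits.append(f"display name claims {brand} but sender domain is {sender_domain}")
    if BEC_SUBJECT_WORDS & set(re.findall(r"[a-z]+", subject.lower())):
        hits.append("subject uses a top BEC keyword")
    parser = _LinkParser()
    parser.feed(html_body)
    for href, text in parser.links:  # anchor text shows one host, href actually goes to another
        if href and LOOKS_LIKE_URL.fullmatch(text) and host(text) != host(href):
            hits.append(f"link text shows {host(text)} but points to {host(href)}")
    if SENSITIVE.search(html_body) and re.search(r"\breply\b", html_body, re.I):
        hits.append("asks for sensitive data by reply")
    return hits
```

Each returned string names the check that fired, so the function is a training aid or a first-pass triage filter, not a verdict on its own.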

We’ve created several resources to help employees identify phishing attacks. You can download a shareable PDF with examples of phishing emails and tips at the bottom of this blog: Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks.

But, humans shouldn’t be the last line of defense. That’s why organizations need to invest in technology and other solutions to prevent successful phishing attacks. But, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough.

That’s where Tessian comes in. By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, social-engineered ones.

To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today.

Maddie Rosenthal