Step Into The Future of Cybersecurity — Save your spot at the Human Layer Security Summit and hear from experts at Cisco, Forrester, PeaceHealth, and Aflac.

Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.

Must-Know Phishing Statistics: Updated 2021

  • By Maddie Rosenthal
  • 16 September 2021

Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.

Looking for something more visual? Check out this infographic with key statistics.

The frequency of phishing attacks

According to the FBI, phishing was the most common type of cybercrime in 2020—and phishing incidents nearly doubled in frequency, from 114,702 incidents in 2019, to 241,324 incidents in 2020. 

The FBI said there were more than 11 times as many phishing complaints in 2020 compared to 2016.

According to Verizon’s 2021 Data Breach Investigations Report (DBIR), phishing is the top “action variety” seen in breaches in the last year and 43% of breaches involved phishing and/or pretexting.

The frequency of attacks varies industry-by-industry (click here to jump to key statistics about the most phished). But 75% of organizations around the world experienced some kind of phishing attack in 2020. Another 35% experienced spear phishing, and 65% faced BEC attacks.

But, there’s a difference between an attempt and a successful attack. 74% of organizations in the United States experienced a successful phishing attack. This is 30% higher than the global average, and 14% higher than last year.

ESET’s Threat Report reveals that malicious email detections rose 9% between Q2 and Q3, 2020. This followed a 9% rise from Q1 to Q2, 2020.

⚡  Want to learn how to prevent successful attacks? Check out this page all about BEC prevention.

How phishing attacks are delivered

96% of phishing attacks arrive by email. Another 3% are carried out through malicious websites and just 1% via phone. When it’s done over the telephone, we call it vishing and when it’s done via text message, we call it smishing. The increase in phishing attacks means email communications networks are now riddled with cybercrime. Symantec research suggests that throughout 2020, 1 in every 4,200 emails was a phishing email.

According to Sonic Wall’s 2020 Cyber Threat report, in 2019, PDFs and Microsoft Office files (sent via email) were the delivery vehicles of choice for today’s cybercriminals. Why? Because these files are universally trusted in the modern workplace. 

When it comes to targeted attacks, 65% of active groups relied on spear phishing as the primary infection vector. This is followed by watering hole websites (23%), trojanized software updates (5%), web server exploits (2%), and data storage devices (1%). 

The most common subject lines

According to Symantec’s 2019 Internet Security Threat Report (ISTR), the top five subject lines for business email compromise (BEC) attacks:

  1. Urgent
  2. Request
  3. Important
  4. Payment
  5. Attention

Analysis of real-world phishing emails revealed these to be the most common subject lines in Q4, 2020:

  1. IT: Annual Asset Inventory
  2. Changes to your health benefits
  3. Twitter: Security alert: new or unusual Twitter login
  4. Amazon: Action Required | Your Amazon Prime Membership has been declined
  5. Zoom: Scheduled Meeting Error
  6. Google Pay: Payment sent
  7. Stimulus Cancellation Request Approved
  8. Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription
  9. RingCentral is coming!
  10. Workday: Reminder: Important Security Upgrade Required

The prevalence of phishing websites

Google Safe Browsing uncovers unsafe URLs across the web. The latest data shows a world-wide-web rife with phishing websites.

  • Since 2016, phishing has replaced malware as the leading type of unsafe website. While there were once twice as many malware sites as phishing sites, there are now nearly 75 times as many phishing sites as there are malware sites.
  • Google has registered 2,145,013 phishing sites as of Jan 17, 2021. This is up from 1,690,000 on Jan 19, 2020 (up 27% over 12 months).
  • This compares to malware sites rising from 21,803 to 28,803 over the same period (up 32%).

Here you can see how phishing sites have rocketed ahead of malware sites over the years.

This chart - pulled from Google Safe Browsing - shows the steep increase in the number of websites deemed unsafe between January 2016 and January 2021.

Research from Cofense suggests phishing emails are slightly more like to contain a link to a malicious website (38%) than a malicious attachment (36%).

Further reading:

How to Identify a Malicious Website

The most common malicious attachments

Many phishing emails contain malicious payloads such as malware files. ESET’s Threat Report reports that in Q3 2020, these were the most common type of malicious files attached to phishing emails:

  1. Windows executables (74%)
  2. Script files (11%)
  3. Office documents (5%)
  4. Compressed archives (4%)
  5. PDF documents (2%)
  6. Java files (2%)
  7. Batch files (2%)
  8. Shortcuts (>1%)
  9. Android executables (>1%)

You can learn more about malicious payloads here.

The data that’s compromised in phishing attacks

The top three “types” of data that are compromised in a phishing attack are:

  1. Credentials (passwords, usernames, pin numbers)
  2. Personal data (name, address, email address)
  3. Medical (treatment information, insurance claims)

When asked about the impact of successful phishing attacks, security leaders around the world cited the following consequences

  • 60% of organizations lost data
  • 52% of organizations had credentials or accounts compromised
  • 47% of organizations were infected with ransomware
  • 29% of organizations were infected with malware
  • 18% of organizations experienced financial losses
“These costs can be mitigated by cybersecurity policies, procedures, technology, and training. Artificial Intelligence platforms can save organizations $8.97 per record. ”

The cost of a breach

RiskIQ estimates that businesses worldwide lose $17,700 every minute due to phishing attacks—and that top companies lose $25 per minute to cybercrime.

IBM’s 2021 research into the cost of a data breach ranks the causes of data breaches according to the level of costs they impose on businesses. 

Phishing ranks as the second most expensive cause of data breaches—a breach caused by phishing costs businesses an average of $4.65 million, according to IBM.

And Business Email Compromise (BEC)—a type of phishing whereby the attackers hijack or spoof a legitimate corporate email account—ranks at number one, costing businesses an average of $5.01 million per breach.

That’s not the only way phishing can lead to a costly breach—attacks using compromised credentials were ranked as the fifth most costly cause of a data breach (averaging $4.37 million). And how do credentials get compromised? More often than not, due to phishing.

On the plus side, IBM found that businesses with AI-based security solutions experienced a significant reduction in the costs associated with a data breach. In fact, AI security solutions were found to be the biggest factor in cutting breach costs, from $6.71 million to $2.90 million.

According to Verizon, organizations also see a 5% drop in stock price in the 6 months following a breach.

Losses from business email compromise (BEC) have skyrocketed over the last year. The FBI’s Internet Crime Report shows that in 2020, BEC scammers made over $1.8 billion—far more than via any other type of cybercrime.

And, this number is only increasing. According to the Anti-Phishing Working Group’s Phishing Activity Trends Report, the average wire-transfer loss from BEC attacks in the second quarter of 2020 was $80,183. This is up from $54,000 in the first quarter.

This cost can be broken down into several different categories, including:

  • Lost hours from employees
  • Remediation
  • Incident response
  • Damaged reputation
  • Lost intellectual property
  • Direct monetary losses
  • Compliance fines
  • Lost revenue
  • Legal fees

Costs associated remediation generally account for the largest chunk of the total. 

Importantly, these costs can be mitigated by cybersecurity policies, procedures, technology, and training. Artificial Intelligence platforms can save organizations $8.97 per record

The most targeted industries

Last year, Public Administration saw the most breaches from social engineering (which caused 69% of the industry’s breaches), followed by Mining and Utilities and Professional Services. But, according to another report, employees working in Wholesale Trade are the most frequently targeted by phishing attacks, with 1 in every 22 users being targeted by a phishing email last year. 

According to yet another data set, the most phished industries vary by company size. Nonetheless, it’s clear Manufacturing and Healthcare are among the highest risk industries.

The industries most at risk in companies with 1-249 employees are:

  1. Healthcare & Pharmaceuticals
  2. Education
  3. Manufacturing

The industries most at risk in companies with 250-999 employees are:

  1. Construction
  2. Healthcare & Pharmaceuticals
  3. Business Services

The industries most at risk in companies with 1,000+ employees are:

  1. Technology
  2. Healthcare & Pharmaceuticals
  3. Manufacturing

But there’s another way in which phishing impacts organizations differently across industries—resilience. Some industries are more susceptible to phishing than others.

By considering factors like awareness, susceptibility, and reporting rate Cofense estimates the following ranking of industries according to their resilience to phishing attacks:

  1. Agriculture
  2. Mining
  3. Professional services
  4. Finance
  5. Utilities
  6. Retail
  7. Trade
  8. Construction
  9. Public
  10. Entertainment
  11. Information
  12. Manufacturing
  13. Transport
  14. Education
  15. Other services
  16. Real estate
  17. Healthcare
  18. Management
  19. Administrative
  20. Accommodation

As noted, healthcare has been hit particularly hard by phishing and other cybercrimes throughout the pandemic.

According to the HIPAA Journal, an average of 58.8 data breaches occurred among U.S. healthcare providers between August 2020 and July 2021—around 3.70 million records were breached per month.

Many of these breaches were caused, directly or indirectly, by phishing. In July 2021, one phishing attack on an Orlando-based family physicians’ practice affected nearly half a million individuals.

Phishing by country

Not all countries and regions are impacted by phishing to the same extent, or in the same way.

Here are some statistics from another source showing the percentage of companies that experienced a successful phishing attack in 2020, by country:

  • United States: 74%
  • United Kingdom: 66%
  • Australia: 60%
  • Japan: 56%
  • Spain: 51%
  • France: 48%
  • Germany: 47%

Phishing awareness also varies geographically. Here’s the percentage of people who correctly answered the question: “What is phishing?”, by country:

  • United Kingdom: 69%
  • Australia: 66%
  • Japan: 66%
  • Germany: 64%
  • France: 63%
  • Spain: 63%
  • United States: 52%

As you can see, there’s no direct correlation between phishing awareness and phishing susceptibility, which is why security training isn’t enough to prevent cybercrime.

The most impersonated brands

New research found the brands below to be the most impersonated brands used in phishing attacks throughout Q4, 2020.

In order of the total number of instances the brand appeared in phishing attacks:

  • Microsoft (related to 43% of all brand phishing attempts globally)
  • DHL (18%)
  • LinkedIn (6%)
  • Amazon (5%)
  • Rakuten (4%)
  • IKEA (3%)
  • Google (2%)
  • Paypal (2%)
  • Chase (2%)
  • Yahoo (1%)

The common factor between all of these consumer brands? They’re trusted and frequently communicate with their customers via email. Whether we’re asked to confirm credit card details, our home address, or our password, we often think nothing of it and willingly hand over this sensitive information.

But it’s not just consumer brands that scammers impersonate. Public bodies are also commonly mimicked in phishing scams.

Between August 2020 and July 2021, the UK’s tax authority (HMRC) reported:

  • Over than 450 COVID-19-related financial support scams
  • More than one million reports of “suspicious contact” (namely, phishing attempts)
  • More than 13,000 malicious web pages (used as part of phishing attacks)

The rates of phishing and other scams reported by HMRC more than doubled in this period.

Facts and figures related to COVID-19 scams

Because hackers tend to take advantage of key calendar moments (like Tax Day or the 2020 Census) and times of general uncertainty, individuals and organizations saw a spike in COVID-19 phishing attacks starting in March. But, according to one report, COVID-19 related scams reached their peak in the third and fourth weeks of April.

And, it looks like hackers were laser-focused on money. Incidents involving payment and invoice fraud increased by 112% between Q1 2020 and Q2 2020. It makes sense, then, that finance employees were among the most frequently targeted employees. In fact, attacks on finance employees increased by 87% while attacks on the C-Suite decreased by 37%.

Further reading:

COVID-19: Screenshots of Phishing Emails

How Hackers Are Exploiting the COVID-19 Vaccine Rollout

⚡ Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks.

Phishing and the future of work

The move to remote work has presented many challenges to business—and the increased range, frequency, and probability of security incidents are among the most serious.

New working habits have contributed to the recent surge in phishing because IT teams have less oversight over how colleagues are using their devices and can struggle to provide support when things go wrong.

According to Microsoft’s New Future of Work Report

  • 80% of security professionals surveyed said they had encountered increased security threats since the shift to remote work began. 
  • Of these, 62% said phishing campaigns had increased more than any other type of threat.
  • Employees said they believed IT departments would be able to mitigate these phishing attacks if they had been working in the office

Furthermore, an August 2021 survey conducted by Palo Alto Networks found that:

  • 35% of companies reported that their employees either circumvented or disabled remote security measures
  • Workers at organizations that lacked effective remote collaboration tools were more than eight times as likely to report high levels of security evasion
  • 83% of companies with relaxed bring-your-own-device (BYOD) usage led to increased security issue

Further reading:

⚡ The Future of Hybrid Work 

7 Concerns Security Leaders Have About Permanent Remote Working

“Humans shouldn’t be the last line of defense. That’s why organizations need to invest in technology and other solutions to prevent successful phishing attacks.”

What can individuals and organizations do to prevent being targeted by phishing attacks?

While you can’t stop hackers from sending phishing or spear phishing emails, you can make sure you (and your employees) are prepared if and when one is received.

You should start with training. Educate employees about the key characteristics of a phishing email and remind them to be scrupulous and inspect emails, attachments, and links before taking any further action.

  • Review the email address of senders and look out for impersonations of trusted brands or people (Check out our blog CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives for more information.)
  • Always inspect URLs in emails for legitimacy by hovering over them before clicking
  • Beware of URL redirects and pay attention to subtle differences in website content
  • Genuine brands and professionals generally won’t ask you to reply divulging sensitive personal information. If you’ve been prompted to, investigate and contact the brand or person directly, rather than hitting reply

But, humans shouldn’t be the last line of defense. That’s why organizations need to invest in technology and other solutions to prevent successful phishing attacks. But, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough.

That’s where Tessian comes in. By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, social-engineered ones.

Further reading:

Tessian Defender: Product Data Sheet


Maddie Rosenthal