In this post we will look at phishing attack statistics for 2023. Phishing attacks are quite a common way to attempt to compromise accounts and potentially infrastructures as well depending on the accounts level of access.
Here are the most interesting statistics you should keep in mind for 2023 in relation to phishing.
- According to the F5 Labs Phishing and Fraud Report of 2020 55% of the phishing websites are based of targeted brand names so that sensitive information can be captured with ease.
- US based businesses account for 84% that carry out regular security awareness training which has helped to reduce the rate at which employees would fall for a phishing email.
- Around 92% of Australian organizations have suffered from a phishing attack. This is a 53% rise from 2021.
- Google and Amazon are the most highly impersonated brands sitting at 13%. Facebook and Whatsapp sit at 9% and Netflix & Apple at 2%.
- Phishing as the source of breaches took the 3rd longest mean time to identify sitting at around 295 days according to IBM’s 2022 Data Breach Report.
2023 Phishing Attack Statistics
Back in 2018 it was estimated that by 2022 that every 11 seconds a ransomware or phishing attack will take place.
In the subsequent sections we will look at the 2023 phishing attack statistics based on the frequency of occurance, the cost of the breach, and pandemic related increases
What Percentage Of Cyber Attacks Can Be Attributed to Phishing?
The most prevalent of cybercrimes is that of phishing scams which account for around 22% of all data breaches according to the FBI’s 2021 IC3 Report.
The report showed that in 2021 around 83% of companies experienced phishing attacks.
How Common Are Phishing Attacks?
out of al data breaches, 36% were caused by phishing according to Verizon’s 2022 report.
the report estimated that by 2022 a ransomware or phishing attack will take place every 11 seconds.
How Many Businesses Are Targeted By Spear Phishing attacks Daily?
Roughly around 88% of organizations are faced with spear phishing attacks yearly according to statistics by Norton. This means that a businesses are targeted almost daily.
In Symantec’s 2019 Threat Report it showed that 65% of cyber attacks are perpetrated through spear phishing.
What Is The Amount Of Money Lost to Email Scams Yearly?
Phishing, sitting at 16%, was the 2nd most common reasons for data breaches costing on average of $4.91 million USD in breach costs.
One of the most expensive phishing attacks was through compromised emails. This resulted in 19,369 complaints and costing around $1.8 billion USD.
Most Of The Latest Phishing Emails & New Scams Have The Subject Line Left Blank, & Sits at 68%
Gmail filters block around 100 million phishing emails, with 68% of those belonging to an unknown scam.
67% of all phishing emails have their subject lines left blank. Some of the most common ones are Fax Delivery Reports sitting at 9% and business proposal request sitting at 6%.
Phishing Is A Top Attack Vector of Cybercrime Sitting at 16%
Phishing was one of the top attack vectors in cybercrime which sits at 16% according to IBM.
These type of attacks have resulted in an average of $4.91 million USD in breach costs.
Nearly 93% of modern breaches involve phishing attacks according to the Cofense’s Q3 2023.
30% Of Opened Phishing Emails Increases The Chances Of Malware
Approximately 30% of phishing emails are opened. This in turn increases the chance of opening or downloading malicious files from the malicious links that could contain ransomware or malware.
There are some important key words that are used in phishing emails, and they are the following:
- Important at 5.4%
- Attention at 2.3%
- Urgent at 8%
- Important Updates at 8%
Business Email Compromise (BEC) 2020 To 2021 Phishing Scams
The average BEC attacks monetary requests have increased from $71,000 US Dollars in 2020 to $106,000 US Dollars in 2021.
An increase of 24% of BEC phishing scams attempted to divert employees salaries.
$4.6 Million US Dollars Has Made 2021 The Most Costly In Terms Of Phishing Attacks
Data breaches through phishing attacks made 2021 the costliest year for attacks in the past 17 years.
IBM’s Cost of Data Breach Report for 2021 found that phishing attacks were the second most expensive type of attack costing around $4.6 million US Dollars.
With Remote Working The Average Cost Of A Data Breach during remote working was $1 million US Dollars higher
Organizations which failed to evolve their IT to deal with the pandemic could have seen breach costs averaging around $5.01 million US dollars.
This is an increase of 1 million dollars over the pre pandemic situation.
Phishing Scam Percentages
Below you will see the following statistics related to Phishing.
- Phishing sites are 75% more prevalent compared to malware sites.
- around 50% of phishing websites made use of SSL certificates.
- 61% of subjects that were interviewed in a study, and they were not able to tell the difference between a real or fake Amazon login page.
- The most common reasons and motivations behind phishing attempts sits at 10% for disruption of services and 6% for financial gain.
- Around 62% of attacks did not originate from a cyber security mistake or misuse, they were carried out using stolen personal data that was obtained through a phishing or brute force attack.
- 96% of malicious threat actors use spear phishing to gather intelligence.
- Around Half of the phishing email attachments that are sent are in the form of Microsoft Word documents sitting at 39.3%, Executables at 19.5%, Rich Text Format Files at 14% and Excel files at 8.7%.
- 40% of phishing websites were hosting on .com domains, others used .org at 1.8% and .net at 3%.
- Roughly 32% of phishing websites used HTTPS in 2020 to portray phishing websites as secure.
- In a 2018 AICPA article, about 60% of Americans have been exposed to fraud schemes, 26% of those were due to phishing emails.
- Hotel chain Marriot in 2020 was hacked. This resulted in the leak of 5.2 million guests’ personal information.
- June 2022 the Marriot hotel chain was hacked for a second time by a hacker that stole 20 Gigabytes worth of guest information.
Cost Of Phishing Attacks
The costs of phishing attacks has increased significantly as time has gone by. In 2017 both Facebook & Google each faced a loss of $100 million US Dollars. Some other examples include the following:
- In 2018 statistics showed that the average cost per breach was around $150 USD for each compromised record.
- IC3 in 2020, IC3 got around 791,790 complaints with losses recorded at $4.1 billion USD.
- There is a difference of about $2.3 million USD between companies that are largely compliant versus those that are non compliant.
- The USA had the costliest data breaches in 2021 which amounted to $9.05 million USD according to IBM.
Covid 19 Phishing
With the onset of the Covid 19 pandemic there were major shifts from offline setups to online platforms. This had led to a result of higher phishing attacks as can be seen in the below statistics.
- Almost 43% of all breaches since 2019 have all had to do with web applications.
- Over 450 Covid 19 related financial support scams occurred.
- People that were looking for information about Covid facts and other details such as testing and treatment were target of phishing attempts.
- Globally known medical bodies such as the CDC (US Centre For Disease Control) & the UN’s WHO (World Health Organization) were impersonated to carry out a wide range of scams during the pandemic.
- There was a 400% increase in scams since March 2020 which made Covid one of the largest security risks ever.
Industries Commonly Targeted & Their Impact
Technology
It is assumed that technology businesses will always have strong security measures in place to help prevent phishing and other scams.
However, the resource allocation for technology companies can vary depending on the goals they want to achieve. It is crucial for tech companies to make sure their staff and data are given the highest priority to be protected.
Technology phishing statistics:
- About 82% of CIO’s feel like their software supply chain securities are weak.
- There were 50% more weekly cyber attacks in 2021 on global corporate networks.
- there was an increase in global losses of 65% between July 2019 through to December 2021
- Approximately 1.7 billion were lost businesses per minute in 2021.
- 80% of the reported cyber crimes can be attributed to phishing attacks in the technology sector.
Healthcare
A Prime target for phishing scams is the healthcare sector. The threats to this sector have greatly increased during the pandemic.
Patient’s private information is some of the most valuable information that is stored. This information can be used to commit identity theft, insurance fraud, etc.
Healthcare is one of the oldest fields that has been gathering patient health data even before the advent of digitalization.
Transitioning now from paper to digital storage paves the way for its own security issues.
Phishing statistics in the healthcare sector:
- Around 90% of healthcare organizations have had at least one security breach in the past few years.
- Phishing along side other types of cyber attacks increased by 75% in 2021.
- 30% of the data breaches take place in large hospitals that have a record of exposing a patients’ private health information.
SME's
Scammers instead of targeting large organizations with high end cyber security facilities in place, they are now targeting small and medium enterprises since they are easier targets.
This is due to these smaller companies not having as robust security measures in place to fend off such attacks effectively.
These companies might not have their cyber security roles filled or might not have the necessary resources in place to make their security measures effective.
SME phishing statistics are as follows:
- 14% of SME’s have a cyber security plan in place.
- Over the next 5 years there will be an increase of 15% in relation to cybercrime costs which should reach $10.5 US Dollars by 2025.
- 43% of cyber attacks annually are on small businesses.
- On average, $25,000 US Dollars is lost by SME’s.
- Besides phishing attacks, credential theft and making use of stolen devices are other common types of cyber attacks that take place on SME’s.
Education Sector
The education sector is another hub of personal data storage making them a prime target for phishing and scams.
Addresses to passwords and identification all get stored by almost all educational institutions.
Its important to note that this is not the only sensitive information restricted to student and faculty information. Sensitive information from research institutes as well is also stored.
As a result this makes phishing scams more prevalent in relation to this sector.
- A 75% increase in cyber attacks was seen by educational institutions.
- Most malware scams target the education sector.
- The education sector ranks last in terms of cyber security measures against phishing scams.
Phishing Scam Trends
Covid 19
With the onset of the pandemic there were a wide range of phishing attacks that were aimed at innocent victims. These victims were targeted with fake donation claims, as well as payments and financial support pages. All these pages were gathering sensitive information from users & stealing their money.
Covid 19 statistics:
- 20% of businesses that had adopted online working faced a security breach due to a remote worker.
- About 28% of remote employees admitted to using personal devices for work than work issued devices. This in turn created a huge area for the potential of a cyber attack to take place.
- Some of the top phishing keywords related to Covid were the following
Virus
Corona
Quarantine
Covid - A wide range of threats were observed during the pandemic such as data stealing malware such as the Corona anti-locker.
- Almost 2% of all malware spam was in relation to the pandemic.
Ukraine War
The war in Ukraine has been another major issue scammers and other malicious threat actors are taking advantage of through donations and fundraising scams.
Subject lines used are ones like the following:
“Help save children form Ukraine”
These are used to target victims via email. Not only money but also cryptocurrency and personal information is stolen as part of this trend.
Ukraine War phishing statistics are as follows:
- With the onset of the Ukraine war, there was a 7 fold increase in phishing emails written in Slavic languages.
- The majority of the phishing attempts were made through impersonation of legitimate domains, but by changing some unnoticeable components.
- Ukrainian systems had malware put on them under the false claim of free data decryption. The intention was to wipe out the systems.
- Hacking groups tried to hack military personnel’s email accounts in a massive phishing campaign. If it proved to be successful it would have collected confidential information used to send further phishing emails.
Online Communication Platforms
Trends have also shown an increase in phishing campaigns targeting online communication platforms such as Zoom, Slack, & Microsoft Teams to name just a few.
Another type of attack is via social media using platforms such as Instagram etc by sending messages as a stranger which would end up leading to accounts being taken over by the malicious threat actors.
Some statistics include:
- Over 50,000 Zoom account credentials were sold on the dark web for as low as $0.0020 US cents per account.
- Around 70% of all online fraud is carried out via mobile applications.
- Facebook breaches were the major cause of data leaks in 2019.
- Around 8% of all social media attacks took place through a phishing attack.
- 47% of all social media phishing attempts are LinkedIn phishing messages.
Types Of Phishing Attacks
Spear Phishing
Standard phishing campaigns use websites you have never been to or bought from. As a result it is much easier to recognize.
With a spear phishing campaign, emails are not generic emails but specific and targeted to ones personal needs or designed to look like they came from a legitimate brand that you have bought from or their site you have visited. These are much harder to identify as a phishing scam before its too late.
- Around 65% of malicious threat actors chose spear phishing as their primary method of attack.
- Approximately 71% of all the targeted attacks are done using spear phishing tactics.
- 90% of cyber attacks were through spear phishing in 2012/
Extension & Credential Phishing
Extensions, which are rather popular, such as pdf, html, and htm along side brands such as Adobe & Google are widely used in phishing schemes.
It is important to note that Adobe & Google are mainly used for credential phishing, where users sign in credentials are stolen from users.
- In 2020 there was a major increase in the number of malicious PDF files that were sent. Over 5 million users had been sent these files.
- The use of PDF files in phishing attacks used a fake CAPTCHA to lure users.
- Around 52% of companies in 2021 had credentials compromised in order to access confidential or private information.
- Around 14% of total malicious file extensions are PDF files where as zip and jar files account for 37%.
Prevention Of Phishing Attacks
Enable Multifactor Authentication (MFA)
Ensuring accounts have MFA enabled can greatly reduce and help to avoid falling for phishing attacks.
This is due to the fact that any data that is gotten through a successful phishing attacks ends up redundant with the additional authentication steps that get put in place.
Cybersecurity Software
Ensuring you have strong cybersecurity measures in place will help to ensure such phishing attempts are blocked ensuring ones corporate data is kept secure.
Employees
Continuous training is important to help your staff know what to look out for when it comes to phishing attempts especially as phishing tactics evolve.
On top of this training have strong security measures in place for devices and other measures for workstations etc. can greatly reduce the chances of an employee becoming a victim of a phishing attack.
Employees
Being cautious about what emails you get is important.
Here are some things to keep in mind to help you understand if an email you have gotten is malicious or not.
- Are there spelling Mistakes?
- Does the subject line stress a matter of urgency?
- Does it ask for company details?
- Have you previously gotten an email from this email address?
- Is the email from a trustworthy source?
Leave a Reply