100+ Phishing Attack Statistics You Should Know in 2024

Ayush Saxena


Jan 19, 2024


Phishing attacks have become a menacing threat in today’s digital landscape, jeopardizing the security and privacy of organizations and individuals alike. Understanding the scope and impact of these threats is critical for avoiding potentially debilitating financial loss and implementing effective cybersecurity measures.

Here we analyze the impact of phishing attacks globally: 

  • Nearly 1 billion emails were exposed in 2021, affecting 1 in every 5 internet users.
  • Nearly 1.2% of all emails shared are malicious, which translates to 3.4 billion phishing emails daily. 
  • Extortion of over 33 million records with a phishing attack or ransomware is expected to occur by 2024.
  • A data breach that affects 10 million records costs businesses $50 million, and for 50 million compromised records, the cost can be as high as $392 million.

Phishing statistics can serve as a reliable visual of the real threat behind phishing attacks. With disparate sources online, we’ve put together data about the overall impact of phishing attacks.

Phishing Statistics Highlights

In 2022, in the US alone, phishing attacks led to a compromise of 300,497 accounts with a loss amounting to $52,089,159. Here are some other phishing statistics highlights:

  • 36% of all data breaches in the US are caused by phishing attacks.
  • Each year, 83% of all organizations experience a phishing attack.
  • There was a 345% increase in unique phishing sites between 2020 and 2021.
  • $4.91 million is the average cost of each phishing attack for corporations.


Top Phishing Attack Statistics 2024

Keeping up to date with the latest phishing attack statistics helps you keep up with the ever-changing world of cybersecurity. Here are the most eye-opening phishing attack statistics you should know in 2024.

  • When it contains familiar branding, 44% of people think an email is safe, but cybercriminals in 2022 exploited Microsoft products or branding in over 30 million malicious messages.
  • There was a significant increase in telephone-oriented attack delivery attempts, with 300-400K made per day, and in August 2022, peaking at 600K per day.
  • Direct financial loss in 2022 increased by 76% from successful phishing attacks.
  • 75 million threats were blocked by user reporting, approximately 1 in 10.
  • As per 84% of US-based organizations, conducting regular security awareness training has reduced the rate at which working employees fall prey to phishing attacks.
  • 92% of Australian companies were breached by a successful phishing attack, a 53% rise from the year 2021. 
  • Highly impersonated brands used for phishing are Google and Amazon at 13%, WhatsApp and Facebook at 9%, and Apple and Netflix at 2%.
  • As per IBM’s 2022 Cost of Data Breach Report, the use of compromised or stolen credentials is the most recurrent cause of data breaches. In 19% of breaches this year, they were the primary attack vector, a small drop from 20% in 2021.
  • At 16% and costing $4.91m, phishing is the second most common cause of breaches.

Phishing Attacks Projections

Based on phishing statistics from the last year, we can expect a rise in a couple of key trends as we move into 2024. Here are some phishing attack projections for the year 2024.

Attacks will increase in sophistication

As per Zscaler’s ThreatLabz 2023 Phishing Report, the rapid proliferation of AI-powered software will lead to undetectable phishing attempts as AI-generation tools move closer to generating more authentic human-sounding material.

AI tools like ChatGPT can create polymorphic malware or other malicious code as well as fake login pages with minimal input or coding expertise from the user. 

There will be more focused efforts on targeted ransomware

As per Kaspersky, cybercriminals will focus on landing one big payment from major corporations rather than a number of small payments from random targets. It predicts that rapid diversification will be a key practice in hacking into IoT devices like cars, smartwatches, and TVs.

An increase in TrickBot activity

As per Cofense, 2024 will see emerging trends in delivery methods for TrickBot, with organizations likely to be increasingly targeted by campaigns using CHM and LNK downloaders.

New commodity downloaders are expected

As per Cofense, citing high prices for the malware downloaders currently available in the market, there will be an emergence of a new, much more affordable malware downloader that could lead to severe repercussions in the phishing landscape.


Phishing Attacks Trends 

Current events heavily influence the methods hackers use to breach data. Here are a few key trends in phishing attacks in 2024:

War In Ukraine

Scammers and other malicious attackers are taking advantage of the war in Ukraine through donation and fundraising scams. Email subject lines such as “Donate to save children of Ukraine” are used to target victims. Not only money but also information and cryptocurrency are stolen as part of this trend.

Ukraine war-related phishing statistics:

  • A 7-fold increase was noticed in phishing emails in Slavic languages since the onset of the war.
  • The impersonation of legitimate domains with a few unnoticeable components was the cause of most phishing attempts.
  • Malware was placed on Ukrainian systems to wipe out the systems under the pretext of free data decryption.
  • Hacking groups attempted, in a mass phishing attack, to hack military personnel’s email accounts, which, if compromised, were used to collect confidential information and send further fake emails.

COVID-19 

With the onset of the pandemic, a slew of phishing attacks targeting innocent people was noticed, using financial support pages as well as fake claims of payments or donations, all to access sensitive information from users and extort money.

COVID-19-specific statistics: 

  • 20% of organizations in the online working scenario suffered a security breach because of their remote setup. 
  • 28% of employees who work remotely admitted to the use of personal devices for work instead of using office-issued devices, thus creating a huge attack surface area for potential cyberattacks. 
  • In 2020, a few of the top COVID-19-related phishing keywords were virus, quarantine, corona, and COVID. 
  • During the pandemic, data-stealing malware such as Corona anti-locker ultimate and a variety of other threats were observed. 
  • The pandemic was the cause of nearly 2% of all malware spam. 

Online Communication Platforms

Recent trends also show a rise in phishing attacks targeted at online communication platforms like Zoom, Microsoft Teams, Slack, and more. Using social media platforms like Instagram is another emerging attack trend, increasingly through messages from strangers, leading to account compromise by malicious attackers.

A few cyber attack statistics for communication platforms are: 

  • For as little as $0.0020 per account, 50,000 Zoom account details were auctioned off on the dark web. 
  • Mobile applications are the cause of 70% of online fraud.
  • In 2019, data leakages were majorly caused by Facebook breaches.
  • Phishing is the cause of nearly 8% of social media cyberattacks. 
  • 47% of all social media phishing attempts are caused by LinkedIn phishing messages.

Notable Incidents

Phishing attacks are one of the major causes of data breaches. They are aimed at exploiting human errors. Some of the largest phishing-related incidents are:

Russia/Ukraine hacking

Russia has aggressively pursued digital attacks as part of its ongoing war with Ukraine. These attacks have caused blackouts, stolen data, and released malware. In response, Ukraine has been causing massive data breaches via custom malware.

Lapsus$ extortion

The group Lapsus$, relying largely on phishing, went on a hacking spree at the beginning of this year. It has been stealing sensitive and valuable data from some of the biggest organizations in the world – including Samsung, Ubisoft, Microsoft, and Nvidia – before releasing it for money-making purposes. 

Conti paralyzes Costa Rica

Costa Rica’s Ministry of Finance was attacked by another gang named Conti, which crippled the nation’s import and export businesses. The issue was declared a ‘national emergency,’ and this cyberattack has since cost Costa Rica millions of dollars. 

2021 Colonial Pipeline attack

A massive cyber attack, known as the 2021 Colonial Pipeline attack, temporarily shut down gasoline distribution across the east coast of the USA. To avoid crippling shortages, a state of emergency was declared in 18 states, and a ransom of $4.4 million was demanded to regain control of the systems.

2015 FACC Whaling Attack

In late 2015, the aerospace company FACC lost $47 million after a successful ‘whaling’ attack in which the hackers impersonated FACC’s CEO, Walter Stephen, to get an employee to send money for an ‘acquisition project.’

2014 Sony Pictures Phishing Attack

Up to 100 terabytes of data were leaked in the infamous 2014 Sony cyber attack, which also caused extensive damage to operational capacity and servers. Initial access was gained through phishing emails sent to Sony executives, while malware was used to exfiltrate the data and wipe Sony’s servers. In total, resolving the attack cost Sony an estimated $100 million.


Most popular phishing attack methods

Cybercriminals are becoming more sophisticated than ever, but education can go a long way in safeguarding against their attacks. Here are some of the most common targets and methods employed by hackers.

  • The top two assets impacted by breaches are web applications and email servers.
  • Webmail and SaaS users are the biggest category targeted in phishing, accounting for 34.7% of phishing attempts.
  • In Q1 of 2022, APWG recorded 1,025,968 phishing attacks.
  • Phishing attacks against social media sites were recorded at 12.5% in Q1 of 2022 as compared to 8.5% in Q4 of 2021.
  • Spear phishing emails have been leveraged by around 65% of cybercriminals as their primary attack vector.
  • As of 2021, almost 40% of breaches featured phishing, around 22% involved hacking, and 11% involved malware.
  • Email is used to deliver 94% of malware.

Phishing Attack General Statistics 

As per the FBI’s Internet Crime Complaint Center (IC3), 800,944 reports of phishing were received in 2022, with losses exceeding $10.3 billion. This shows how detrimental phishing attacks have become to individuals and businesses. Having a good grasp of phishing attack statistics helps you identify and plan better to mitigate data breaches.

This section looks at general phishing attack statistics based on a number of factors, such as the cost of data breaches, frequency of occurrence, and pandemic-related increases.

  • Nearly 22% of all data breaches are a result of phishing scams, thus making it the most prevalent cybercrime in the FBI’s 2021 IC3 Report. Also, nearly 83% of companies were victims of phishing attacks in 2021. 
  • In 2018, it was estimated that by 2022 a phishing or ransomware attack would occur every 11 seconds.
  • 1.2% of all emails sent are reported malicious as per phishing email statistics, which translates to 3.4 billion phishing emails daily. One in every 4,200 emails sent is a phishing scam email.
  • Around 88% of organizations have been a victim of spear phishing attacks, as per statistics by Norton.
  • Spear phishing is the cause of 65% of cyber-attacks, as per a 2019 Threat Report by Symantec.
  • At an average of $4.91 million in breach costs, phishing attacks are the costliest threat, and at 16%, phishing was the second most common reason for data breaches. Compromised emails, with around 19,369 complaints, cost organizations $1.8 billion, proving to be one of the most expensive phishing attacks in history.
  • Most phishing emails have a blank subject, and 68% of the latest phishing emails are emerging scams. Gmail filters blocked out nearly 100 million phishing emails, wherein 68% belonged to a previously unknown scam. The subject line is left blank for nearly 67% of all phishing emails. However, when used, the most common ones are ‘business proposal request’ (6%) and ‘Fax delivery report’ (9%). 
  • The top attack vector for cybercrime is phishing, as per IBM, at 16%.
  • 93% of modern breaches involved phishing attacks, as per Cofense’s Q3 2021 phishing review.
  • Opening phishing emails increases the chances of malware by 30%.
  • Nearly 30% of phishing emails could lead to ransomware or malware by opening or downloading from malicious links.
  • The most frequently used words for phishing emails are important updates (8%), important (5.4%), attention (2.3%), and urgent (8%). 
  • The average amount requested in wire-transfer BEC attacks rose from $71,000 to $106,000 between 2020 and 2021. Diverting employee payroll deposits was the key objective for nearly 24% of all BEC phishing scams in 2021.
  • At around $4.6 million, 2021 was one of the costliest years in the last 17 years for data breaches through phishing attacks.
  • At around $4.6 million, phishing attacks were the second most expensive type of attack, as per IBM’s Cost of Data Breach Report for 2021.
  • During remote work, the average cost of a data breach went higher by $1 million.
  • The average cost of a data breach was $5.01 million for organizations that did not upgrade their IT to cope with the pandemic.

Percentage of Phishing Scams

Here are a few phishing scam statistics by percentage:

  • Phishing sites are 75% higher in presence as compared to malware sites. 
  • SSL certificates were used in 50% of phishing websites. 
  • 61% of subjects in a survey conducted could not differentiate between a fake and a real Amazon login page.
  • The most common reasons cited as motivations for phishing are 6% for financial gains and 10% for disruption of site services. 
  • The usage of stolen personal information obtained through brute-force or phishing attacks was responsible for 62% of attacks. 
  • 96% of threat actors used spear-phishing to gather intelligence.
  • HTTPS was used in 2020 by nearly 32 percent of phishing websites to portray an image of assured security.
  • According to AICPA (2018), 26% of Americans were targeted through phishing emails out of the 60% that have been exposed to fraud schemes.
  • Over 5.2 million guests’ personal information was compromised in the 2020 Marriott hack.
  • A hacker stole 20 GB worth of guest information from Marriott again in June 2022. 

Cost of Phishing Attacks 

Through the years, the cost of phishing attacks on organizations has increased significantly. The $100 million loss faced by Google and Facebook in 2017 is perhaps one of the most infamous examples. Other such figures include:

  • Statistics showed that in 2018, for each compromised record, the average cost per data breach was around $150. 
  • In 2020, IC3 received about 791,790 complaints, with a recorded loss that exceeded 4.1 billion dollars.
  • The difference in cost between largely compliant organizations and those that are non-compliant was close to $2.3 million. 
  • At $9.05 million in 2021, the USA has the highest rate of costly data breaches, according to IBM. 

Sectors Affected

As per figures from APWG, financial institutions were the online industry most targeted by phishing attacks. Different industries present different challenges in the cybersecurity landscape. Knowing industry-specific stats will help you identify risks particular to your sector. Here are some industry-specific phishing stats:

1. Technology

Technology-related businesses are expected to have an impeccable security system in place that guards against phishing and other scams. 

However, resource allocation varies widely in tech companies depending on their goals. Hence, it is the highest priority for tech companies to ensure that their staff and corporate data are protected.

Here are some phishing statistics for technology: 

  • Software supply chain security is considered weak by nearly 82% of CIOs.
  • In 2021, corporate networks globally saw 50% more cyber-attacks per week.
  • Between July 2019 and December 2021, global losses increased by 65%.
  • In 2021, businesses lost nearly 1.7 billion per minute.
  • Phishing attacks contribute to 80% of reported cyber crimes in the technology sector. 

2. Healthcare

Healthcare is one of the prime targets of phishing scams. In some scenarios, private patient information is very valuable, and its loss may lead to insurance fraud, identity theft, and more. 

Here are some healthcare phishing attack statistics: 

  • 90% of healthcare institutions in the previous few years have experienced at least one security breach. 
  • A 75% increase has been seen in phishing and other kinds of cyber attacks in 2021. 
  • Large hospitals are responsible for 30% of most data breaches with a record of exposing patients’ private health information. 

3. SMEs

Rather than targeting big, well-established companies that are likely to have high-end security facilities, scammers more often target small and medium-sized enterprises, as they prove to be much easier targets. These companies are appetizing targets because they have comparatively fewer security measures in place to thwart such attacks effectively.

A few phishing statistics for SMEs are: 

  • A cyber security plan is implemented by only 14% of SMEs. 
  • A 15% increase in cybercrime costs is expected in the next five years, thus totaling 10.5 trillion by 2025. 
  • 43% of cyber attacks are targeted at small businesses annually. 
  • SMEs lose an average of $25,000.

Besides phishing, other kinds of common cyber attacks on SMEs include making use of stolen devices and credential theft. 

4. Educational Sector

The educational sector serves as a prime target as it is a hub of personal data storage. From identification documents to passwords and addresses, nearly every educational institution stores them. Universities might also have intellectual property in addition to personal data. 

  • Cyber-attacks in educational institutions rose by 75%. 
  • Currently, the Educational Sector is affected by most malware scams, largely making them an at-risk sector. 
  • Educational institutions rank last in terms of security against such phishing scams. 

Types of Phishing Attacks

As per Verizon’s 2022 Data Breach Report, phishing scams account for nearly 36% of all data breaches. And 83% of all companies, according to a Proofpoint study, experienced a phishing attack in 2021.

Here are some common kinds of phishing attacks an organization could face: 

Email Phishing

  • The most common form of phishing
  • A deceptive email is sent from a seemingly legitimate source
  • The emails often ask for sensitive information, such as social security numbers, login credentials, or financial details

Spear Phishing

  • A more targeted kind of attack
  • The attacker creates personalized messages with prior research on an individual
  • As the sender appears more credible and informed, this can increase the likelihood of success

Whaling

  • Used to target high-profile individuals, such as senior executives or managers
  • The attacker often encourages the subject to transfer funds or share sensitive information by tailoring correspondence to people working below their target
  • This enables the attacker to gain further access to the system

Pharming

  • Users are redirected to fraudulent websites that mirror the actual website
  • Users enter personal information into the mirror website, which helps hackers gain further access

Prevention Strategies

Despite Google’s cyber security measures preventing 99.9% of phishing attempts, globally, 323,972 internet users fell victim to phishing attacks in 2021. This implies further steps need to be taken to ensure individual as well as organizational safety.

Here are some phishing attack prevention strategies:

Enable Multi-Factor Authentication

Drastically reduce cyber risks and avoid falling prey to phishing attacks by enabling two-factor or multi-factor authentication. Even if a phishing attempt is successful, the further authentication steps in place mean the data obtained is of little use on its own.

Cybersecurity Software

Detect and block phishing attempts by opting for experienced and well-established cyber security software, thereby keeping the company and its data secure. 

Employee Training

Giving organizations’ employees regular training on secure data handling practices, having a top-notch security system in place for their devices, tips to look out for in recognizing phishing emails, and other similar measures can drastically minimize the chances of being prey to a phishing scheme. 

Be Cautious Regarding Suspicious Emails

Always be cautious and ask yourself a few questions about emails you receive. When checking an email that looks suspicious, look for spelling mistakes, check the company details, watch for subject lines that demand immediate action, consider whether the sender is trustworthy, and check whether an email has previously been received from the same address.
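The checks above, combined with indicators cited earlier in this article (blank subject lines, urgency wording, impersonated brand domains), can be expressed as a small triage routine. This is an added example, not code from the original article; the function names, the `TRUSTED_DOMAINS` list, the `known_senders` set and the sample messages are constructed assumptions.

```python
"""Heuristic phishing triage for a raw email (illustrative, constructed data)."""
from email import message_from_string
from email.utils import parseaddr

# Urgency wording the article lists as frequent in phishing subjects.
URGENCY_TERMS = ("urgent", "important", "attention")
# Assumed allow-list: a few of the brands the article names as impersonated.
TRUSTED_DOMAINS = ("google.com", "amazon.com", "microsoft.com")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None."""
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None  # genuine domain or one of its subdomains
    for trusted in TRUSTED_DOMAINS:
        if 0 < edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def triage(raw: str, known_senders: set) -> list:
    """Return the list of warning signs found in one raw message."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    domain = addr.rpartition("@")[2]
    subject = (msg.get("Subject") or "").strip()
    findings = []
    if not subject:
        findings.append("blank-subject")
    elif any(term in subject.lower() for term in URGENCY_TERMS):
        findings.append("urgency-wording")
    if addr not in known_senders:
        findings.append("first-time-sender")
    brand = lookalike_of(domain)
    if brand:
        findings.append(f"lookalike-domain:{brand}")
    return findings


# Constructed sample messages and sender history.
KNOWN = {"alice@partner.example"}
SAMPLE_LOOKALIKE = "From: Billing <billing@amaz0n.com>\nSubject: Urgent: verify your account\n\nbody"
SAMPLE_BLANK = "From: noreply@unknown.example\nSubject:\n\nSee attachment"
SAMPLE_OK = "From: Alice <alice@partner.example>\nSubject: Meeting notes\n\nNotes attached"

if __name__ == "__main__":
    for sample in (SAMPLE_LOOKALIKE, SAMPLE_BLANK, SAMPLE_OK):
        print(triage(sample, KNOWN))
```

A non-empty result is a prompt to report or verify the message through another channel, not proof that it is malicious; an empty result is not proof that it is safe.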

Conclusion

It is important to know the figures and facts related to phishing and other scams. With the cybersecurity landscape constantly changing, it is imperative for organizations to have deep insights into their cybersecurity posture. Phishing campaigns, social engineering attacks, and credential phishing emails are some of the common phishing attacks that could lead to email compromise and pave the path to future security threats.

In the new normal (hybrid and remote work environments), visibility across the organization is paramount. To keep your users and the business secure, you need to continually discover, analyze, and mitigate risk across your digital attack surface.

Cybersecurity leaders should use SaaS-based platform security and compliance automation tools, like Sprinto, to gain comprehensive visibility and address any security gaps. These tools can help you move faster than your adversaries and safeguard business operations with key capabilities such as attack surface management, power purpose-built XDR, and zero-trust capabilities.

Learn more about cybersecurity trends and statistics with 100+ Cybersecurity Statistics you should know in 2024.


Ayush Saxena is a senior security and compliance writer. Ayush is fascinated by the world of hacking and cybersecurity. He specializes in curating the latest trends and emerging technologies in cybersecurity to provide relevant and actionable insights. You can find him hiking, travelling or listening to music in his free time.
