Phishing Statistics for 2024: Latest Figures and Trends
The Latest Phishing Stats to Know in 2024
Phishing statistics highlight that this type of attack is one of the most common and dangerous cyber threats facing organizations and individuals today. Phishing involves attackers using social engineering techniques to trick victims into disclosing sensitive information or installing malware. Successful phishing attacks can lead to data breaches, financial fraud, and ransomware infections.
With more business and personal activities moving online during the pandemic, phishing threats have also increased dramatically. Attackers exploit COVID-19 fears, work-from-home policies, and digital transformations to launch phishing scams. As phishing attacks become more advanced, organizations must educate employees, enhance email security, and leverage the latest AI cybersecurity tools.
Key Phishing Attack Trends
- Phishing is the most common form of cybercrime, with an estimated 3.4 billion phishing emails sent daily by cybercriminals. This amounts to over 1 trillion phishing emails per year.
- Email impersonation accounts for approximately 1.2% of all global email traffic.
- 36% of all data breaches involve a phishing element.
- 84% of organizations were targeted by at least one phishing attempt in 2022, a 15% increase from the previous year.
- The Anti-Phishing Working Group (APWG) observed 1,350,037 total phishing attacks in Q4 2022, up from 1,270,833 in Q3.
- In total, APWG logged around 4.7 million phishing attacks in 2022. Phishing attacks have increased by over 150% year-over-year since 2019.
Top Phishing Attack Statistics
- GreatHorn reports that 57% of organizations face phishing attempts on a weekly or daily basis.
- Approximately 1.2% of all emails sent are malicious, amounting to around 3.4 billion phishing emails per day globally.
- Human factors, including social engineering, mistakes, and misuse, played a role in 74% of breaches, according to industry data.
- IBM cites phishing as the leading initial attack vector, responsible for 41% of security incidents.
- More than 80% of reported security incidents are attributed to phishing, according to CSO Online.
- CSO Online also estimates that phishing attacks result in $17,700 in losses every minute.
Causes of Phishing Attacks
According to the 2023 Verizon Data Breach Investigations Report (DBIR):
- Negligence is the leading cause of data breaches and the most prevalent type of error, accounting for 98% of cases.
- Stolen credentials were involved in 86% of data breaches.
- Misdelivery, where information is sent to the wrong recipient, contributed to 43% of errors leading to data breaches.
- Social engineering tactics were used in 17% of data breaches and 10% of security incidents.
- In the 7% of cases that reported a financial loss, the average loss was $26,000, more than double the $11,500 average loss reported by the FBI in 2021.
- Ransomware was a factor in 24% of data breaches.
- The motivation behind 95% of data breaches was financial gain.
- The human element played a role in 74% of data breaches.
Phishing Attacks Growth Year-by-Year
| Year | Number of Attacks Observed |
|------|----------------------------|
| 2019 | 779,200 |
| 2020 | 1,845,814 |
| 2021 | 2,847,773 |
| 2022 | 4,744,699 |
Phishing Attack Frequency
- 91% of cybersecurity breaches start with a phishing email, according to a 2022 report by Tessian. Phishing is the initial intrusion point for most cyber attacks.
- Verizon’s 2022 Data Breach Investigations Report found 36% of breaches involved phishing. Social attacks were used in 82% of breaches analyzed.
- Phishing sites increased from 110,554 in October 2019 to 1,186,312 sites in December 2020, according to an F5 Labs report. This is an all-time high.
- There were 1,023,579 unique phishing sites detected in September 2024, an 11% increase from September 2023, per Check Point Research.
- 4 billion phishing emails are sent globally per day on average. This estimate is based on a February 2024 Tessian report, which found that 1.2% of global email traffic contains phishing threats.
- An estimated 1 in every 412 emails is a phishing attempt. Barracuda Networks arrived at this statistic after analyzing over 500 million emails.
Industries Most Targeted by Phishing
| Industry | % of Attacks |
|----------|--------------|
| Financial Institutions | 27.7% |
| Software-as-a-Service | 17.7% |
| Social media | 10.4% |
| Logistics/Shipping | 9.0% |
| Payment Services | 6.0% |
| eCommerce/Retail | 5.6% |
| Telecom | 3.1% |
| Cryptocurrency | 2.3% |
| Other | 18.2% |
Phishing Targets and Methods
- 88% of organizations worldwide experienced attempted phishing attacks in 2021, according to Proofpoint’s State of the Phish report.
- According to Check Point Research, the most impersonated brands used in phishing are Microsoft (17%), DHL (9%), Google (6%), Roblox (6%), and LinkedIn (5%).
- The top malicious file types used in phishing emails are Microsoft Office docs (52%), compressed files (29%), executables (12%), and PDFs (7%), per Cofense.
- Business email compromise (BEC) attacks resulted in $1.8 billion in losses in 2020, according to the FBI. These scams target employees to transfer funds to criminals.
- The median number of users compromised per week in 2021 phishing simulations was 15, an increase from 9 in 2020, according to Terranova Security.
- According to F5 Labs, 68% of phishing websites use compromised brand names or typosquatting domains containing brand names. This tricks users into trusting sites that impersonate legitimate brands.
Phishing Impact and Costs
Phishing is hugely damaging for victim organizations:
- The global cost of phishing could reach $250 billion in 2024, up from $147 billion in 2021, based on projections by Atlas VPN.
- For organizations, the average cost of a phishing attack is $4.6 million per incident, according to IBM’s 2022 Cost of a Data Breach Report.
- Businesses lost on average $200,000 from phishing attacks targeting employees in 2021, up from $164,000 in 2020, per Proofpoint.
- Ransomware attacks, often enabled by phishing, cost organizations $4.54 million on average to recover from, per Sophos.
- Small businesses lose on average $200,000 as a result of successful phishing attacks, according to Zix. Larger enterprises can lose millions of dollars.
- Individual victims reported $245 million in losses from phishing attacks in 2021 in the U.S., as tracked by the FBI’s IC3 report.
- In the U.K., phishing scams cost individuals £15.3 million in losses between August 2021 and March 2022, per UK Finance. This was a 24% increase from the prior period.
COVID-19 Phishing Trends
- Phishing attacks with COVID-19 themes increased by 667% in the first quarter of 2020 as the pandemic spread, per Cofense.
- 36% of organizations surveyed by BlackFog saw an increase in business email compromise (BEC) attacks tied to COVID-19 relief funding.
- COVID-19 vaccine-related phishing attacks increased by 110% from December 2020 to January 2021 globally, according to Check Point Research.
- Zix found that 35% of remote workers clicked on COVID-19 phishing emails, highlighting risks from employees working at home.
- Over 450 COVID-19 financial assistance scams were reported to government agencies, per the Federal Trade Commission. Scammers impersonated agencies providing pandemic relief funds.
Defense Strategies and Tools
- Using a phishing simulator to test employees resulted in a 76% decrease in clicks on real phishing emails, per a 2022 Meta study. Simulations help improve phishing awareness.
- Organizations that conduct regular phishing training see 46 times fewer malware infections on average than those who do not, according to Proofpoint.
- Implementing DMARC email authentication led to a 96% reduction in successful spoofing of an organization’s domain in phishing emails, per Valimail. DMARC helps block fakes.
- Using AI and machine learning helps cybersecurity teams detect 95% of phishing threats, protecting employees from malicious links and attachments, per Barracuda Networks.
- Deploying multi-factor authentication (MFA) blocks over 99% of account compromise attacks that result from phishing, as reported by Microsoft. MFA adds critical login protection.
People Also Ask About Phishing
What type of phishing attack targets specific users or groups?
Spear phishing targets specific individuals or groups with emails that appear highly customized and relevant to them. Spear phishing represented 31% of attacks in 2021, per Proofpoint.
How many phishing attacks in 2022?
The number of global phishing attacks detected in 2022 reached 1.12 million on average per month, a 22% increase from 2021, according to PhishLabs. This reflects an upward trend in phishing volume.
What percentage of emails are phishing scams?
About 1.2% of global email traffic contains phishing threats, equal to around 3.4 billion phishing emails sent per day, according to Tessian’s analysis of mail volumes.
What is the most common phishing email subject line?
“Payment invoice”, “Update your invoice”, and “Outstanding payment” are among the most common phishing email subject lines aimed at getting users to disclose financial account details, per Cofense research.
How much does phishing cost businesses?
The average cost of a phishing attack is $4.6 million for enterprises, according to IBM’s 2022 report. Small businesses lose around $200,000 on average per phishing attack. Overall losses to phishing range in the billions of dollars annually.
What is the #1 cyber attack?
Phishing is the number one initial attack vector used in cybersecurity breaches, with 91% of successful data breaches starting with a phishing email, according to a 2022 report by Tessian. Ransomware, malware, and BEC scams often stem from phishing.
How do you detect phishing emails?
Key ways to detect phishing include looking for spelling errors, assessing the sender’s address for authenticity, hovering over hyperlinked text to inspect the URLs, and scrutinizing any requests for sensitive information or urgent action. AI tools that analyze millions of data points can also accurately detect phishing emails and impostor domains.
What is the best way to prevent phishing?
A multi-layered defense is the most effective approach to prevent phishing, including security awareness training for employees, advanced email security tools, website authentication measures, and vigilant IT teams. Enforcing strong passwords, enabling multi-factor authentication, and encouraging reporting of suspicious emails also significantly help thwart phishing attacks.
How do you stop a phishing attack?
Immediately report any suspected phishing emails to IT security teams before responding or clicking. Do not enter login credentials or sensitive info, and do not open attachments. IT can block the sender, take down phishing sites, and strengthen email filters. Employees should also flag the email as phishing in their inbox to train AI defenses.
What makes you susceptible to phishing?
Stress, distraction, uncertainty, lack of cybersecurity awareness, and a rushed pace all contribute to human susceptibility to phishing. Attackers exploit natural cognitive biases people have, like obeying authority figures and fearing loss. Effective security training builds critical thinking to counter these psychological triggers behind successful phishing.
How often do phishing tests occur?
According to Terranova Security, 66% of organizations perform phishing simulations and security awareness training for employees either monthly or quarterly. 13% conduct tests weekly. Only 7% do annual phishing tests. More frequent tests lead to higher user resilience against phishing over time.
How do you identify and report a phishing email?
Carefully check the sender’s email address, inspect hyperlinks by hovering over them, watch for poor spelling/grammar, and look for urgent requests or threats. Report phishing via your email provider’s “report spam” function, by forwarding to your IT/security team, or through plug-ins. Delete the email after reporting.
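The manual checks described in the two answers above (sender address, hovering over links to compare the visible text with the real target, urgency wording) and the brand-name typosquatting noted earlier under Phishing Targets and Methods can be automated for triage of reported emails. The following added example (not code from the original article or any vendor named on it) applies those checks to a raw `.eml` message using only the Python standard library. The brand table, domains, IP address and both sample messages are constructed for illustration; the `registrable()` helper is deliberately crude and a real deployment would use the public suffix list.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Constructed sample: the display name and link text claim to be the bank,
# while the headers and the real link target point elsewhere.
SUSPICIOUS_EML = b"""From: "Example Bank Security" <alerts@example-bank-login.test>
Reply-To: recovery@mail-relay.test
To: user@example.com
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>We detected unusual activity. Verify your account immediately.</p>
<p><a href="http://203.0.113.10/verify">https://www.example-bank.test/login</a></p></body></html>
"""

# Constructed benign message from the (assumed) legitimate brand domain.
BENIGN_EML = b"""From: "Example Bank" <alerts@example-bank.test>
To: user@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.example-bank.test/statements">View statement</a></p></body></html>
"""

BRANDS = {"example-bank": "example-bank.test"}  # assumed brand -> legitimate domain
URGENCY = re.compile(r"\b(urgent|immediately|suspended|within 24 hours|verify your account)\b", re.I)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude registrable-domain view (last two labels); use the public suffix list in production."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url: str) -> str:
    """Hostname of a URL, tolerating link text like 'www.example.test/path' with no scheme."""
    return urlparse(url if "://" in url else "http://" + url).hostname or ""


def brand_lookalike(host: str) -> Optional[str]:
    """Brand whose name is embedded in the host although the host is not the brand's real domain."""
    for brand, legit in BRANDS.items():
        if brand in host.lower() and registrable(host) != legit:
            return brand
    return None


def analyze(raw: bytes) -> list:
    """Return human-readable red flags for one raw message; an empty list means none were found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    sender = msg["From"].addresses[0]
    brand = brand_lookalike(sender.domain)
    if brand:
        findings.append(f"sender domain {sender.domain} embeds brand '{brand}' but is not {BRANDS[brand]}")
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses[0].domain.lower() != sender.domain.lower():
        findings.append(f"Reply-To domain {reply_to.addresses[0].domain} differs from From domain {sender.domain}")
    if URGENCY.search(msg["Subject"] or ""):
        findings.append("urgency language in subject")
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    if URGENCY.search(body):
        findings.append("urgency language in body")
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        if not href:
            continue
        href_host = host_of(href)
        if IPV4.fullmatch(href_host):
            findings.append(f"link points at a raw IP address: {href_host}")
        if "." in text and " " not in text:  # visible text that itself looks like a URL
            text_host = host_of(text)
            if text_host and registrable(text_host) != registrable(href_host):
                findings.append(f"link text shows {text_host} but href goes to {href_host}")
        lookalike = brand_lookalike(href_host)
        if lookalike:
            findings.append(f"link host {href_host} embeds brand '{lookalike}'")
    return findings
```

Calling `analyze(SUSPICIOUS_EML)` yields six findings (look-alike sender domain, mismatched Reply-To, urgency in subject and body, a raw-IP link, and link text that does not match its target), while `analyze(BENIGN_EML)` yields none; the same checks are what a reader performs by hand when hovering over a link or reading the sender address, so a reported message can be scored before a human looks at it.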
What percentage of emails is spam?
On average, spam constitutes around 55% of all global email traffic, according to estimates by security firms F-Secure and Symantec based on observed traffic volumes. The vast majority of spam is phishing attempts, advertising/marketing, or malware distribution. Less than 5% of incoming emails are legitimate for most inboxes.
How do you communicate with employees about phishing?
Create anti-phishing awareness campaigns via email newsletters, intranet notifications, training events, and posters. Send simulated phishing tests and inform employees afterwards. Build a workplace culture focused on secure email habits through ongoing education, not just punitive warnings. Encourage phishing reporting.
How do you recover from a successful phishing attack?
If users fall victim to phishing, initiate incident response plans. Contain the attack by resetting passwords, disabling accounts, and blocking suspicious IP addresses. Analyze root causes for vulnerabilities. Restore affected systems from clean backups. Learn from post-mortems to boost defenses against future phishing.