Phishing attacks remain one of the most popular and common social engineering attacks. But their popularity isn’t doing anything to stop them.
Digging into the data reveals the most affected industries, what demographic’s at risk, where the most phishing attacks happen, and other relevant insights.
Top 8 Phishing Statistics (Editor’s Pick)
- Mobile phone-based phishing attacks increased by 50% in 2022.
- Social media brands are the most impersonated in phishing attacks in Q1 2022.
- There were over 1 million phishing attempts in Q1 2022.
- Almost 70% of phishing emails have no subject line (2022 Study).
- 74% of companies in the United States suffered a successful phishing attack in 2022.
- 18–40-year-olds are most likely to fall victim to a phishing attack.
- Businesses lost an average of $4.91 million on phishing attacks in 2022.
- Google and Facebook lost $100 million to a single phishing attack in 2 years.
Infographic
Phishing Statistics and Facts by Types
1. Loaders account for over 50% of phishing attacks.
Credential phishing used to be the most significant source of phishing attacks in 2019 but is slowly being replaced by malware downloaders in 2022. The trend is expected to keep rising.
2. Windows “.exe” files made up 66% of phishing email attachments in 2021.
This is followed by script files (21%), office documents (4%), and PDF documents (4%).
3. Mobile phone-based phishing attacks increased by 50% in 2022.
Scams and credential theft make up the highest percentage of the applied payloads as hackers go after an increasingly mobile population.
4. Stolen or compromised credentials made up 19% of phishing attempts in 2022.
This is a 1% drop from 2021, showing that phishing attackers might be exploring other avenues.
5. 35% of those who clicked on a phishing link in 2022 expected some financial gain.
Another 30% of this study’s UK respondents claimed they were paying a bill.
Phishing Statistics and Facts by Industry
6. In 2022, 60% of organizations lost data in any phishing attack.
Over half (52%) of these organizations were affected by compromised accounts and credentials. Less than half (47%) were also infected with ransomware, while 18% incurred financial losses.
7. As of 2021, financial services are targeted 60% more than any other sector.
Higher Education is the next highly targeted sector for phishing attacks, but it’s 2x less targeted than the financial sector.
8. Social media brands are the most impersonated in phishing attacks in Q1 2022.
LinkedIn accounted for over 50% of brand impersonations in phishing attempts. WhatsApp was also in the top ten, accounting for 4% of brand impersonations, giving social media companies the unwanted lead. In Q1 2021, phishing emails impersonating LinkedIn accounted for 42% of such clicked emails.
9. Shipping companies accounted for the joint-second leading impersonated companies in Q1 2022.
DHL (impersonated 14% of the time), FedEx (6% of the time), and Maersk (1%) are suffering from the boom of the shipping industry as they’re now the second kind of companies impersonated by phishing threat actors.
Phishing Statistics and Facts by Frequency
10. 80% of 1400 organizations believe they would suffer an email-based phishing attempt.
79% of organizations noted an increase in the frequency of phishing-related emails they receive. Likewise, a third (33%) reported getting more phishing emails in 2022 than in previous years. Thus, a higher chance of falling victim.
11. Phishing texts increased by 28% between February – March 2022.
Looking at the year-on-year data, phishing texts also increased by a whopping 1024% between April 2021 and March 2022.
12. There were over 1 million phishing attempts in Q1 2022.
There were 1,025,968 phishing attacks in the first quarter of 2022. Most of these hacks (34.7%) were delivered via webmail and SaaS tools.
13. 1 in every 99 emails sent in 2021 was a phishing attempt.
That represents just under a 1% attack rate. However, other experts put the attack frequency at 1.2%. Still, this accounts for over 3 billion fake and possible phishing emails sent daily!
Social Media Phishing Statistics
14. As of May 2021, WhatsApp accounts for almost 85% of phishing attacks via messaging apps.
Telegram comes second with 5.7, and Viber (4.9%) is in third place.
Email Phishing Statistics
15. Secure Email gateways are also prone to phishing attacks.
Q1 2022 data shows that 35% of malicious .pdf files and 30% of phishing-related .html extensions will reach secure email gateway users.
16. Almost 70% of phishing emails have no subject line (2022 Study).
Of those with subject lines, 9% use “Fax Delivery Report,” 6% use “Business Proposal Request,” and 4% use “Request.”
17. Email accounts for 96% of phishing attack delivery models.
A 2022 study found that only 3% of attacks are done directly via malicious websites. In comparison, a meager 1% are carried out via phone messages (smishing) and calls (vishing).
18. In 2021, 76% of phishing emails did not contain an attachment.
Internet users are becoming sensitive to attachments in emails as a form of phishing. Thus, phishing attacks are getting more sophisticated to not need an attachment payload.
Website Phishing Statistics
19. 897 Amazon spam websites were live during the retailer’s 2022 Prime Day.
Amazon also had 1,600+ websites impersonating it during a 90-day coverage period, making it the most impersonated retail brand for phishing. Worse still, 61% of a study’s subjects couldn’t tell a fake Amazon login page from a real one.
20. The “.com” domains accounted for over 50% of phishing scam links in 2022.
The “.net” domain is the second most common, only accounting for 8.9% of all phishing scam domain websites.
21. Phishing sites are nearly 75% more rampant than malware sites.
More than 50% of phishing sites also use SSL certificates, making them appear more trustworthy to spam filters and users. This number was just under 32% in 2020.
Phishing Statistics and Facts by Demographic
22. Phishing attacks behave differently based on IP address.
Phishing attack payloads may act benign or malicious depending on the IP address where they are opened. Hackers can configure such payload to attack users on an IP range or certain geo-locations.
23. 74% of companies in the United States suffered a successful phishing attack in 2022.
In contrast, 66% of UK companies were successfully breached, while 60% of Australian companies fell to phishing scammers. The numbers drop for Japan (56%), Spain (51%), and Germany (47%).
24. In 2022, 69% of UK respondents were more aware of phishing than any other country.
The US is far off, with 52% of respondents demonstrating knowledge of phishing. The numbers are better for Australia/Japan (66%), Germany (64%), and France/Spain (63%).
25. In 2021, Russia accounted for over 24% of spam emails believed to be phishing emails.
The closest region is Germany, accounting for almost half of Russia’s tally at 14.12%. The USA accounts for 10.46% of such spam emails, while a smaller 8.73% are sent from China.
26. 18–40-year-olds are most likely to fall victim to a phishing attack.
Millennials and Gen Z are 23% more likely to suffer a phishing attack. In contrast, only 19% of Gen X internet users risk falling victim to phishing scams.
27. Australians reported 11,000+ BEC scams in H1 2022 alone.
In the same period, there were total losses of $12.3 million from these claims. The reported amount lost to phishing scams in Australia at the end of 2022 amounted to $24.6 million.
28. 83% of organizations experienced phishing attacks in some form in 2021.
Still, about six billion more attacks than in 2021 were expected to occur in 2022.
29. Over 6% of UK dwellers have clicked a phishing link in the past 12 months.
6.42% of UK residents clicked a phishing link in the previous 12 months of 2021. But it’s worse in Brazil (12.39%), France (12.21%), and Portugal (11.4%).
30. Individuals over 65 years are the most targeted for phishing attempts in Australia.
Over 17,200 seniors above 65 years old reported phishing scams in Australia in 2022 alone. Hackers also made away with more than $9.2 million as proceeds of such crimes from the older demographic in Australia.
31. 8.2% of Kaspersky users in different countries and regions experienced a phishing attack in 2021.
Fortunately, the online security and privacy service blocked over 253.3 million phishing links its users encountered in that period.
32. The majority of cyber-attacked UK businesses reported phishing.
Only 39% of UK businesses reported a cyber-attack in 2022. Of these, 83% were carried out via phishing attempts. Likewise, charities reported 87% of the attacks they faced in the reporting time frame were also phishing.
Phishing Statistics and Facts by Financial Impact
33. Businesses lost an average of $4.91 million on phishing attacks in 2022.
That accounts for 16% of data breach costs, coming only second to stolen or compromised credentials (19%). The cost breakdown includes loss of productivity, intellectual property losses, damaged reputation, and direct monetary losses, among others.
34. Google and Facebook lost $100 million to a single phishing attack in 2 years.
The two massive US companies later sued the perpetrator in the US. Still, they reclaimed less than half ($$49.7 million) of the lost amount.
35. Sony lost over $100 million to hackers in a 2014 phishing scam.
The email-perpetrated phishing scam saw Sony lose unreleased files, user data, and financial records that amounted to $100 million in damage.
36. Financial gains aren’t the top focus for phishing attacks.
Surprisingly, 10% of phishing attacks are directed toward engineering service disruptions, while 6% are solely motivated by financial gains. Likewise, 96% of threat actors infiltrate organizations to collect intelligence with spear-phishing rather than to seek monetary gains.
Don’t Get Hooked!
Phishing attempts can be challenging to decipher, but they’re possible to catch. Whether you’re an individual or an organization, now is the time to invest in quality phishing attack training and detection exercises.
While at it, you can follow this guide to anti-fraud tips for at-risk seniors and grab a VPN with Threat Protection to scan sites you visit for malware/possible phishing.
- https://get.cofense.com/2022-Q1-Phishing-Intelligence-Trends-Review-Global-Q122
- https://atlasvpn.com/blog/study-almost-70-of-email-scammers-leave-the-subject-line-empty
- https://atlasvpn.com/blog/amazon-related-phishing-sites-approach-900-on-amazon-prime-day
- https://www.verizon.com/business/en-gb/resources/reports/dbir/
- https://www.tessian.com/blog/phishing-statistics-2020/
- https://www.ibm.com/uk-en/reports/data-breach
- https://umbrella.cisco.com/info/2021-cyber-security-threat-trends-phishing-crypto-top-the-list
- https://www.proofpoint.com/uk/resources/threat-reports/state-of-phish
- https://blog.checkpoint.com/2022/04/19/social-networks-most-likely-to-be-imitated-by-criminal-groups-with-linkedin-now-accounting-for-half-of-all-phishing-attempts-worldwide/
- https://www.cnbc.com/2019/03/27/phishing-email-scam-stole-100-million-from-facebook-and-google.html
- https://www.computerworld.com/article/2913805/sony-hackers-targeted-employees-with-fake-apple-id-emails.html
- https://aag-it.com/the-latest-phishing-statistics/
- https://clario.co/blog/phishing-statistics/
- https://www.slashnext.com/the-state-of-phishing-2022/
- https://www.scamwatch.gov.au/scam-statistics?scamid=31&date=2022
- https://get.eftsure.com.au/statistics/phishing-statistics-2022/
- https://newsroom.ibm.com/2022-07-27-IBM-Report-Consumers-Pay-the-Price-as-Data-Breach-Costs-Reach-All-Time-High
- https://docs.apwg.org/reports/apwg_trends_report_q1_2022.pdf
- https://truelist.co/blog/phishing-statistics/
- https://www.theportugalnews.com/news/2022-05-04/one-in-99-emails-is-phishing/66795
- https://etactics.com/blog/phishing-statistics
- https://www.getastra.com/blog/security-audit/phishing-attack-statistics/
- https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022#chapter-5-incidence-and-impact-of-breaches-or-attacks
- https://securelist.com/spam-and-phishing-in-2021/105713/
- https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/articles/phishingattackswhoismostatrisk/2022-09-26