Phishing attacks grew rapidly during the Covid pandemic and are still high, with over a million unique attack URLs in one quarter of 2022. A VPN like ExpressVPN can alert you if you’re about to interact with a suspicious URL. You can try ExpressVPN for free with a 30-day money-back guarantee.
Phishing is an online scam that involves posing as a legitimate authority to extract personal information from unsuspecting marks. To defend yourself against this potentially life-altering grift, it helps to start with up-to-the-minute phishing statistics.
Phishing is one of the most insidious internet scams because no amount of firewalls or passive cybersecurity can defend against it. There’s no reason for hackers to battle layers of security and execute complex attacks when they can just trick someone into handing them the keys.
The threats from phishing attempts grow more diverse by the day. Some phishing attacks result in files and systems being held hostage by ransomware. Some rely on carefully built fake websites. There’s “spear phishing,” where the scammer uses information on the mark to make the phishing more believable, and “whaling,” which goes after high-value targets.
- Best to prevent phishing
However, you stay safe from this nautical menagerie of cybercrime by educating yourself. Use our phishing statistics article as a starting point for readying yourself against phishing attacks. Let’s get into it.
How common is phishing today?More phishing attacks occurred in the first quarter of 2022 than any other point in history. APWG counted over one million unique phishing URLs in three months.1
How often do people fall for a successful phishing attack?In a survey, 45% of corporate employees said they opened emails from cyber attackers despite considering them suspicious.9
How many phishing emails are sent each day?
15 Phishing Statistics You Need to Know
We’ve hand-picked the following phishing attack statistics to give you a clear picture of phishing in 2022.
Statistics: Frequency of Phishing Attacks
It can feel like a new large-scale cyberattack hits every other day, but is this overblown? How often do phishing attacks actually occur?
1. The first quarter of 2022 was the worst ever for phishing
Threat researchers already knew the COVID-19 pandemic had created a fertile environment for a phishing attack boom, but early phishing attack statistics from 2022 drive that point home.
The Anti-Phishing Working Group (APWG) — a sort of supergroup of cybersecurity experts working to present a unified front against the world’s phishing attempts — tracks three main indicators of the spread and severity of phishing attacks.
These include the number of phishing sites, the number of email subject lines used for phishing and the range of companies attacked. All three indicators were extremely high in the first quarter of 2022.1
2. Phishing scammers used over a million unique URLs in three months
Many successful phishing attacks involve diverting the victim to a web page that looks nearly identical to a legitimate site. The victim then gives their credentials to the scammer without knowing they’ve been duped. This causes a massive amount of high-profile data breaches.
In Q1 2022, APWG noted a total of 1,025,968 unique phishing URLs.1 To put that into perspective, the same report in Q1 2020 saw less than 100,000.
3. The most common phishing subject lines involved password security, COVID-19 and dress codes
Phishing emails rely on a scary subject line to create a sense of urgency that bypasses your BS detector. Phishing email subject lines are often tailored to basic information the attacker has on you (these targeted attacks are called spear-phishing emails).
APWG recorded 53,638 subject lines in Q1 of 2022.1 Some of the most common subjects that got past spam filters2:
- “Password Check Required Immediately”
- “Vacation Policy Update”
- “COVID-19 Remote Work Policy Update”
- “Important: Dress Code Changes”
- “You have been added to a team in Microsoft Teams”
4. Over 1,900 companies were targeted by phishing in Q1 2022
APWG also tracks how many brands are targeted by phishing attacks. Over 600 brands were attacked each month in Q1 2022 for a total of 1,902 different companies.1
So, yes, it’s bad out there. The cost of a data breach is often too high to calculate. Simply existing on the internet demands more diligence from the individual than ever before, but the attacks aren’t evenly distributed.
5. More phishing attacks targeted the financial industry than any other sector
APWG also compiled the phishing attack statistics on which industry sectors suffered the most phishing attacks. Not for the first time, the financial industry led the field, accounting for 23.6% of attacks.1 That holds true even when payment and cryptocurrency are broken out into their own categories.
Software-as-a-service was targeted second most, attracting 20.5%. Retail and e-commerce came in third (14.6%), followed by social media (12.5%), cryptocurrency (6.6%), payments (5.0%), and shipping and logistics (3.8%). All other industries made up the remaining 13.4%.1
6. Fraud against businesses is on the rise
A survey of 500 medium-sized businesses in the U.K. found that 39% saw fraud attempts increase in 2020, and that a total of 60% were targeted overall. Of the businesses surveyed, 22% felt the danger of fraud, particularly spear-phishing emails, had increased “significantly.”3
Many of the survey respondents believed shifting their staff to work-from-home exposed them to additional fraud. More on those particular phishing attack statistics later.
7. Phishing is a major headache for IT professionals
As you might imagine, this surge in phishing and related cybercrimes has put a lot of strain on IT staff members. In October 2021, 52% of surveyed IT professionals said they spent as much time handling phishing attacks as they did on all other security tasks. More than a third said their jobs now entailed nothing else.4
Why is phishing sucking up so much of IT’s time and energy? Each data breach, or potential data breach, is taking longer than ever to correct: 74% of survey respondents said they spent 30 minutes or more responding to each phishing attack, and 10% took longer than two hours.4
Statistics: Phishing Attack Vectors
The classic form of phishing is the fake email with a link to an equally fake website. But phishing emails aren’t the only form of phishing — it takes as many forms as actual fish do.
8. Phishing was the top cybercrime vector in 2021
Research by IBM security revealed that phishing was responsible for 41% of hacks in 2021, more than any other vector. Vulnerability exploitation, which formerly held the lead, took second place with 34%.5
Phishing dominates the cyber threat scene right now, and it’s still seeing rapid growth. A year before, in 2020, phishing accounted for only 33% of cyberattacks.5
9. Vishing attacks are 3x more effective than other phishing forms
There are several alternative kinds of phishing that use platforms other than email. The use of realistic-seeming fake text messages is called smishing (SMS phishing).
Then there’s vishing, or voice phishing, which adds a convincing voicemail to the mix — sometimes even simulating a trusted contact with the help of deepfake technology. IBM’s security force found that adding voice to a phishing campaign made it three times more likely to succeed (17.8% without voice, 53.2% with voice).5
Vishing likely owes its increased effectiveness to its novelty. It’s much harder to disbelieve a live voice than words on a screen. As more people become aware of voice phishing and deep fakes, this attack vector will hopefully lose some of its power.
10. Credential phishing is now much more common than malware
Cofense, another organization monitoring the phishing threat, investigated phishing emails reported by its network of 25 million users. The results demonstrated that phishing scammers are moving away from using bogus emails as trojan horses to get malware onto victims’ computers.
Cofense found that 57% of phishing emails reported by its users were examples of credential phishing — trying to lead marks to give their credentials to hackers, who could then use them to compromise a system.6
These emails often used spear-phishing attacks to research and ensnare people with privileged access. In contrast, only 12% delivered malware via malicious email attachments.6
11. Microsoft and Apple top the list of spoofed brands
We’ve talked a lot about how a phishing attack involves stolen trust. In the corporate world, this often means attackers impersonate co-workers or bosses whose credentials they’ve taken. But phisher-folk also target members of the public by posing as companies you probably do business with.
According to IBM, scammers most often choose to impersonate familiar tech companies or big banks. In 2021, these five brands were the most likely to be spoofed by a phishing email5:
- BMO Harris Banking
Using well-known brands helps the phisher capture that all-important sense of urgency. If they’re pretending to be from Microsoft, and you have a Microsoft account, your likelihood of clicking that email goes way up.
12. Many phishing lures exploit current events
Whenever I encounter the notion that cybercriminals are somehow today’s Robin Hood figures, I try to push back. Case in point: any highly publicized catastrophe inevitably becomes a subject for a new phishing attack.
A malware campaign beginning in August 2021 (and still going as of March 2022) has planted viruses on victims’ computers by appealing to their confusion about COVID travel restrictions, along with topics as specific as regional aid in Greece and new EU regulations.7
The war in Ukraine is another popular phishing attack subject. Some of the world’s worst people don’t even bother with anything as sophisticated as phishing — they just ask you to send money to a fake charity.8
Never forget that there are many ways for phishing attacks to instill a false sense of urgency. Pretending to be a well-known company is one, but appealing to your best instincts is another. Be kind, but don’t let scammers manipulate you for it!
13. LinkedIn is the most common social media phishing site
Finally, what about social media phishing? Social sites with messaging features — which is most of them — are also vectors for successful phishing attacks. Facebook, Twitter and Instagram aren’t immune, but the most popular site might not be your first guess.
According to KnowBe4, a full 47% of phishing messages on social media are sent via LinkedIn.2 The rate of these attacks ballooned in 2020 and 2021 as tens of millions of people suddenly found themselves in precarious working situations. Most of the phishing attacks in recent years have been work-related, so LinkedIn is a natural choice.
Statistics: Why People Fall for Phishing Attacks
Of course, we all think we’d never fall for a phishing attack. Just like we think we’d never get that bug that’s going around, or lose all our savings investing in a school that teaches mixed martial arts to chimpanzees.
There’s no reason to feel ashamed if you fall for a phishing scam. Cybercriminals are really good at getting you to click. If they ever went straight, they’d all be hired by ad agencies in a heartbeat. In this section, we’ve collected a few statistics on why phishing remains so effective.
14. Almost half of employees open suspicious emails
Research by security firm Mimecast reached the disturbing conclusion that training employees isn’t always enough to prevent data breaches. Mimecast surveyed about 1,000 people who use work-issued devices for their jobs: 96% claimed to know what phishing was, and 64% said they had received at least some security training.9
Despite that, 45% of respondents said they opened emails they found suspicious.9 The results prove that simply training your employees in operational security isn’t enough — you have to build an environment that makes them more comfortable reporting suspicious emails than opening them because they “might be important.”
15. Almost half of social media attacks involve impersonating executives
Phishing attacks are increasingly likely to use social media as a vector. According to APWG, one key driver of this trend is scammers impersonating corporate executives by taking over their social media accounts. The rate of impersonation attacks shot up from 27% in Q4 2021 to 47% in Q1 2022.1
Stealing executive credentials is known as “whaling” — when the phishing attack seeks to compromise one extremely valuable target. An executive social account definitely qualifies. A creative scammer can do a lot with a stolen social media password, from simple pranks to serious fraud.
Fake executive announcements can tank a company’s stock prices with fraudulent announcements or gain access to large swaths of the company’s employees and/or customers in mass data breaches. The executive is a trustworthy, verified voice, making impersonation into a social engineering attack writ large.
Conclusion: Phishing Statistics
Phishing is a frightening phenomenon, especially given the cost of a data breach to individuals and businesses. But it doesn’t have to scare you off the internet. The vast majority of data breaches and phishing attempts can be prevented by common sense.
Learn to trust your instincts and recognize common phishing scams and you’ll be safe from most of what’s out there. Don’t rely on your spam filters to do the work for you. Sound off in the comments with your favorite tips on catching and avoiding phishing scams. As always, thanks for reading!
- APWG Trends Report 2022
- Q4 2020: KnowBe4 Finds Work From Home-Related Phishing Email Attacks on the Rise
- Has COVID-19 made your business more vulnerable to corporate fraud?
- IRONSCALES Releases Findings from State of Cybersecurity Survey
- X-Force Threat Intelligence Index 2022
- Cofense Annual Report 2021
- Mustang Panda’s Hodur: Old tricks, new Korplug variant
- Beware of charity scams exploiting war in Ukraine
- Mimecast Research: Half of Workers Admit to Opening Emails They Considered Suspicious
- More Than 3 Billion Fake Emails Are Sent Worldwide Every Day, Valimail Report Finds