37+ Chillingly Scary Phishing Statistics – An Ever-Growing Threat

Updated · May 20, 2023

If you’re in the hosting industry, you’re probably keeping a vigilant eye on the latest cybersecurity trends.

At Web Tribunal, we’re doing the same, and we’ve recently explored the threats of DDoS attacks and data breaches.

Today, we’re going to have a look at phishing attacks.

But what exactly are they?

Phishing is a malicious attempt to obtain sensitive personal information – such as usernames, passwords, and credit card details. Hackers usually pretend to be respectable people or organizations in electronic communication.

It’s incredibly common and damaging to users and businesses, as you’ll see when you’ve studied the following:

Outrageous Phishing Statistics (Editor's Choice)

These impressive stats should give you an idea of just how widespread phishing is and how much companies stand to lose from successful phishing attacks.

  • Phishing is the leading cause of data breaches, accounting for a whopping 90% of them. (Source: Retruster)
  • Nearly 1.5 million phishing sites are created each month. (Source: Dashlane blog)
  • 76% of businesses reported being a victim of a phishing attack in 2018. (Source: Proofpoint)
  • 92% of malware is delivered via email. (Source: Alert Logic)
  • In 2017, the average user received 16 phishing emails per month. (Source: Alert Logic)
  • 95% of attacks on business networks are the result of successful spear phishing. (Source: ExplainHowNow)
  • The average cost of a phishing attack to a mid-sized company is $1.6 million. (Source: Dashlane blog)
  • Organizations are at risk from 100,000 phishing sites and 10,000 dangerous files daily. (Source: Graphus)

Phishing is on the rise, and hackers now target the vast majority of businesses, regardless of size. What’s more, average users are not spared either, receiving a growing amount of spam mail each week.

How Big Is Phishing in 2022?

It is big. Sadly, it is growing even bigger if historical data is any indicator for the imminent future.

Not all spam consists of phishing emails, but it’s safe to assume a spam message might be a phishing attempt. And there are tons of it, cluttering inboxes far and wide, as these phishing stats clearly show.

  • Spam was 48.03% of all emails sent in June 2021. (Source: Kaspersky Lab)
  • About 14.5 billion spam emails are sent every day. (Source: Propeller)
  • Spam costs businesses a mind-blowing $20.5 billion every year. (Source: Propeller)
  • Spain was the most targeted country by malicious mailshots in Q2 2021, with 9.28% of the total. (Source: Kaspersky Lab)
  • In January 2017, a Gmail phishing scam targeted nearly 1 billion users worldwide. (Source: Dashlane blog)
  • In Q3 2020, the anti-phishing system prevented more than 103 million redirects to phishing sites – about 30 million fewer than two years ago. (Source: Kaspersky Lab)
  • In 2017, spear-phishing emails were the most widely used infection method employed by 71% of hacker groups that carried out cyber attacks. (Source: Varonis)
  • In Q1 of 2019, 21.7% of all phishing attempts Kaspersky Lab tracked were aimed at Brazilian users. (Source: Kaspersky Lab)

Nearly half of all emails are spam, and a lot of them are malicious. Hackers have perfected targeting specific, usually high-profile individuals with customized and increasingly more sophisticated phishing attacks.

Consequently, more and more companies are relying on anti-phishing software, as phishing statistics for 2022 demonstrate.

How Frequent Is Phishing?

While it’s impossible to ascertain how many phishing emails are sent each day, we know most people receive spam mail on a more or less daily basis.

Quite a bit of it comes from hackers.

  • Phishing attempts grew by 161% between 2020 and 2021. (Source: Security Magazine)
  • 30% of phishing messages are opened by targeted users, and 12% of those users click on the malicious attachment or link. (Source: Dashlane blog)
  • The most effective phishing campaigns target Dropbox, with a 13.6% click rate. (Source: Propeller)
  • At least one person has clicked on a phishing link in 86% of organizations. (Source: Cisco)

Phishing stats and facts tell us the first known phishing technique appeared in a paper delivered to the 1987 International HP Users Group. Given how long phishing has been around, it’s surprising users still open nearly a third of phishing messages. Dropbox users are particularly vulnerable.

Let’s look at some of the most recent phishing stats, which highlight its impressive growth.

  • In 2018, phishing and fraud intensified in October, November, and December, with incidents jumping over 50% from the annual average. (Source: F5)
  • An F5 Labs report from 2018 found phishing to be the root cause of 48% of breach cases. (Source: F5)
  • Stripe, a popular payment processor, witnessed a 1267% growth in phishing targeting in September-October 2018, making it the top target. (Source: F5)
  • AppRiver identified over 1 million Business Email Compromise messages in the first six months of 2018. (Source: HOXHUNT)

Phishing attacks in 2018 were a leading cause of data breaches. Payment processors are among the most targeted businesses.

Why tho, you might be wondering?

They simply give attackers the best ROI for their time and effort. A successful cyber attack on a payment processor can provide hackers with sensitive credit card details. Then they can get that Netflix subscription for free.

What’s more, phishing attacks in the US tend to peak during the holiday season, mirroring the corresponding consumer spending patterns.

How Costly Is Phishing?

Given how common and frequent phishing attacks are, you shouldn’t be surprised at their staggering cost.

  • The average cost of a phishing attack to a mid-sized company is $1.6 million. (Source: Dashlane blog)
  • Phishing emails are responsible for 94% of ransomware and $132,000 per business email compromise incident. (Source: Phish Insight)
  • In 2018, a breach that involved tampering with or unauthorized access to an application cost $2 million more than a personally identifiable information breach on average. (Source: F5)
  • North Korean national Park Jin Hyok carried out a successful multi-layer attack using phishing as its initial attack vector and stole $81 million from a Bangladesh bank. (Source: F5)
  • In 2018, Google and Facebook lost $100 million as a result of an email phishing scheme. (Source: Inc.)
  • In the US, the average cost of phishing attacks reached $14.8 million in 2021. (Source: CYBERSECURITYDRIVE)
  • Large companies pay roughly $790,000 a year in ransom. (Source: CYBERSECURITYDRIVE)

Successful high-profile attacks don’t just count towards phishing crime stats – they usually make the headlines.

Even so, small and mid-sized companies suffer just as much. Ransomware can be particularly damaging, with a high ransom demand per cyber attack.

Types of Phishing

There are several different types of phishing. Let’s go over some of them.

  • Phishing scams target personal identity and financial information.
  • Brand phishing targets consumer credentials.
  • IT/SaaS phishing targets access to organizations’ credentials and data.
  • Spear phishing, the most common type of phishing, targets individual users.
  • Office 365 identified 8 million business compromise attempts between January and September 2018. (Source: Microsoft)
  • Office 365 blocked 5 billion phishing emails in 2018. (Source: Microsoft)

As we’ve already mentioned, and as spear phishing statistics show, well-tailored, comprehensive spear phishing strategies can be especially devastating. In order to offer better protection to its customers, Office 365 has had to develop equally sophisticated defense methods. They delivered some impressive results in 2018.

Phishing Impact on Businesses and Prime Targets

Even though spear phishing attacks might mostly target high-profile individuals, no industry is safe from cybercriminals’ malicious intent. Let’s check out some more phishing attack stats to see who the chief targets are.

  • 76% of businesses reported being a victim of a phishing attack in 2018. (Source: Proofpoint)
  • Global internet portals were the most targeted business category in Q2 2021, with 20.85% of all attacks. (Source: Kaspersky Lab)
  • Online stores were the second most targeted business category in Q2 2021, with 19.54% of all attacks. (Source: Kaspersky Lab)
  • Banks were the third most targeted business category in Q2 2021, with 13.82% of all attacks. (Source: Kaspersky Lab)
  • Payment Systems were the fourth most targeted business category in Q2 2021, with 8.05% of all attacks. (Source: Kaspersky Lab)
  • In Q3 2018, SecureList registered attacks against 131 universities in 16 countries worldwide. (Source: Kaspersky Lab)
  • Guatemala was the country with the highest percentage of users attacked in Q3 2018, with 19%. (Source: Kaspersky Lab)

If you’ve come across phishing facts before, you may know there is a long history of hackers targeting global internet portals.

For example:

Back in the mid-1990s, AOL was closely associated with the “warez” community that used to distribute unlicensed software and computer games. Nowadays, global internet portals remain the top target of phishing attacks, followed by financial services and IT companies.

Universities around the world were also popular targets for phishing scams in 2019.

Primary Reasons for Phishing Attacks

So, why do hackers launch so many phishing attacks?

  • According to Intel, 97% of people around the world are unable to identify a sophisticated phishing email. (Source: Dashlane blog)
  • Only 33% of US companies are looking into adopting automated email analysis to counter phishing attacks. (Source: Teiss)
  • 23% of UK companies report more than 500 suspicious emails each week. (Source: Teiss)

These are some massive phishing statistics.

It turns out the vast majority of people worldwide can’t tell the difference between a well-crafted phishing email and the real McCoy!

To make matters worse, US companies are slow to adopt automated anti-phishing techniques, even if their European counterparts are more proactive (59%).

If you run a business, make sure to pick email hosting with a spam filter. Even if you're sure you won't fall for phishing, you can't always account for your employees.

What are some of the ways hackers try to trick you into opening that malicious email? Phishing statistics highlight these as some of the most common phishing lures you should keep an eye out for:

  • Over 50% of phishing attacks in 2018 used SSL certificates. (Source: SECTIGO)
  • Users of the mobile Facebook site were hit by a URL padding phishing attack in June 2017. It involved padding the URL with hyphens to mask the real website that was being visited. (Source: SpamTitan)
  • The Cofense Intelligence platform identified the use of “attached invoice” as the top phishing lure in Q3 2018, with 4,796 reported emails. (Source: SpamTitan)
  • The Cofense Intelligence platform identified the use of “payment notification” as the second most popular phishing lure in Q3 2018, with 2,267 reported emails. (Source: SpamTitan)
  • The KnowBe4 Platform identified “You have a new encrypted message” as the most common real-world phishing attack in Q3 2018. (Source: SpamTitan)
  • The KnowBe4 Platform identified “IT: Syncing error – Returned incoming messages” as the second most common phishing attack in Q3 2018. (Source: SpamTitan)
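
The URL padding lure in the list above works because the start of the hostname looks like the real site while the domain that actually serves the page sits at the far right. The following check is an added example, not code from any of the cited sources: it reports the domain a link really belongs to and flags hyphen padding. The protected brand list, the hyphen threshold, the address bar width and the sample URLs are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this sketch: the brands to protect, the hyphen-run threshold,
# and the number of characters a narrow mobile address bar displays.
PROTECTED = ("facebook.com", "dropbox.com")
HYPHEN_RUN = re.compile(r"-{4,}")
BAR_WIDTH = 24

def registrable_domain(host):
    """Simplified to the last two labels; production code needs the Public Suffix List."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def check_url(url):
    """Report where a URL really points and why it may be hyphen-padded spoofing."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    reasons = []
    if HYPHEN_RUN.search(host):
        reasons.append("hyphen-padding")
    for brand in PROTECTED:
        # The brand appears in the hostname, but the site is registered elsewhere.
        if brand in host and reg != brand:
            reasons.append(f"embeds {brand} but belongs to {reg}")
    return {"shown": host[:BAR_WIDTH], "registrable": reg, "reasons": reasons}

# Constructed sample URLs (.example is a reserved TLD), not taken from the incident.
SAMPLES = [
    "http://m.facebook.com------------validate----step1.login-check.example/sign_in.html",
    "https://m.facebook.com/home",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(check_url(u))
```

A mail gateway or link-rewriting proxy can run a check like this on every URL in a message body and show the registrable domain to the user instead of the raw link.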

Pretty much everyone has come across some version of the “Nigerian prince would like to offer you $60 million if you give him your bank details” email scam.

Cybercriminals tend to rely on lures mentioning payment of some kind to excite users and manipulate their emotions.

Some Scam Stats

Scams are another potential threat associated with phishing.

  • Russia generated the most spam in Q2 2021, with 26.07% of the total. (Source: Kaspersky Lab)
  • In 2016, 3% to 7% of Airbnb’s 80 million stays ran into trouble, with 15.4% due to scams. (Source: Business Insider Australia)
  • According to phishing statistics, .com was the top phishing TLD in 2021, with 31.67%. (Source: Kaspersky Lab)
  • .org was the second most popular phishing TLD in 2021. (Source: Kaspersky Lab)
  • .xyz was the third most popular phishing TLD in 2021. (Source: Kaspersky Lab)
  • .cn (the country code for China) was the fourth most popular phishing TLD in 2021. (Source: Kaspersky Lab)
  • .net was the fifth most popular phishing TLD in 2021. (Source: Kaspersky Lab)

Dot-com apart, what do these domains have in common?

First, they’re the country codes of somewhat lesser-known countries from the developing world.

Second, they’re free, so anyone can get one without paying a single dime. Great news if you’re a scammer! If you’re not, you should take these statistics on phishing attacks seriously and beware of country codes you’re unfamiliar with.

How to Stay Safe from Phishing

These are some of the top tips to follow in order to avoid falling prey to a phishing attack:

  • In 2018, companies that ran 11 or more training campaigns on phishing awareness reduced the click-through rate to 13%. (Source: F5)
  • Security software can be a highly effective, easy-to-implement email filtering solution. It blocks more than 99.9% of spam and phishing emails and 100% of known malware through dual antivirus engines. (Source: SpamTitan)
  • According to email scam stats, emails that ask you to confirm personal information, do not appear to have genuine addresses, are poorly written, have suspicious attachments, or intend to make you panic have a high chance of being phishing emails. (Source: StaySafeOnline)

Companies that commit to systematically raising their employees’ awareness of scams and phishing clearly reap the benefits. When paired with the use of security software, it can significantly reduce the risk of successful cyber attacks.

For their part, individual users should learn to recognize the warning signs.

And on that note, it’s time for a quick:

Be Mindful

Phishing attacks in 2022 are a growing threat to users and businesses alike.

Here’s the bottom line:

No one is safe from hackers’ fraudulent attempts – not even the richest, most influential enterprises like Google and Facebook.

What to do about it?

Raising employee awareness and investing in anti-phishing software is a good place to start. And be sure to run offsite backups in case disaster does strike your facility. Without a doubt, these mind-blowing phishing statistics will provide you with plenty of food for thought in that regard.

Nick Galov

Unaware that life beyond the internet exists, Nick is poking servers and control panels, playing with WordPress add-ons, and helping people get the hosting that suits them.