Top Phishing Statistics for 2024: Latest Figures and Trends


How many people actually fall victim to phishing attacks? What kind of tricks and tools are threat actors using to get you to open those messages? What are they trying to accomplish? And how much damage do they actually cause? 

No matter how robust your firewalls and filters, phishing attempts - i.e., messages designed to dupe you into divulging information, enacting transactions, or downloading malware - can still very easily land in your inbox. 

To help you understand this cyber attack technique, here are the latest phishing statistics, including the lowdown on its impact and the effectiveness of phishing defense measures. 

Phishing Attack Trends 

The figures show that the volume of phishing attacks is on the increase, and a growing number of organizations are impacted by it. 

Phishing attacks rely on human error. Statistics suggest that although most people follow email hygiene and safe usage policies most of the time, there’s always a small proportion who forget or ignore the rules.

1. Phishing is the single most common form of cyber crime. An estimated 3.4 billion emails a day are sent by cyber criminals, designed to look like they come from trusted senders. This is over a trillion phishing emails per year. 

2. Email impersonation accounts for an estimated 1.2% of all email traffic globally. 

3. Around 36% of all data breaches involve phishing. 

4. 84% of organizations were the targets of at least one phishing attempt in 2022 - a 15% increase on the year before.

5. In Q4 2022, the Anti-Phishing Working Group (APWG) observed 1,350,037 total phishing attacks, up from 1,270,833 the previous quarter. 

6. In 2022, APWG logged ~4.7 million phishing attacks. Since 2019, the number of phishing attacks has increased by more than 150% yearly. 

7. Growth of phishing attacks by year:

Year | Number of attacks observed
2019 | 779,200
2020 | 1,845,814
2021 | 2,847,773
2022 | 4,744,699

Global Average Phishing Email Click Rates 

8. In 2021, the average click rate for a phishing campaign was 17.8%.

9. More targeted spear phishing campaigns had an average click rate of 53.2%.

Phishing Email Click Rates by Industry Sector 

10. Individuals working for educational institutions are most likely to open a phishing email. Healthcare and retail employees are the least likely to do so. 

11. Phishing email click rates worldwide by industry:

Sector | Click Rate
Education | 27.6%
Finance & Insurance | 26.6%
Information Technology | 25.6%
Agriculture & Food | 21.2%
Service Providers | 20.2%
Not-for-profit | 16.3%
Energy | 14.8%
Manufacturing | 13.4%
Public Sector | 10.4%
Transport | 7.5%
Retail | 7.2%
Healthcare | 5.6%

Malicious Link Activation 

12. 3% of employees will click on a malicious link within a phishing email. 

Who Are the Phishing Targets? 

Those behind phishing attacks usually try to trick users into handing over financially-valuable information. The targets chosen by attackers reflect this.  

Industries Most Targeted 

Security organizations all have their own service and user bases. As such, when it comes to showing which sectors are targeted by phishing attacks the most, different organizations produce slightly different figures. On the whole, however, the financial sector tends to come out on top as the most attacked sector. 

13. Most attacked industries, Q4, 2022.

Industry | Percentage of phishing attacks
Financial Institutions | 27.7%
Software-as-a-Service Providers | 17.7%
Other | 18.2%
Social Media Providers | 10.4%
Logistics / Shipping | 9.0%
Payment Services | 6.0%
eCommerce / Retail | 5.6%
Telecom | 3.1%
Cryptocurrency | 2.3%

14. Phishing attacks by industry, Jan-June 2022.

Industry | Percentage of phishing attacks
Banks | 27.7%
Online Shops | 17.2%
NGOs | 10.7%
Educational Institutions | 9.3%
Healthcare | 9.1%
Governmental Organizations | 8.2%
Telecom | 7.5%
IT Services | 6.6%
Insurance | 2.4%
Others | 1.3%

Size of Organizations Targeted 

15. On average, an employee of a small business with fewer than 100 employees will experience 350% more phishing and other social engineering attacks than an employee of a larger enterprise. 

16. For an organization with 1-250 employees, roughly one in 323 emails received will be malicious. For an organization of 1001-1500 employees, one in 823 emails is malicious. 

Individuals Targeted 

17. IT leaders identify finance professionals (27%) and IT team members (23%) as the individuals within their organizations most likely to be targeted by phishing attacks.  

18. Remote workers may be more likely to be targeted than office-based employees. 80% of infosec professionals say they’ve seen increased security threats since the shift to remote working. 62% said that phishing attacks had increased more than any other type of threat.  

Countries Targeted 

19. According to DMARC, the Netherlands was targeted with the highest volume of phishing attacks in 2022 (17.7% of all attacks). Russia, Moldova, the USA, and Thailand follow. 


20. Kaspersky data suggests that device users in Vietnam are statistically the most likely to encounter a phishing attack. 

Top 10 Countries Kaspersky Users Are Experiencing Attacks

Who Are Committing Phishing Attacks? 

More than half of phishing attacks originate from just three countries. Mostly, threat actors are driven by financial gain, although a small number of attacks appear to be politically-driven. 

Source Countries

21. In 2022, 29.82% of spam emails were sent from Russia. Mainland China is the second most common source of malicious spam (14%), followed by the United States (10.71%).


Threat Actors and Motives 

22. 95% of social engineering attacks are financially motivated.

23. 35% of ransomware attacks are delivered via email.

24. Hacktivism and political motivations account for a very low proportion of phishing activity globally. However, there has been an inevitable rise in politically-motivated phishing linked to the war in Ukraine.

25. Google’s Threat Analysis Group (TAG) reports that from January to March 2023, Ukraine received ~60% of phishing attacks originating from Russia. Top campaign goals include intelligence collection and operational disruptions against critical infrastructure. 

Phishing Delivery Techniques 

26. Email is overwhelmingly the most popular method of conducting a phishing attack. An estimated 91% of all cyber attacks begin with a phishing email.

27. 91% of bait emails are sent via Gmail accounts. Reasons for the popularity of Gmail with threat actors are thought to include the ability to set up large numbers of accounts quickly and for free and the availability of Google’s inbuilt “read receipts” function. 

28. Notwithstanding the dominance of email, a third of IT professionals report an increase in phishing via other messaging platforms. 

29. 44% of respondents have experienced phishing via video conferencing platforms, 40% via workplace management platforms, 40% via file-sharing platforms, and 36% via text messages.  

Common Phishing Attacks 

Highly-targeted attacks make up a small proportion of phishing traffic overall. However, compared to generic attacks, they have a much higher success rate. 

Spear Phishing 

Definition: Sending messages - ostensibly from a known or trusted party - to induce specifically targeted individuals to reveal information or take specific actions. 

30. Spear phishing campaigns make up only 0.1% of all email-based phishing attacks, but they are responsible for 66% of all breaches. 

31. 50% of large organizations were targeted with spear phishing in 2022, receiving an average of five spear-phishing emails a day. 

Whaling

Definition: Also known as big phishing and CEO-fraud, this involves using precisely-engineered spoofing emails to trick senior figures within organizations into disclosing credentials, money, or information. 

32. Incidences of whaling and executive impersonations increased significantly following the shift to remote work in 2020. Between Q1 2020 and Q1 2021, the number of reported whaling attacks increased by 131%.  

Common Features of Scams 

A large proportion of attackers use fake messages that look as if they are from well-known companies. A growing number of attackers also seem to be putting AI to work to make their messages sound more convincing.   

Top Phishing Brands 

33. 55% of phishing attacks use established brand names to build credibility in their messages. 

34. According to Check Point Research, LinkedIn is the brand most frequently imitated to lure phishing victims into disclosing credentials/ information. 

35. Top 10 most frequently imitated companies in brand-related phishing attempts: 

Company | Percentage of all branded phishing attempts globally
LinkedIn | 52%
DHL | 14%
Google | 7%
Microsoft | 6%
FedEx | 6%
WhatsApp | 4%
Amazon | 2%
Maersk | 1%
AliExpress | 0.8%
Apple | 0.8%

Phishing Trigger Words 

36. The keywords most frequently used by phishing scammers in email subject lines:

  • Invoice 
  • New
  • Message
  • Required
  • File
  • Request
  • Action
  • Document
  • Verification 
  • eFax
  • VM

(Tip: for more info on how these keywords are put to work, check out our article, Top Phishing Keywords Revealed).  

Emerging Impact of AI in Phishing Attacks

In Q1 2023, Darktrace reported a 135% increase in malicious email campaigns demonstrating advanced linguistic deviation in syntax, semantics, grammar, and sentence structure. 

This development corresponds with the widespread availability of tools such as ChatGPT, providing a possible early indicator of the potential of generative AI in creating more sophisticated and convincing phishing attacks.

Impact of Phishing 

Phishing statistics demonstrate how important it is for organizations to adopt an assume-breach stance: i.e., to follow best practice when it comes to perimeter defenses and user training, but also to assume that, notwithstanding these measures, some phishing attempts will succeed.   

Business Impact of Phishing Attacks 

37. Phishing is the most common method for delivering ransomware, responsible for 45% of all ransomware attacks. 

38. For enterprises, the average cost of a ransomware attack, including downtime and remediation, is estimated at ~$1,500,000.

39. Phishing attacks cost large organizations $15 million annually, or more than $1,500 per employee.

40. For each item of customer-related personally identifiable information extracted via a phishing attack, the average cost to the business is $180.

41. Of security leaders who have experienced phishing attacks, the most commonly cited consequences are as follows: 

Consequence of phishing | Percentage of security leaders who experience it
Lost/stolen data | 60%
Compromised credentials and accounts | 50%
Ransomware | 45%
Other malware | 30%
Direct financial loss | 20%

Defense Against Phishing Attacks  

42. IT and Security teams take an average of 27.5 minutes to handle a single phishing email. 

43. The estimated cost of discovering and mitigating a single phishing email is $31.32.

44. Without proper training, 32.4% of employees are susceptible to falling for phishing scams.

45. Almost 1 in 5 organizations only provide phishing awareness training to employees once per year.

46. Many employees are not provided with updated security training when new technologies are introduced into the organization. 47% have received no security training for instant messaging platforms or communication applications. Almost 1 in 5 fail to remember or find the relevant information.  

47. Human error contributes to 95% of successful cyber security breaches. 

48. An estimated 58% of employees ignore cyber security guidelines, and 39% admit they are unlikely to report a security incident in the workplace. 

49. 90% of confirmed phishing email attacks took place in organizations with Secure Email Gateways (i.e., measures such as firewalls, email scanning tools, and filters) in place. 

Notable Recent Phishing Campaigns 

Recent high-profile attacks and threats highlight how susceptible users can be to targeted scams. A couple of years ago, we saw hackers take advantage of Covid assistance schemes to dupe victims. In the US, there’s a risk of something similar occurring in relation to student loans. 

BlackCat attack on Reddit 

The ransomware group BlackCat gained access to 80GB of data from Reddit in February 2023. The group demanded a $4.5 million payout, along with a rollback of Reddit's planned API pricing changes, in exchange for the return of the data. 

Reddit blamed the attack on a “sophisticated and highly-targeted” phishing attack against employees…

Activision Breach 

Activision, the makers of Call of Duty, was hit by data theft in December 2022 as the result of an unsuspecting employee’s credentials being stolen in an SMS phishing attack (called smishing). Data stolen included employee information and content release schedules.

Student Loans Forgiveness Scams 

With the US Student Loan Forgiveness procedure now in place, the FBI has issued a warning against fraud and phishing schemes designed to swindle borrowers out of information or cash.

Conclusion 

It’s clear from the phishing statistics that this cyber attack technique remains a persistent threat, and it’s also pretty clear why. 

Even with filtering and threat intelligence solutions in widespread use, some malicious messages will always find their way into inboxes. There will always be some individuals who open those messages. And there will always be a handful of employees who go on to hand over credentials or click on those malicious links. 

It shows that hackers only have to get lucky with phishing a few times to make their endeavors worthwhile. It also highlights the value of penetration testing: i.e., testing a network’s perimeters, finding out who is most vulnerable to phishing - and closing the gaps to reduce the chances of a successful attack. 

  • Gary Smith

    Gary spends much of his working day thinking and writing about professional and personal development, as well as trends and best practice in IT recruitment from both an organizational and employee perspective. With a background in regulatory risk, he has a special interest in cyber threats, data protection, and strategies for reducing the global cyber skills gap.
