Phishing Statistics, Facts, and Figures for 2024

Chances are quite good that you have been the recipient of a phishing email. They usually “warn” you that your “account is in danger,” or that you “need to change your password immediately.” Some phishing emails are allegedly from a Nigerian prince that is asking for your help. Or, any one of thousands of other scams.

Phishing attacks use social engineering to deceive users into divulging their sensitive information about payment systems they use, such as usernames, passwords, credit card details, bank account numbers, and more. The initial contact is usually carried out by email or instant messaging.

Attacks like this are on the rise, and the bad guys are constantly on the lookout for new ways to separate you from your personal financial information and your money. Bad guys are like politicians, they never let a good crisis go to waste, meaning there may be a COVID-19 coronavirus pandemic-related phishing email headed to your inbox at this very moment.

Phishing attacks are so effective that former Secretary of Homeland Security Jeh Johnson, while speaking at a cybersecurity conference back in November 2016, told those attending that the threat his department feared the most is the lowly phishing email.

Types of Phishing Scams

Phishing scams are not a one-size-fits-all cyber threat. They come in various forms, taking a slightly different approach in their attempt to fool you into giving up your info.

Spear Phishing

A spear phishing scam is directed at a specific individual, group of users, or company. Spear phishers will collect and use personal information about their targets, using it to increase their chances of success.

Spear phishing attacks will target an organization’s employees and executives, particularly those that work in financial-related departments.

Spear phishing attempts account for the vast majority of phishing attempts today.

Whaling

Whaling is just what it sounds like. These phishing attempts are targeted specifically at a senior executive or another high-value target within a business. A “whale” or a “big fish,” in other words.

A whaling attempt will use a counterfeit email communication of a website crafted specifically to target the “whale’s” role in the company or organization. Content used could include a customer complaint, a subpoena or some other legal content – any type of issue that might need dealing with by an executive-level employee.

Clone Phishing

A clone phishing attempt will use a legitimate, and previously delivered, piece of email to create an almost identical or “clone” piece of email. This cloned email will include a malicious attachment or link, which is more likely to be opened, as the victim will trust the “sender” since they have previously communicated.

Phishing Statistics, Facts, and Figures for 2024

In this section, we’ll be taking a look at the cybersecurity statistics, facts, and figures that shape the state of the phishing “industry” in 2024.

1. Phishing Attacks Are at Their Highest Level Since 2020

Phishing attacks have risen to a level that we haven’t seen since 2016. APWG’s Phishing Activity Trends Report for Q3 2022 reports there were close to 1.3 million phishing sites reported during that quarter.

These numbers are a bit discouraging, as in previous quarters, the numbers were much lower. The number of reported phishing attacks reported to APWG has more than quintupled since Q1 2020, when APWG observed a “mere” 230,554 attacks.

2. Spear Phishing Emails Are the Most Popular Phishing Method

Spear phishing emails are used by 65% of all known groups to aid them in carrying out targeted cyber attacks, says Symantec’s Internet Security Threat Report 2019. 96% of all targeted attacks are designed for the purpose of intelligence-gathering.

3. Phishing Attacks Are Changing

The Symantec study also shows that the popularity of zero-day vulnerabilities has declined in recent years, as only 23% of groups were known to exploit the zero-day cybersecurity holes, down from 2017’s 27%. (A zero-day vulnerability is an information security hole that is either unknown or unaddressed by the software vendor, allowing hackers to exploit it until the issue is fixed.)

Meanwhile, the use of destructive malware continues to grow, as 8% of known groups use destructive tools, a 25% jump from 2017.

Attackers are increasing their use of file sharing services in their phishing schemes, thanks to users’ trusting of OneDrive and other cloud file sharing services. Over 5,000 phishing emails using Sharepoint were reported in a 12-month period, while 2,000 attacks involving OneDrive were reported in the same period.

4. Well-Informed Users Are the Best Defense Against Phishing

Phishing awareness training for employees is arguably the best defense against phishing attacks. A 2019 report by Cofense mentions an example where company employees recognized a phishing attack and the security operations center was able to nip it in the bud within 19 minutes.

When considering a phishing education plan for company employees, cybersecurity professionals say not to neglect training for executive-level users. Depending on the industry, executives like CEOs can be less tech-savvy than your average intern. (Remember the “whaling” section above?)

5. Beware of the Zombie Phish

When I warn of “Zombie Phish” I am not talking about an undead version of a popular rock band, but instead I’m referring to a popular type of phishing attack.

Attackers will take over an email account and pick up on an old email conversation, sending a new email that includes a phishing link or an attachment. Since the sender and the conversation is familiar to the recipient, they may be more likely to click the link or open the attachment.

6. Shortened URLs Are a Popular Trick

Another popular phishing trick is the use of shortened URLs in the email. These shortened links are available from multiple link shortening services, such as Bitly. Shortened links don’t usually get blocked by URL content filters, as the shortened links do not disclose the true destination of the link. Users may also be a bit more likely to click on a shortened link.

7. Smaller Organizations Are Popular Targets

The Symantec report I mentioned above also lays out how smaller organizations (one to 250 employees) are popular targets for phishers. Companies of that size see roughly one in every 323 emails have a malicious intention of some sort. Moving up the size ladder, organizations with 1,000 to 1,500 employees receive a phishing email every 823 emails or so.

8. Mining Companies Are the Most Popular Phishing Targets (Wait, What?)

Symantec’s report also breaks down phishing email numbers by industry. Oddly enough, mining companies are the top target, with one in 258 emails bearing the company ill will. Agriculture, forestry, and fishing tie for number two on the list, with public administration with a one in 302 average.

Manufacturing, wholesale trade, and construction are also popular targets, as are transportation and public utilities; finance, insurance and real estate; the services industry, and retail trade.

9. Saudi Arabia Is the Most Targeted Country

When it comes to countries that are targeted, Saudi Arabia takes the top spot. The Middle Eastern country’s citizens received a malicious email every 118 emails. Israel and Austria aren’t far behind, with one in 122 emails and one in 128 emails, respectively. South Africa and Serbia round out the top five with one in 131 and one in 137, respectively.

Meanwhile, U.S. targeted users are hit by a malicious email rate of one in 674, and the U.K. has a rate of one in 255. Japanese users enjoy the lowest number of phishing emails, with a one in 905 rate.

10. 22% of All Data Breaches Involve Phishing

Verizon found that the top threat action involved in data breaches is phishing. 22% of all data breaches involved phishing.

11. Baby Boomers Are Most Likely to Recognize Terms “Phishing” and “Ransomware”

While Baby Boomers (those aged 55 and above) are considered by some to be one of the least tech-savvy groups, they were most likely to recognize the terms “phishing” and “ransomware.”

Yet, when asked about the terms “smishing” (SMS Phishing) and “vishing” (Voice Phishing), the older generation was the least likely to know the definitions. (Okay, I admit it, I’m a boomer and I had to look those up.)

12. Spear Phishing Is the Most Popular Method of Distributing Ransomware Attacks

Spear phishing (a scam that is directed at a specific individual, group of users, or company) continues to be the most popular way of delivering ransomware attacks. The GandCrab and Ryuk malware strains are commonly distributed using this method.

13. Malicious Email Attachments Commonly Exploit Microsoft Office Security Holes

Many malicious email attachments included in phishing emails continue to exploit a previously patched flaw in Microsoft Office. For instance, CVE-2017-11882 is a remote code execution vulnerability that was identified in 2017 and was soon patched to fix the security flaw. Despite its patched state, 45% of malicious email attachments exploit this flaw.

Why would the bad guys continue to attempt to use an already-patched security vulnerability? Some companies are slow to update their software (and operating systems) on a regular basis, meaning the vulnerabilities are still available for exploitation.

14. Sextortion Phishing Scams Continue to Grow

NordVPN defines sextortion as when a victim receives an email from a scammer claiming to have access to one of the victim’s accounts and threatening to release to the public sexually explicit content from that account. The email may contain sensitive information obtained from a breached database.

Hackers will also use malware to take over a victim’s webcam or microphone, and even record what the user types on their keyboard. They then use the intimate footage or other information to make a monetary demand.

Other times, bad actors will gain their victims’ trust, eventually persuading them to perform sexual acts on camera, then demanding payment to not release the video to friends, family, and the general public. Unfortunately, it is estimated that 71% of sextortion victims are under the age of 18.

Cofense reports that during six months of 2019 there were more than seven million email addresses that were used in sextortion phishing scams. $1.5 million had been paid to Bitcoin wallets known to be used by sextortionists.

15. SSL No Longer Guarantees a Safe Website

Once upon a time, one of the best ways to avoid phishing sites was to check that the legitimate site had an SSL certificate by looking for “https” in the site’s URL. This signifies that the site has an SSL certificate, and is protected by encryption.

Unfortunately, this is no longer true. APWG reports a mind-boggling 74% of phishing sites discovered in Q1 2020 used SSL.

16. Companies Are Filing Lawsuits to Recover Phishing Losses

Companies and their employees have begun filing lawsuits to recover losses due to phishing and email scams. Retruster reports that firms including Seagate, Microsoft, Sprouts, and Lincare have been involved in various phishing-related lawsuits.

Microsoft in 2005 filed 117 phishing lawsuits against alleged phishers that tried to scam Microsoft customers out of personal information. Microsoft used trademark law to target the phishers, who used the company’s trademarks on their emails and websites. Amazon took similar action against phishers in 2004.

Companies that have been hit by scammers have also faced litigation from their own employees for negligence. Seagate and Sprouts both faced 2016 lawsuits filed by their own employees after the HR departments of both firms were duped into handing over W2 forms and other personally identifiable information to scammers.

17. 32.4% of Organizations Could be Exposed to Phishing Emails by One-Third of the Workforce

A 2022 Phishing By Industry Benchmarking Report from cyber awareness training organization KnowBe4 states that 32.4% of organizations could be exposed to social engineering and phishing scams by a third of their employees at any time.

18. Yahoo Is the #1 Imitated Company in Phishing Scams

Check Point Research’s Q4 2022 Brand Phishing Report shows that 20% of all brand phishing attempts were connected to Yahoo. The report indicates that this was due to a significant phishing campaign during Q3 2022, which “informed” victims that they had won prize money organized by Yahoo. The phishing emails asked recipients to submit their personal and banking information, claiming they would transfer the winning prize money to their account.

19. 84% of SMBs Are Targeted by Phishing Attacks

SMB (small-to-medium business) and distributed enterprise network cybersecurity solutions provider Untangle says that 84% of their channel partners said they had SMB clients that were targeted by phishing attacks during 2018. The firm says the biggest threats they anticipate seeing their clients face in 2020 are ransomware and phishing attacks.

20. COVID-19 Phishing Emails Continue to Explode

Politicians live by the adage “Never let a good crisis go to waste,” and it appears the bad guys have a similar slogan, as COVID-19 phishing scams continue to be on the rise.

Cybercriminals are exploiting COVID-19 concerns to exploit individuals who are searching for information about the pandemic. Help Net Security says the Omicron variant contributed to a 521% rise in COVID test-related scam emails during the period between October 2021 and January 2022.

The most common scams included offers to sell counterfeit COVID tests, as well as other medical supplies, including masks or gloves.

How Can I Avoid a Phishing Scam?

Remember how I said the best defense against phishing scams is well-informed users? I’m aware that not everyone has the time or money to go through a training class, so I’d like to share some ways you can help avoid a phishing scam.

• Stay alert for suspicious emails and text messages: Do you know the sender? Were you expecting an email from this person? Does the email fit in with your job role? Be suspicious if the sender is soliciting personal information.
• Be suspicious of email attachments and links: Never open email attachments or click link addresses in emails from parties you don’t know, and always double-check email addresses when it appears as if the email is from a known party. Opening email attachments or clicking links can install malware on your computer without you realizing it.
• Don’t send sexual content to people you don’t know: This may sound like a rule users would already be following, but many users still fall into this trap. If you either don’t know or barely know the person and have never met face-to-face, don’t send them sexual content, including videos and photos.
• Use strong passwords: Never use the same password for any of your accounts, and make sure to update your passwords on a regular basis. Many attacks happen due to exposed passwords. Use long, secure passwords that include letters, numbers, and special characters. Use a password manager to create and remember passwords.
• Consider using a Virtual Private Network (VPN): A VPN routes your internet traffic through an encrypted tunnel, keeping all of your online activities safe from prying eyes. A VPN also hides your real IP address, ensuring that it is not linked to your real location or your identity.

Phishing Predictions for 2024

Now that we have a historical view of phishing attacks, the methods threat actors use to separate you from your personal information and money, and who phishing attacks affect, let’s look at a few predictions for what will happen in the world of phishing in 2024.

• Phishing attacks will continue to be a preferred method of cyber attack. This is due to one main reason: they work. The continuing failure of organizations to educate their employees and customers about the dangers of clicking links and opening attachments found in unsolicited emails will allow the bad guys to continue their success.
• Election-related phishing scams will increase. 2024 is a presidential election year in the U.S., offering scammers the opportunity to increase their ill-gotten gains by sending scam emails that appear to be from presidential candidates or that are related to the election. When I wrote this, it was 2023, which is usually when candidates begin coming out of the woodwork to get an early jump on making themselves well-known and to begin fundraising.
• Email will be the weakest link in online election security. Peter Goldstein, CTO and co-founder of Valimail, says the majority of states in the U.S. are overlooking email vulnerabilities as they look for ways to thwart interference with elections. Yet, in May 2019 it was learned that Russian hackers had breached two county election systems in the state of Florida by way of a spear phishing campaign.
• Phishing attacks will continue to move beyond email. While email will remain close to scammers’ hearts (if they indeed have a heart), they will increasingly use other attack vectors, such as messaging on social media and gaming platforms, or SMS text messaging. (Via Check Point)
• Mobile malware attacks will continue to increase. There was a 50% increase in mobile banking malware attacks in the first half of 2019 when compared to 2018. As users continue to move to banking on their iPhone or Android device, malware incidents will continue to grow. The bad guys will be looking to steal login credentials, payment-sensitive data, and of course money from victims’ accounts. (Via Check Point)
• Cloud phishing will increase as a primary tactic for Advanced Persistent Threats. Phishing attempts will begin launching in greater numbers through cloud applications in place of emails. Users trust cloud applications due to their use in their workplace, making them more vulnerable to phishing attempts. Cloud app usage on mobile devices continues to grow, making them attractive targets for phishers. (Via Government Technology)

In Closing

As we’ve seen, phishing has been, and will continue to be, a significant cyber threat to businesses and individuals alike. This means individual users need to educate themselves on the risks of phishing email threats, while companies need to increase their safeguard against phishing schemes, which needs to include employee education as well as hardware and software solutions.

Phishing Threats FAQs