Chances are quite good that you have been the recipient of a phishing email. They usually “warn” you that your “account is in danger,” or that you “need to change your password immediately.” Some phishing emails are allegedly from a Nigerian prince who is asking for your help, or any one of thousands of other scams.
Phishing attacks use social engineering to deceive users into divulging sensitive information about the payment systems they use, such as usernames, passwords, credit card details, and bank account numbers. The initial contact is usually carried out by email or instant messaging.
Attacks like this are on the rise, and the bad guys are constantly on the lookout for new ways to separate you from your personal financial information and your money. Bad guys are like politicians: they never let a good crisis go to waste, which means there may be a COVID-19 coronavirus pandemic-related phishing email headed to your inbox at this very moment.
Phishing attacks are so effective that former Secretary of Homeland Security Jeh Johnson, while speaking at a cybersecurity conference back in November 2016, told those attending that the threat his department feared the most is the lowly phishing email.
Types of Phishing Scams
Phishing scams are not a one-size-fits-all cyber threat. They come in various forms, taking a slightly different approach in their attempt to fool you into giving up your info.
A spear phishing scam is directed at a specific individual, group of users, or company. Spear phishers will collect and use personal information about their targets, using it to increase their chances of success.
Spear phishing attacks will target an organization’s employees and executives, particularly those that work in financial-related departments.
Spear phishing attempts account for the vast majority of phishing attempts today.
Whaling is just what it sounds like. These phishing attempts are targeted specifically at a senior executive or another high-value target within a business. A “whale” or a “big fish,” in other words.
A whaling attempt will use a counterfeit email or a counterfeit website crafted specifically to target the “whale’s” role in the company or organization. Content used could include a customer complaint, a subpoena or some other legal content – any type of issue that an executive-level employee might need to deal with.
A clone phishing attempt will use a legitimate, and previously delivered, piece of email to create an almost identical or “clone” piece of email. This cloned email will include a malicious attachment or link, which is more likely to be opened, as the victim will trust the “sender” since they have previously communicated.
Phishing Statistics, Facts, and Figures for 2023
In this section, we’ll be taking a look at the cybersecurity statistics, facts, and figures that shape the state of the phishing “industry” in 2023.
1. Phishing Attacks Are at Their Highest Level Since 2020
Phishing attacks have risen to a level that we haven’t seen since 2016. APWG’s Phishing Activity Trends Report for Q3 2022 counts close to 1.3 million phishing sites reported during that quarter.
These numbers are a bit discouraging, as in previous quarters the numbers were much lower. The number of phishing attacks reported to APWG has more than quintupled since Q1 2020, when APWG observed a “mere” 230,554 attacks.
2. Spear Phishing Emails Are the Most Popular Phishing Method
Spear phishing emails are used by 65% of all known groups to aid them in carrying out targeted cyber attacks, says Symantec’s Internet Security Threat Report 2019. 96% of all targeted attacks are designed for the purpose of intelligence-gathering.
3. Phishing Attacks Are Changing
The Symantec study also shows that the popularity of zero-day vulnerabilities has declined in recent years, as only 23% of groups were known to exploit the zero-day cybersecurity holes, down from 2017’s 27%. (A zero-day vulnerability is an information security hole that is either unknown or unaddressed by the software vendor, allowing hackers to exploit it until the issue is fixed.)
Meanwhile, the use of destructive malware continues to grow, as 8% of known groups use destructive tools, a 25% jump from 2017.
Attackers are increasing their use of file sharing services in their phishing schemes because users trust OneDrive and other cloud file sharing services. Over 5,000 phishing emails using SharePoint were reported in a 12-month period, while 2,000 attacks involving OneDrive were reported in the same period.
4. Well-Informed Users Are the Best Defense Against Phishing
Phishing awareness training for employees is arguably the best defense against phishing attacks. A 2019 report by Cofense mentions an example where company employees recognized a phishing attack and the security operations center was able to nip it in the bud within 19 minutes.
When considering a phishing education plan for company employees, cybersecurity professionals say not to neglect training for executive-level users. Depending on the industry, executives like CEOs can be less tech-savvy than your average intern. (Remember the “whaling” section above?)
5. Beware of the Zombie Phish
When I warn of “Zombie Phish” I am not talking about an undead version of a popular rock band, but instead I’m referring to a popular type of phishing attack.
Attackers will take over an email account and pick up on an old email conversation, sending a new email that includes a phishing link or an attachment. Since the sender and the conversation are familiar to the recipient, they may be more likely to click the link or open the attachment.
6. Shortened URLs Are a Popular Trick
Another popular phishing trick is the use of shortened URLs in the email. These shortened links are available from multiple link shortening services, such as Bitly. Shortened links don’t usually get blocked by URL content filters, as the shortened links do not disclose the true destination of the link. Users may also be a bit more likely to click on a shortened link.
7. Smaller Organizations Are Popular Targets
The Symantec report I mentioned above also lays out how smaller organizations (one to 250 employees) are popular targets for phishers. Companies of that size see roughly one in every 323 emails carrying malicious intent of some sort. Moving up the size ladder, organizations with 1,000 to 1,500 employees receive roughly one malicious email in every 823.
8. Mining Companies Are the Most Popular Phishing Targets (Wait, What?)
Symantec’s report also breaks down phishing email numbers by industry. Oddly enough, mining companies are the top target, with one in 258 emails bearing the company ill will. Agriculture, forestry, and fishing tie for second place with public administration, each at a one in 302 average.
Manufacturing, wholesale trade, and construction are also popular targets, as are transportation and public utilities; finance, insurance and real estate; the services industry, and retail trade.
9. Saudi Arabia Is the Most Targeted Country
When it comes to countries that are targeted, Saudi Arabia takes the top spot. The Middle Eastern country’s citizens received a malicious email every 118 emails. Israel and Austria aren’t far behind, with one in 122 emails and one in 128 emails, respectively. South Africa and Serbia round out the top five with one in 131 and one in 137, respectively.
Meanwhile, users in the U.S. see a malicious email rate of one in 674, and the U.K. has a rate of one in 255. Japanese users enjoy the lowest number of phishing emails, with a one in 905 rate.
10. 22% of All Data Breaches Involve Phishing
Verizon found that the top threat action involved in data breaches is phishing. 22% of all data breaches involved phishing.
11. Baby Boomers Are Most Likely to Recognize Terms “Phishing” and “Ransomware”
While Baby Boomers (those aged 55 and above) are considered by some to be one of the least tech-savvy groups, they were most likely to recognize the terms “phishing” and “ransomware.”
Yet, when asked about the terms “smishing” (SMS Phishing) and “vishing” (Voice Phishing), the older generation was the least likely to know the definitions. (Okay, I admit it, I’m a boomer and I had to look those up.)
12. Spear Phishing Is the Most Popular Method of Distributing Ransomware Attacks
Spear phishing (a scam that is directed at a specific individual, group of users, or company) continues to be the most popular way of delivering ransomware attacks. The GandCrab and Ryuk malware strains are commonly distributed using this method.
13. Malicious Email Attachments Commonly Exploit Microsoft Office Security Holes
Many malicious email attachments included in phishing emails continue to exploit a previously patched flaw in Microsoft Office. For instance, CVE-2017-11882 is a remote code execution vulnerability that was identified in 2017 and was soon patched to fix the security flaw. Despite its patched state, 45% of malicious email attachments exploit this flaw.
Why would the bad guys continue to attempt to use an already-patched security vulnerability? Some companies are slow to update their software (and operating systems) on a regular basis, meaning the vulnerabilities are still available for exploitation.
14. Sextortion Phishing Scams Continue to Grow
NordVPN defines sextortion as when a victim receives an email from a scammer claiming to have access to one of the victim’s accounts and threatening to release to the public sexually explicit content from that account. The email may contain sensitive information obtained from a breached database.
Hackers will also use malware to take over a victim’s webcam or microphone, and even record what the user types on their keyboard. They then use the intimate footage or other information to make a monetary demand.
Other times, bad actors will gain their victims’ trust, eventually persuading them to perform sexual acts on camera, then demanding payment to not release the video to friends, family, and the general public. Unfortunately, it is estimated that 71% of sextortion victims are under the age of 18.
Cofense reports that during a six-month period in 2019, more than seven million email addresses were used in sextortion phishing scams. $1.5 million had been paid to Bitcoin wallets known to be used by sextortionists.
15. SSL No Longer Guarantees a Safe Website
Once upon a time, one of the best ways to avoid phishing sites was to check that a site had an SSL certificate by looking for “https” at the start of the site’s URL. This signifies that the site has an SSL certificate and that the connection is protected by encryption.
Unfortunately, this is no longer true. APWG reports a mind-boggling 74% of phishing sites discovered in Q1 2020 used SSL.
16. Companies Are Filing Lawsuits to Recover Phishing Losses
Companies and their employees have begun filing lawsuits to recover losses due to phishing and email scams. Retruster reports that firms including Seagate, Microsoft, Sprouts, and Lincare have been involved in various phishing-related lawsuits.
Microsoft in 2005 filed 117 phishing lawsuits against alleged phishers that tried to scam Microsoft customers out of personal information. Microsoft used trademark law to target the phishers, who used the company’s trademarks on their emails and websites. Amazon took similar action against phishers in 2004.
Companies that have been hit by scammers have also faced litigation from their own employees for negligence. Seagate and Sprouts both faced 2016 lawsuits filed by their own employees after the HR departments of both firms were duped into handing over W2 forms and other personally identifiable information to scammers.
17. 86% of Email Attacks Don’t Involve Malware
It’s a bit surprising, but most email attacks don’t use malware. April-June 2019 data from FireEye shows only 14% of email-based attack schemes during that period used malware. Instead, the bad guys used other schemes, including spear phishing, impersonation tactics, and CEO fraud.
18. 32.4% of Organizations Could Be Exposed to Phishing Emails by One-Third of the Workforce
A 2022 Phishing By Industry Benchmarking Report from cyber awareness training organization KnowBe4 states that 32.4% of organizations could be exposed to social engineering and phishing scams by a third of their employees at any time.
19. Yahoo Is the #1 Imitated Company in Phishing Scams
Check Point Research’s Q4 2022 Brand Phishing Report shows that 20% of all brand phishing attempts were connected to Yahoo. The report indicates that this was due to a significant phishing campaign during Q3 2022, which “informed” victims that they had won prize money organized by Yahoo. The phishing emails asked recipients to submit their personal and banking information, claiming they would transfer the winning prize money to their account.
20. 84% of SMBs Are Targeted by Phishing Attacks
SMB (small-to-medium business) and distributed enterprise network cybersecurity solutions provider Untangle reports that 84% of its channel partners had SMB clients that were targeted by phishing attacks during 2018. The firm expects the biggest threats its clients will face in 2020 to be ransomware and phishing attacks.
21. COVID-19 Phishing Emails Continue to Explode
Politicians live by the adage “Never let a good crisis go to waste,” and it appears the bad guys have a similar slogan, as COVID-19 phishing scams continue to be on the rise.
Cybercriminals are exploiting COVID-19 concerns to target individuals who are searching for information about the pandemic. Help Net Security says the Omicron variant contributed to a 521% rise in COVID test-related scam emails during the period between October 2021 and January 2022.
The most common scams included offers to sell counterfeit COVID tests, as well as other medical supplies, including masks or gloves.
How Can I Avoid a Phishing Scam?
Remember how I said the best defense against phishing scams is well-informed users? I’m aware that not everyone has the time or money to go through a training class, so I’d like to share some ways you can help avoid a phishing scam.
- Stay alert for suspicious emails and text messages: Do you know the sender? Were you expecting an email from this person? Does the email fit in with your job role? Be suspicious if the sender is soliciting personal information.
- Be suspicious of email attachments and links: Never open email attachments or click link addresses in emails from parties you don’t know, and always double-check email addresses when it appears as if the email is from a known party. Opening email attachments or clicking links can install malware on your computer without you realizing it.
- Don’t send sexual content to people you don’t know: This may sound like a rule users would already be following, but many users still fall into this trap. If you either don’t know or barely know the person and have never met face-to-face, don’t send them sexual content, including videos and photos.
- Use strong passwords: Never reuse a password across accounts, and make sure to update your passwords on a regular basis. Many attacks happen due to exposed passwords. Use long, secure passwords that include letters, numbers, and special characters. Use a password manager to create and remember passwords.
- Consider using a Virtual Private Network (VPN): A VPN routes your internet traffic through an encrypted tunnel, keeping all of your online activities safe from prying eyes. A VPN also hides your real IP address, ensuring that it is not linked to your real location or your identity.
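The sender and link checks in the list above, expressed as a small mail triage script. This is an added example, not code from the original article: it assumes a constructed list of trusted sender domains, a short illustrative set of link-shortener domains, and a crude last-two-labels domain comparison in place of a real public-suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "goo.gl"}  # assumed, illustrative list
KNOWN_DOMAINS = ("example.com",)  # constructed: domains this organisation trusts as senders
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<"]+', re.I)


def registered_domain(host):
    # Last two DNS labels: a crude stand-in for a public-suffix lookup.
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def body_text(msg):
    # Concatenate the decoded text/plain and text/html parts of the message.
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    # Return human-readable warnings for one raw RFC 5322 message string.
    msg = message_from_string(raw_message)
    warnings = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    # A display name that invokes a trusted domain the real address does not use.
    for known in KNOWN_DOMAINS:
        if known in display_name.lower() and sender_domain != known:
            warnings.append(f"display name mentions {known} but address is @{sender_domain}")
    # Replies quietly redirected to a domain other than the visible sender's.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rsplit("@", 1)[-1].lower()
    if reply_domain and reply_domain != sender_domain:
        warnings.append(f"Reply-To goes to {reply_domain}, not {sender_domain}")
    body = body_text(msg)
    # Shortened links hide their destination from both users and URL filters.
    for url in sorted(set(URL_RE.findall(body))):
        host = urlparse(url).hostname or ""
        if host in SHORTENERS or registered_domain(host) in SHORTENERS:
            warnings.append(f"shortened link hides its destination: {url}")
    # Anchor text that displays one site while the href leads somewhere else.
    for href, text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(text)
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(shown.group(0)).hostname or "" if shown else ""
        if shown and registered_domain(shown_host) != registered_domain(href_host):
            warnings.append(f"link text shows {shown_host} but points to {href_host}")
    return warnings


# Constructed sample (not real mail) combining the tricks described in the article.
SUSPICIOUS = """\
From: "Example.com Payroll" <payroll@mail-updates.net>
Reply-To: hr-desk@another-example.org
Content-Type: text/html

<p>Confirm your details at
<a href="https://bit.ly/CONSTRUCTED">https://payroll-example.com/w2</a> today.</p>
"""
```

Running `triage(SUSPICIOUS)` yields four warnings (display name, Reply-To, shortened link, and mismatched anchor text), while a message from a trusted domain with consistent links yields none.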
Phishing Predictions for 2023
Now that we have a historical view of phishing attacks, the methods threat actors use to separate you from your personal information and money, and whom phishing attacks affect, let’s look at a few predictions for what will happen in the world of phishing in 2023.
- Phishing attacks will continue to be a preferred method of cyber attack. This is due to one main reason: they work. The continuing failure of organizations to educate their employees and customers about the dangers of clicking links and opening attachments found in unsolicited emails will allow the bad guys to continue their success.
- Election-related phishing scams will increase. 2024 is a presidential election year in the U.S., offering scammers the opportunity to increase their ill-gotten gains by sending scam emails that appear to be from presidential candidates or that are related to the election. When I wrote this, it was 2023, which is usually when candidates begin coming out of the woodwork to get an early jump on making themselves well-known and to begin fundraising.
- Email will be the weakest link in online election security. Peter Goldstein, CTO and co-founder of Valimail, says the majority of states in the U.S. are overlooking email vulnerabilities as they look for ways to thwart interference with elections. Yet, in May 2019 it was learned that Russian hackers had breached two county election systems in the state of Florida by way of a spear phishing campaign.
- Phishing attacks will continue to move beyond email. While email will remain close to scammers’ hearts (if they indeed have a heart), they will increasingly use other attack vectors, such as messaging on social media and gaming platforms, or SMS text messaging. (Via Check Point)
- Mobile malware attacks will continue to increase. There was a 50% increase in mobile banking malware attacks in the first half of 2019 when compared to 2018. As users continue to move to banking on their iPhone or Android device, malware incidents will continue to grow. The bad guys will be looking to steal login credentials, payment-sensitive data, and of course money from victims’ accounts. (Via Check Point)
- Cloud phishing will increase as a primary tactic for Advanced Persistent Threats. Phishing attempts will begin launching in greater numbers through cloud applications in place of emails. Users trust cloud applications due to their use in their workplace, making them more vulnerable to phishing attempts. Cloud app usage on mobile devices continues to grow, making them attractive targets for phishers. (Via Government Technology)
In Closing
As we’ve seen, phishing has been, and will continue to be, a significant cyber threat to businesses and individuals alike. This means individual users need to educate themselves on the risks of phishing email threats, while companies need to increase their safeguards against phishing schemes, which must include employee education as well as hardware and software solutions.
Phishing Threats FAQs
Why Do Phishing Attack Statistics Vary So Much?
Phishing attack statistics can vary depending on who is reporting the statistics, where the statistics are sourced from, and the industry that is making the report.
For example, while some statistics may come from reports by security personnel that would have ready access to exact figures, other statistics may have been collected from interviews with company executives or management, who may not have ready access to exact figures.
How Effective Are Phishing Attacks?
While it can depend on the type of phishing attack, the fact remains that the bad guys do get enough results from such attacks, or they would move on to other ways of illegally gleaning information.
Phishing attacks are effective due to their use of familiar elements to fool users into offering up information or tricking them into clicking links or attachments. Such attacks will continue as long as employees and executives are not trained on how to recognize phishing attempts.
Can You Stop Phishing Emails?
While there are anti-phishing solutions, such as secure email gateways that do a decent job of filtering phishing emails from users’ inboxes, there are always phishing emails that sneak through. As long as scammers continue to come up with ways to make emails look legitimate and play on human weaknesses, phishing emails will continue to inflict damage on companies.
How Do I Stop Apple Phishing Emails?
Apple’s Support Website offers a number of tips for helping to stop Apple phishing emails. These include forwarding any suspected phishing email to Apple, reporting all suspicious emails or spam you receive in your iCloud.com inbox to Apple, and reporting any suspicious messages you might receive through iMessage. Apple’s support page lists the addresses to report these to.
How Can I Protect my Business Against Phishing Attacks?
While a secure email gateway is an excellent way to protect against phishing attacks, there are other measures you can take to lessen the chances of a successful phishing attack against your business.
Educate your employees as to the risks of phishing emails, text messages, and phone calls. Teach them how to recognize phishing and educate them on what to do when they think they’ve been targeted.
Make sure to keep your operating systems and apps updated. Updates fix security holes that hackers use to attack your network and other systems. Also, change passwords on a regular basis. Make sure the passwords you use are secure and unique. Use multi-factor authentication whenever possible.