In today’s digital landscape, phishing attacks have become a persistent threat, jeopardizing the security and privacy of individuals and organizations alike. Understanding the scope and impact of these threats is crucial for implementing effective cybersecurity measures or avoiding potentially debilitating costs.
Phishing statistics give a reliable picture of the real threat behind phishing attacks. With sources scattered across the web, we’ve pulled together data on the overall impact of phishing attacks on the global economy.
Phishing scams account for nearly 36% of all data breaches, according to Verizon’s 2023 Data Breach Report.
And according to a Proofpoint study, 71% of all companies experienced a successful phishing attack in 2023.
Here are some of the most common phishing attacks an organization could face:
Phishing Type | Explanation |
Email Phishing | The most prominent form of phishing. The attacker sends a deceptive email that appears to be from a legitimate source. The emails often demand sensitive information, such as login credentials, social security numbers, or financial details. |
Spear Phishing | A more targeted form of attack. The attacker does prior research on an individual to create personalized messages. This can increase the likelihood of success, as the sender appears more credible and informed. |
Whaling | Targets high-profile individuals, such as senior managers or executives. The attacker tailors correspondence to people working below their target, often encouraging the subject to transfer funds or give up other important information. This allows the attacker further access to the system. |
Pharming | Involves redirecting users to fraudulent websites that mirror the actual website. The attacker aims to get the user to enter personal information into the mirror website to gain further access. |
According to a report from the FBI’s Internet Crime Complaint Center (IC3), it received 800,944 reports of phishing, with losses exceeding $10.3 billion in 2022.
The 2022 Internet Crime Report from IC3 shows how phishing scams have become significantly more detrimental to individuals and businesses.
Personal phishing attacks target individuals through email, text messaging, or other one-on-one methods of communication. A personal phishing attack often aims to gather sensitive data from an individual to gain access to financial accounts or other data.
According to the IC3 2022 report, individuals aged 30 to 39 were the most significant group reporting phishing scams.
Citizens aged 60 and older suffered the most extensive economic loss.
Another study by the Telephone-operated Crime Survey of England and Wales (TCSEW) found that individuals between 25 and 44 were more likely to be targeted in these regions.
According to the UK-based survey, fraudulent delivery companies were the most prominent fake senders of phishing scams to individuals.
Data from the Anti-Phishing Working Group (APWG) also show that the number of unique phishing sites (attacks) reached 5 million in 2023.
This makes 2023 the worst year for phishing on record, eclipsing the 4.7 million attacks seen in 2022.
According to a survey by IRONSCALES, email phishing is a key concern for 90% of IT professionals.
In addition, phishing scams have risen in recent years.
A comprehensive analysis from IBM in 2023 revealed that 16% of company data breaches directly resulted from a phishing attack.
In fact, phishing was both the most frequent type of data breach and one of the most expensive.
Furthermore, according to APWG, 1339 brands were targeted by phishing attacks in the fourth quarter of 2023 (Q4 2023).
This is down by 447 compared with Q4 2022, when the number of brands targeted by phishing attacks amounted to 1786.
The most targeted industry sector in Q4 2023 was social media, comprising 42.8% of all phishing attacks.
This is an explosion from 18.9% of all attacks recorded in Q3.
Here are a few of the costs of phishing attacks:
Some examples of hidden costs include the cost of a business’s reputation, the loss of consumer trust, or a breach of personal information.
The 2022 IC3 FBI Crime report revealed a loss of roughly $52 million from phishing scams.
A Federal Trade Commission (FTC) report revealed fraud reports from 2.6 million consumers in 2023, amounting to more than $10 billion. The most prevalent type of fraud was imposters.
According to the same IC3 report, phishing was the most common 2022 crime type, with 300,497 victims.
For comparison, the second most common crime type was a personal data breach, with 58,859 victims.
IBM’s Cost of a Data Breach Report found that 60% of the studied organizations increased their prices due to a breach.
Consumers may be paying a higher price for goods and services because of the risk of phishing attacks.
Businesses face the cost of phishing attacks in two ways: the actual amount lost to phishing attacks and the amount spent trying to prevent phishing attacks.
A phishing attack costs $4.45 million, on average, for responding organizations. According to the 2023 IBM report, phishing attacks were the second costliest source of compromised credentials.
On average, dealing with the threat of a single phishing email takes 27.5 minutes at a cost of $31.32 per phishing message, as stated in IRONSCALES’s 2022 Business Cost of Phishing Report.
In addition to the monetary loss, businesses that suffer from a successful phishing attack may deal with damage to their reputation, market value, and regulatory fines, as pointed out by the 2022 IRONSCALES report.
Phishing attacks are racking up expenses across training, detection, and higher IT staffing.
The 2022 IRONSCALES report found that mid-size companies (with 5 IT professionals) spend $228,630 annually on email-based attacks alone. For enterprise-sized companies with 25+ IT professionals, phishing can cost $1.1 million annually.
The USA, Brazil, and India were the most common victims of phishing through infecting users of Telegram groups, according to data collected by Group-IB.
The 2023 IBM Data Breach Report revealed that the average global cost of a data breach was $4.45 million, while the average data breach cost in the USA was $9.48 million.
Internet scam complaints have decreased from 2021 to 2022, according to the 2022 IC3 Report, while total losses have increased drastically.
In 2021, there were $6.9 billion of total losses reported, compared to $10.3 billion of total losses in 2022.
Phishing scams have also drastically increased, with a 1,139% increase in reported phishing attacks from 2018 to 2022.
An Office for National Statistics (ONS) survey found that over half of UK individuals received a phishing message, and only about 3% clicked on the link.
There has been a 900% increase in “advance fee fraud” compared to pre-pandemic levels.
Advance fee fraud is a type of scam where the individual has to pay a fee prior to receiving some promised monetary gain, which is never given.
As of January 2024, 29 million scams have been reported to the UK National Cyber Security Centre (NCSC).
As a result, 168,000 scams have been removed across 306,400 URLs.
In 2022, the Canadian Anti-Fraud Centre received a total of 70,878 fraud and cybercrime reports.
Phishing was the most reported type of fraud, followed by extortion and personal information scams.
Victim losses totaled $530 million in 2022, a 40% increase from 2021.
Investment, romance, and spear-phishing scams were the three with the highest levels of victim losses.
Online phishing frauds also made it into the top three types of scams in Canada, according to an Ipsos poll.
The survey found phishing scams to be the third-most common type of reported scam in the country (8% of reported fraud), following credit and debit card fraud.
65% of people received a scam request in 2022-2023 in Australia, compared to 55% in 2021, according to the Personal Fraud Survey conducted by the Australian Bureau of Statistics (ABS).
Scams over the phone were the most common type of fraud (48%), and text messaging scams were the second most common (47%) in Australia.
This phishing data differs from other international data that point to email being one of the most common forms of phishing attacks.
In 2023, Australian consumers lost $25.9 million due to scams, with 108,636 reports, according to data from the Australian Competition & Consumer Commission (ACCC).
A comprehensive study from Group-IB found India to be the third most targeted country globally and the most targeted country in Asia.
Another study from Microsoft shows that Indian consumers are more likely to be financially impacted by cyber scams compared to global data.
300 million people in India are vulnerable to phishing attacks, of whom 500,000 people are deceived by these scams, according to a discussion at the Mobile World Congress in Barcelona and detailed in the India Times.
The same report shows that only about 7% of individuals who get scammed report it to the appropriate authorities.
As of 2023, a total of 3,589 potential phishing domains were registered with the intent to impersonate Brazilian organizations, according to a SOCRadar report.
The top-most targeted industries for phishing in Brazil are:
The IBM X-Force Threat Intelligence Index 2024 also notes that 68% of all cases X-Force responded to in Latin America were from Brazil.
According to data from the 2023 IBM Cost of a Data Breach Report, these were the five industries most financially affected by data breaches:
Healthcare has remained the number one most costly industry for data breaches for 13 years, while other sectors are experiencing a switch in momentum.
For example, technology held 4th position in 2022, but was replaced by energy and industrial in 2023. Furthermore, the pharmaceutical and financial industries reported a slight decrease in costs.
In 2023, the average cost of a data breach in the financial sector was $5.9 million, according to IBM.
This makes it the sector suffering the second-highest cost of a data breach, only outranked by the healthcare sector.
The Carbanak phishing campaign was first detected in 2015 and proved to be one of the largest heists of global financial institutions in history.
The group targeted over 100 banks and institutions worldwide, using advanced spear-phishing emails and malware.
According to the 2015 Visa Security Threat Statement, it is estimated that up to $1 billion was lost in total, or between $2.5 million and $10 million per bank targeted.
In 2023, the average cost of a data breach in the healthcare sector was $10.9 million, according to IBM.
This makes it the sector suffering the highest cost of a data breach. It has maintained this ranking for 13 years.
In a survey conducted by the Healthcare Information and Management Systems Society (HIMSS), the majority (59%) of respondents said that general email phishing was the initial point of compromise of their organization’s most significant security incident.
The types of phishing reported in the survey and their prevalence were:
The WannaCry ransomware attack began in May 2017. An article published in The Journal of Law & Cyber Warfare explains that the ransomware attack occurred in over 150 countries. It exposed some inadequacies in the UK’s National Health Service (NHS) when over 40 hospitals were hit simultaneously.
The attack began with a phishing email to hospital staff and employees. Once successful, the scam could access and gain complete control of valuable data and functions. The perpetrators withheld access to this essential data and functionality until a ransom was paid.
While the WannaCry attack did not result in a significant economic loss for the hospitals, it showcased the weak points in the sector.
Moreover, it illustrated how a phishing email could quickly escalate to something more.
The University of Vermont Medical Center was hit by an extensive phishing attack in 2020. The attack began with a phishing email sent to UVM employees.
Even though UVM did not pay the hackers any ransom, the incident cost around $50 million.
According to reports from the Healthcare Compliance Association (HCCA), the phishing attack caused the UVM system to go down for 28 days, and employees were forced to clear 1,300 servers of malware.
According to the IBM Cost of a Data Breach report, the industrial sector experienced $4.73 million in losses in 2023.
In fact, manufacturing was the top-attacked industry in 2023 for the third year in a row, according to the IBM X-Force Threat Intelligence Report.
It represented 25.7% of incidents within the top 10 attacked industries.
In 2016, ThyssenKrupp experienced a significant cyberattack that began with spear-phishing emails containing malicious attachments sent to specific company figures. Once the attachments were opened, the hackers had access to sensitive information and secret designs.
According to several reports, top-secret designs were uncovered, and project data was stolen from several divisions. There was no direct theft of company funds in this phishing attack, but it is an example of how phishing can lead to indirect financial loss.
According to the Phishing Activity Trends Report from APWG, phishing attacks against social media platforms comprised 42.8% of all phishing attacks in Q4 2023 – nearly half.
According to a 2022 Check Point press release, LinkedIn is the most impersonated brand in phishing attacks.
According to the same Check Point data, the top impersonated brands are as follows:
Brand Name | Percentage of Impersonation |
LinkedIn | 45% |
Microsoft | 13% |
DHL | 12% |
Amazon | 9% |
Apple | 3% |
Adidas | 2% |
 | 1% |
Netflix | 1% |
Adobe | 1% |
HSBC | 1% |
According to reports, 117 million records were stolen from LinkedIn and sold on the dark web in 2012.
While this began as a data breach, it provided the perfect window for phishing attacks.
Facebook and Google fell victim to the same phishing attack in 2017, losing a combined $100 million to a Lithuanian hacker.
According to The United States Attorney’s Office, the hacker posed as an Asian manufacturer used by Facebook and Google. He sent a successful phishing email with a fake invoice requesting money to be wired to the hacker.
Some popular government agencies that are frequently impersonated, according to the FTC, include:
Government service phishing scams can more readily develop and respond based on the current climate or societal trends.
For example, several phishing scams appeared during the COVID-19 pandemic related to stimulus checks or government relief.
The OPM Data Breach began several years prior to 2015. Hackers started to get a small foothold within the system and eventually gave themselves access to critical information.
According to many reports, there is no clear evidence of how the 2015 OPM Data Breach began. However, it did trigger a wave of phishing attacks.
According to the U.S. Office of Personnel Management, sensitive information for 21.5 million individuals was released in the data breach.
Phishing attacks increased by 220% during the COVID-19 relief era.
Phishing attacks surfaced when people received information about government assistance during the pandemic.
The Inky Stimulus Phishing Report notes that most were emails that impersonated government officials, encouraging targets to enter personal information to “receive a stimulus check.”
Source: www.techopedia.com