In today’s digital landscape, phishing attacks have become a persistent threat, jeopardizing the security and privacy of individuals and organizations alike. Understanding the scope and impact of these threats is crucial for implementing effective cybersecurity measures or avoiding potentially debilitating costs.
Phishing statistics can serve as a reliable visual of the real threat behind phishing attacks. With disparate sources online, we’ve pulled together data about the overall impact of phishing attacks through the examination of phishing data on the global economy.
Phishing Statistics Highlights
- Phishing attacks account for 36% of all US data breaches.
- 83% of all companies experience a phishing attack each year.
- There was a 345% increase in unique phishing sites between 2020 and 2021.
- There were 300,497 phishing attacks reported to the FBI in 2022.
- Each phishing attack costs corporations $4.91 million, on average.
Summary of Types of Phishing Attacks
Phishing scams account for nearly 36% of all data breaches, according to Verizon’s 2022 Data Breach Report. And according to a Proofpoint study, 83% of all companies experienced a phishing attack in 2021.
Here are some of the most common phishing attacks an organization could face:
| Phishing Type | Explanation |
| Email Phishing |
|
| Spear Phishing |
|
| Whaling |
|
| Pharming |
|
Phishing Stats by Targets
According to a report from the FBI’s Internet Crime Complaint Center (IC3), it received 800,944 reports of phishing, with losses exceeding $10.3 billion in 2022. The 2022 Internet Crime Report from IC3 shows how phishing scams have become significantly more detrimental to individuals and businesses.
Personal Phishing Attacks
Personal phishing attacks target individuals through email, text messaging, or other one-on-one methods of communication. A personal phishing attack often aims to gather sensitive data from an individual to gain access to financial accounts or other data.
According to the IC3 2022 report, individuals aged between 30-39 were the most significant reporting group of phishing scams. Citizens 60 and older suffered the most extensive economic loss.
Another study by the Telephone-operated Crime Survey of England and Wales (TCSEW) found that individuals between 25 and 44 were more likely to be targeted in these regions.
According to the UK-based survey, fraudulent delivery companies were the most prominent fake senders of phishing scams to individuals.
Data from the Anti-Phishing Working Group (AWPG) published on Statista, the number of unique phishing sites detected worldwide from the third quarter of 2021 to the third quarter of 2022 saw a jump from 1.097 million to 1.270 million.
There was an approximate 345% increase in unique phishing sites at the start of the COVID-19 pandemic – the most significant increase in the phishing data available.
Company Phishing Attacks
According to a survey by Ironscales, email phishing is a key concern for 90% of IT professionals. In addition, phishing scams have risen in recent years.
A comprehensive analysis from IBM in 2022 revealed that 16% of company data breaches directly resulted from a phishing attack. And the number of brands and legitimate entities targeted by phishing attacks is rising.
In July 2022, 621 brands worldwide were targeted by phishing attacks. This is compared to 522 brands in the proceeding year.
Almost all institutions are on the watch for phishing attacks, especially as more reports show increased phishing attacks on remote workers.
According to Verizon’s 2021 Data Breach Investigation Report (DBIR), web apps most often used by remote workers were responsible for 90% of the data breaches. Another study from Ponemon Institute in 2021 showed that IT professionals believe it is easier to protect company information when staff are working in the office.
According to figures from APWG pulled from data in Q3 of 2022, financial institutions were the most targeted online industry by phishing attacks.
The Cost of Phishing Attacks
Here are a few of the costs of phishing attacks:
- Costs to consumers
- Costs to businesses
- Costs of prevention
- Other hidden costs
Some examples of hidden costs include the cost of a business’s reputation, the loss of consumer trust, or a breach of personal information.
Cost of Phishing to Consumers
The 2022 IC3 FBI Crime report revealed a loss of roughly $52 million from phishing scams. And the 2022 FTC report revealed fraud reports from 2.4 million consumers in 2022, with the most commonly reported scam being imposter scams.
According to the same IC3 report, phishing was the most common 2022 crime type, with 300,497 victims. For comparison, the second most common crime type was a personal data breach, with 58,859 victims.
IBM’s Cost of a Data Breach Report found that 60% of the studied organizations increased their prices due to a breach. Consumers may be paying a higher price for goods and services because of the risk of phishing attacks.
Cost to Businesses from Phishing Attacks
According to an analysis from Proofpoint in 2022, 83% of organizations faced a successful email-based phishing attempt in the calendar year.
Businesses face the cost of phishing attacks in two ways; the actual amount lost to phishing attacks and the amount spent trying to prevent phishing attacks.
The Cost of Recovering from Phishing Attacks Data
In the Proofpoint study, it found that 80% of respondents stated that their organization received at least one successful phishing attack in 2021. The study surveyed over 3,500 working adults across the globe and simulated nearly 100 million phishing attacks.
A phishing attack costs $4.91 million, on average, for responding organizations. According to the 2022 IBM report, phishing attacks were the second costliest source of comprised credentials. Additionally, this report found that breach costs increased by nearly 13% over the last two years.
Each phishing email takes 27.5 minutes at the expense of $31.32 per phishing message, as stated in The 2022 Business Cost Of Phishing Report.
In addition to the monetary loss, businesses that suffer from a successful phishing attack may deal with damage to their reputation, market value, and regulatory fines, as pointed out by the 2022 Ironscales report.
The Costs of Preventing Phishing Attacks Data
One study from Ponemon Institute and Proofpoint showed training in security awareness reduced phishing costs by 50%, on average.
Phishing attacks are racking up expenses between training, detection, and higher IT staffing. The 2022 Ironscales Report found that mid-size companies (with 5 IT professionals) spend $228,630 annually on email-based attacks alone. For enterprise-sized companies with 25+ IT professionals, phishing can cost $1.1 million annually.
Phishing Statistics by Country
The USA, Brazil, and India are the most common victims of phishing through infecting users of Telegram groups, according to data collected from Group-1B.
A 2022 Kaspersky report analyzed over 150 million malicious emails and found the source of many phishing attacks were as follows:
- Russia (24.77%)
- Germany (14.12%)
- USA (10.46%)
- China (8.73%)
- Netherlands (4.75%)
The report found a total of 10 countries responsible for most phishing attacks.
Phishing Statistics: USA
The 2022 IBM Data Breach Report revealed that the average global cost of a data breach was $4.35 million, while the average data breach cost in the USA was $9.44 million.
Internet scam complaints have decreased from 2021 to 2022, according to the 2022 IC3 Report, while total losses have increased drastically. In 2021, there were $6.9 billion of total losses reported, compared to $10.3 billion of total losses in 2022.
Phishing scams have also drastically increased, with a 1,139% increase in reported phishing attacks from 2018 to 2022.
In addition, the Federal Trade Commission (FTC) 2022 crime report revealed an increase in text messaging scams between 2021 and 2022.
Phishing Statistics: UK
An Office of National Statistics (ONS) survey found that over half of UK individuals received a phishing message, and only about 3% clicked on the link.
There has been a 900% increase in “advance fee fraud” compared to pre-pandemic levels. “Advance fee fraud” is a type of scam where the individual has to pay a fee prior to receiving some promised monetary gain, which is never given.
The newest 2023 report from National Cyber Strategy shows how organizations and charity reports of phishing attacks are declining this year, and the number of businesses impacted has been declining.
As of May 2023, 20 million scams have been reported to the UK National Cyber Security Centre (NCSC). The report also states that 129,000 scams have been removed across 235,000 URLs.
Phishing Statistics: Canada
Spear phishing scams are the third most common type of scam in Canada, according to a 2023 article from The Royal Canadian Mounted Police (RCMP) addressing drastic increases in fraud and cybercrime reports. According to their statement, accounts totaled $530 million in victim losses in 2022, a 40% increase from 2021.
In 2022, the Canadian Anti-Fraud Centre received a total of 70,878 fraud and cybercrime reports. Investment, romance, and spear-phishing scams were the three with the highest levels of victim losses.
Online phishing frauds also made it in the top three types of scams in Canada, according to an Ipsos survey. The survey found phishing scams to be the third most common type of reported scam at 8%, only behind credit card fraud and debit card fraud.
Phishing Statistics: Australia
65% of people received a scam request in 2022-2023 in Australia, compared to 55% in 2021, according to the Personal Fraud Survey.
Scams over the phone were the most common type of fraud (48%) and text messaging scams were the second most common (47%) in Australia. This phishing data differs from other international data that point to email being one of the most common forms of phishing attacks.
Australian consumers have lost $11.5 million lost in Australia due to scams through April 2023, with 37,809 reports, according to data from the Australian Competition & Consumer Commission (ACCC). The report also states that 2.9% of reports have resulted in a financial loss.
Phishing Statistics: India
A comprehensive study from Group-IB, found India to be the third most targeted country globally and the most targeted country in Asia.
Another study from Microsoft shows that Indian consumers are more likely to be financially impacted by cyber scams compared to global data.
300 million people in India are vulnerable to phishing attacks, of which 500,000 people are deceived by these scams, according to a discussion at the Mobile World Congress in Barcelona and detailed in the India Times.
The same report shows that only about 7% of individuals who get scammed report it to the appropriate authorities.
Phishing Statistics: Brazil
In 2019, the number of phishing attacks in Brazil increased by 232%, according to data from APWG. The IBM X-Force Threat Intelligence Index 2023 supports the rise in phishing attacks in Brazil. According to the most recent report, 67% of all cases X-Force responded to in Latin America were from Brazil.
12.39% of internet users were targeted in Brazil, compared to Ecuador in second place with 10.73% of users being targeted by phishing scams. Brazil is the most-targeted country of Latin American and Caribbean countries, says a report from Statista in 2021.
Additionally, Brazil reported over 500,000 blocked phishing emails, according to a DMARC study. This places Brazil up there alongside Thailand, the USA, Germany, and China with the most blocked phishing emails.
Phishing Statistics by Industry
According to data from the 2022 IBM Cost of a Data Breach Report, these are the five most financially-affected industries by data breaches:
- Healthcare
- Financial
- Pharmaceuticals
- Technology
- Energy
Healthcare has remained the number one most costly industry for data breaches for 11 years. While other sectors are experiencing a switch in momentum. For example, the financial industry lost more money in 2020 than in 2021.
Financial Sector Phishing Data
In 2022, the average cost of a data breach in the financial sector was $6 million. Companies in the financial sector were targeted the most, with 41% of all phishing attacks. In addition, the financial sector suffered the second-highest cost of a data breach, only outranked by the healthcare sector.
Swedish Bank Nordea Phishing Scam, 2007
Sweden’s Bank Nordea fell victim to a large-scale phishing scam in 2007, resulting in a loss of about $1.1 million.
Trojan software collected about 250 customers’ login credentials and siphoned funds from the affected accounts. According to the bank, they reimbursed all customers for their losses, totaling roughly $1.1 million.
Carbanak Phishing Campaigns, 2015
The Carbanak phishing campaign was first detected in 2015 and proved to be one of the largest heists of global financial institutions in history. The group targeted over 100 banks and institutions worldwide, using advanced spear-phishing emails and malware.
According to the 2015 Visa Security Threat Statement, it is estimated that up to $1 billion was lost in total, between $2.5 million and $10 million per bank targeted.
Healthcare Sector Phishing Data
A 2019 study by the British Medical Journal found that around 3% of all emails received by a healthcare-related email contained a security threat, such as phishing.
The Health Sector Cybersecurity Coordination Center (HC3) released a warning in December 2020 about the increase in COVID-19-related phishing attacks.
Phishing attacks accounted for 45% of data breaches in 2020, found a survey from Healthcare Information and Management Systems Society. The types of phishing reported in the survey and their prevalence were:
- General email phishing – 71%
- Spear-phishing – 67%
- Voice phishing/vishing – 27%
- Whaling – 27%
- Business email compromise – 23%
- SMS phishing – 21%
- Phishing websites – 20%
- Social media phishing – 16%
The Cost Of A Data Breach Report by IBM revealed the average cost rose to $10.10 million in 2022. According to this report, the healthcare sector has had the highest data breach cost for twelve consecutive years.
WannaCry Ransomware Attack, 2017
The WannaCry ransomware attack began in May 2017, an article published in The Journal of Law & Cyber Warfare explains that the ransomware attack occurred in over 150 countries It exposed some inadequacies in UK’s National Health Service (NHS) when over 40 hospitals were hit simultaneously.
The attack began with a phishing email to hospital staff and employees. Once successful, the scam could access and gain complete control of valuable data and functions. The perpetrators withheld access to this essential data and functionality until a ransom was paid.
While the WannaCry attack did not result in a significant economic loss for the hospitals, it showcased the weak points in the sector. Moreover, it illustrated how a phishing email could quickly escalate to something more.
University Of Vermont Medical Center Phishing Attack, 2020
The University of Vermont Medical Center got hit by an extensive phishing attack in 2020. The attack began with a phishing email sent to UVM employees.
Even though UVM did not pay the hackers any ransom, the incident cost around $50 million. According to reports from the Healthcare Compliance Association (HCCA), the phishing attack caused the UVM system to go down for 28 days, and employees were forced to clear 1,300 servers of malware.
Manufacturing Sector Phishing Data
According to the IBM Cost of a Data Breach report, the industrial sector experienced $4.47 million in losses in 2022.
In 2018, it was reported that malware was present in 1 in 384 emails sent to employees in the manufacturing sector. Further, 1 in every 41 employees in the sector reported having received a phishing email.
There was a 52% increase in ransomware attacks against manufacturing businesses between 2021 and 2022. Phishing, and specifically spear-phishing, is noted as an easy and common attack vector by Sophos.
ThyssenKrupp Cyber Espionage, 2016
In 2016, ThyssenKrupp experienced a significant cyberattack that began with spear-phishing emails that contained malicious attachments sent to specific company figures. Once opened, the hackers had access to sensitive information and secret designs.
According to several reports, top-secret designs were uncovered, and project data was stolen from several divisions. There was no direct theft of company funds in this phishing attack, but it is an example of how phishing can lead to indirect financial loss.
According to the Phishing Activity Trends Report from APWG, the biggest risk of social media phishing is the impersonation of corporate executives.
11% of phishing attacks in Q1 2022 involved social media companies.
According to a 2022 Check Point Press Release, LinkedIn is the most impersonated brand of phishing attacks.
According to the same Check Point data, the top impersonated brands are as follows:
| Brand Name | Percentage of Impersonation |
| 45% | |
| Microsoft | 13% |
| DHL | 12% |
| Amazon | 9% |
| Apple | 3% |
| Adidas | 2% |
| 1% | |
| Netflix | 1% |
| Adobe | 1% |
| HSBC | 1% |
LinkedIn Spear Phishing Scam, 2012
According to reports, 117 million records were stolen from LinkedIn and sold on the dark web in 2012.
While this began as a data breach, it provided the perfect window for phishing attacks.
Facebook And Google Phishing Attack, 2017
Facebook and Google fell victim to the same phishing attack in 2017, losing a combined $100 million to a Lithuanian hacker. According to The United States Attorney’s Office, the hacker posed as an Asian manufacturer used by Facebook and Google. He sent a successful phishing email with a fake invoice requesting money is wired to the hacker.
Government Services Phishing Data
Some popular government agencies that are frequently impersonated, according to the FTC, include:
- Social Security Administration
- The IRS
- Medicare
Government service phishing scams can more readily develop and respond based on the current climate or societal trends. For example, several phishing scams appeared during the COVID-19 pandemic related to stimulus checks or government relief.
The Office Of Personnel Management (OPM) Data Breach, 2015
The OPM Data Breach began several years prior to 2015. Hackers started to get a small foothold within the system and eventually gave themselves access to critical information.
According to many reports, there is no clear evidence of how the 2015 OPM Data Breach began. However, it did trigger a wave of phishing attacks.
According to the U.S. Office of Personnel Management, sensitive information for 21.5 million individuals was released in the data breach.
COVID-19 Relief Phishing Scams, 2020
Phishing attacks increased by 220% during the COVID-19 relief era.
Phishing attacks surfaced when people received information about government assistance during the pandemic. In the Inky Stimulus Phishing Report it notes that most were emails that impersonated government officials, encouraging targets to enter personal information to “receive a stimulus check.”
