In today’s digital landscape, phishing attacks have become a persistent threat, jeopardizing the security and privacy of individuals and organizations alike. Understanding the scope and impact of these threats is crucial for implementing effective cybersecurity measures and avoiding potentially debilitating costs.
Phishing statistics give a reliable picture of the real threat behind phishing attacks. Because the sources are scattered across the web, we’ve pulled together data on the overall impact of phishing attacks on the global economy.
Phishing Statistics Highlights
- Phishing attacks accounted for 36% of all US data breaches in 2023.
- 1339 brands were targeted by phishing attacks in the fourth quarter of 2023.
- The number of unique phishing sites (attacks) reached 5 million in 2023.
- In 2023, phishing attacks were the second costliest source of compromised credentials.
- Healthcare has remained the number one most costly industry for data breaches for 13 years, while other sectors are experiencing a switch in momentum.
Summary of Types of Phishing Attacks
Phishing scams account for nearly 36% of all data breaches, according to Verizon’s 2023 Data Breach Report.
And according to a Proofpoint study, 71% of all companies experienced a successful phishing attack in 2023.
Here are some of the most common phishing attacks an organization could face:
Phishing Type | Explanation |
Email Phishing | |
Spear Phishing | |
Whaling | |
Pharming | |
Phishing Stats by Targets
According to a report from the FBI’s Internet Crime Complaint Center (IC3), it received 800,944 reports of phishing, with losses exceeding $10.3 billion in 2022.
The 2022 Internet Crime Report from IC3 shows how phishing scams have become significantly more detrimental to individuals and businesses.
Personal Phishing Attacks
Personal phishing attacks target individuals through email, text messaging, or other one-on-one methods of communication. A personal phishing attack, like the Geek Squad scam, often aims to gather sensitive data from an individual to gain access to financial accounts or other data.
According to the IC3 2022 report, individuals aged between 30 and 39 were the most significant reporting group of phishing scams.
Citizens aged 60 and older suffered the most extensive economic loss.
Another study by the Telephone-operated Crime Survey of England and Wales (TCSEW) found that individuals between 25 and 44 were more likely to be targeted in these regions.
According to the UK-based survey, fraudulent delivery companies were the most prominent fake senders of phishing scams to individuals.
Data from the Anti-Phishing Working Group (APWG) also show that the number of unique phishing sites (attacks) reached 5 million in 2023.
This makes 2023 the worst year for phishing on record, eclipsing the 4.7 million attacks seen in 2022.
Company Phishing Attacks
According to a survey by IRONSCALES, email phishing is a key concern for 90% of IT professionals.
In addition, phishing scams have risen in recent years.
A comprehensive analysis from IBM in 2023 revealed that 16% of company data breaches directly resulted from a phishing attack.
In fact, phishing was both the most frequent type of data breach and one of the most expensive.
Furthermore, according to APWG, 1339 brands were targeted by phishing attacks in the fourth quarter of 2023 (Q4 2023).
This is down by 447 compared with Q4 2022, when the number of brands targeted by phishing attacks amounted to 1786.
The most targeted industry sector in Q4 2023 was social media, comprising 42.8% of all phishing attacks.
This is an explosion from 18.9% of all attacks recorded in Q3.
The Cost of Phishing Attacks
Here are a few of the costs of phishing attacks:
- Costs to consumers
- Costs to businesses
- Costs of prevention
- Other hidden costs
Some examples of hidden costs include the cost of a business’s reputation, the loss of consumer trust, or a breach of personal information.
Cost of Phishing to Consumers
The 2022 IC3 FBI Crime report revealed a loss of roughly $52 million from phishing scams.
A Federal Trade Commission (FTC) report revealed fraud reports from 2.6 million consumers in 2023, amounting to more than $10 billion. The most prevalent type of fraud was imposter scams.
According to the same IC3 report, phishing was the most common 2022 crime type, with 300,497 victims.
In comparison, the second most common crime type was a personal data breach, with 58,859 victims.
IBM’s Cost of a Data Breach Report found that 60% of the studied organizations increased their prices due to a breach.
Consumers may be paying a higher price for goods and services because of the risk of phishing attacks.
As we explore in our guide to how hackers steal passwords, phishing is one of the most common methods for password theft.
Cost to Businesses from Phishing Attacks
Businesses face the cost of phishing attacks in two ways: the actual amount lost to phishing attacks and the amount spent trying to prevent them.
The Cost of Recovering from Phishing Attacks Data
A phishing attack costs $4.45 million, on average, for responding organizations. According to the 2023 IBM report, phishing attacks were the second costliest source of compromised credentials.
On average, dealing with the threat of a single phishing email takes 27.5 minutes at a cost of $31.32 per phishing message, as stated in IRONSCALES’s 2022 Business Cost of Phishing Report.
In addition to the monetary loss, businesses that suffer from a successful phishing attack may deal with damage to their reputation, market value, and regulatory fines, as pointed out by the 2022 IRONSCALES report.
The Costs of Preventing Phishing Attacks Data
Phishing attacks are racking up expenses between training, detection, and higher IT staffing.
The 2022 IRONSCALES report found that mid-size companies (with 5 IT professionals) spend $228,630 annually on email-based attacks alone. For enterprise-sized companies with 25+ IT professionals, phishing can cost $1.1 million annually.
Phishing Statistics by Country
The USA, Brazil, and India were the most common victims of phishing through infecting users of Telegram groups, according to data collected from Group-IB.
Phishing Statistics: USA
The 2023 IBM Data Breach Report revealed that the average global cost of a data breach was $4.45 million, while the average data breach cost in the USA was $9.48 million.
Internet scam complaints have decreased from 2021 to 2022, according to the 2022 IC3 Report, while total losses have increased drastically.
In 2021, there were $6.9 billion of total losses reported, compared to $10.3 billion of total losses in 2022.
Phishing scams have also drastically increased, with a 1,139% increase in reported phishing attacks from 2018 to 2022.
Phishing Statistics: UK
An Office of National Statistics (ONS) survey found that over half of UK individuals received a phishing message, and only about 3% clicked on the link.
There has been a 900% increase in “advance fee fraud” compared to pre-pandemic levels.
Advance fee fraud is a type of scam where the individual has to pay a fee prior to receiving some promised monetary gain, which is never given.
As of January 2024, 29 million scams have been reported to the UK National Cyber Security Centre (NCSC).
As a result, 168,000 scams have been removed across 306,400 URLs.
Phishing Statistics: Canada
In 2022, the Canadian Anti-Fraud Centre received a total of 70,878 fraud and cybercrime reports.
Phishing was the most reported type of fraud, followed by extortion and personal information scams.
Victim losses totaled $530 million in 2022, a 40% increase from 2021.
Investment, romance, and spear-phishing scams were the three with the highest levels of victim losses.
Online phishing frauds also made it to the top three types of scams in Canada via an Ipsos poll.
The survey found phishing scams to be the third-most common type of reported scam in the country (8% of reported fraud), following credit and debit card fraud.
Phishing Statistics: Australia
65% of people received a scam request in 2022-2023 in Australia, compared to 55% in 2021, according to the Personal Fraud Survey conducted by the Australian Bureau of Statistics (ABS).
Scams over the phone were the most common type of fraud (48%), and text messaging scams were the second most common (47%) in Australia.
This phishing data differs from other international data that point to email being one of the most common forms of phishing attacks.
In 2023, Australian consumers lost $25.9 million due to scams, with 108,636 reports, according to data from the Australian Competition & Consumer Commission (ACCC).
Phishing Statistics: India
A comprehensive study from Group-IB found India to be the third most targeted country globally and the most targeted country in Asia.
Another study from Microsoft shows that Indian consumers are more likely to be financially impacted by cyber scams compared to global data.
300 million people in India are vulnerable to phishing attacks, of which 500,000 people are deceived by these scams, according to a discussion at the Mobile World Congress in Barcelona and detailed in the India Times.
The same report shows that only about 7% of individuals who get scammed report it to the appropriate authorities.
Phishing Statistics: Brazil
As of 2023, a total of 3,589 potential phishing domains were registered with the intent to impersonate Brazilian organizations, according to a SOCRadar report.
The most targeted industries for phishing in Brazil are:
- Cryptocurrency & NFT
- National Security & International Affairs
- Information Services
- Public Administration
- Banking
The IBM X-Force Threat Intelligence Index 2024 also notes that 68% of all cases X-Force responded to in Latin America were from Brazil.
Phishing Statistics by Industry
According to data from the 2023 IBM Cost of a Data Breach Report, these were the five industries most financially affected by data breaches:
- Healthcare
- Financial
- Pharmaceuticals
- Energy
- Industrial
Healthcare has remained the number one most costly industry for data breaches for 13 years, while other sectors are experiencing a switch in momentum.
For example, technology made 4th position in 2022, but was replaced by energy and industrial in 2023. Furthermore, the pharmaceutical and financial industries reported a slight decrease in costs.
Financial Sector Phishing Data
In 2023, the average cost of a data breach in the financial sector was $5.9 million, according to IBM.
This makes it the sector suffering the second-highest cost of a data breach, only outranked by the healthcare sector.
Carbanak Phishing Campaigns, 2015
The Carbanak phishing campaign was first detected in 2015 and proved to be one of the largest heists of global financial institutions in history.
The group targeted over 100 banks and institutions worldwide, using advanced spear-phishing emails and malware.
According to the 2015 Visa Security Threat Statement, it is estimated that up to $1 billion was lost in total, between $2.5 million and $10 million per bank targeted.
Healthcare Sector Phishing Data
In 2023, the average cost of a data breach in the healthcare sector was $10.9 million, according to IBM.
This makes it the sector suffering the highest cost of a data breach. It has maintained this ranking for 13 years.
In a survey conducted by the Healthcare Information and Management Systems Society (HIMSS), the majority (59%) of respondents said that general email phishing was the initial point of compromise of their organization’s most significant security incident.
The types of phishing reported in the survey and their prevalence were:
- General email phishing – 59%
- Spear-phishing – 31%
- SMS phishing – 29%
- Phishing website – 21%
- Social media phishing – 17%
- Whaling – 13%
- Voice phishing/vishing – 12%
WannaCry Ransomware Attack, 2017
The WannaCry ransomware attack began in May 2017. An article published in The Journal of Law & Cyber Warfare explains that the ransomware attack occurred in over 150 countries. It exposed some inadequacies in the UK’s National Health Service (NHS) when over 40 hospitals were hit simultaneously.
The attack began with a phishing email to hospital staff and employees. Once successful, the attackers could access and gain complete control of valuable data and functions. The perpetrators withheld access to this essential data and functionality until a ransom was paid.
While the WannaCry attack did not result in a significant economic loss for the hospitals, it showcased the weak points in the sector.
Moreover, it illustrated how a phishing email could quickly escalate to something more.
University Of Vermont Medical Center Phishing Attack, 2020
The University of Vermont Medical Center was hit by an extensive phishing attack in 2020. The attack began with a phishing email sent to UVM employees.
Even though UVM did not pay the hackers any ransom, the incident cost around $50 million.
According to reports from the Healthcare Compliance Association (HCCA), the phishing attack caused the UVM system to go down for 28 days, and employees were forced to clear 1,300 servers of malware.
Manufacturing Sector Phishing Data
According to the IBM Cost of a Data Breach report, the industrial sector experienced $4.73 million in losses in 2023.
In fact, manufacturing was once again the top-attacked industry in 2023 for the third year in a row, according to the IBM X-Force Threat Intelligence Report.
It represented 25.7% of incidents within the top 10 attack industries.
ThyssenKrupp Cyber Espionage, 2016
In 2016, ThyssenKrupp experienced a significant cyberattack that began with spear-phishing emails containing malicious attachments, sent to specific company figures. Once the attachments were opened, the hackers had access to sensitive information and secret designs.
According to several reports, top-secret designs were uncovered, and project data was stolen from several divisions. There was no direct theft of company funds in this phishing attack, but it is an example of how phishing can lead to indirect financial loss.
Social Media Companies Phishing Data
According to the Phishing Activity Trends Report from APWG, phishing attacks against social media platforms comprised 42.8% of all phishing attacks in Q4 2023 – nearly half.
According to a 2022 Check Point press release, LinkedIn is the most impersonated brand in phishing attacks.
According to the same Check Point data, the top impersonated brands are as follows:
Brand Name | Percentage of Impersonation |
LinkedIn | 45% |
Microsoft | 13% |
DHL | 12% |
Amazon | 9% |
Apple | 3% |
Adidas | 2% |
 | 1% |
Netflix | 1% |
Adobe | 1% |
HSBC | 1% |
LinkedIn Spear Phishing Scam, 2012
According to reports, 117 million records were stolen from LinkedIn and sold on the dark web in 2012.
While this began as a data breach, it provided the perfect window for phishing attacks.
Facebook And Google Phishing Attack, 2017
Facebook and Google fell victim to the same phishing attack in 2017, losing a combined $100 million to a Lithuanian hacker.
According to The United States Attorney’s Office, the hacker posed as an Asian manufacturer used by Facebook and Google. He sent a successful phishing email with a fake invoice requesting money to be wired to the hacker.
Government Services Phishing Data
Some popular government agencies that are frequently impersonated, according to the FTC, include:
- Social Security Administration
- The IRS
- Medicare
Government service phishing scams can more readily develop and respond based on the current climate or societal trends.
For example, several phishing scams appeared during the COVID-19 pandemic related to stimulus checks or government relief.
The Office Of Personnel Management (OPM) Data Breach, 2015
The OPM Data Breach began several years prior to 2015. Hackers started to get a small foothold within the system and eventually gave themselves access to critical information.
According to many reports, there is no clear evidence of how the 2015 OPM Data Breach began. However, it did trigger a wave of phishing attacks.
According to the U.S. Office of Personnel Management, sensitive information for 21.5 million individuals was released in the data breach.
COVID-19 Relief Phishing Scams, 2020
Phishing attacks increased by 220% during the COVID-19 relief era.
Phishing attacks surfaced when people received information about government assistance during the pandemic.
The Inky Stimulus Phishing Report notes that most were emails that impersonated government officials, encouraging targets to enter personal information to “receive a stimulus check.”
References
- Explore our security report archive. (Verizon)
- 2024 State of the Phish (Proofpoint)
- Internet Crime Complaint Center Releases 2022 Statistics (FBI)
- Phishing Activity Trends Reports (APWG)
- IRONSCALES Releases Findings from State of Cybersecurity Survey (IRONSCALES)
- Cost of a Data Breach Report 2023 (IBM)
- Phishing attacks – who is most at risk? (ONS)
- Cybersecurity 2022: Attackers will target remote teams’ weak spots (Samsung)
- The Impact of the New Normal on Workplace Privacy: A Study of Business & IT and IT Security Managers (Ponemon Institute)
- As Nationwide Fraud Losses Top $10 Billion in 2023, FTC Steps Up Efforts to Protect the Public (FTC)
- The Business Cost of Phishing (IRONSCALES)
- The large, less obvious costs of phishing attacks on organisations – report (SecurityBrief NZ)
- Professional stealers: opportunistic scammers targeting users of Steam, Roblox, and Amazon in 111 countries (Group-IB)
- Almost a quarter of all spam emails were sent from Russia in 2021 (ItPro)
- Cyber security breaches survey 2023 (Gov.UK)
- Phishing: Spot and report scam emails, texts, websites and calls (NCSC)
- Fraud Prevention Month 2023: Fraud losses in Canada reach another historic level (Canadian Anti-Fraud Centre)
- Fraud is too Common in Canada: Nearly Half (43%) of Canadians Have Knowingly Been Victimized by Fraud or Scams, in their Lifetime (Ipsos)
- 13.2 million Australians exposed to scams (ABS)
- Scam statistics (ACCC)
- Scam statistics (ScamWatch)
- Global Tech Support Scam Research: India (Microsoft)
- Around 5 lakh people potentially fall victim to phishing scams in India: report (India Times)
- Brazil Threat Landscape Report 2023 (SOCRadar)
- IBM X-Force Threat Intelligence Index 2024 (IBM)
- Nordea loses $1.1 million to online fraud (NS Banking)
- Carbanak (Anunak) Advanced Persistent Threat (VISA)
- A Cost Analysis of Healthcare Sector Data Breaches Health Sector Cybersecurity Coordination Center (HC3) (HHS)
- 2023 HIMSS Healthcare Cybersecurity Survey (HIMSS)
- The Ransomware Assault on the Healthcare Sector (JSTOR)
- Hacked, Shut Down, But Still Seeing Patients: U. of Vermont Medical Center Shares Strategies (JDSupra)
- Whaling Case Study: Mattel’s $3 Million Phishing Adventure (InfoSec)
- Hackers steal Thyssenkrupp secrets (DW)
- Scam Of The Week: LinkedIn Email Change Your Password (KnowBe4)
- Lithuanian Man Arrested For Theft Of Over $100 Million In Fraudulent Email Compromise Scheme Against Multinational Internet Companies (United States Attorney’s Office)
- Cybersecurity Incidents (OPM)
- Phishing Attacks Soar 220% During COVID-19 Peak as Cybercriminal Opportunism Intensifies (F5)
- Pandemic Phish Are Attacking Without Conscience (Inky)