The State of Phishing in the US_ Report and Statistics 2020

In recent years, phishing attacks have fast become the favored method for criminals to steal data from unsuspecting victims. These attacks have risen by almost 815 percent in just two years, with as many as 74 percent of US organizations experiencing a successful phishing attack in 2020.

Last year, cybercriminals were quick to put the sudden switch to working and learning from home to good use. They hit consumers, organizations, and educators where and when they were at their most vulnerable to ensure 2020 was a record-breaking year for phishing attacks.

What happened in 2020?

  • Phishing scams made up 30 percent of all internet crimes in 2020 with 241,342 reported–over double the amount reported in 2019 (114,702) and almost 10 times the amount reported in 2018 (26,379) (IC3)
  • $54,241,075 was lost to phishing scams in 2020–a 7 percent decrease from 2019 ($57.8m) but a 12 percent increase from 2018 ($48.2m) (IC3)
  • The average victim loss was down over 55 percent from 2019, with $225 lost per victim (IC3)
  • 19,369 organizations were subject to Business Email Compromise (BEC)/Email Account Compromise (EAC) scams–an 18.5 percent decrease on 2019’s figure (23,775) (IC3)
  • $1,866,642,107 was lost to these BEC/EAC scams in 2020–a 5 percent increase on 2019’s figure ($1.78bn) (IC3)
  • The average loss to BEC/EACs was up nearly 29 percent, with organizations losing $96,373 on average (IC3)
  • 74 percent of US organizations experienced a successful phishing attack last year, 30 percent higher than the global average and a 14 percent year-on-year increase (Proofpoint)
  • 35 percent of US organizations dealt with immediate financial loss as a result of these attacks, nearly twice the global average (Proofpoint)
  • 44 percent of all data breaches (382 of 878) against US organizations were caused by phishing/smishing/BEC attacks in 2020 (ITRC)

This report looks at the state of phishing scams over the last year, analyzing top trends, the most standout attacks of the year, and industry insights into what needs to be done to prevent these types of attacks in the future.

What trends did we see in 2020?

  • The Identity Theft Resource Center suggests that hackers predominantly prefer phishing (and ransomware) attacks because they “require less effort, are largely automated, and generate payouts that are much higher than taking over the accounts of individuals.” Hence why 44 percent of the data breaches logged by the ITRC were caused by phishing/smishing/BEC attacks.
  • This is reflected in the continued growth in the number of general phishing attacks (excluding BEC/EAC scams) reported to the IC3. However, as we have seen, the amount generated in 2020 did dip. This suggests that while scammers are perhaps scaling up the volume of their attacks (which is increasing the number of successful attacks), consumers are becoming savvier to their tactics which is resulting in a decrease in amounts lost. Essentially, scammers are having to generate a far larger volume of phishing attacks to make profits that are anywhere near previous amounts.
  • These trends are flipped on their head when it comes to BEC/EAC complaints, as they seem to be even more profitable. In particular, the IC3 noted an increase in the number of BEC/EAC complaints related to the use of identity theft and funds being converted to cryptocurrency. Here it saw an initial victim being scammed through a different type of fraud, e.g. a romance, tech support, or extortion scam, before providing the scammer with some kind of ID. This was then used to create a bank account to transfer stolen BEC/EAC funds to a cryptocurrency account.
  • Mobile phishing increased by nearly 328 percent (across the whole of North America) in Q3 of 2020. (Proofpoint)
  • During the traditional holiday shopping season of the first 10 days of November, there was an 80 percent increase (globally) in phishing campaigns for sales and shopping offers. (Checkpoint)
  • In the build-up to the presidential election, election-associated text messages with links to websites doubled. At their peak, nearly half of these messages contained links to phishing/scam/attack-associated websites. (Symantec)

What was the cost?

The IC3’s Annual Crime Report states that phishing attacks cost victims just over $54,241,075 in 2020, down by over $3 million from $57,836,379 in 2019 (not including BEC/EAC scams which we look at separately shortly).

The average victim loss in 2020 was $225, down by over 55 percent on 2019’s figures ($504) and almost 88 percent less than 2018’s figures ($1,829). This highlights that while phishing attacks are growing at an exponential rate, the money made from them is falling quite dramatically.

In 2020, phishing attacks made up 30 percent of all the cybercrimes reported to the IC3 but just over 1 percent of the overall losses. In 2019, phishing attacks accounted for almost 25 percent of the reported crimes and 1.7 percent of victim losses. And in 2018, phishing attacks accounted for little over 7 percent of the reported crimes but 1.8 percent of victim losses.

Why the huge increase in attacks but significant decrease in losses?

As Notified suggests, phishing scams are a “get rich quick” crime for many criminals. At the click of a button, thousands of phishing emails can be sent. However, the awareness surrounding phishing attacks is growing. Verizon’s Data Breach Investigations Report found that while phishing remains fruitful for attacks, median click rates are at an all-time low (3%). But Verizon’s report also enables us to highlight exactly where cybercriminals are “getting rich quick”–BEC/EAC scams.

Verizon’s report found that BECs are the second most common type of social attacks and are continuing to “take off.” According to its data, of the 58 percent of BECs that were successful in stealing money, the median loss was $30,000 with 95 percent of BECs resulting in losses of $250 to $984,855.

We can see this reflected in the figures from IC3, too. BEC/EAC scams account for just over 2 percent of all cases reported to the IC3 (19,369 of 791,790) but are responsible for around 45 percent of the total reported losses ($1.87bn of $4.2bn).

“[The] wide-net approach, in which the same phishing email is sent to multiple people, was the most common […] But that doesn’t mean spear phishing, whaling and business email compromise (BEC) should be regarded as “lesser” threats than bulk campaigns. These types of attacks reach fewer people, but their level of focus and sophistication make them more difficult for users to spot and for technical tools to block. Attackers are adept at researching and targeting specific roles and people, which means spear phishing, whaling and BEC should remain firmly on everyone’s radar.” – Proofpoint

The elderly are also a key target for scammers as the IC3 found that the over 60s tend to lose more to phishing attacks. 7,353 over 60s were the victims of phishing attacks in 2020, which amounted to $18,829,999 in losses. This means phishing attacks for the over 60’s saw an average loss of $2,561–168 percent more than the average ($225).

As our annual report, The United States of Elder Fraud, has found, the elderly are subject to an exponential amount of financial abuse each year with our estimates putting total losses at around $148bn. Often seen as “easy targets” and with median net worths stretching into the hundreds of thousands, targeted phishing campaigns toward the over 60s are seen as fruitful.

How much of all of the above losses were recovered?

Of the 791,790 cases reported to the IC3 in 2020, the Recovery Asset Team (RAT) assisted in 1,303 cases (a mere 0.16 percent of cases). When involved, though, the RAT enjoyed an 82 percent success rate, freezing over $380m of the $463m lost in these specific cases. Nevertheless, the recovered amount still only accounts for around 9 percent of the total reported losses to the IC3 ($4.2 billion).

How did it happen?

Phishing attacks come in a wide variety of different types, with the 241,342 reports received by the IC3 including phishing, smishing (text-phishing), vishing (voice phishing) and pharming (website redirecting) and a further 19,369 include BEC/EACs. While the IC3 doesn’t provide any further breakdown by type of phishing attack, we can see trends elsewhere.

According to the victims that submitted state-specific data about phishing scams to the IC3:

  • Delaware saw the highest average cost per victim with average losses of $12,497. This is 193 percent more than the average loss of $225.
  • Tennessee and Ohio saw the second-highest average losses with $7,708 and $7,569 respectively.
  • Maine saw the lowest average losses with just $112 lost per victim–67 percent below the average loss.

It’s no surprise that California was the state with the highest number of complaints (3,302) and, therefore, the highest amount lost to phishing scams ($8,864,419). However, with 1,225 victims, Wisconsin had the highest rate of phishing scams with 21.04 victims per 100,000 of the population. It was closely followed by Alaska with 19.82 victims per 100,000 of the population (145 victims in total). At the other end of the scale was Puerto Rico with 2.25 victims per 100,000 of the population (72 victims in total).

According to the victims that submitted state-specific data about BEC/EAC scams to the IC3:

  • Missouri saw the highest average cost per victim with average losses of $378,387. This is 119 percent more than the average loss of $96,373.
  • Ohio again saw the second-highest average losses along with Mississippi with $267,482 and $225,768 respectively.
  • Montana saw the lowest average losses with $20,371 lost per victim–130 percent below the average loss.

Although California had the highest number of complaints again (2,924), it had the second-highest victim loss with just over $219 million lost in total. This resulted in a below-average loss of just under $75,000 per incident. New York had the highest victim loss overall with its 1,300 victims losing over $268 million, making the average loss here $206,418–73 percent above average.

With 143 victims, the District of Columbia had the highest rate of BEC scams with 20.26 victims per 100,000 of the population. This was nearly double second-place Alaska’s rate of 10.25 victims per 100,000 of the population (75 victims in total). Puerto Rico remains the state with the lowest rate of victims with just 1.32 per 100,000 of the population (42 victims in total).

For more in-depth stats on scam figures by state, see our report Online scams rose 25 percent in the US during the pandemic.

What the above figures have shown us is that BEC scams had a huge impact on US businesses in 2020. But how did organizations fare against other types of phishing scams?

Proofpoint’s survey of US organizations found that, in 2020:

  • 75 percent of businesses experienced a successful phishing attack, compared to the global average of 57 percent
  • Of these businesses (multiple options could be selected):
    • 58 percent lost data (global average = 60%)
    • 55 percent suffered credential/account compromise (global average = 52%)
    • 55 percent were infected with ransomware (global average = 47%)
    • 31 percent had other malware infections (global average = 29%)
    • 35 percent suffered financial loss/wire transfer fraud (global average = 18%)

This not only shows us that US businesses are far more likely to suffer phishing attacks than other countries but that they are way above average when it comes to the rate at which businesses lose money to these types of attacks.

Proofpoint’s survey also covered specific types of phishing attacks and the number carried out on each organization. What the below table demonstrates is that US organizations are subject to higher volumes of these attacks than the average global business. For example, 39 percent of global businesses were not attacked by smishing scams, but 21 percent of US organizations were attacked with 26 to 50 each.

How does this transfer across each industry?

According to KnowBe4’s Phishing by Industry Benchmarking Report, the most at-risk small industries (1 to 249 employees) are healthcare (34% at risk), education (32.9% at risk), and not-for-profit (31.2% at risk). Hospitality (42.3%), energy and utilities (35.7%), and healthcare and pharmaceuticals (35.6%) are the most at-risk medium-sized companies (250 to 999 employees). And energy and utilities (52.4%), insurance (51.6%), and banking (47.5%) are the most at-risk large industries (1,000+ employees).

The vulnerability of healthcare organizations, particularly during the pandemic, is highlighted in the Healthcare Information and Management Systems Society’s (HIMSS) annual survey, which found that 57 percent of healthcare organizations had suffered a security incident as the result of a phishing attack in 2020. This was by far the most common type of attack (in second place were credential harvesting attacks at 21%). Email phishing remained the most common point of compromise (89% of cases) with spear-phishing being the most effective type.

Source: HIMSS

Emails are usually the easiest and cheapest way for criminals to create phishing attacks. A report by Bolster, which analyzed Q2 and Q3 of 2020, found that 45 percent of phishing attacks globally use free Gmail accounts to collect user and compromised data. Proofpoint also found that link-based phishing dominates compared to attachment-based phishing, with a rise in the number of attackers using legitimate services such as Constant Contact, Google Drive, Office 365, and SendGrid in socially engineered attacks. This builds trust among the victims while circumnavigating potential blocklists.

Furthermore, Bolster found that the US hosts the vast majority (37%) of phishing and scam websites, way above second-place Russia with 5 percent and third-place Germany with 2.9 percent.

The key events used by scammers

COVID-19 scams

Within less than a month of the pandemic being declared, COVID-19-specific phishing scams started to unfold. In April 2020, the World Health Organization (WHO) alerted the general public to phishing scams that were impersonating the organization, requesting funds to help fight the pandemic. During the same month, Google reported that its systems had detected 18 million coronavirus-related malware and phishing Gmail messages per day as well as over 240 million daily spam messages about COVID-19.

Later on, in August 2020, the Small Business Administration (SBA) issued a cyber warning as it was being impersonated by scammers who were targeting those looking for federal financial aid in response to the pandemic.

Holiday shopping scams

According to Adobe Analytics, US consumers spent a whopping $21.7 billion online in the first 10 days of the holiday shopping season–a 21 percent increase year on year. And, as we have already noted, phishing scams were in full force during this time.

Proofpoint found that phishing campaigns for sales and special offers jumped by 80 percent in the first two weeks of November.

But it was one other event in particular that cybercriminals latched onto…

The presidential election

As stated in our recent robocall report, around 434 million robocalls and 14 billion political texts were made/sent in the lead up to the election. And over 2 in 5 Americans believed they’d received a call or text which contained false or misleading information. This is reflected in our aforementioned statistic from Symantec which found that almost 1 in 2 text messages about the election contained suspicious links.

Proofpoint also found more than 10,000 illegitimate election-related domains were registered. These often involved typosquatting techniques or added different words to a candidate’s name, such as “donaldtrumpangels[.]com”, “joebiden[.]club”, “donaldtrumped[.]tv”. These websites could serve as a credential phishing portal, linked to through an email.

Why did it happen?

As much of the world moved online in March 2020, this gave criminals the perfect in-road for phishing scams. From employees working from home and increases in video calls to online shopping and a surge in the use of emails and texts, scammers were able to take advantage of this growth in online activities. Using the chaos and confusion of the pandemic to worm their way in, scams were hidden in a jumble of fake news and false information.

Ultimately, by impersonating the likes of the WHO, by exploiting vulnerabilities such as businesses in desperate need of financial help, and by weaving their way in amid other influxes of information, scammers cleverly adapted their phishing campaigns to suit. Plus, phishing emails, like all scams, usually try to instill a sense of urgency in victims. This creates a certain amount of pressure to act, which, when teamed with all of the other chaos and confusion, could lead to more people handing over private or financial information in a panic.

Aren’t they easy to spot, though?

No–not always.

Verizon analyzed 150 phishing templates and found that the click rates varied significantly.

Phishing Template Analysis - Verizon
Source: Verizon

As the above figure demonstrates, the click rate can vary from almost none to over half of all respondents clicking on it. Verizon also adds that real phishing scams could be even more compelling than a simulation.

Thankfully, there are several studies in which we can see how aware people (employees in particular) are about phishing.

For example, Proofpoint’s survey found that 63 percent of employees know what the term “phishing” is. However, US workers were the least likely to know (just 52 percent correctly described phishing–but this was an improvement from 49 percent in 2019).

Proofpoint’s survey also finds that older generations are more likely to know what phishing is:

Proofpoint phishing terms charts.
Source: Proofpoint

But when it comes to other more specific types of phishing, e.g. “smishing” and “vishing,” older generations were less likely to know.

Smishing terms charts.
Source: Proofpoint

What does this suggest?

That amid the mass spam phishing emails are many cleverly crafted, targeted phishing campaigns that are incredibly successful. Yes, the over 55s may be more aware of what phishing is, but as we have already noted, they are often a more “fruitful” candidate for scammers. Therefore, scammers may feel they can invest more time into the finite details of these scams as the payout is far greater.

It is also important to note here that the “over 60s” age group accounts for a large chunk of people. All of the other age brackets cover just nine years each, while the over 60s covers more than 40 years. So even though over 55s in the workplace may be savvier when it comes to what phishing is, many of those over 60 (especially those in the over 70/80/90 brackets) may be unaware of what phishing is or may be less able to spot a sophisticated phishing email.

In the Psychology of Human Error report by Tessian, it was found that just 8 percent of people aged 51 and above felt they had clicked on a phishing email at work (compared to 19 percent of 18 to 30-year-olds, 32 percent of 31 to 40-year-olds, and 29 percent of 41 to 50-year-olds). Stanford University Professor, Jeff Hancock, suggests that while “The older generation has, in many ways, the potential tools and mindsets needed for detecting phishing attacks” they may also be more reluctant to admit that they’ve made a mistake in fear of “losing face.”

Another hugely important factor in the success of phishing campaigns throughout 2020 is the fact that many employees were working from home.

The Tessian report mentioned above noted that 45 percent of people clicked on a phishing email because they were distracted. Add to this that 57 percent of employees said that they are more distracted when working from home and it’s not hard to see why the WFH trend could have aided the BEC scam success in particular.

Those in education were particularly vulnerable, too. According to Keith Krueger, CEO of the ed-tech advocacy group the Consortium for School Networking (CoSN), 3 percent of teachers click on phishing scams in a school environment. But this rose to 15 to 20 percent from home.

Not only were employees perhaps more distracted, under increased pressure, and lacking the right protections to mitigate phishing attacks (a Malwarebytes study found 65 percent of organizations didn’t deploy antivirus solutions on work-issued devices and 61 percent didn’t ask employees to install these solutions on personal devices) but employees were being exposed to new technologies, systems, and protocols without adequate training.

As Zoom’s user figures surged from 10 million at the end of 2019 to 200 million at the start of the pandemic, Checkpoint noted a sudden increase in Zoom-related domains being registered. 25 percent of 1,700 registered at the start of the year were registered in the week after the pandemic was announced with 4 percent of these found to contain suspicious characteristics. Google Classroom (classroom.google.com) was also imitated with the likes of googloclassroom\.com and googieclassroom\.com.

Therefore, with 90 percent of US organizations requesting or requiring users to work from home in 2020 and just 29 percent of these having trained their employees in the best practices for home working (Proofpoint), companies, in particular, were left incredibly vulnerable to phishing scams.

What needs to be done?

There is no silver bullet when it comes to protecting both consumers and organizations from phishing scams. But if 2020 taught us anything about cybersecurity, it’s that training for all situations and being able to adapt to ever-changing threats is key. This includes:

  • Providing regular cybersecurity training for all employees: Our research above highlights how lack of training and/or knowledge can provide easy access for cybercriminals. But, due to how quickly cybercriminals can adapt their scams, one-off training sessions aren’t likely the answer. Rather, as KnowBe4’s research highlights, ongoing cybersecurity training can dramatically reduce phishing attacks. Without any training from the platform, 31.4 percent of employees were likely to fall victim to a phishing scam. After one training session, this decreased to 16.4 percent but after ongoing training for a year, it reduced even further to 4.8 percent.
  • Using behavioral science to mimic “real-life” attacks: Masha Arbisman, the Behavioral Engineering Manager for the Paranoids (the information security team at Verizon Media) believes “the simulations and training offered by most security education teams do not mimic real-life situations, do not parallel the behaviors that lead to breaches, and are not measured against real attacks the organization receives. This is why it is important to progress from the traditional security awareness model to that of using behavioral science to change the habits that lead to attack path-breaking actions.” She goes on to say they have used the Huang and Pearlson model (which suggests that cyber-secure behaviors are driven by the attitudes, beliefs, and values of an organization) in combination with behavioral science techniques. She says, “Over two years, the approach tripled adoption of a password manager and decreased the overall phishing susceptibility of employees by half.”
  • Introducing phishing-specific legislation: As of April 2021, only 23 states had laws that were specifically aimed at phishing schemes. While all other states may cover phishing within computer crime, identity theft, and data protection laws, for example, having phishing-specific legislation will help mitigate attacks by providing further clarity for law enforcement and ensuring greater enforcement on offenders.
  • Educating consumers: At a basic level, consumers should be encouraged to take simple measures, whether that’s by social media companies, e-commerce sites, or financial institutions. Users should be encouraged to install anti-virus and anti-spam software, to be kept up to date with the latest phishing schemes, be warned not to click on any links within emails, texts, or posts without first checking their validity, be asked to create a unique password with each account, and advised never to hand over sensitive information online, via social media, or through email unless they are 100% comfortable it’s a trusted person/account.
  • Implementing multi-factor authentication: To prevent phishers from accessing personal information, the legitimate identity of the user can be verified using two- or multi-factor authentication. As opposed to single-factor authentication which uses only a username/email address and password, two-factor authentication requires an additional layer of information, e.g. a one-time password (OTP) sent to the user’s phone. Multi-factor adds another layer of security. However, while these do add a timely element to the authentication process and are far more secure than single-factor authentication, they aren’t without their vulnerabilities, too. Man-in-the-middle attacks, SIM swapping, technical support scams, fake 2FA pages or pop-ups, and scareware are all examples of how scammers have adapted to these extra layers of protection.

As with most types of cybercrimes, a multi-layered approach is necessary. As we have seen, human error and lack of education are at the heart of many of these scams, which is why education on a consumer level and organizational level is essential. Unfortunately, this still won’t remove the threat, which is why users, technology providers, governments, law enforcement agencies, and organizations need to enlist the help of anti-phishing techniques, tools, legislation, and vigilance wherever possible.

Insights and observations

  • Subdomains are often used to trick victims into clicking on links. For example, a cybercriminal might register “scam.com” and then use subdomains to obscure it, e.g. paypal.com.scam.com. This is particularly effective against mobile users because the address bar on smartphones is much smaller, thus hiding the full URL.
  • HTTPS is no longer a reliable means to determine whether a site is safe or not. In fact, more than half of phishing sites use HTTPS.
  • Phishing is often the first step of infiltrating a larger system. It could be used to steal credentials, for example, that give the attacker access to the victim’s system. From there they can steal data, install ransomware, or impersonate the victim by hijacking accounts.
  • We should all assume that all of our email addresses are publicly available and anyone, including scammers, can target them.
  • Before sending any new emails out, crooks test their messages with SpamAssassin or a similar tool on a separate system. SpamAssassin provides a “Score” – a subjective assessment of the probability that a specific email is spam. This score is an opportunity to make edits before sending actual emails to ensure they don’t get caught in spam filters.

Phishing attacks by sector

Healthcare

As noted previously, 57 percent of healthcare cybersecurity professionals reported that their organization had been attacked by phishing during 2020.

Two of these phishing attacks were on a mass scale. Almost 1.3 million patients had personal information compromised through the hacked business email accounts of MEDNAX Services, Inc. And, through what was described as a “sophisticated social engineering phishing attack” on Magellan Health, over 1 million people had their records affected.

Others included:

  • Mercy Iowa City Hospital – An unauthorized person gained access to an employee’s email account from May 15, 2020, to June 24, 2020. The phishing email compromise led to the exposure of personal information of 60,473 individuals. The information compromised included name, DOB, SSN, driver’s license number, medical treatment information, and medical insurance information. The hospital believes that none of this has been misused to commit fraud or identity theft.
  • Five Rivers Health Centers, Ohio155,748 patients were notified that their personal health information was breached after a two-month-long email compromise last year stemming from a phishing attack. Personal and health data may have been exposed as well as some patients’ financial account numbers, payment information, Social Security numbers, state ID numbers, and driver’s licenses.

Education

The K-12 Cybersecurity Resource Center found that just 2 percent of all cyber incidents captured on its incident map in 2020 were due to phishing alone, suggesting many of these were dealt with by the schools’ IT systems/personnel and without the need for public reporting. However, it does go on to suggest that four separate spear phishing incidents in school districts occurred in this timeframe. The amount lost during these 4 attacks ranged from $206,000 to a massive $9.8 million. In the former case, the school board’s banking information was entered into a malicious website. The latter was in Wayne County School District, detailed below.

  • Wayne County School District – Scammers gained access to the school district’s investment advisor’s email system before monitoring it to learn what transactions had been recommended by the advisor and had been approved by the district. Then, on four separate occasions, the scammers sent emails from the account to First State Bank, instructing for millions to be transferred to the fraudsters’ accounts. While the FBI managed to recover nearly $3.5 million before it was distributed into a fraudulent account, losses still amounted to just over $6.3 million.
  • Louisiana State University – LSU was one of 20 universities and colleges discovered to have been targeted by a phishing campaign from July 2020 to October 2020. According to RiskIQ, the LSU-themed student portal login page was the first target it identified as having been targeted by domain shadowing, a technique known to be used by a group nicknamed the “Silent Librarian” due to its focus on university library resources. This enables hackers to steal institutional data which they can use to gain access to financial assets. RiskIQ also suggested that the timing of the attack was in line with the start of the fall semester, which can be the busiest time for IT staff.

Government

A government threat report by Lookout found that 70 percent of phishing attacks against government organizations sought to steal login credentials, which was an increase of 67 percent from 2019. Moreover, the report also found that 1 in 30 federal government workers were exposed to phishing threats in 2020.

Lookout’s report also noted that attackers frequently turned to mobile spear-phishing campaigns in a bid to steal login details and download malicious payloads onto their devices. Using social engineering, scammers encourage users to visit a phishing page or to tap a link that secretly downloads the malware.

One such case occurred at Durham County’s City Hall where employees clicked on phishing emails in June 2020. This, in turn, infected the system with Ryuk ransomware, leading to 100 servers needing to be rebuilt and 1,000 computers re-imaged.

Conclusion

If one thing’s clear from the above, it’s that scammers are always going to adapt to ensure the success of their campaigns. And they will continue to utilize our vulnerabilities to their advantage. Throughout 2020, phishing scammers learned what works and data for 2021 suggests they’re heading for an even more successful year this year.

The ITRC’s latest report suggests that data breaches were up 38 percent in Q2 of 2021 with 491 compromises. The data breaches that have occurred in the first half of 2021 (846) have already made up for 76 percent of breaches in 2020. The increase is being attributed to the surge in phishing, ransomware, and supply chain attacks. In Q2 alone 130 phishing/smishing/BEC scams were reported, accounting for over 26 percent of all the data breaches recorded during this period.

COVID-19-related phishing scams haven’t gone anywhere, either, and have instead been adapted to meet the ongoing vaccine rollouts and to target business owners looking for financial help from the Small Business Administration Office of Disaster Assistance. This also coincides with the ITRC’s report that there has been an eight-time increase in job scams over the last six months.

Whatever the rest of this year may bring in terms of the pandemic, cybercriminals will, as they always do, remain one step ahead. That’s why it’s vital users, organizations, and government entities remain vigilant, invest time in training, and pay extra attention to messages requesting any personal information or to perform any further actions, e.g. clicking on a link or downloading a file.

Researcher: Charlotte Bond

Sources –

Bolster – https://bolster.ai/assets/files/reports/bolster-phishing-scam-report-Q2Q3-2020.pdf

Checkpoint – https://blog.checkpoint.com/2020/11/17/phishing-emails-double-in-november-in-run-up-to-black-friday-and-cyber-monday/

HIMSS Cyber Security Survey – https://www.himss.org/sites/hde/files/media/file/2020/11/16/2020_himss_cybersecurity_survey_final.pdf

IC3 – https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf and https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3ElderFraudReport.pdf

ITRC – https://notified.idtheftcenter.org/s/

Lookout – https://www.lookout.com/info/government-threat-report-lp?utm_source=BL&utm_medium=BL&utm_campaign=WW-MU-MU-MU-MU-P_NON-GovtReport2020

Malwarebytes – https://www.malwarebytes.com/resources/files/2020/08/malwarebytes_enduringfromhome_report_final.pdf

Proofpoint State of Phish Report – https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-state-of-the-phish-2021.pdf

Symantec – https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sms-phishing-presidential-election

Tessian – https://www.tessian.com/blog/phishing-statistics-2020/#the-most-targeted-industries and https://www.tessian.com/research/the-psychology-of-human-error/

Verizon – https://enterprise.verizon.com/resources/reports/2021-data-breach-investigations-report.pdf