Phishing statistics and facts for 2019–2020

Phishing attacks use social engineering in emails and messages to persuade people to hand over information such as passwords or financial information, or to get them to perform certain tasks such as downloading malware or completing a wire transfer. Phishing schemes continue to become more sophisticated with targeted (spear phishing) attacks posing a threat to many businesses.

While spam filters catch many phishing emails, newer and more sophisticated ones get through. There is evidence that most people are aware of the existence of phishing attacks. Indeed, many companies provide training and simulations to teach employees how to spot malicious emails and messages.

That said, scammers still have success with this form of cyber attack and its use remains prevalent. Plus, cybercriminals are changing tactics to get around the anti-phishing measures in place.

Here’s a rundown of phishing statistics and facts for 2020:

1. Phishing attacks are at their highest level in three years

According to APWG’s Phishing Activity Trends Report for Q3 2019, phishing attacks rose in prevalence to a level that hasn’t been observed since 2016. In Q4 of 2016, 277,693 attacks were recorded by APWG. In Q3 of 2019, the number was close to that at 266,387.

This is alarming since the organization had reported much lower numbers in previous quarters. The Q2 figure was 46 percent lower at around 182,000, and Q1 saw almost half the number of attacks (around 138,000).

2. The vast majority of phishing attacks involve credential phishing

Cofense’s Phishing Threat and Malware Review 2019 found that almost 74 percent of phishing attacks between October 2018 and March 2019 involved credential phishing—stealing usernames and passwords. These attacks can be difficult to stop as the emails typically show no signs of being malicious. Many originate from hijacked business email accounts, a tactic known as business email compromise or BEC.

Plus, attackers often go a step further and host fake login pages (phishing sites) on Microsoft Azure custom domains. For example, these could end in “windows.net,” making the site seem legitimate and the scam even more difficult to spot.

3. Spear phishing emails are the most popular targeted attack vector

Symantec’s Internet Security Threat Report 2019 shows spear phishing emails are used by almost two-thirds (65 percent) of all known groups carrying out targeted cyber attacks. The report also tells us that 96 percent of targeted attacks are carried out for the purpose of intelligence gathering.

Symantec spear phishing chart.
Source: Symantec

4. Human intelligence is the best defense against phishing attacks

In its report, Cofense reiterates the importance of awareness training in thwarting phishing attempts. It cites an example in which a phishing attack on a major healthcare company was stopped within just 19 minutes. Users reported receiving suspicious emails and the security operations centre was able to take swift action.

5. Phishing attacks are getting more sophisticated

Cofense also sheds light on the types of attacks taking place. Because users trust links to things like SharePoint and OneDrive sites, attackers increasingly use cloud filesharing services as part of their schemes. More than 5,200 SharePoint phishing emails were reported in a 12-month period, as well as close to 2,000 attacks involving OneDrive.

Cofense also found that some unusual attachment types are being used in some phishing campaigns, likely to bypass controls imposed by secure email gateways. For example, Cofense observed .iso files being renamed to .img files to pass malware through a gateway.
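One way a mail-processing hook could handle the renamed-image trick described above is to classify an attachment by its content rather than its extension. This is an added example, not code from Cofense or any gateway product; the function names, verdict strings and sample bytes are constructed, and it checks only the ISO 9660 signature ("CD001" at byte offset 32769), not UDF-only images.

```python
import os

SECTOR = 2048
# ISO 9660 volume descriptors start at sector 16; byte 0 is the type code,
# bytes 1-5 are the standard identifier "CD001".
MAGIC_OFFSET = 16 * SECTOR + 1
ISO_MAGIC = b"CD001"


def is_iso9660(data: bytes) -> bool:
    """True if the buffer carries the ISO 9660 standard identifier."""
    # Slicing a buffer shorter than the offset yields b"", so short or
    # truncated attachments simply fail the comparison.
    return data[MAGIC_OFFSET:MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def classify_attachment(filename: str, data: bytes) -> str:
    """Return a verdict string (hypothetical labels) based on content first."""
    ext = os.path.splitext(filename)[1].lower()
    if is_iso9660(data):
        # Same bytes, different name: the policy for .iso should still apply.
        return "disk-image" if ext == ".iso" else "disk-image-renamed"
    return "not-iso9660"


def make_sample_iso() -> bytes:
    """Constructed sample: 16 empty sectors plus one volume descriptor header."""
    descriptor = b"\x01" + ISO_MAGIC + b"\x01"
    return bytes(16 * SECTOR) + descriptor.ljust(SECTOR, b"\x00")


if __name__ == "__main__":
    iso = make_sample_iso()
    samples = [
        ("invoice.iso", iso),           # constructed: honest extension
        ("invoice.img", iso),           # constructed: renamed ISO
        ("report.pdf", b"%PDF-1.4\n"),  # constructed: unrelated file
    ]
    for name, blob in samples:
        print(f"{name}: {classify_attachment(name, blob)}")
```
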

6. Attackers are using tricks such as Zombie Phish and shortened URLs

A popular trick used by attackers is the Zombie Phish. As explained in the Cofense report, this involves attackers taking over an email account and responding to an old email conversation with a phishing link. The sender and subject are familiar to the recipient, helping to disguise the email as genuine.

Another strategy that’s being seen more in phishing emails is the use of shortened URLs provided by link shortening services such as Bitly. These links are rarely blocked by URL content filters as they don’t reveal the true destination of the link. Plus, users who are vigilant about suspect domain names might be less likely to identify a shortened link as malicious.

7. Webmail and SaaS users continue to be the biggest targets

We mentioned that credential phishing is the most common type of phishing attack, and the APWG report sheds some light on the types of credentials attackers are after. Continuing the trend from previous years, Software as a Service (SaaS) and webmail users account for around one-third of attacks.

APWG phishing industry sectors chart.
Source: APWG

Attackers seek to harvest webmail credentials for use in BEC attacks and SaaS credentials are utilized to access corporate accounts. Customers of payment services (21 percent of attacks) and financial institutions (19 percent of attacks) are also heavily targeted.

8. Smaller organizations see a higher rate of malicious emails

Symantec combines numbers for various types of email threats, including phishing, email malware, and spam, and reports that employees in smaller organizations are more likely to receive those types of threats. For example, for an organization with 1–250 employees, roughly one in 323 emails will be malicious. For an organization of 1001–1500 employees the rate is far lower with one in 823 emails being malicious.

9. Malicious emails are most likely to hit mining companies

Symantec also breaks down malicious email rates by industry. Mining tops the list with one in 258 emails being malicious. This is closely followed by agriculture, forestry, and fishing (one in 302) and public administration (also one in 302). Manufacturing, wholesale trade, and construction follow as the next most heavily targeted industries.

10. People in Saudi Arabia are most likely to receive malicious emails

If you’re wondering about which countries are targeted most, Symantec provides information about that too. Saudi Arabia has the highest rate of malicious emails (one in 118) while the USA has one of the lowest (one in 674).

However, according to Proofpoint’s 2020 State of the Phish, almost two-thirds (65 percent) of US organizations “experienced a successful phishing attack last year.” This was far higher than the global average of 55 percent.

11. Many data breaches stem from phishing attacks

Verizon’s 2019 Data Breach Investigation Report found that phishing is the top threat action variety in data breaches, with almost one-third (32 percent) of data breaches involving phishing.

12. Knowledge of phishing terms varies among generations

Proofpoint provides interesting information about employee awareness of phishing terms. Out of four age groups, baby boomers (aged 55+) were most likely to recognize the terms “phishing” and “ransomware.”

Proofpoint phishing terms charts.
Source: Proofpoint

However, when it came to the terms “smishing” and “vishing,” the older generation was the least likely to know the definitions.

Smishing terms charts.
Source: Proofpoint

13. Sextortion is a common tactic in phishing campaigns

Cofense reveals that phishing schemes based on sextortion scams represent a growing issue. These emails are typically generic, but attackers prey on human emotion by using fear and panic to encourage victims to submit a ransom payment. Scammers usually request payment in bitcoin or another cryptocurrency to help avoid detection.

In the first six months of 2019, Cofense found more than seven million email addresses were impacted by sextortion. In addition, it found that $1.5 million had been sent as bitcoin payments to accounts (bitcoin wallets) known to be associated with sextortion schemes.

There were even reports at the end of 2019 of a sextortion botnet sending up to 30,000 emails an hour.

14. Spear phishing continues to be used to distribute ransomware

The 2019 McAfee Labs Threat Report confirms that spear phishing continues to be a preferred delivery method for ransomware. In particular, GandCrab and Ryuk are primarily distributed using this method.

15. SEGs are far from free of phishing attacks

Many users wrongly believe that using a Secure Email Gateway (SEG) protects them from phishing attacks. Unfortunately, that’s far from the truth. 90 percent of the phishing attacks reported to Cofense are discovered in an environment that uses an SEG.

Cofense cites as the main reason that even the most progressive automated detection can’t keep up with advances in the sophistication of phishing techniques. SEG developers also need to balance protection and productivity. Plus, as with all systems, SEGs are prone to configuration errors.

16. Malicious attachments exploiting CVE-2017-11882 remain common

CVE-2017-11882 is a remote code execution vulnerability that exists in Microsoft Office software. This vulnerability was identified in 2017 and subsequent updates patch the flaw. Despite this, according to Cofense, 45 percent of malicious attachments exploit this vulnerability.

Vulnerabilities like this remain a target for attackers as some companies are slow to update their software. However, as users catch up and patch the CVE-2017-11882 vulnerability, we will likely see associated attacks diminish.

17. Some phishing attack payloads are location-aware

If you think your location doesn’t matter when it comes to cyberattacks, you may be wrong. According to Cofense, the geolocation of a user (as per their IP address) often determines how a payload behaves once delivered. For example, the content could be benign in one country but malicious in another.

18. SSL is no longer an indicator of a safe site

For many years, one of the primary tips for avoiding phishing sites has been to examine URLs carefully and avoid sites that don’t have an SSL certificate. “HTTPS” in the URL (versus “HTTP”) signifies that a site has an SSL certificate and is protected by the HTTPS encryption protocol.

However, this is no longer a good tactic for recognizing dubious sites. As reported by APWG, a whopping 68 percent of phishing sites examined in Q3 of 2019 used SSL. This was significantly higher than the figure in the previous quarter when 54 percent of sites were found to be using SSL.

SSL site chart.
Source: APWG

19. Gift cards are still a popular form of payment in BEC attacks

The APWG also provided insight into how attackers request payment. In BEC attacks, in particular, 56 percent of requests for payment came in the form of gift cards in Q3 2019. That said, this was down from Q2 when gift cards accounted for 65 percent of requests. Other popular forms of payment are payroll diversion (25 percent) and direct transfer (19 percent).

20. A custom phishing page costs $3–12

On the attacker side, phishing schemes are part of a large underground industry. Symantec shows us some facts and figures from the dark web, such as the going rate for a phishing webpage, which is $3–12.

Underground pricing.
Source: Symantec

Phishing projections for 2020 and beyond

Based on phishing statistics from the past year, we can expect to see a couple of key trends as we move through 2020 and beyond:

  • Attacks will increase in sophistication. According to Kaspersky, as companies catch up with patching security flaws, cybercriminals will be more limited in terms of malware delivery methods. However, this doesn’t necessarily mean we’ll see a decline in the prevalence of attacks, but rather that less sophisticated schemes will need to be replaced. Indeed, as discussed above, attackers are finding new and innovative ways to bypass detection and filtering measures.
  • There will be more focus on social engineering. Kaspersky predicts that “the focus on social engineering will increase as other types of attacks become more difficult to carry out.” With some exploit opportunities being closed, attackers may be forced to focus more on the human factor of phishing. Even with improved education and training, people will always represent a weak link in terms of security.

We can’t be certain what the future holds, but we can say with some confidence that phishing will remain a significant threat to both individuals and businesses in the immediate future.