Phishing statistics and facts for 2019–2023

Phishing attacks use social engineering in emails and messages to persuade people to hand over information such as passwords or financial information, or to get them to perform certain tasks such as downloading malware or completing a wire transfer. Phishing schemes continue to become more sophisticated with targeted attacks (spear phishing) posing a threat to many businesses.

While spam filters catch many phishing emails, newer and more sophisticated ones get through. There is evidence that most people are aware of the existence of phishing attacks. Indeed, many companies provide training and simulations to teach employees how to spot malicious emails and messages.

That said, scammers still have success with this form of cyber attack and its use remains prevalent. Plus, cybercriminals are changing tactics to get around the anti-phishing measures in place.

Here’s a rundown of phishing statistics and facts for 2023:

1. Phishing attacks are still extremely common

According to APWG’s Phishing Activity Trends Report for Q4 2022 phishing attacks hit an all-time high last year. In total, there were more than 4.7 million attacks in 2022, with 1.35 million in Q4 alone. This represents consistent growth of 150 percent per year since 2019.

Additionally, October 2022 saw more than 100,000 unique email subject lines — the largest number that APWG has ever recorded. This shows that hackers are more likely than ever to tailor their approach rather than using the same template for every victim.

2. Loaders are the most popular attack avenue

Cofense’s Q1 2023 Intelligence Trends Review found that loaders remained the most common tool for phishing. Keyloggers and information stealers took second and third place, which is interesting considering that in 2019, almost 74 percent of phishing attacks involved credential phishing (stealing usernames and passwords).

These attacks can be difficult to stop as the emails typically show no signs of being malicious. Many originate from hijacked business email accounts, a tactic known as business email compromise or BEC. Plus, attackers often go a step further and host fake login pages (phishing sites) on Microsoft Azure custom domains. For example, these could end in “windows.net,” making the site seem legitimate and the scam even more difficult to spot.

3. Spear phishing emails are the most popular targeted attack vector

According to Slashnext’s 2022 State of Phishing Report, around 76 percent of all phishing attempts were targeted. Unfortunately, this shows that little has changed on this front in the last few years since Symantec’s Internet Security Threat Report 2019 found spear-phishing emails to be used by almost two-thirds (65 percent) of all known groups carrying out targeted cyber attacks. The report also tells us that 96 percent of targeted attacks are carried out for the purpose of intelligence gathering.

4. Human intelligence is the best defense against phishing attacks

Stanford University’s The Psychology of Human Error report found that 88 percent of all data breaches are a result of human error. The World Economic Forum agrees, going as far to attribute error to 95 percent of all cybersecurity issues to this.

In its 2019 report, Cofense reiterates the importance of awareness training in thwarting phishing attempts. It cites an example in which a phishing attack on a major healthcare company was stopped within just 19 minutes. Users reported receiving suspicious emails and the security operations center was able to take swift action.

5. Phishing attacks are getting more sophisticated

Attackers often use trusted domains to trick people into believing their links are safe. Cofense shows that Amazon AWS, Sharepoint, and Google remained the three most common domains, but YouTube made a surprise appearance in Q1 2023 as well thanks to a backend flaw that allowed bad actors to redirect victims to their own sites via YouTube links.

Cofense also confirmed Symantec’s findings regarding attackers’ ability to quickly capitalize on current events. They corroborated that in 2020, there was an influx of COVID-19 related phishing, often claiming to provide financial assistance for impacted citizens.

6. ChatGPT is a huge advantage for scammers

Zscaler’s ThreatLabs 2023 Phishing Report found that AI tools like ChatGPT could create fake login pages with minimal coding expertise or input from the user. It further suggests that this service could be used to create polymorphic malware or other malicious code.

The flipside of this is that we can also use AI-powered tools to detect phishing links. There’s still some way to go on this, though: Securelist found that ChatGPT-3 could detect phishing links 87.2 percent of the time, but it had a 23.2 percent false-positive rate, which makes it effectively useless without further improvement.

7. There are many different types of target

Although credential phishing is no longer the most popular tactic, it remains far more common than we’d like. The APWG report sheds some light on the types of credentials attackers are after.

There’s been a marked change lately. Previously, financial industries were the number one target for attackers. They’re still a popular choice, but as we’re seeing, scammers are increasingly choosing more unusual targets. Unfortunately, AWPG doesn’t say what was included in its “Other category”, but if we assume it’s any platform not covered by the other headings, this could include:

• Streaming services
• Online gaming accounts
• Subscription platforms like Patreon, Onlyfans, etc
• Reward program accounts
• GitHub accounts

8. Smaller organizations see a higher rate of malicious emails

Symantec combines numbers for various types of email threats, including phishing, email malware, and spam, and reports that employees in smaller organizations are more likely to receive those types of threats. For example, for an organization with 1–250 employees, roughly one in 323 emails will be malicious. For an organization of 1001–1500 employees, the rate is far lower with one in 823 emails being malicious.

9. Malicious emails are most likely to hit mining companies

Symantec also breaks down malicious email rates by industry. Mining tops the list with one in 258 emails being malicious. This is closely followed by agriculture, forestry, and fishing (one in 302) and public administration (also one in 302). Manufacturing, wholesale trade, and construction follow as the next most heavily targeted industries.

10. The UK is the biggest target in Europe

According to Proofpoint’s 2022 State of the Phish, 96 percent of British companies were targeted by phishing last year. Spain was in second place, at 94 percent. Conversely, France and Italy had far lower rates, at 85 percent and 79 percent, respectively.

11. Many data breaches stem from phishing attacks

Verizon’s 2021 Data Breach Investigation Report found that phishing is one of the top threat action varieties in data breaches, with 30 percent of data breaches involving phishing. In its 2022 report, this trend continued, with phishing occuring in around 40 percent of all social engineering incidents.

12. Knowledge of phishing terms varies among generations

Proofpoint notes that while awareness of terms like “malware” and “ransomware” are increasing year over year, they’re still fairly poorly understood. Only around a third of respondents could actually define what these words meant.

13. Sextortion is a common tactic in phishing campaigns

Phishing schemes based on sextortion scams represent a growing issue. These emails are typically generic, but attackers prey on human emotion by using fear and panic to encourage victims to submit a ransom payment. Scammers usually request payment in bitcoin or another cryptocurrency to help avoid detection.

The Internet Crime Complaint Center (IC3) 2021 report revealed that there were over 18,000 reports of sextortion that year, with total losses amounting to more than $13.5 million.

14. Popular apps continue to be used to distribute malware

The Q2 2021 Trellix Report found that use of Powershell and Microsoft Office as a malware-delivery method declined significantly following its huge growth in Q4 of 2020. Instead, attackers now rely on public facing apps to deliver their payloads for them. .

In its October 2021 report, Trellix reports that of all the cloud threats it analyzes, spam showed the highest increase of reported incidents – up by 250% from Q1 to Q2 of 2021. The report also found that spear phishing remains the most prevalent technique used to establish initial access in compromised systems.

15. SEGs are far from free of phishing attacks

Many users wrongly believe that using a Secure Email Gateway (SEG) protects them from phishing attacks. Unfortunately, that’s far from the truth. 90 percent of the phishing attacks reported to Cofense are discovered in an environment that uses an SEG.

Cofense cites the main reason being that even the most progressive automated detection can’t keep up with advances in the sophistication of phishing techniques. SEG developers also need to balance protection and productivity. Plus, as with all systems, SEGs are prone to configuration errors.

In its 2023 report, Cofense reveals that .pdf or .html extensions are the most common filename extensions on attachments that reach users in SEG-protected environments. These account for around 41% and 24% of threats respectively.

16. Malicious attachments exploiting CVE-2017-11882 remain common

CVE-2017-11882 is a remote code execution vulnerability that exists in Microsoft Office software. This vulnerability was identified in 2017 and subsequent updates patch the flaw. Despite this, according to Cofense, this vulnerability remains the top non-Emotet malware delivery method.

Vulnerabilities like this remain a target for attackers as some companies are slow to update their software. However, as users catch up and patch the CVE-2017-11882 vulnerability, we will likely see associated attacks diminish.

17. Some phishing attack payloads are location-aware

If you think your location doesn’t matter when it comes to cyberattacks, you may be wrong. According to Cofense, the geolocation of a user (as per their IP address) often determines how a payload behaves once delivered. For example, the content could be benign in one country but malicious in another.

18. SSL is no longer an indicator of a safe site.

For many years, one of the primary tips for avoiding phishing sites has been to examine URLs carefully and avoid sites that don’t have an SSL certificate. “HTTPS” in the URL (versus “HTTP”) signifies that a site has an SSL certificate and is protected by the HTTPS encryption protocol.

However, this is no longer a good tactic for recognizing dubious sites. As reported by APWG, a whopping 84 percent of phishing sites examined in Q4 of 2020 used SSL. This continues the long-running trend of increasing around 3% every quarter.

19. Gift cards are still a popular form of payment in BEC attacks

The APWG also provided insight into how attackers request payment. In BEC attacks, in particular, 31 percent of attackers requested they be paid in gift cards in Q4 2022.

However, gift cards are less popular than they have been. Instead, we’re seeing more instances (around 39 percent) of advance fee fraud, where people are asked for upfront payment for non-existent goods or services.

20. A custom phishing page costs $3–12

On the attacker side, phishing schemes are part of a large underground industry. Symantec shows us some facts and figures from the dark web, such as the going rate for a phishing webpage is $3–12.

It doesn’t stop there. Securelist found that hackers are selling template phishing kits that can be tailored to specific targets for as little as $40.

21. 67% of phishing attempts have blank subject lines

According to a report from AtlasVPN, almost 70% of all phishing email attempts contain an empty subject line. Some of the most commonly used subject lines cybercriminals use are ‘Fax Delivery Report’ (9%), ‘Business Proposal Request’ (6%), ‘Request’ (4%), and ‘Meeting’ (4%).

22. Almost 900 fake Amazon sites were in use on Amazon prime Day 2022

AtlasVPN reported a surge in retail websites impersonating Amazon on one of the year’s busiest shopping days. In the 90 days up to July 12, 2022, 1,633 fake sites were detected, with 897 spoof Amazon sites active on Prime Day.

Phishing projections for 2023 and beyond

Based on phishing statistics from the past year, we can expect to see a couple of key trends as we move through 2023 and into 2024:

• Attacks will increase in sophistication. Zscaler believes that the rapid proliferation of AI-powered tools will lead to phishing attempts that are more difficult to detect. There’s likely to be a form of cat-and-mouse game here between hackers and large tech platforms.
• There will be more focus on targeted ransomware. Kaspersky predicts that cybercriminals will take a simpler approach, focusing on landing one big payment from major companies, rather than lots of small payments from random targets. It predicts that this will involve rapid diversification into hacking IoT devices like smart watches, cars, and TVs.
• An increase in TrickBot activity. Cofense predicts that 2023 will see new emerging delivery methods for TrickBot with companies likely to be increasingly targeted by campaigns using LNK and CHM downloaders.
• New commodity downloaders are expected. Citing high prices for the malware downloaders currently being sold to hackers; Cofense is predicting the emergence of a new malware downloader that will be much more affordable. This could have severe repercussions for the phishing landscape.

We can’t be certain what the future holds, but we can say with some confidence that phishing will remain a significant threat to both individuals and businesses in the immediate future.

FAQs about phishing