Phishing statistics and facts for 2019 - 2021

Phishing attacks use social engineering in emails and messages to persuade people to hand over information such as passwords or financial information, or to get them to perform certain tasks such as downloading malware or completing a wire transfer. Phishing schemes continue to become more sophisticated with targeted attacks (spear phishing) posing a threat to many businesses.

While spam filters catch many phishing emails, newer and more sophisticated ones get through. There is evidence that most people are aware of the existence of phishing attacks. Indeed, many companies provide training and simulations to teach employees how to spot malicious emails and messages.

That said, scammers still have success with this form of cyber attack and its use remains prevalent. Plus, cybercriminals are changing tactics to get around the anti-phishing measures in place.

Here’s a rundown of phishing statistics and facts for 2021:

1. Phishing attacks are still extremely common

According to APWG’s Phishing Activity Trends Report for Q4 2020, the final quarter saw almost twice as many phishing attacks as the same time in 2019. Reports peaked in October, with 225,304 unique phishing sites identified. For context, there were fewer than 100,000 in January of 2020.

2. Credential phishing is becoming less common

Cofense’s Q3 2020 Phishing Review found that information stealers and keyloggers are quickly becoming the favored tools for phishing. In fact, these account for over 70% of attacks combined. Compare this with the beginning of last year, when almost 74 percent of phishing attacks involved credential phishing—stealing usernames and passwords.

These attacks can be difficult to stop as the emails typically show no signs of being malicious. Many originate from hijacked business email accounts, a tactic known as business email compromise or BEC. Plus, attackers often go a step further and host fake login pages (phishing sites) on Microsoft Azure custom domains. For example, these could end in “,” making the site seem legitimate and the scam even more difficult to spot.

3. Spear phishing emails are the most popular targeted attack vector

Symanetc’s Internet Security Threat Report 2019 shows spear-phishing emails are used by almost two-thirds (65 percent) of all known groups carrying out targeted cyber attacks. The report also tells us that 96 percent of targeted attacks are carried out for the purpose of intelligence gathering.

Symantec spear phishing chart.
Source: Symantec

4. Human intelligence is the best defense against phishing attacks

In its 2019 report, Cofense reiterates the importance of awareness training in thwarting phishing attempts. It cites an example in which a phishing attack on a major healthcare company was stopped within just 19 minutes. Users reported receiving suspicious emails and the security operations center was able to take swift action.

5. Phishing attacks are getting more sophisticated

Cofense also sheds light on the types of attacks taking place. Because users trust links to things like SharePoint and OneDrive sites, attackers increasingly use cloud filesharing services as part of their schemes. More than 5,200 Sharepoint phishing emails were reported in a 12-month period, as well as close to 2,000 attacks involving OneDrive.

Cofense also found that attackers were quick to capitalize on current events. For instance, in the first half of 2020, there was an influx of COVID-19 related phishing, often claiming to provide financial assistance for impacted citizens.

6. Attackers are using tricks such as Zombie Phish and shortened URLs

A popular trick used by attackers is the Zombie Phish. As explained in the 2019 Cofense report, this involves attackers taking over an email account and responding to an old email conversation with a phishing link. The sender and subject is familiar to the recipient, helping to disguise the email as genuine.

Another strategy that’s being seen more in phishing emails is the use of shortened URLs provided by link shortening services such as Bitly. These links are rarely blocked by URL content filters as they don’t reveal the true destination of the link. Plus, users who are vigilant about suspect domain names might be less likely to identify a shortened link as malicious.

7. Webmail and SaaS users continue to be the biggest targets

Although credential phishing is no longer the most popular tactic, it remains far more common than we’d like. The APWG report sheds some light on the types of credentials attackers are after.

There’s been a marked change from previous years, though, with Software as a Service (Saas) and webmail attacks dropping from 31.4% to 22.2% in a single quarter.As such, financial institutions are now the most common target, accounting for 22.5%. Meanwhile, attacks on eCommerce platforms and payment platforms have both risen by a few percent.

8. Smaller organizations see a higher rate of malicious emails

Symantec combines numbers for various types of email threats, including phishing, email malware, and spam, and reports that employees in smaller organizations are more likely to receive those types of threats. For example, for an organization with 1–250 employees, roughly one in 323 emails will be malicious. For an organization of 1001–1500 employees, the rate is far lower with one in 823 emails being malicious.

9. Malicious emails are most likely to hit mining companies

Symantec also breaks down malicious email rates by industry. Mining tops the list with one in 258 emails being malicious. This is closely followed by agriculture, forestry, and fishing (one in 302) and public administration (also one in 302). Manufacturing, wholesale trade, and construction follow as the next most heavily targeted industries.

10. People in Saudi Arabia are most likely to receive malicious emails

If you’re wondering about which countries are targeted most, Symantec provides information about that too. Saudi Arabia has the highest rate of malicious emails (one in 118) while the USA has one of the lowest (one in 674).

However, according to Proofpoint’s 2020 State of the Phish, almost two-thirds (65 percent) of US organizations “experienced a successful phishing attack last year.” This was far higher than the global average of 55 percent.

11. Many data breaches stem from phishing attacks

Verizon’s 2020 Data Breach Investigation Report found that phishing is one of the top threat action variety in data breaches, with 22 percent of data breaches involving phishing.

12. Knowledge of phishing terms varies among generations

Proofpoint provides interesting information about employee awareness of phishing terms.  Out of four age groups, baby boomers (aged 55+) were most likely to recognize the terms “phishing” and “ransomware.”

Proofpoint phishing terms charts.
Source: Proofpoint

However, when it came to the terms “smishing” and “vishing,” the older generation was the least likely to know the definitions.

Smishing terms charts.
Source: Proofpoint

13. Sextortion is a common tactic in phishing campaigns

Cofense reveals that phishing schemes based on sextortion scams represent a growing issue. These emails are typically generic, but attackers prey on human emotion by using fear and panic to encourage victims to submit a ransom payment. Scammers usually request payment in bitcoin or another cryptocurrency to help avoid detection.

In the first six months of 2019, Cofense found more than seven million email addresses were impacted by sextortion. Cofense also found that $1.5 million had been sent as bitcoin payments to accounts (bitcoin wallets) known to be associated with sextortion schemes.

There were even reports at the end of 2019 of a sextortion botnet sending up to 30,000 emails an hour.

14. Popular apps continue to be used to distribute malware

The Q1 2021 McAfee Labs Threat Report found that use of Powershell and Microsoft Office as a malware-delivery method more than doubled from Q3 to Q4 of 2020. This is particularly troubling given that these were already twice as popular as they had been in 2019.Back then, spear phishing was the preferred method for distributing viruses and ransomware.

15. SEGs are far from free of phishing attacks

Many users wrongly believe that using a Secure Email Gateway (SEG) protects them from phishing attacks. Unfortunately, that’s far from the truth. 90 percent of the phishing attacks reported to Cofense are discovered in an environment that uses an SEG.

Cofense cites the main reason being that even the most progressive automated detection can’t keep up with advances in the sophistication of phishing techniques. SEG developers also need to balance protection and productivity. Plus, as with all systems, SEGs are prone to configuration errors.

16. Malicious attachments exploiting CVE-2017-11882 remain common

CVE-2017-11882 is a remote code execution vulnerability that exists in Microsoft Office software. This vulnerability was identified in 2017 and subsequent updates patch the flaw. Despite this, according to Cofense, around 12 percent of malicious attachments exploit this vulnerability.

Vulnerabilities like this remain a target for attackers as some companies are slow to update their software. However, as users catch up and patch the CVE-2017-11882 vulnerability, we will likely see associated attacks diminish.

17. Some phishing attack payloads are location-aware

If you think your location doesn’t matter when it comes to cyberattacks, you may be wrong. According to Cofense, the geolocation of a user (as per their IP address) often determines how a payload behaves once delivered. For example, the content could be benign in one country but malicious in another.

18. SSL is no longer an indicator of a safe site.

For many years, one of the primary tips for avoiding phishing sites has been to examine URLs carefully and avoid sites that don’t have an SSL certificate. “HTTPS” in the URL (versus “HTTP”) signifies that a site has an SSL certificate and is protected by the HTTPS encryption protocol.

However, this is no longer a good tactic for recognizing dubious sites. As reported by APWG, a whopping 84 percent of phishing sites examined in Q4 of 2020 used SSL. This continues the long-running trend of increasing around 3% every quarter.

19. Gift cards are still a popular form of payment in BEC attacks

The APWG also provided insight into how attackers request payment. In BEC attacks, in particular, 60 percent of attackers requested they be paid in gift cards in Q4 2020.  This is a decrease of 11 percent over the previous quarter. Other popular forms of payment are direct bank transfer (22 percent) and payroll diversion (13 percent). Interestingly, payroll diversion is much more common now than last quarter (when it accounted for 6%) but far less than in 2019, when it was requested in a quarter of all scams.

20. A custom phishing page costs $3–12

On the attacker side, phishing schemes are part of a large underground industry. Symantec shows us some facts and figures from the dark web, such as the going rate for a phishing webpage is $3–12.

Underground pricing.
Source: Symantec

Phishing projections for 2021 and beyond

Based on phishing statistics from the past year, we can expect to see a couple of key trends as we move through 2021 and beyond:

  • Attacks will increase in sophistication. According to Kaspersky, we can expect to see other nations employ any trick they can to steal COVID-19 vaccine information. We can also expect educational establishments to be targeted more frequently, given that so many students are learning remotely.
  • There will be more focus on targeted ransomware. Kaspersky predicts that cybercriminals will take a simpler approach, focusing on landing one big payment from major companies, rather than lots of small payments from random targets. It predicts that this will involve rapid diversification into hacking IoT devices like smart watches, cars, and TVs.

We can’t be certain what the future holds, but we can say with some confidence that phishing will remain a significant threat to both individuals and businesses in the immediate future.