Phishing statistics reveal an alarming reality: in less than 60 seconds, an average user falls for a phishing email. According to Verizon’s 2024 Data Breach Investigations Report (DBIR), the median time it takes for users to fall for phishing emails is just one minute (21 seconds to click and an additional 28 seconds to enter their data on a phishing site). We invite you to check out the latest phishing statistics and data from Verizon and other industry leaders…
IBM’s X-Force Threat Intelligence Index 2024 report shows that phishing as the top initial access vector in 2023 fell 44% compared to 2022. But does this mean phishing is going out of style? Unlikely: Phishing is a 24/7 business opportunity for criminals, and it will likely never go out of style.
Phishing is a very real (and common) threat facing businesses and consumers. The goal of phishing is to get a target to do something they normally wouldn’t do, such as reveal their login credentials, send sensitive customer data, or your company’s intellectual property.
Are you here to learn the latest phishing statistics from cybersecurity industry experts?
Let’s analyze the matter. Phishing Statistics: A Look at Phishing Costs and Frequency
1. BEC losses exceeded $2.9 trillion in 2023
Data from the FBI’s Internet Crime Complaint Center (IC3) 2023 Internet Crime Report shows that phishing/spoofing (which they group together) accounted for 298,878 reported complaints in 2023. The number is lower than in 2021, which It amounted to 342,494 complaints. But what’s particularly interesting is that reported losses from phishing have dropped dramatically, costing “only” $18.7 million in the reporting period compared to $126.4 million in losses reported in 2021.
Now, note that IC3 classifies business email compromise (BEC) attacks separately from phishing. However, many organizations often count BEC attacks within their phishing statistics, so it gets a little murky here in terms of the potential overlap. When it comes to BEC scams, the IC3 says that more than $2.9 trillion in losses were reported in 2023 due to these attacks.
Of course, this data is based on reported commitments and losses. However, it makes me wonder how many people or companies did not report being victims.
2. Attackers can leak data within two days of an attack
Of course, not all costs are monetary. Another way to look at phishing is in terms of time: the amount of time it takes to respond to an attack, remediate an attack, or recover from one.
Data from Palo Alto Network’s 2024 Incident Response Report shows that attackers have figured out how to eliminate a week’s time for cyber defenders to respond and stop data leaks in a ransomware attack. The research team says that in 2021, the “average time between compromise and exfiltration was nine days.” But as of 2023, that number plummeted to just two days!
In the following example of a ransomware attack, Palo Alto reports that it took less than 14 hours to carry out the following steps and wreak havoc on the targeted organization, all starting with a phishing email:
3. 94% of organizations report being victims of phishing attacks
Phew… That’s fantastic. Nine out of 10 organizations surveyed by Egress in its 2024 Email Security Risk Report indicated they were victims of phishing attacks. What is less surprising, however, is that almost all of them (96%) say they were “negatively impacted” by those attacks.
This makes sense, considering that phishing attacks are typically used to trick people into handing over their login credentials (and other sensitive information) or making financial payments to scammers who are often discovered too late.
4. Phishing was involved in 71% of cyber threats
ReliaQuest’s Annual Cyber Threat Report shows that seven out of 10 system and network breaches the company’s security team observed in 2023 involved the use of phishing links and attachments. Social engineering was recognized as the “most common route to gaining initial access” for criminals to exploit legitimate users.
Researchers anticipate that attacks compromising business email will increase in 2024. This is due in part to the use of generative artificial intelligence technologies that:
Help phishers create more realistic emails.This helps bad guys “AVOID the typos” we are used to seeing in many phishing emails and imitate people’s personal communication styles. They can create believable messages that can catch users off guard and make them do something they (and you) will regret later.
Allow bad actors to create synthetic voice recordings.GenAI can be used to create voices that impersonate real people (your boss, a co-worker, or even a family member) to carry out fake voice phishing. There have even been examples of bad guys using these genAI deepfake voice recordings to trick people into believing that a loved one has been kidnapped!
5. Phishing contributed to 79% of account takeover attacks (ATOs)
Research from Egress’ aforementioned 2024 Email Security Report indicates that almost four in five ATO incidents began with criminals using phishing emails. Often, ATO attacks begin when criminals use phishing to carefully investigate the target company (and/or specific employees).
Bad guys love to use this fraudulent approach to do any number of things, including tricking employees into providing their login credentials or making fraudulent payments.
6. Global phishing attacks increased by 58.2% in 2023
As expected, the bad guys aren’t ready to hang up their rods and reels. Data from the Zscaler ThreatLabz 2024 phishing report shows that researchers saw a nearly 60% year-over-year increase in phishing attacks globally in 2023 compared to 2022.
Of the more than 2 billion phishing transactions they examined in their online security cloud in 2023, researchers saw an increase in recruiting scams, voice phishing attacks, and browser-in-browser attacks. (BitB attacks typically involve an attacker creating a fake login window that looks like the authentication pop-ups we’re used to seeing to log into an app or service using bound login credentials from other platforms. , like Apple, Google or Meta.)
Image Caption: A screenshot we captured from ahrefs.com of a legitimate login screen that allows you to log in to a service or website using credentials from another site, app, or service.
7. 3.4 billion “spam emails” were sent in 2023 (including phishing)
Cloudflare reports that its Cloud Email Security service blocked a total of 3.4 billion spam emails in 2023 alone, and this category of messages includes a mix of bulk, spam, and malicious messages. This marks an increase of almost 42% from the 2.4 billion messages reported in 2022.
Of those billion messages, which is equivalent to an average of 9.3 million per day, the company reports that an average of 3% are malicious. That means that more than 102 million malicious emails were sent in 2023, or almost 280,000 malicious messages per day.
Now, just keep in mind… these numbers relate to the number of messages that the Cloudflare service successfully blocked. This does not include any other instances that may have escaped your defenses.
Phishing statistics: items worth mentioning
8. Less than one in five simulated phishing emails were reported correctly
Data from Proofpoint’s State of the Phish 2024 report indicates that only 18.3% of emails sent as part of phishing simulations were correctly reported by users. Users clicked on almost half that number of simulated phishing emails (9.3%).
9. 96% of employees admit to doing stupid things, despite knowing the risks
Yes. Another surprising statistic from the Proofpoint survey is that 96% of users say they consciously do things they know are risky.
So why do they do it? Our assumption is that your decision to leave your organization at risk often comes down to users prioritizing convenience over security.
And based on the phishing statistics information shared in the next section, it seems like that assumption is pretty accurate.
10. 54% of employees ignore safety warnings due to “information overload”
CybSafe survey data shows that 45% of office workers say they “sometimes” ignore cybersecurity warnings “due to overwhelming and fatigue from digital communication.” However, what is even more worrying is that another 9% say they do it “often.”
This is particularly problematic as 70.6% of respondents indicate that they are “extremely confident” or “confident” that they can “recognize and avoid cybersecurity threats (such as phishing emails, unsafe websites)” online. And if that weren’t bad enough, 43% indicate that they “skip or ignore recommended cybersecurity best practices” in favor of convenience.
Last time we checked, being the victim of a phishing attack (and dealing with the resulting data breaches, lawsuits, financial losses, reputational damage, and everything that follows) wouldn’t be too “convenient” for you, your employees or their clients.
11. ChatGPT created a phishing login page in less than 10 queries
Artificial intelligence (AI) technologies, particularly generative AI (genAI), are a sight to behold. They can create incredible works of art and incredibly realistic audio and video. (No, we are not going to address potential copyright issues or concerns surrounding AI training materials and the images they generate; that is a completely separate topic.). However, these technologies also pose a significant threat when used by people with bad intentions, leading to concerns that cannot be swept under the rug.
For example, researchers at Zscaler’s ThreatLabz used a series of prompts with the ChatGPT AI chatbot to create a Microsoft-themed phishing login page that looks legitimate in fewer steps than it takes to bake a cake. tasty .
12. AI Deepfake tricked a financial worker into handing over almost $26 million
CNN reported that an anonymous financial worker in Hong Kong working at a major international financial firm was tricked into transferring more than $25 million (USD) as part of a phishing attack powered by genAI. As? By using genAI.
The attackers used deepfake technology to falsify audio and video recordings. This included organizing a fraudulent web conference for the purpose: a meeting that included deepfake recordings of the company’s chief financial officer (CFO) and other officials from other international sites.
Apparently, the recordings were credible enough for the employee to make the transfer in a series of 15 transactions.