SoftActivity

26 Phishing Attack Statistics To Keep In Mind In 2021

Given the increase in remote work because of technology and the pandemic, cybersecurity breaches are on the rise in 2021. One of the most prevalent and dangerous types of cybersecurity threats are spear phishing attacks. 

Phishing attacks can affect anyone and infiltrate any size business and wreak havoc on a company’s network. To stay on top of these attacks, keep in mind these shocking phishing attack statistics in 2021. 

What is a Phishing Attack? 

A phishing attack is a type of cyber threat or social engineering attack that largely targets email accounts. 

Bad actors will capitalize on popular products, beliefs, and ongoing trends to pull off a sophisticated social engineering attack through a phishing campaign. This cyber attack usually affects internet users in the form of an email that asks an individual to click to confirm an account, fix an error on a common account, or log in to a site using credentials. 

Known as social engineering attacks, phishing attacks are dangerous because they look and operate similarly to common emails sent out by legitimate businesses. 

Example of a Phishing Attack

A successful phishing attack will be so convincing that you wouldn’t even know that you were affected. The threat actor could send an email that appears to be from Amazon, with a subject line like “Action Required | Your Amazon Prime Membership has been declined.” 

If you have an Amazon Prime account already, then you may be worried that your subscription would be disrupted and then you would log in to the email to rectify the situation. If you don’t, then you may fear something related to identity theft.

There are several ways, then, that the phishing attack can progress:

  • The email might encourage you to click a link which downloads a keystroke logging software, malware, or virus. This software might sit idly on your computer or network to try to infiltrate your company’s network. It can act in the form of a keystroke logger, a virus that sneaks into authorized areas, or perform a ransomware attack or DDOS attack. 
  • Another form is an email or website that asks you to confirm account information. They then ask that you plug your credentials in, but the URL is a malicious site. The attacker then has access to your credentials to access sensitive information on other sites. 

Often, the email or website will mimic the brand’s imagery, so the victim will be thinking that their action is required. Instead, they will be giving their sensitive information to a bad actor, or they would be unknowingly downloading a malicious file onto a computer. 

Frequency of Phishing Attacks Statistics

Phishing attacks are a well known cyber crime, one which governmental cybersecurity organizations aim to minimize. 

These types of attacks that cause data breaches don’t always come in the form of hooded figures carrying a backpack (although they could!). Phishing attack hackers sneak into your company through emails, websites, and SMS texts. 

Once on a device that has access to your company network, then the bad actor, malicious code, or phishing credential scam can take advantage of many areas of your network, including restricted access areas and sourcing out vulnerabilities in your network. 

Unfortunately, this type of attack occurs frequently. 

1. In 2020, six out of ten mid-sized UK businesses were hit by fraud, suffering losses of £245,000 pounds, with 40% noting an increase from previous years.

(Source: BDO)

In 2020, almost 50% of middle-sized businesses in the UK were hit by fraud, experiencing a 40% increase from years prior. 

No doubt this increase is reflected in the rise of remote work, weak online endpoints, poor infrastructure security, and a much more crowded market than years previous. 

2. Healthcare and pharmaceuticals are hit extremely hard, with 44.7% of small businesses, 49.2% of medium-sized businesses, and 49.3% being from that sector.

(Source: KnowBe4)

While any type of business can be targeted for an attack, those with valuable information and weaker security are prime targets. Healthcare and pharmaceuticals is one area that is hit strongly across all business sizes. 

Manufacturing, businesses services, construction, technology, and education were also hard hit. 

3. 75% of organizations globally experienced a phishing attack in 2020.

(Source: Proofpoint)

You might not even realize that your company is being targeted before an attack hits. There won’t always be flashing lights once you’ve clicked the bad link, or the malware has infected your account. So many phishing attacks gain access to a critical network and then sit, wait, and prepare for their attack. 

4. 95% of organizations claim to provide phishing awareness training.

(Source: Proofpoint)

Although, clearly, given how many employees are bound to click on a phishing link or email, this training is not good enough and not frequent enough. 

Phishing attacks are evolving daily, and it is nearly impossible to keep up with these demands. 

5. Phishing and insider threats seem to be major contributors to data breaches, as 22% of data breaches involve phishing. 

(Source: Verizon)

And the financial cost of a data breach is increasing, too. According to IBM, data breaches are costing the US over 3.86 million dollars. There is a growing divide between the cost of data breaches and the cost of putting together advanced security teams, incident response teams, and security processes. 

Since data breaches can cause irreparable damage, businesses need to prepare with employee monitoring, antimalware, and antivirus software. 

6. Nearly 1 in five businesses that suffered a data breach in 2020 was due to stolen credentials.

(Source: IBM) 

Stolen credentials can occur if a data breach happens directly or if an employee plugs in their credentials to a malicious phishing site! Once the perpetrator has your credentials, they can then gain critical access to your company’s information. 

In addition to educational campaigns, your team should be regularly changing their credentials for security reasons. 

7. There are now nearly 75x more phishing sites as there are malware sites. 

(Source: GoogleSafe Browsing) 

Employees don’t often notice when the site redirects to a malware site. Additionally, they might not recognize when the URL is different. Unfortunately, there are now 75 times more phishing sites than there are malware sites. 

Phishing Attack Delivery Method Statistics

The most common phishing attack is done via email. But, there are other ways that they can tap into your network: 

8. 96% of social engineering attacks are delivered via email, 3% of the same style are delivered through a website, and 1 % is through phone or SMS.

(Source: Verizon)

Email phishing attacks are by far the most common methods for attacking users. However, the use of malicious SMS texts and websites are on the rise.

9. One study found that software-as-a-service (SaaS) users and webmail users were the biggest targets, responsible for 34.7% of attempts. 

(Source: APWG)

Webmail like Gmail and Outlook are commonly reported as being a big target for phishing attacks. 

10. Business email compromise (BEC) attacks increased from 61% to 72%, and over half of these attackers were using Gmail as a delivery method. 

(Source: APWG)

Free webmail providers allow more attackers to use their attacks, which means that a majority of phishing emails are 

11. LinkedIn phishing messages make up 47% of social media phishing attempts.

(Source: KnowBe4)

Faux LinkedIn messages are the most common phishing subject in social media. These come in the form of emails with requests to reset your account or with information on potential new connection opportunities. 

Examples include: “You appeared in new searches this week!” “People are looking at your LinkedIn profile!” These could reel in those who lost their jobs due to the pandemic.

12. Attacks most strongly come in the form of Windows executables (74%), and Microsoft is the most impersonated brand globally in phishing attacks (43%).

(Source: ESET and Check Point)

So many businesses use Microsoft products globally. Whether it is for email, online file sharing, or virtual communications, it’s no wonder that Microsoft is the world’s most impersonated brand, clocking in at 43% of all brands. 

In the form of Windows executables, malware attachments are often (74% of the time) sent to users. 

13. Over half the frauds reported come from external parties, while 34% come from “involved collusion” with employees and malicious actors. 

(Source: BDO)

These shocking statistics suggest that malicious outsiders might approach your employees, managers, and third-party contractors with a proposition: entry into your network system in exchange for money. 

Insiders might provide inside information to a bad actor so that the phishing scam is more effective. 

Phishing Attack Statistics

Phishing attacks are so dangerous because they have the power to mimic popular, well-known brands successfully. In doing so, they are creating a culture of mistrust. 

According to research, the most common phishing emails in 2020 Q4 were the following: 

  • RingCentral is coming!
  • Stimulus Cancellation Request Approved
  • Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription
  • Workday: Reminder: Important Security Upgrade Required
  • Twitter: Security alert: new or unusual Twitter login
  • Amazon: Action Required | Your Amazon Prime Membership has been declined
  • Zoom: Scheduled Meeting Error
  • Google Pay: Payment sent
  • Changes to your health benefits

It’s clear that bad actors were capitalizing around pandemic fears related to health concerns, the shift to remote work, and the fact that most individuals were using new technologies to communicate with loved ones. 

Even trained employees are not able to discern which emails are legitimate and which ones are sent by perpetrators mimicking other businesses. Luckily, there are ways to protect yourself against data loss and cyber attacks

14. 20% of all employees are likely to click on a phishing email link. 

(Source: Terranova Security)

No matter how well you train your employees (and 95% of businesses say that they do), phishing attempts are so good and sophisticated, that you will likely have an employee accidentally click on a link. 

Education alone cannot stop a phishing attack. However, a strong firewall, antimalware, antivirus software, data loss prevention software, and employee monitoring can help mitigate these risks. 

15. 67.5% of employees will enter their credentials on a phishing website.

(Source: Terranova Security)

Some phishing attacks simply try to download a file onto your computer. However, others encourage users to input their secret credentials onto a website. 

Considering that credential fraud is experienced by 52% of businesses, credential fraud could strike any sized business. 

16. 13.4% of employees are likely to input their passwords on a fraudulent page.

(Source: Terranova Security)

Businesses should alert employees to safety markers and require that they check on these marketers prior to inputting their passwords. 

Additionally, employers should educate their employees on the ways that a company, like Microsoft, for example, will contact employees so they aren’t fooled into providing credentials to bad actors. 

Cost of Phishing Attacks

Phishing attacks are dangerous because they can result in heavy financial losses, including:

  • Downtime, both internally and externally with customers
  • Damage to reputation
  • Loss of intellectual property
  • Remediation time (time to recovery)
  • Direct monetary losses
  • Response and remediation costs
  • Loss of revenue
  • Loss of customers
  • Compliance fines
  • Legal fees

Phishing attacks can result in data breaches, financial losses, and loss of trust. According to IBM’s financial cost of a data breach, 80% of businesses reported a loss in personally identifiable information (PII) data in 2020. 

Phishing scams can lead to data breaches and much worse things. They alone cost US businesses over 54 million dollars

The Dangers of Phishing Attacks 

In addition to financial losses, there are other consequences of phishing attacks: 

17. Approximately 18% of businesses that experienced a phishing attack experience financial losses.

(Source: Proofpoint)

Financial losses are a big part of phishing attacks, but they are much more complex than that. Some phishing attacks only want to discredit the brand. Others want to hack into the company network for other means, and as part of a long-term goal. 

18. A staggering 60% of businesses experienced lost data.

(Source: Proofpoint)

So many businesses collect some type of data on behalf of their workers and their customers. Company data includes credentials, personal data, internal data, medical data, PII data, banking data. 

The fact that 60% of companies experience data loss is dangerous and suggests that, these days, sharing personal information even with your employers is a risk. 

19. 52% of businesses experienced compromised accounts or credentials. 

(Source: Proofpoint)

Credentials grant access to those who need to access certain areas of a company or network. So when credentials are compromised, this usually means that bad actors can gain access to sensitive information. 

Changing passwords regularly will limit fraud related to compromised credentials. Implementing a data loss prevention (DLP) software will also allow employers to gain data visibility and to see movement within a company’s network. 

20. 47% of businesses experiencing a phishing attack were infected with ransomware.

(Source: Proofpoint)

Phishing attacks could have immediate workplace disruptions, or it could lead to ransomware infections. Ransomware attacks are when bad actors gain access to sensitive information and are then able to use this information as a ransom. 

Over 4.2 million American mobile users are affected by ransomware annually, costing Americans $8,500 per hour of downtime, totalling $20 billion in the US in 2021. 

21. 29% of those targeted by phishing attacks had a malware infection. 

(Source: Proofpoint)

And once the malware is downloaded, then there are a range of other issues that can crop up. While most firewall and antivirus software will stop malware before it makes it on to your computer, you don’t want an infection on your computer or company network!

22. Data loss seemed to be the biggest consequence of a phishing attempt by 60% of business leaders. 

(Source: Verizon)

Considering that financial gain is one of the major reasons why hackers hack at all, then it’s no surprise that malicious hackers will be after your data, sensitive information, confidential sources, or PII. 

Current Phishing Trends

Phishing trends have shifted following the COVID pandemic. We’ve seen massive shifts in the ways we work, including trends to move to remote work and expedited digital transformation. 

The use of AI technologies and remote technologies have drastically changed how we interact with online mediums as well. 

23. Between February and March of 2020 alone, phishing emails rose to a shocking 667%.

(Source: Barracuda Networks)

Attackers clearly capitalized on the shift in markets. More individuals were working from home, more businesses were forced to implement new and unprotected cloud-based accesses for their employees. 

24. The FBI’s Internet Crime Report 2020 stated that they received 28,500 complaints about COVID-related phishing & fraud attempts in 2020.

(Source: IC3)

With so many people and businesses seeking financial aid during the pandemic, it’s no surprise then that small to medium-sized businesses were targeted around fraud complaints and phishing attempts due to loan and relief aid. 

The IC3 report reportedly received 28,500 complaints related to the Coronavirus Aid, Relief, and Economic Security (CARES) Act, targeting unemployment insurance, Paycheck Protection Program (PPP) loans, and Small Business Economic Injury Disaster Loans.

25. 76% of business owners felt more exposed to fraud since the pandemic. 

(Source: BDO)

And considering that over a quarter of business owners suffered a security breach during the lockdowns, their fears are warranted!

Not only are businesses requiring more online connections, but personal devices are also being used for work, and more vulnerabilities are popping up. This shadow IT network can be impossible to trace, putting business owners at much higher levels of exposure than they could have anticipated. 

26. 66% of business owners are worried about being targeted by cyber attacks in 2021.

(Source: BDO)

This statistic is likely to maintain or increase in 2022, considering that Microsoft’s New Future of Work report shows similar results. 

On top of that, 80% of security professionals have experienced a rise in security threats since the move to remote work. Of those 80%, 62% suggest that phishing campaigns have been said to increase more than any other threat since shifting to remote work. 

Protecting Your Business From a Phishing Attack

While it can be nearly impossible to anticipate and stop a phishing attack from occurring, you can put safeguards in place to protect your business against spreading phishing attacks. 

Antimalware software and antivirus software are a must considering they can detect most malware and viruses that phishing attacks attempt to download. 

A network firewall can also stop employees from unknowingly taking on malicious code. 

Finally, get data loss prevention software and employee monitoring software to increase data and user monitoring efforts. 

What is Employee Monitoring Software and How Can It Stop Downtime From Phishing Attacks

If you’re worried about a phishing attack, consider getting employee monitoring software to raise data visibility and to have added security measures on your side. 

Employee monitoring software will watch your user activity on watched computers. It will also monitor things like keystroke monitoring, data movement, unusual behaviors, and risky behaviors. The software can often watch multiple computers at the same time and can even watch users through webcam monitoring. 

When it comes to cyberattacks, you need all the help you can get! Trust SoftActivity with your networking monitoring needs.

Sources 

BDO

IC3

Barracuda Networks

Verizon

Proofpoint

Terranova Security

Check Point

Threat Report from ESET

KnowBe4

APWG

GoogleSafe Browsing

IBM

By SoftActivity Team

August 11th, 2021