SoftActivity

32 Phishing Attack Statistics To Keep In Mind In 2024

Given the increase in remote work because of technology and the pandemic, cybersecurity breaches are on the rise in 2024. One of the most prevalent and dangerous types of cybersecurity threats is spear phishing attacks. 

Phishing attacks can affect anyone and infiltrate any size business and wreak havoc on a company’s network. To stay on top of these attacks, keep in mind these shocking phishing attack statistics in 2024. 

What is a Phishing Attack? 

A phishing attack is a type of cyber threat or social engineering attack that largely targets email accounts. 

Bad actors will capitalize on popular products, beliefs, and ongoing trends to pull off a sophisticated social engineering attack through a phishing campaign. This cyber attack usually affects internet users in the form of an email that asks an individual to click to confirm an account, fix an error on a common account, or log in to a site using credentials. 

Known as social engineering attacks, phishing attacks are dangerous because they look and operate similarly to common emails sent out by legitimate businesses. 

Example of a Phishing Attack

A successful phishing attack will be so convincing that you wouldn’t even know that you were affected. The threat actor could send an email that appears to be from Amazon, with a subject line like “Action Required | Your Amazon Prime Membership has been declined.” 

If you have an Amazon Prime account already, then you may be worried that your subscription would be disrupted and then you would log in to the email to rectify the situation. If you don’t, then you may fear something related to identity theft.

There are several ways, then, that the phishing attack can progress:

  • The email might encourage you to click a link that downloads a keystroke logging software, malware, or virus. This software might sit idly on your computer or network to try to infiltrate your company’s network. It can act in the form of a keystroke logger, a virus that sneaks into authorized areas or perform a ransomware attack or DDOS attack. 
  • Another form is an email or website that asks you to confirm account information. They then ask that you plug your credentials in, but the URL is a malicious site. The attacker then has access to your credentials to access sensitive information on other sites. 

Often, the email or website will mimic the brand’s imagery, so the victim will be thinking that their action is required. Instead, they will be giving their sensitive information to a bad actor, or they would be unknowingly downloading a malicious file onto a computer. 

Frequency of Phishing Attacks Statistics

Phishing attacks are a well-known cyber crime, one which governmental cybersecurity organizations aim to minimize. 

These types of attacks that cause data breaches don’t always come in the form of hooded figures carrying a backpack (although they could!). Phishing attack hackers sneak into your company through emails, websites, and SMS texts. 

Once on a device that has access to your company network, then the bad actor, malicious code, or phishing credential scam can take advantage of many areas of your network, including restricted access areas and sourcing out vulnerabilities in your network. 

Unfortunately, this type of attack occurs frequently. 

1. Phishing attacks are involved in 36% of data breaches.

(Source: Check Point)

Phishing emails are one of the most common delivery vectors for malware, and many companies simply cannot detect them without the right security solution.

2. Healthcare and pharmaceuticals are hit extremely hard, with 44.7% of small businesses, 49.2% of medium-sized businesses, and 49.3% being from that sector.

(Source: KnowBe4)

While any business can be targeted for an attack, those with valuable information and weaker security are prime targets. Healthcare and pharmaceuticals are one area that is hit strongly across all business sizes. 

Manufacturing, business services, construction, technology, and education were also hard hit. 

3. According to the IBM Report, the top 3 most common attacks were stolen credentials (20% of breaches), phishing (17%), and misconfigurations (15%).

(Source: Security Intelligence)

Many phishing attacks gain access to a critical network and then sit, wait, and prepare for their attack. Becoming a victim of a phishing attack is quite easy, which is why they’re in the top 3 most common attacks.

4. 95% of organizations claim to provide phishing awareness training.

(Source: Proofpoint)

Although, clearly, given how many employees are bound to click on a phishing link or email, this training is not good enough and not frequent enough. 

Phishing attacks are evolving daily, and it is nearly impossible to keep up with these demands. 

5. Phishing and insider threats are major contributors to data breaches, as 22% of data breaches involve phishing. 

(Source: Verizon)

And the financial cost of a data breach is increasing, too. According to IBM, data breaches cost the US over 3.86 million dollars. There is a growing divide between data breaches and the cost of putting together advanced security teams, incident response teams, and security processes. 

Since data breaches can cause irreparable damage, businesses must prepare with employee monitoring, anti-malware, and antivirus software. 

6. Nearly 1 in 5 businesses that suffered a data breach in 2020 were due to stolen credentials.

(Source: IBM) 

Stolen credentials can occur if a data breach happens directly or if an employee plugs in their credentials to a malicious phishing site! Once the perpetrator has your credentials, they can gain critical access to your company’s information. 

In addition to educational campaigns, your team should regularly change their credentials for security reasons. 

7. There are now nearly 75x more phishing sites than there are malware sites. 

(Source: GoogleSafe Browsing) 

Employees don’t often notice when the site redirects to a malware site. Additionally, they might not recognize when the URL is different. Unfortunately, there are now 75 times more phishing sites than malware sites.

Phishing Attack Delivery Method Statistics

The most common phishing attack is done via email. But, there are other ways that they can tap into your network: 

8. 96% of social engineering attacks are delivered via email, 3% of the same style are delivered through a website, and 1 % is through phone or SMS.

(Source: Verizon)

Email phishing attacks are by far the most common methods for attacking users. However, malicious SMS texts and websites is on the rise.

9. GoDaddy, an American web host company, became a victim of a phishing attack in November 2021. 

(Source: PC Mag)

The hack exposed the details of 1.2 million company customers and it spread to six more web hosts.

10. Business email compromise (BEC) attacks increased from 61% to 72%, and over half of these attackers used Gmail as a delivery method. 

(Source: APWG)

Free webmail providers allow more attackers to use their attacks, which means that a majority of phishing emails are 

11. LinkedIn phishing messages make up 47% of social media phishing attempts.

(Source: KnowBe4)

Faux LinkedIn messages are the most common phishing subject in social media. These come in emails with requests to reset your account or information on potential new connection opportunities. 

Examples include: “You appeared in new searches this week!” “People are looking at your LinkedIn profile!” These could reel in those who lost their jobs due to the pandemic.

12. Attacks most strongly come from Windows executables (74%), and Microsoft is the most impersonated brand globally in phishing attacks (43%).

(Source: ESET and Check Point)

So many businesses use Microsoft products globally. Whether for email, online file sharing, or virtual communications, it’s no wonder that Microsoft is the world’s most impersonated brand, clocking in at 43% of all brands. 

In the form of Windows executables, malware attachments are often (74% of the time) sent to users. 

13. The World Health Organization was also used in a phishing attack in 2020.

(Source: N26)

The e-mails looked like reminders and instructions from the organization to prevent the spreading the coronavirus. However, a link included landed users on a fake Microsoft Outlook login page that sent the entered data directly to hackers.

Phishing Attack Statistics

Phishing attacks are so dangerous because they have the power to mimic popular, well-known brands successfully. In doing so, they are creating a culture of mistrust. 

According to research, the most common phishing emails in 2020 Q4 were the following: 

  • RingCentral is coming!
  • Stimulus Cancellation Request Approved
  • Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription
  • Workday: Reminder: Important Security Upgrade Required
  • Twitter: Security alert: new or unusual Twitter login
  • Amazon: Action Required | Your Amazon Prime Membership has been declined
  • Zoom: Scheduled Meeting Error
  • Google Pay: Payment sent
  • Changes to your health benefits

It’s clear that bad actors were capitalizing on pandemic fears related to health concerns, the shift to remote work, and the fact that most individuals were using new technologies to communicate with loved ones. 

Even trained employees are not able to discern which emails are legitimate and which ones are sent by perpetrators mimicking other businesses. Luckily, there are ways to protect yourself against data loss and cyber attacks

14. 20% of all employees are likely to click on a phishing email link. 

(Source: Terranova Security)

No matter how well you train your employees (and 95% of businesses say that they do), phishing attempts are so good and sophisticated that you will likely have an employee accidentally click on a link. 

Education alone cannot stop a phishing attack. However, a strong firewall, antimalware, antivirus software, data loss prevention software, and employee monitoring can help mitigate these risks. 

15. 67.5% of employees will enter their credentials on a phishing website.

(Source: Terranova Security)

Some phishing attacks simply try to download a file onto your computer. However, others encourage users to input their secret credentials onto a website. 

Considering that credential fraud is experienced by 52% of businesses, credential fraud could strike any sized business. 

16. 13.4% of employees will likely input their passwords on a fraudulent page.

(Source: Terranova Security)

Businesses should alert employees to safety markers and require that they check on these marketers before inputting their passwords. 

Additionally, employers should educate their employees on how a company, like Microsoft, will contact employees so they aren’t fooled into providing credentials to bad actors. 

Cost of Phishing Attacks

Phishing attacks are dangerous because they can result in heavy financial losses, including:

  • Downtime, both internally and externally with customers
  • Damage to reputation
  • Loss of intellectual property
  • Remediation time (time to recovery)
  • Direct monetary losses
  • Response and remediation costs
  • Loss of revenue
  • Loss of customers
  • Compliance fines
  • Legal fees

Phishing attacks can result in data breaches, financial losses, and loss of trust. According to IBM’s financial cost of a data breach, 80% of businesses reported a loss in personally identifiable information (PII) data in 2020. 

Phishing scams can lead to data breaches and much worse things. They alone cost US businesses over 54 million dollars

The Dangers of Phishing Attacks 

In addition to financial losses, there are other consequences of phishing attacks: 

17. Approximately 18% of businesses that experienced a phishing attack experience financial losses.

(Source: Proofpoint)

Financial losses are a big part of phishing attacks, but they are much more complex than that. Some phishing attacks only want to discredit the brand. Others want to hack into the company network for other means and as part of a long-term goal. 

18. A staggering 60% of businesses experienced lost data.

(Source: Proofpoint)

So many businesses collect some type of data on behalf of their workers and their customers. Company data includes credentials, personal data, internal data, medical data, PII data, and banking data. 

The fact that 60% of companies experience data loss is dangerous and suggests that, these days, sharing personal information even with your employers, is a risk. 

19. 52% of businesses experienced compromised accounts or credentials. 

(Source: Proofpoint)

Credentials grant access to those who need to access certain areas of a company or network. So when credentials are compromised, this usually means that bad actors can gain access to sensitive information. 

Changing passwords regularly will limit fraud related to compromised credentials. Implementing a data loss prevention (DLP) software will allow employers to gain data visibility and see movement within a company’s network. 

20. 47% of businesses experiencing a phishing attack were infected with ransomware.

(Source: Proofpoint)

Phishing attacks could have immediate workplace disruptions, or it could lead to ransomware infections. Ransomware attacks are when bad actors gain access to sensitive information and can use this information as a ransom. 

Over 4.2 million American mobile users are affected by ransomware annually, costing Americans $8,500 per hour of downtime, totaling $20 billion in the US in 2021

21. 29% of those targeted by phishing attacks had a malware infection. 

(Source: Proofpoint)

And once the malware is downloaded, then there is a range of other issues can crop up. While most firewall and antivirus software will stop malware before it becomes onto your computer, you don’t want an infection on your computer or company network!

22. Data loss seemed to be the biggest consequence of a phishing attempt by 60% of business leaders. 

(Source: Verizon)

Considering that financial gain is one of the major reasons hackers hack, it’s no surprise that malicious hackers will be after your data, sensitive information, confidential sources, or PII.

Current Phishing Trends

Phishing trends have shifted following the COVID-19 pandemic. We’ve seen massive shifts in the ways we work, including trends to move to remote work and expedited digital transformation. 

The use of AI technologies and remote technologies has drastically changed how we interact with online mediums as well. 

23. Phishing attacks are one of the costliest causes of data breaches, with average price tags of $4.65 million respectively.

(Source: Check Point)

Phishing attacks are effective and very expensive for companies. They were also one of the most common delivery vectors for malware.

24.  In November 2021, IKEA employees started receiving e-mails that became an ongoing reply chain phishing cyber attack.

(Source: Bleeping Computer)

These reply chain e-mails were legitimate e-mails from a company. Therefore, it can be difficult to detect a phishing attack.

25. 76% of business owners felt more exposed to fraud since the pandemic. 

(Source: BDO)

And considering that over a quarter of business owners suffered a security breach during the lockdowns, their fears are warranted!

Not only are businesses requiring more online connections, but personal devices are also being used for work, and more vulnerabilities are popping up. This shadow IT network can be impossible to trace, putting business owners at much higher levels of exposure than they could have anticipated. 

26. In 2021, phishing accounted for 82% of all monitored incidents.

(Source: Munich RE)

This shows that phishing continues to be the predominant threat in users’ mailboxes.

Protecting Your Business From a Phishing Attack

While it can be nearly impossible to anticipate and stop a phishing attack from occurring, you can put safeguards in place to protect your business against spreading phishing attacks. 

Antimalware software and antivirus software are a must considering they can detect most malware and viruses that phishing attacks attempt to download. 

A network firewall can also stop employees from unknowingly taking on malicious code. 

Finally, get data loss prevention software and employee monitoring software to increase data and user monitoring efforts. 

More Must-Know Phishing Statistics for 2024

Phishing attacks remain one of the most common cybersecurity breaches we need to watch out for. Here are more must-know phishing statistics in 2024:

27. Approximately 1.2% of emails sent are malicious. (Astra)

28. There are approximately 3.4 billing phishing emails sent… daily! (Astra)

29. Phishing accounted for an average of $4.91 million in breach costs, being the second costliest reason for a data breach. (Astra)

30. While stolen or compromised credentials were the primary attack in 19% of data breaches in 2022, this was a drop from 2021. (Egress)

31. Stolen credential hacks have the longest life cycle of 243 days to identify and contain. (Egress)

32. IBM detected a 2% rise in phishing from 2019 to 2020 (Egress)

What is Employee Monitoring Software and How Can It Stop Downtime From Phishing Attacks

If you’re worried about a phishing attack, consider getting employee monitoring software to raise data visibility and to have added security measures on your side. 

Employee monitoring software will watch your user activity on watched computers. It will also monitor things like keystroke monitoring, data movement, unusual behaviors, and risky behaviors. The software can often watch multiple computers at the same time and can even watch users through webcam monitoring. 

When it comes to cyberattacks, you need all the help you can get! Trust SoftActivity with your networking monitoring needs.

Sources 

Astra

Egress

BDO
IC3

Barracuda Networks
Verizon

Proofpoint

Terranova Security

Check Point

Threat Report from ESET

KnowBe4

APWG

GoogleSafe Browsing

IBM

January 27th, 2023