EXECUTIVE SUMMARY:

In the distributed cyber security ecosystem, are leaders losing control over phishing threats?

More than 50% of IT decision makers state that phishing attacks represent a top security concern. Weaknesses in security policies, processes and infrastructure, along with ineffectual training intended to instill cyber security awareness in employees, enable phishing threats to reach end users.

Organizations have attempted to address these issues for a long time. How else can leaders shift their focus or target their efforts in order to reduce the phishing threat risk?

In this article, discover insights that can strengthen your organization’s ability to identify security gaps, and that can help you reposition existing resources to better address the complex realities surrounding phishing threats.

Phishing attack statistics

  1. Roughly 15 billion spam emails make their way across the internet every day, which means that spam filters are “working overtime” and are liable to permit malicious phishing attack emails to slip through.
  2. In 2021, 83% of organizations reported experiencing phishing attacks. In 2022, an additional six billion attacks are expected to occur.
  3. Last year, roughly 214,345 unique phishing websites were identified, and the number of recent phishing attacks has doubled since early 2020.
  4. Thirty percent of phishing emails are opened. This increases the probability of an individual unintentionally clicking on a malicious link or downloading a compelling-looking document that’s laced with malware.
  5. Forty-two percent of workers self-reported having taken a dangerous action (clicked on an unknown link, downloaded a file, or exposed personal data) while online, failing to follow phishing prevention best practices.
  6. One in 99 emails is a phishing attack. If a ~1% attack rate doesn’t scare you, the fact that 25% of these emails manage to make their way into Office 365 inboxes just might. Office 365 represents one of the most commonly used email clients, with 60 million commercial users, and 50,000 small business customers worldwide.
  7. Roughly 90% of data breaches occur on account of phishing. According to the US Federal Bureau of Investigation, phishing attacks may increase by as much as 400% year-over-year.
  8. Roughly 65% of cyber attackers have leveraged spear phishing emails as a primary attack vector.
  9. When asked about the impact of successful phishing attacks, 60% of security leaders stated that their organization lost data, 52% experienced credential compromise, and 47% of organizations contended with ransomware.
  10. When it comes to phishing attack remediation, IBM’s 2021 Cost of a Data Breach Report found phishing to be the second most expensive attack vector to contend with, costing organizations an average of $4.65 million.
  11. In more eye-opening phishing attack statistics, although 93% of organizations measure the cost of phishing attacks in some way, only 60% of such organizations offer formal cyber security education to their users.
  12. In relation to phishing, the most heavily targeted sectors have historically included financial institutions, social media enterprises, SaaS/webmail services, and retail vendors.
  13. Starting in 2016, cyber attackers staged malware and conducted spear phishing attacks in order to gain remote access into the US energy sector’s systems. After gaining access, nation-state threat actors managed to move laterally and to collect information pertaining to Industrial Control Systems.
  14. According to the Swiss Cyber Institute, LinkedIn phishing messages represent 47% of all social media phishing attempts.
  15. Eighty-four percent of US-based organizations state that security awareness training has lowered phishing failure rates.

Closing thoughts

Phishing emails are more pervasive than ever before and threat actors are growing increasingly ruthless. Numerous methodologies for phishing prevention exist. Many organizations could do more to prevent phishing and to reduce associated costs. What else can your company do?

Whether it’s providing education around social media phishing, applying stronger endpoint solutions that can detect malicious behavior across device types, reducing text-message phishing, or testing out a new zero-trust strategy, your organization can build on existing approaches in order to create a more secure and phishing-free future.

For additional phishing attack statistics, please see CyberTalk.org’s past phishing threat coverage.