Phishing is one of the biggest cybersecurity threats facing all of us today. As an experienced IT and cybersecurity pro, I want to walk through the top phishing facts and statistics for 2023 so you can be prepared.
By the end, you‘ll have a solid understanding of what phishing is, why it‘s so dangerous, and how to avoid falling victim. Time to dive in!
Let‘s start with a quick refresher on what phishing is exactly.
Phishing is a type of online scam where hackers send fraudulent emails or texts, make phone calls, or create fake websites to impersonate trusted sources. Their goal is to trick you into handing over login credentials, financial information, or sensitive data.
These messages often look very legitimate, using corporate branding and logos. But small telltale signs like subtle domain misspellings or odd email addresses give them away as fakes.
Once a victim enters their information or downloads malware, the hackers can gain access to accounts, networks, and sensitive systems. Both individuals and businesses end up compromised.
Some common phishing techniques include:
- Spear phishing – Highly customized phishing targeting specific companies or roles. Often leverages insider knowledge to boost legitimacy.
- Smishing – Phishing via SMS text messages rather than emails.
- Vishing – Phishing over the phone using social engineering to obtain sensitive info.
- Pharming – Redirecting users from a legitimate website to a fake phishing site.
- Deceptive Phishing – Fake login pages for common services like Microsoft, Google, Apple, etc.
- Malware-Based Phishing – Emails with infected attachments that download malware when opened.
Now let‘s look at some key statistics that demonstrate how prevalent and impactful phishing attacks are today.
Top 10 Phishing Facts and Stats for 2023
1. 91% of Cyberattacks Start with Phishing Emails
Staggering research from PurpleSec shows that 91% of cyberattacks start with a phishing email. This really highlights how critical it is for every individual and business to guard against phishing, as it provides the initial doorway into systems and data.
Image source: PurpleSec
2. Phishing Emails Have a 14% Open Rate on Average
Analysis of millions of phishing emails by Cofense revealed an average open rate around 14%. While this may seem low, with enough volume it results in thousands or even millions of opened emails and exposed victims. Hackers only need a small sliver to take action.
3. 1 in 3 People Will Click on Phishing Links
According to Verizon‘s 2022 Data Breach Investigations Report, a startling 32% of people will open a phishing email and click on the included link or attachment without realizing it‘s malicious. This really underscores the need for comprehensive security awareness training, as people are the weak link.
4. Phishing Played a Role in 36% of Data Breaches
Verizon also found that 36% of breaches analyzed involved phishing. The effectiveness makes phishing the tool of choice for infiltrating business networks to steal credentials, financial data, intellectual property and more.
5. Bogus Invoices Lead to $1.8 Billion in Losses
In 2021, the FBI revealed that scammers stole a massive $1.8 billion from US businesses using fake vendor invoices sent over email. This business email compromise tactic preys on accounts payable departments and continues to scale rapidly.
6. Small Businesses Lost $20 Billion to Phishing
According to the Better Business Bureau, US small businesses lost over $20 billion to phishing attacks and scams last year. Small companies often lack the security resources of large firms, making them soft targets for phishing campaigns.
7. Most Phishing Sites Stay Active Only 4-8 Hours
Research by Cofense shows that most fake phishing sites setup to steal credentials are active for less than 8 hours on average. Hackers want to monetize compromised accounts quickly before they are detected and shut down.
8. Monday is the Most Popular Day for Phishing
An analysis of over 4 million phishing emails found that 35% arrive on Mondays. Attackers target the start of the workweek when people are busy and potentially less observant. Weekend sees the least activity.
Image source: Cofense
9. Microsoft is Most Impersonated for Phishing
Studies by Proofpoint indicate Microsoft is the brand most frequently imitated in phishing campaigns. This likely stems from Microsoft‘s ubiquity – services like Office 365, Outlook, and OneDrive are used by virtually every business.
10. 95% of Attacks Use Victim Analytics
Research by PurpleSec reveals that 95% of phishing attacks incorporate custom analytics on the targeted organization or individuals. This includes intelligence on role, industry, behaviors, interests, and leaked credentials. Personalization boosts believability.
Real-World Examples of Damaging Phishing Attacks
To make these phishing facts more concrete, here are two disturbing real-world examples:
- AllClear ID Breach – In 2018, the identity protection firm AllClear ID suffered a data breach traced back to an employee falling for a phishing email. The hack exposed sensitive personal and financial data on thousands of customers.
- Port of Montreal Attack – In 2020, North America‘s second largest port fell victim to a phishing attack compromising all of their systems. This major trade hub ground to a halt costing millions per day.
These examples demonstrate how a single phishing email can have massive ripple effects if it enables access to sensitive systems and data.
How Does Phishing Work? Tactics and Techniques
Now that you grasp the scale of phishing, let‘s quickly cover how these attacks actually work:
- Spear phishing – Uses personalization and custom content tailored to the recipient or organization to boost legitimacy. Often leverages data from social media or breaches.
- Whaling – Spear phishing targeted specifically at senior executives due to their access to sensitive systems and financial controls.
- SMS phishing (Smishing) – Phishing via text message rather than email. Often used for customer service impersonation and fake order notifications.
- Phone phishing (Vishing) – Fraudulent phone calls impersonating banks, tech support or other agencies to coerce users into providing account access or installing malware.
- Pharming – Technique that redirects visitors from a legitimate website to a nearly identical malicious phishing site to harvest credentials and data.
- Malware payloads – Phishing emails containing infected attachments or links to downloads that install malware for persistence and data exfiltration.
- Deceptive phishing pages – Fake login pages for popular sites and services like Facebook, Google, Apple, etc. designed to steal usernames and passwords.
Understanding these common tactics makes it easier to recognize the telltale signs of phishing attempts.
Why Do People Fall for Phishing?
If the phishing statistics tell us anything, it‘s that these attacks work far too often. So what makes people so susceptible? Here are the key factors:
1. Appear Genuine and Urgent
Phishing messages are carefully crafted to look like they are from legitimate, trusted sources. Tactics like spoofing sender addresses and using corporate branding make these emails appear authentic. Hacking psychology, they also aim to instill urgency to cloud judgement.
2. Leverage Familiarity
Most phishing spoofs brands the target knows like banks, social networks, and popular services. This familiarity automatically builds some level of trust.
3. Create Strong Call to Action
Phishing emails compel the reader to take immediate action like resetting their password, confirming details, or reviewing a purchase. This robs time for critical thinking.
4. Exploit Human Instincts
Phishing takes advantage of hardwired mental shortcuts and emotional reactions humans use to quickly process information and make decisions. Appeals to fear, curiosity, greed, or vanity short-circuit critical thinking.
5. Distraction and Fatigue
When people are distracted, overloaded, stressed or tired, their ability to pick up on subtle cues diminishes. This makes them more apt to click without thinking.
Understanding these psychological factors is key to building more phishing-resistant employees through effective awareness training.
How Can You Avoid Falling Victim to Phishing?
Now that you know what you are up against, here are pro tips to avoid becoming a phishing statistic:
- Enable two-factor authentication (2FA) on all critical accounts. This prevents stolen passwords from being misused.
- Carefully inspect sender addresses and domain names for any irregularities before opening emails.
- Never click links or attachments in unsolicited emails. Manually type in known website addresses.
- Watch for poor grammar and spelling errors which signal phishing attempts.
- Ignore unexpected requests for personal information or account access credentials. Legitimate companies won‘t ask for these over email.
- Hover over hyperlinks to preview the true destination before clicking.
- Be wary of threatening language demanding immediate action or locking the account.
- Install anti-phishing browser extensions like Webroot BrightCloud or MetaCert which identify malicious sites dynamically.
- Report any suspicious emails to the appropriate brands being impersonated so they can take action.
With attacks rising, phishing awareness and prevention needs to become second nature for anyone working and transacting online today.
What To Do If You Fall Victim to Phishing
Despite your best efforts, there‘s still a chance you may fall victim to a particularly clever phishing scam. If this happens, here are the key steps to take:
- Scan for malware – Run anti-virus and anti-malware scans to check for anything malicious installed through downloaded files.
- Change passwords – Immediately change passwords for any compromised accounts, especially financial or work systems. Make them 12+ characters using a password manager.
- Contact banks/employers – Notify your bank and employer IT if you entered financial or work login credentials on fake pages so they can reset access.
- Monitor accounts – Watch all accounts compromised by the phishing attack for suspicious activity and further attacks.
- Notify contacts – Send out communications warning contacts not to open suspect emails if a phishing email came from your own compromised email.
- Report the phishing – Supply details to appropriate entities like domain registrars, email providers, and brands being impersonated.
- Enable fraud alerts – Consider placing 90 day fraud alerts on your credit files in case personal data was stolen for identity theft.
While falling for phishing can be a costly mistake, quick action to contain the damage will limit the impact.
The Takeaway: Vigilance Against Phishing
Phishing remains one of the most dangerous cybersecurity threats due to its simplicity and effectiveness against humans. But awareness and vigilance can go a long way in protecting yourself and your organization.
Keep these key phishing statistics and facts front of mind. Make phishing prevention training a regular event for all employees. Instill a culture of critical thinking when it comes to unsolicited emails and messages.
Implement technological safeguards like email security filters, link checkers, stronger authentication, and backups as well.
With the right preparation and know-how, it‘s entirely possible to avoid becoming another phishing statistic. Stay safe out there!