Email phishing attacks are a fact of life in the modern digital world, and these email phishing statistics will shed light on this worrying trend.
Email phishing has been around for as long as emails have existed. It’s basically a form of scam that occurs when criminals try to impersonate legitimate and official organizations with the sole purpose of stealing a target’s sensitive information.
These attacks usually involve a link within the email itself for the target to fill in the relevant information.
But how successful are these attacks?
What do the numbers have to say about email phishing?
Well, let’s find out by taking a look at the latest numbers and data behind this type of scam.
Latest Email Phishing Stats (Editor’s Choice)
(Verizon DBIR 2020)
In recent years, email phishing has become a security issue that can be found in almost every industry. In fact, 96% of all social engineering attacks occur via email phishing, and it’s no wonder—emails are the primary method of communication for businesses, and they often contain financial information, personal information, and confidential data.
2. 86% of all data breaches involving email phishing are financially motivated.
(Verizon DBIR 2020)
According to Verizon’s Data Breach Report, cybercriminals’ data breach goals are purely for financial reasons, rather than sabotage.
The report also shows that cybercriminals use email as a means to gain access to sensitive personal information. Examples of this information include online banking credentials, payment card details, and one-time passwords, among other things.
Using email for phishing attacks is a highly effective method for cybercriminals to gain access to sensitive financial information from unsuspecting victims. This is because, in most cases, the attackers pose as legitimate organizations in their communications. For example, if their victim is an online bank customer, they might pose as the bank in an attempt to fool them into revealing private information such as account numbers and login credentials.
3. $30,000 is the average loss via a business email compromise.
(Verizon DBIR 2021)
The median loss via a business email compromise (BEC) attack is $30,000. A business email compromise, also known as an email scam or a CEO impersonation scam, occurs when a cybercriminal poses as an executive of a company and sends emails to employees requesting wire transfers or other funds. This type of scam targets organizations that have suppliers abroad and manage wire transfers.
The top industries targeted by BEC attacks are:
- Government
- Finance and Banking
- Energy and Utilities
- Retailers/Wholesalers
In addition to the financial impact, BEC attacks also have a significant emotional and reputational cost that can be difficult to quantify.
When an employee’s email account is used in a BEC attack, it can result in damaged relationships with clients, partners, and vendors. Notifying customers of the breach of communication can lead to questions about the company’s cyber-security practices.
Reputational damage from a breach can be significant because one negative customer experience can spread quickly among peers and colleagues.
4. 48% of email phishing attacks contain Office file attachments.
(Clearedin)
Nearly half (48%) of email phishing attacks contain malicious Office file attachments. In these attacks, the phishing emails typically include an attachment purporting to be an invoice or purchase order for goods and services.
Opening the attachment results in a download of additional malicious files which can then be used to steal data from vulnerable computers or networks.
Cybercriminals choose this format because ordinary users are familiar with branded attachments and tend to trust them.
5. A whopping 94% of malware is being delivered via email.
(Clearedin)
Today’s threat landscape is constantly changing, and the methods cybercriminals use to infect victims are constantly evolving.
Email is the number one method of malware delivery. That’s staggering when you consider that email is still one of the most common ways we interact with our friends and colleagues.
In fact, 94 percent of malicious code is delivered via email because malware is so easy to spread this way.
6. 1 in 1,846 is the email phishing success rate.
(Symantec)
Email phishing is becoming more and more common. In fact, according to one recent study, 1 in 1,846 emails are successful phishing attempts.
This means that 1 out of 1,846 emails infected with malware succeeds in its purpose, leading to irreparable damage from being hacked and having sensitive data exposed.
7. In 2021, 83% of companies experienced an email phishing attack.
(Clearedin)
Whether you work at a small startup or a large enterprise, you’ve probably heard this before: “We’ve been hacked!” It’s pretty common. In fact, in 2021, 83% of companies experienced an email phishing attack.
Because of the Covid-19 pandemic, cybercriminals have increased their phishing efforts. This is due to the increasing number of devices and channels that are connected to the internet, which increases the attack surface for hackers exponentially.
These attacks have also become so sophisticated that it’s hard to tell if an email is real or not. And that means that the responsibility to prevent cyber-attacks lies with the employees.
8. 1 in 99 emails is a phishing attack.
(Verizon DBIR 2021)
People receive hundreds of emails every day, and it is easy to become complacent and not pay attention. According to the latest research, 1 in 99 emails that people receive is a phishing attack.
This means that you need to be highly aware of what you’re clicking on and where you’re entering sensitive information online—especially if you’re doing so from a public device like a shared computer or tablet.
Phishing attacks are used by hackers to gain access to your personal information, including passwords and credit card numbers. They take advantage of people’s trust in their friends, family, or companies and organizations they do business with. Eventually, these attacks are meant to lead to identity theft.
Tendency & Frequency of Email Phishing Attacks
9. Employees receive, on average, about 14 emails per year with malicious content attached.
(Tessian)
According to 2021 research by Tessian, a regular working employee receives at least one malicious email per month.
However, not every industry is hit equally. Retail workers are at an increased risk since they receive an average of 49 malicious emails per year, more than workers in any other industry.
10. Phishing accounts for up to 90% of all data breaches.
(CISCO)
A data breach is one of the most dangerous forms of attack against a company or organization. 9 in 10 data breaches involve a phishing attack with at least one employee clicking on a link that contains malicious content.
This may be a devastating blow to a company, especially if employees don’t receive adequate cybersecurity training.
11. Phishing attacks peak during holiday seasons.
(CISCO)
Even though Black Friday is a favorite holiday for phishing emails, December is the month when phishing attacks peak, with a staggering 52% increase.
According to the same report by CISCO, phishing attacks occur heavily around holidays as people tend to let down their guard and venture into lucrative offers, rewards, or deals they come across in their email accounts.
12. There are 5 most common subject lines used for email phishing.
(Symantec)
Identifying a potential threat is not a difficult thing to do. There are a couple of guidelines people should follow, and the most prominent one is the subject line used as a title.
According to the latest research, there are five most commonly used subject lines:
- Attention
- Important
- Payment
- Request
- Urgent
13. PDFs and Microsoft Office files are the most common malicious attachments.
(SonicWall)
Other than the subject line, a person can identify a malicious attack by the contents of the email. Namely, two file types are most commonly used in an email phishing attack.
These file types are used because people are more likely to click on a trusted document format.
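As an added example (not from the original article or any cited vendor), the two identification cues above, the five subject keywords and Office/PDF attachments, can be turned into a simple mail-triage check with Python's standard `email` package. The extension list, the sample messages and the `triage` function name are assumptions made for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# The five subject-line keywords listed in item 12.
SUBJECT_KEYWORDS = ("attention", "important", "payment", "request", "urgent")
# Extensions for the file types named in item 13 (assumed list, not from the page).
RISKY_EXTENSIONS = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
                    ".ppt", ".pptx", ".pdf")

def triage(raw_message: bytes) -> dict:
    """Return the triage signals found in one raw RFC 5322 message."""
    # policy.default decodes RFC 2047 encoded-word subjects, so a keyword
    # hidden behind base64 header encoding is still seen in clear text.
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "")
    words = set(re.findall(r"[a-z]+", subject.lower()))
    keywords = [k for k in SUBJECT_KEYWORDS if k in words]
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            attachments.append(name)
    # A hit is a reason for closer review, not a verdict: most malicious
    # mail carries no attachment at all (item 14), so both cues are checked.
    return {"subject": subject, "keywords": keywords,
            "attachments": attachments, "flag": bool(keywords or attachments)}

# Constructed sample: subject is base64 for "URGENT: payment request".
SAMPLE_ENCODED = (b"From: billing@example.test\r\n"
                  b"Subject: =?utf-8?B?VVJHRU5UOiBwYXltZW50IHJlcXVlc3Q=?=\r\n"
                  b"\r\n"
                  b"Please review.\r\n")

def build_sample_with_attachment() -> bytes:
    """Constructed sample: neutral subject, Office attachment."""
    m = EmailMessage()
    m["From"] = "orders@example.test"
    m["Subject"] = "Invoice for March"
    m.set_content("See attached.")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="msword", filename="Invoice.DOC")
    return m.as_bytes()

if __name__ == "__main__":
    for raw in (SAMPLE_ENCODED, build_sample_with_attachment()):
        print(triage(raw))
```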
14. 76% of all malicious emails do not contain any attachments.
(SonicWall)
According to this 2021 research, malicious emails decreased during the worldwide pandemic, as employees have switched to working from home.
However, even with the return of the workforce to offices, more than 7 in 10 phishing emails do not contain an attachment because employees have learned their lesson and become very wary of opening such emails and files.
Email Phishing Numbers by Industry
15. Companies saw an increase of 7.3% in email phishing attacks in May through August of 2021.
(ESET)
ESET’s research on data breaches shows an increase in email attacks during a 4-month period in 2021.
Namely, from May to August, companies saw a 7.3% increase in email phishing attacks, prompting many to upgrade their cybersecurity systems. This increase is likely due to cryptocurrencies’ exchange rates declining during the same period.
16. Companies lose up to 60% of their data if an email phishing attack is successful.
(ProofPoint)
Additional data shows that 52% have compromised accounts or credentials, 47% report that their software is infected with ransomware, and about 29% state that their software is infected with malware. Fortunately, only 18% of all companies suffer financial losses.
As we can see, the impact these phishing attacks have on organizations is tremendous, especially if they are successful.
17. Organizations state that there are 3 types of data most sought after.
(Verizon)
Credentials, such as usernames, pin numbers, and passwords, are among the top hacked data within an organization’s infrastructure.
Personal data comes next, with names, addresses, and email accounts getting phished. And lastly, medical data is also incredibly sought after, especially for insurance claims.
18. Financial service companies are subjected to 60% more attacks out of all industries.
(CISCO)
According to these numbers, financial service consultants and firms are in dire need of an impeccable cyber security system since they are targeted by phishing attacks more than any other industry.
The next sector that sees a high number of attacks is higher education. Retail, manufacturing, food and beverage, research and development, and tech sectors round out the list of the most attacked industries across the globe.
19. Businesses of all sizes lose approximately $1,797,945 per minute due to cybercrime.
(RiskIQ)
This is a mind-blowing number, to say the least. When a data breach occurs, a company loses about $7.2 with each passing minute that the threat remains intact.
E-commerce is the hardest hit sector when it comes to cybercrime, losing $38,052 per minute due to online payment fraud.
20. Email phishing attacks are the second most expensive type of data breach.
(IBM)
As stated in IBM’s report, a single data breach caused by an email phishing attack might cost a business an average of $4.65 million.
BEC is a type of phishing attack where attackers target a corporate email account with the sole purpose of getting rich while hindering the company’s finances.
21. After a breach, companies might also experience a 5% drop in stock prices.
(Verizon)
Immediate financial losses aren’t the only loss a company might endure during a phishing attack. Namely, a company’s stock prices see a 5% decrease in the following six months due to a data breach.
This means that the estimated $4.65 million losses after a breach might not be the only damage to a company.
Email Phishing Attacks Across The Globe
22. 74% of companies in the US have experienced a phishing attack.
(ProofPoint)
The USA is the world leader once again, but this time in successful email phishing attacks. Namely, a staggering 74% of all companies in the US have been hit by a phishing attack at least once.
The UK is not far behind, trailing the USA with 66% of companies affected country-wide. Australia sits in third place with 60%, while Japan and Spain round out the above-half percentage with 56% and 51%, respectively.
23. European countries are far less affected by email attacks, recording less than 50% of companies being affected.
(ProofPoint)
According to this data, European countries have it far easier compared to Asia, Oceania, and the States.
In 2020, 48% of all companies in France had been subjected to a phishing attack, while 47% of all companies endured the same in Germany. This is less than what US, Japanese, and Australian companies have to deal with.
24. 69% of UK citizens are genuinely aware of phishing.
(ProofPoint)
In contrast to the previous data, it seems like people know what they’re dealing with when they encounter email phishing.
More and more people worldwide get accustomed to phishing, with 66% of the Australian populace having knowledge of these attacks.
Elsewhere, 66% of Japanese folks, 64% of Germans, 63% of French and Spanish citizens understand what phishing is.
25. Only 52% of Americans correctly answer the question “What is Phishing?”
(ProofPoint)
While it’s positive to note that people across the globe are aware of the threat of email phishing, Americans aren’t so familiar with this issue.
Namely, just a little over half of the respondents have correctly answered this question and are aware of the threat of phishing.
It’s no wonder most email phishing attacks are primarily aimed at US companies.
26. Spain is the country most affected by RDP attack attempts, with 17.1% of companies being affected.
(ESET)
In 2021, various networks that had exposed services were feeling increased pressure from cyber attacks.
Brute force attacks were the common tool used against RDP services, and Spain is the country that was hit the hardest.
17.1% of all companies in Spain have suffered from these types of attacks, more than in any other country in the world.
Email Phishing Attacks Detection & What The Future Holds
27. HTML/Phishing.Agent Trojan is the most common form of attachment malware.
(ESET)
According to ESET, this trojan is the most commonly used attachment malware in phishing emails. When this file is opened, the viewer is redirected to a scam site that imitates an official payment service, banking institution, or social network.
The site then asks the visitor to enter credentials and sensitive information, which the attacker receives.
HTML/Phishing Trojan, HTML/Fraud Trojan, and DOC/Fraud Trojan are the cybercriminals’ next most commonly used tools.
28. 8 in 10 cybersecurity professionals state an increase of cyberattacks since they started working remotely.
(Tessian)
Furthermore, 62% of these professionals also state that phishing attacks and email phishing campaigns have increased a lot more than any other cyber threat.
Other employees and management personnel believe that these phishing attacks are better handled if cybersecurity professionals are working from the office.
29. Phishing emails saw a whopping 667% increase during the COVID-19 pandemic.
(Barracuda)
Cybercriminals wasted no time during a period of fear and uncertainty and tried to capitalize as much as they could.
This report states that at the start of the COVID-19 pandemic in 2020, email phishing attacks increased by an alarming 667%. This spike is largely due to companies letting people work from home, thus decreasing their security levels in the process.
30. Text messaging is likely to replace email phishing attacks in 2022.
(Quantum PC)
Phishing via SMS is one of the trends to watch out for going into 2022. According to experts, branded impersonation is likely to remain the top phishing scam by cybercriminals, only this time, we’ll see SMS phishing instead of email phishing.
Another strategy that cybercriminals will likely employ is going after disgruntled employees and bribing them for confidential information.
Conclusion
Email phishing has been present since 1987 and will most probably remain the dominant form of phishing attack in the future. Sadly, phishing is now a part of our everyday lives, especially when we’re digitally connected almost 24/7.
With that in mind, investing in an adequate anti-spam, anti-virus, or cloud service needs to become a priority for every business, regardless of its size. Because attackers might hone their skills continually, we’ve learned from these numbers that the first step in preventing an email phishing attack is awareness.
Email phishing is a serious problem. These statistics show that phishing attacks are increasing in frequency and the cost of a single attack can be huge.
What can businesses do?
Educating employees and keeping techniques up to date are steps every company should take. At the end of the day, email phishing is a serious threat to businesses and employees—but with proper training and education, you can help minimize the risks.
We hope this list of statistics has been helpful to you as you move forward with your cybersecurity strategies and goals. One thing is for certain—email isn’t going away any time soon, so it pays to be prepared.
Keep in mind that these stats could change in the future, so definitely keep an eye out for more updates.