Startling Phishing Statistics to Be Aware of in 2022

Phishing attacks are a regular occurrence in 2022, but some phishing email scams are easier to detect than others. While you probably know that you shouldn’t respond to an email claiming “You’ve Won a Free iPad,” many fraudulent emails are more cunning with their approach.

After analyzing phishing statistics, we discovered just how effective fraudulent emails could be.

For example, in 2019 a cybercriminal successfully executed a spear phishing campaign that swindled employees from Google and Facebook into paying over $100 million in fraudulent invoices.

In 2017, scammers sent emails posing as the CEO of an Austrian aerospace parts maker, requesting large sums of money from entry-level employees. This resulted in approximately $61 million in losses. This type of phishing tactic is so prevalent that it even has a name: CEO fraud.

While social engineering scams are always changing, educating yourself on the latest phishing trends and security software options is the best thing you can do to stay safe. Check out our list of phishing statistics for 2022 below.

Key Takeaways:

• One in every 99 emails is a phishing email.
• It’s estimated that 3.4 billion fraudulent emails are sent daily.
• The top five most impersonated brands are eBay, Apple, Microsoft, Facebook, and Steam.
• 2021 was the costliest year for data breaches in 17 years.
• The total average cost of a data breach was $4.24 million in 2021, up from $3.86 million the previous year.

Table of Contents:

1. What percentage of cyberattacks are phishing?
2. Recent phishing attempts are more convincing
3. Phishing email statistics
4. Website phishing statistics
5. Top brands exploited by phishing scams
6. Cost of phishing attacks
7. Data breach statistics
8. Phishing trends in 2022
9. 4 tips to protect against phishing for businesses

What percentage of cyberattacks are phishing?

Verizon’s 2020 Data Breach Investigations Report found that 22 percent of data breaches are phishing. That accounts for more than one in every five data breaches.

This only makes sense, given that the FBI’s Internet Crime 3 (IC3) Report recorded phishing as the most common cybercrime type of 2020.

The number of phishing, vishing, smishing, and pharming complaints came out to 241,342, resulting in adjusted losses of over $54 million.

According to CISCO’s 2021 Cyber Security Threat Trends, 86 percent of organizations had at least one user attempt to connect to a phishing website.

Additionally, F5’s 2020 Phishing and Fraud Report found that phishing incidents rose by 220 percent compared to the yearly average during the height of the COVID-19 pandemic.

Recent phishing attempts are more convincing

At one point, phishing attacks were known as easy-to-spot emails sent out to mass numbers of people. Today, spear phishing emails use personal information to craft convincing messages targeting specific individuals.

This is shown by Symantec’s 2019 Internet Security Threat Report, which found that 65 percent of targeted attacks in 2019 involved spear phishing tactics. The motivation of 96 percent of these targeted attempts were for the sake of gathering intelligence.

Email phishing is also the number one concern for 90 percent of IT professionals, according to a recent survey by IRONSCALES. The same survey found that 81 percent of IT directors and managers experienced higher rates of email phishing attempts since the start of the COVID-19 pandemic.

Here’s a breakdown of how many respondents from that survey experienced phishing on platforms other than email:

• Video conferencing platforms: 44 percent
• Workforce messaging platforms: 40 percent
• Text messaging: 36 percent

These stats show how phishing attempts are becoming more convincing while spreading across different platforms, where the average worker might not see them coming.

Phishing email statistics

Phishing is most commonly done via email. In 2019, Avanan’s analysis of 55.5 million emails revealed that one in every 99 emails is a phishing attempt.

How many phishing emails are sent daily?

Valimail’s 2019 Email Fraud Landscape report estimated that 1.2 percent of emails are malicious.

If you convert that percentage into emails, it corresponds to 3.4 billion fake emails being sent per day. By those estimations, it means that over the course of a year, over 1 trillion fraudulent emails are sent out.

Common email phishing attacks to look out for

According to KnowBe4’s Q3 2021 Top-Clicked Email Phishing Report, here are the top five most common phishing email subjects in the U.S.:

1. Vacation Policy Update
2. Password Check Required Immediately
3. Important: Dress Code Changes
4. Acknowledge Your Appraisal
5. Remote Working Satisfaction Survey

In the same study, these were the most common subject lines found in the Middle East, Europe, and Africa:

1. Your Document is Complete — Save Copy
2. Stefani Has Endorsed You!
3. You Requested a Reset to Your LinkedIn Password
4. Windows 10 Upgrade Error
5. Internet Capacity Warning

According to Symantec’s 2019 Internet Security Threat Report, the most common business email compromise (BEC) email keywords were:

1. Urgent
2. Request
3. Important
4. Payment
5. Attention
6. Outstanding payment
7. Info
8. Important update
9. Attn
10. Transaction

This shows that you need to be wary of emails that use time-sensitive keywords or ask for payment in any way, shape, or form. This information is one way to help you spot phishing email scams.

Malicious attachments to avoid

The ESET 2021 Threat Report found that Windows executable files made up 66 percent of malicious email attachments. Other common malicious attachments include script files, office documents, and PDF files. Here’s the full breakdown:

1. Windows executables: 66 percent
2. Script files: 21 percent
3. Office documents - 4 percent
4. PDF documents - 4 percent
5. Batch files - 3 percent
6. Compressed archives - 2 percent

Being wary of senders when opening attachments is essential. While office workers may be more used to interacting with Office and PDF documents, if you don’t fully trust an email, don’t interact with any links or attachments.

Website phishing statistics

All too often you’ll find fraudulent emails claiming to come from a trusted source. Whether you receive a message from someone claiming to be a coworker or an email from “Facebook Customer Support” claiming your account has been hacked, website phishing happens all the time.

It was previously thought you could avoid these dangerous sites by checking for HTTPS in URLs instead of HTTP. The former indicates that a web page is encrypted and more secure. This false sense of security, however, is something scammers have recently been taking advantage of.

Webroot found that approximately 32 percent of phishing websites used HTTPS during 2020. That means that one in three phishing websites are going the extra mile to maintain an image of security.

According to APWG’s Q2 2021 Trends Report, here are the industries mimicked most by phishing attempts:

1. Financial industry: 29.2 percent
2. Social media: 14.8 percent
3. Payment: 12.2 percent
4. SaaS/webmail: 8.7 percent
5. E-commerce/retail - 8.2 percent
6. Cryptocurrency - 7.5 percent
7. Logistics/shipping - 6.9 percent
8. Other - 10.1 percent

Because it’s common for trusted websites to be impersonated, be mindful of the warning signs of suspicious URLs. In fact, avoiding suspicious links is one of the most important internet safety rules.

Top brands exploited by phishing scams

F5’s 2020 Phishing and Fraud Report found that 55 percent of phishing websites used target brand names and identities in their URLs. In this way, cybercriminals use brand rapport to capture sensitive information from their victims.

According to CISCO’s 2021 Cyber Security Threat Trends, the financial services sector experiences the most phishing attacks out of any other sector. For the healthcare sector, phishing and trojan attacks made up three-quarters of malicious traffic.

In Webroot’s 2021 BrightCloud Threat Report, researchers found which companies were most often impersonated by phishing websites. Here is a breakdown of that data:

1. eBay: 13.2 percent
2. Apple: 10.2 percent
3. Microsoft: 9.5 percent
4. Facebook: 8.8 percent
5. Google: 8.6 percent
6. Steam: 7.9 percent
7. Yahoo: 5.4 percent
8. Netflix: 3 percent
9. PayPal: 3 percent

Sometimes phishing websites can look almost identical to the brand they’re impersonating. This is why it’s so important to use antivirus software that warns you about suspicious or potentially unsafe websites.

Cost of phishing attacks

According to APWG, in 2021 the average wire transfer requested in BEC attacks increased from $75,000 in 2020 to $106,000 in 2021.

The same report found that in the second quarter of 2021, 24 percent of BEC attacks attempted to divert employee payroll deposits.

This information is supported by IBM’s Cost of a Data Breach Report 2021, where it was found that 2021 was the costliest year for data breaches in the last 17 years. They reported that from 2020 to 2021, the average total cost of a data breach increased from $3.86 million to $4.24 million.

Researchers from the same report found that, on average, data breaches caused by phishing took 213 days to be identified and 80 days to be contained. This means that the average time it takes to contain a phishing threat overall is 290 days.

Data breach statistics

Data from IC3’s 2020 report found BECs to be the most costly cybercrime, resulting in over $1.8 billion in yearly losses.

In 85 percent of data breaches, a human element was involved, according to Verizon’s 2021 DBIR. This makes sense, given how often phishing tactics use social engineering to steal sensitive information.

In the same report, it was found that credentials are the most commonly stolen type of data in 61 percent of breaches. Here are the rankings of the most commonly stolen data types:

1. Credentials
2. Personal
3. Medical
4. Bank
5. Internal
6. Payment
7. Other

According to Proofpoint’s 2021 State of the Phish report, they found that the most common impacts of successful phishing attacks included:

1. Loss of data: 60 percent
2. Credential/account compromises: 52 percent
3. Ransomware infections: 47 percent
4. Other malware infections: 29 percent
5. Financial loss/wire transfer fraud: 18 percent

Phishing trends in 2022

As we move into a more remote working environment and people spend more time on their devices, it brings more opportunities for phishing attacks to occur. Here’s a breakdown of the most notable 2022 phishing trends:

• Phishing attacks increased 510 percent from January to February in 2020. (Webroot’s 2021 BrightCloud Threat Report)
• Phishing URLs impersonating Netflix increased by 646 percent from March to July of 2020. (Webroot’s 2021 BrightCloud Threat Report)
• More than 60 percent of security professionals surveyed said that phishing campaigns were the most increased security problem during the COVID-19 pandemic. (Microsoft’s 2021 New Future of Work Report)
• Tech support fraud increased by 171 percent from 2019 to 2021, resulting in over $146 million in losses. (FBI’s Internet Crime 3 (IC3) Report)

These stats all point to the fact that, as our world becomes more remote, we have to be more proactive about cybersecurity. Keep your data secure with a VPN and try being more mindful about which emails you click on.

4 tips to protect against phishing for businesses

Businesses are frequently the targets of phishing campaigns. In severe cases, cyberattacks engaging in CEO fraud can cost companies millions of dollars.

The more proactive you are about security, however, the less likely you are to experience great losses from phishing scams. Here are some ways to defend yourself.

1. Open emails with caution

Since emails are the most common form of phishing scams, be mindful as you peruse your inbox. You don’t want a malicious attachment installing spyware onto your device. Warning signs of a fraudulent email include:

• Grammar mistakes
• Unusual requests
• Urgent subject lines

A common tactic scammers use in phishing emails is to pretend to be a coworker or a higher-up at the company you work for. That said, be on the lookout for emails from your “CEO” that request personal information.

2. Use two-factor authentication

Using two-factor authentication, or 2FA, simply means that you use two or more channels to verify your identity when accessing a platform. This means that to access your work email, you might be required to enter in a security code that’s sent to your phone as well as your usual password.

If your password is stolen by a cybercriminal, they still won’t have access to your company’s sensitive data with 2FA.

3. Phishing cybersecurity software

The last thing you want is for ransomware to infect your work computers. To keep your business protected, make sure your computers are always running the latest software updates and using anti-tracking software.

When it comes to keeping your business safe specifically from phishing emails, there are a number of security solutions out there. When choosing security software, simply make sure that it features ways to filter and remove spam, email filtering rules, and malicious URL detection.

4. Educate your employees

The more educated your employees are about security and potential phishing tactics, the more secure your business will be overall. Whether you keep your employees informed through a newsletter or weekly training, you should help them understand common phishing threats and how to avoid them.

You may even want to go the route of requiring your employees to complete full cybersecurity training courses. Some free options include the Department of Health and Human Services Training and FedVTE.

While phishing attacks are on the rise, there are plenty of ways to defend yourself. Be wary of common phishing signs, such as urgent emails and suspicious links and attachments.

You’ll also want to download Clario’s antivirus software and VPNs to defend against phishing attempts. Our data breach monitor allows you to scan emails for threats while alerting you to any leaked sensitive information we detect. Download our mobile security software for Mac, iOS, or Android to keep your data safe.

The landscape of cybersecurity is ever-changing, so you have to be proactive about keeping yourself and your business informed.

Get our research in simple facts gathered in one comprehensive infographic.