20 Phishing Statistics to Keep You from Getting Hooked in 2019
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

20 Phishing Statistics to Keep You from Getting Hooked in 2019

Here’s the info you need to avoid the phishing scams that leave companies reeling

If you read most of the 2018 and 2019 phishing statistics articles, they typically start out the gate with a doom-and-gloom rehashing of the costs of cybercrime in general and how it relates to email fraud. Or, the author drones on about how phishing is on the rise and how more companies and people are finding themselves on the hook after falling for the bait. (Essentially, people either are becoming dumber or the crooks are all becoming smarter — which we argue could go either way depending on the scenario, but let’s table that discussion for another time.)

But we’re not going to do that here. You’ve seen it enough on other sites, and we’d like to assume that’s the reason you’re on our site and not theirs. You know we’re going to provide you with the numbers you need — much like we did with our 2019 cyber security statistics and 2018 cybercrime articles. Today, we present the pure phish facts and phishing stats without all of the drama.

So, without further ado — the 2019 phishing attacks statistics you’ve been waiting for…

Let’s hash it out.

Phishing statistics 2019: breaking down the numbers

Something you’ve probably noticed is how much the very definition of phishing, as well as phishing attacks statistics seem to vary depending on the source of information. The numbers and definitions will vary depending on whether you’re looking at research from companies that create reports based on their clients’ data or you’re reviewing official government data.

Don’t misunderstand — we’re not saying that one source is necessarily better than the other. Whether you’re looking at phishing statistics from smaller cyber security companies, larger research firms, or even government institutions, they all have their own merits and provide valuable insights in different ways. It’s just important to just keep in mind that each source may be a bit skewed one way or another. This is why we share phishing stats and insights from multiple sources — each of these bits of information serves as a piece of the larger puzzle. And, frankly, we want to ensure you’re getting a view of the complete picture.

But enough about that — on to the numbers.

Phishing statistics: businesses and organizations

1 — Nearly one-third of all data breaches in 2018 involved phishing

Verizon’s 2019 Data Breach Investigations Report shows that 32% of the data breaches in 2018 involved phishing activity. Furthermore, “phishing was present in 78% of Cyber-Espionage incidents and the installation and use of backdoors.”

2 — One in 25 branded emails is a phishing email

Avanan, a cyber security platform, reports the two most popular brands phishers pose as are Microsoft (42%) and Amazon (38%).

3 — 76% of organizations targeted by phishing in 2017

Wombat Security’s State of the Phish 2018 report indicates that more than three-quarters of surveyed organizations and businesses were targeted by phishing scams in that year.

4 — 83% of global information security reported experiencing phishing in 2018

Eighty-three percent of global information security respondents experienced phishing attacks in 2018, according to ProofPoint’s State of the Phish 2019 Report.

Phishing statistics: phishing methods

5 — 91% of cyberattacks in 2012 began with a spear phishing email

Trend Micro researchers found that more than 90% of targeted cyber attacks were launched from spear phishing communications.

6 — URL phishing detections increased 269% in 2018

Trend Micro reports that “attacks that capitalize on the human desire to respond to urgent requests from authority are on the rise,” such as Business Email Compromise (BEC) and phishing, with phishing URL detections increasing 269 percent over 2017.

7 — Phishing attacks on SaaS and webmail services increases by 48% in Q4 2018

A Q1 2019 Phishing Activity Trends Report from the Anti-Phishing Working Group (APWG) shows that software-as-a-service (SaaS) and webmail services were the two most attacked sectors in Q1 2019. Together, they accounted for 36% of all phishing attacks during that quarter and even surpassed the payment services (27%) category for the first time.

8 — 51% of phishing attacks contain links to malware

According to research from Avanan, a cloud security platform, more than half of phishing attack emails contain links to malware. Malware attacks, by far, represent the greatest number of attacks. This is followed by credential harvesting, which represents 41% of phishing attacks.

9 — 48% of malicious email attachments are Microsoft Office Files

Although Symantec’s 2019 Internet Security Threat Report (ISTR) states that phishing levels have declined over the past several years, the email malware rate has remained stable. Microsoft Office users are the most at risk because hackers often disguise their malware as Office file email attachments to trick them into clicking on them.

10 —58% of phishing sites used SSL certificates

More than half of phishing sites were using SSL certificates in Q1 2019, according to John LaCour, chief technology officer (CTO) of PhishLabs. Quoted in the APWG’s Q1 2019 Phishing Activity Trends Report, LaCour attributes this increase to the use of free domain validation (DV) SSL certificates and the more widespread use of SSL in general.

Phishing statistics: the impacts of phishing attacks

11 — 65% of infosec pros identified credential compromise as the most common impact of phishing

In its February 2019 Attack Spotlight article, ProofPoint reports that more than two-thirds of surveyed information security professionals reported compromised credentials as the biggest impact of successful phishing attacks. This is an increase of 280% since 2016.

12 — 30% of phishing emails bypass default security measures

Avanan research indicates that 4% of all emails are phishing emails. Furthermore, their research also shows that nearly one-third of phishing messages get past companies’ default security methods.  

13 — 95% of respondents said they offer end-user training to employees

Ninety-five percent of survey respondents to ProofPoint’s State of the Phish 2019 report said they offer cyber awareness training to end users to help them identify and avoid phishing attacks. The most commonly used methods of training include computer-based online training (83%) and simulated phishing attacks (75%). 

14 — A data breach with a lifecycle under 200 days costs $1.2 million less than those over 200 days

IBM’s 2019 Cost of a Data Breach Report shows that the percentage chance of experiencing a data breach within two years is 29.6%. According to the report, “organizations today are nearly one-third more likely to experience a breach within two years than they were in 2014.” Breaches can be caused by hacking, phishing, or a variety of other cybersecurity attack methods.

Phishing statistics: by country

15 — Nearly 86% of all phishing attacks targets U.S. entities

Phish Labs’ 2018 Phishing Trends & Intelligence Report shows that the percentage of U.S. targets that are the focus of phishing attacks continues to increase, reaching 85.7% in 2018. The number increased from 81% the previous year.

16 — Phishing Attacks on British organizations decreased by 80% since 2014

The same Phish Labs trends and intelligence report shows the phishing attack trend has been declining for British organizations and institutions. While phishing attacks on the U.S., Colombia, Switzerland, Turkey, and India increased, phishing attacks on Great Britain’s institutions decreased by 80% between 2014 and 2017. 

17 — 21.66% of phishing attacks tracked by Kaspersky Labs targeted users in Brazil in Q1 2019

The Spam and Phishing in Q1 2019 report from SecureList (Kaspersky Labs) indicates that phishing attacks targeted users in Brazil most heavily compared to other countries. This is measured by the share of users whose Anti-Phishing solutions were triggered by users in those countries. The next most targeted country, Australia, jumped up six slots to second place with 17.20% in the same time period.

Phishing statistics: general statistics

18 — There were allegedly 26,379 victims of phishing/vishing/smishing/pharming in 2018

The 2018 Internet Crime Report from the Internet Crime Complaint Center (IC3) indicates that $48,241,748 was reportedly lost per victim due tophishing/vishing/smishing attacks in the same year.

19 — Phishing attacks increase by 65% as success rate of attacks increase globally

Avanan’s research shows that phishing attacks increased globally by 65% between 2016 and 2017.

20 — Up to 1 million Emotet trojan phishing emails are sent in a single day

ProofPoint researchers have seen an increase in phishing emails containing the Emotet banking trojan as an attachments. This trojan is particularly dangerous because it can capture every credential on a compromised device, including those stored in browsers, and steal email data as well.

Wrapping up our phishing attack statistics

As companies increasingly perform their business online and rely more heavily on technology for communications, it’s expected that phishing will continue to increase. However, as the above phish facts and phishing stats show, the methods that cybercriminals are using and victims they’re targeting in their phishing attacks are changing:

  • Cyber-espionage actors frequently employ phishing attacks.
  • There is a growing use of malicious files and HTTPS sites in phishing scams.
  • Phishing attacks on SaaS and webmail organizations are on the rise.
  • Attacks on U.S. organizations and businesses are increasing while some other western countries such as Great Britain are decreasing.

Although we’re only half of the way through 2019, it’ll be interesting to see what the rest of the year — and 2020 beyond that — holds in store for the cyber security industry.


Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.