Phishing Statistics: The 29 Latest Phishing Stats to Know in 2020
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Phishing Statistics: The 29 Latest Phishing Stats to Know in 2020

Phishing scams and schemes are becoming more creative every day as businesses and individuals find themselves the targets of new tactics — here are the latest unsettling phishing attack statistics to keep you up to speed

If you read our 2019 phishing statistics article, then you’re in for a treat. We’ve got the most up-to-date phishing statistics for 2020 — and this time, we’re taking a different approach. Instead of writing one-off articles for each year’s list of phishing statistics, we’re going to update this article throughout the year with new statistics as they become available from new research. This way, you can always come to one source to get the latest information. Now that’s what I call service!

This allows us to provide you with the phishing statistics numbers that you need without the hassle of trying to remember which article it was that you found. So if you liked our other articles relating to the 2019 cyber security statistics and 2019 cybercrime statistics articles, then you’ll love this one. So, with all that being said…

Let’s hash it out.

29 Disturbing Phishing Statistics That Will Keep You On Edge in 2020

If you’ve ever found yourself wondering what percent of successful cyberattacks were caused by someone falling for a phishing attack, then you’ve come to the right place. We’ll answer this question and others in our new list of phishing stats.

To kick off this continually-evolving list, we figure it’s best to start out with some general phishing statistics. These are the types of overarching statistics about phishing that you might find useful when researching phishing in a more general sense. After that, we’ll dive more into specific categories relating to the types of phishing attacks (in terms of how they are performed), their impact on organizations and businesses, regions that are frequently targeted by phishing attacks, and phishing attacks that are specifically related to the COVID-19 global pandemic.

1. 32% of Confirmed Data Breaches Involved Phishing

Data from Verizon’s 2019 Data Breach Investigations Report (DBIR) indicates that nearly one-third of all data breaches involved phishing in one way or another. We’re definitely interested in seeing what their 2020 DBIR report will say about phishing once that report is available.

2. Overall Phishing Down 42% in 2019

In their 2020 SonicWall Cyber Threat Report, SonicWall threat researchers indicate a 42% reduction in overall phishing in 2019 — a trend that indicates the attack vector has been declining for the past three years. But don’t think that means that the threat is gone — oh, no. SonicWall researchers indicate that cybercriminals are being more targeted in their phishing efforts — more of a quality-over-quantity approach, if you will. Why would they say that? According to the report:

“Phishers are being measured, pragmatic and patient. Besides the usual phishing campaigns that attempt to steal login credentials, SonicWall observed new practices using old tricks.”

3. 86% of Email Attacks are “Malwareless”

Malware isn’t the only way that cybercriminals launch email-based attacks, according to April-June 2019 data from FireEye. Nowadays, these threat actors more commonly use spear phishing, CEO fraud, and impersonation tactics instead of sending malware-laden messages. Only 14% of email-based attack schemes from that period used malware.

4. 37.9% of Untrained Users Fail Phishing Tests

KnowBe4, one of the industry’s leading cyber awareness training organizations, states in their 2020 Phishing By Industry Benchmarking Report that nearly 38% of users who don’t undergo cyber awareness training fail phishing tests.

5. 90% of Verified Phishing Scams Discovered in Secure Email Gateways

Cofense (formerly PhishMe) reports that nine out of 10 verified phishing emails they analyzed for customers somehow found their ways past perimeter defenses and were discovered in environments that use secure email gateways (SEGs).

6. Apple Is No. 1 When It Comes to Being the Most Imitated Company for Phishing Scams

Data from Check Point Research’s Q1 2020 report indicates that Apple was the most imitated brand in part due to the anticipated launch of the company’s new Apple Watch. This was a significant jump from the company’s No. 7 position in Q4 2019.

Phishing Statistics: The Impact of Phishing on Businesses and Organizations

It’s no secret that successful phishing attacks can cost organizations and individual victims around the world a lot of money. Just how much are we talking about? Read on to find out.

7. $26 Billion Lost Globally to BEC/EAC Crimes Between June 2016 and July 2019

The FBI’s Internet Complaint Center (IC3) reports that more than $26 billion was reported as lost by victims in 166,349 global and domestic incidents in that period. In the U.S. that equated to more than $10 billion in losses to 69,384 victims.

8. $1.7+ Billion in Losses Resulted from BEC/EAC Crimes in 2019 Alone

The FBI’s IC3 reports that more than $1.7 billion in losses — or more than half of the $3.5 billion in losses reported as lost in 23,775 internet and cyber crime complaints — in 2019 resulted from business email compromise complaints.

9. Nearly Half of Data Breaches Are Due to Human Error and Glitches

In the 2019 Cost of a Data Breach Report from IBM and the Ponemon Institute, researchers indicate that 49% of data breaches were the result of human error and system glitches. The human error portion includes “inadvertent insiders” who fall prey to phishing attacks.

10. $3.5 Million Was the Average Cost of Human Error Data Breaches in 2019

The same IBM/Ponemon Institute report indicates that data breaches that resulted from human error had an average cost of $3.5 million. This is more than the average cost of system glitches, which is estimated to be $3.24 million, and less than the average cost of malicious and criminal attacks ($4.45 million).

11. 88% of Organizations Reported Experiencing Spear Phishing Attacks in 2019

The latest estimate from ProofPoint’s State of the Phish 2020 report indicates that nearly 90% surveyed organizations faced spear phishing attacks in 2019. The same survey also indicates that 86% of respondents reported dealing with business email compromise (BEC) attacks.

12. 84% of SMBs Targeted by Phishing Attacks

Untangle, a network security solutions provider for SMBs and distributed enterprises, reports that 84% of their Channel Partners identified their SMB clients as being targeted by phishing attacks in 2018. They also anticipate that the biggest threats their clients anticipate facing in 2020 are ransomware (46%) and phishing attacks (25%).

13. 57% of Organizations Report Experiencing Mobile Phishing Attacks

Data from Wandera’s 2020 Mobile Threat Landscape Report indicates that more than half of all surveyed organizations have experienced at least one mobile phishing incident in 2019.

Phishing Statistics: The Top Methods of Phishing Scams and Attacks

There are multiple avenues of attack that cybercriminals can use to target victims. You’ve got the traditional methods of phishing, which include sending bulk and targeted phishing emails, but there’s also other avenues of attack that include HTTPS phishing, SMS text phishing (smishing), and good ol’ fashioned voice phishing (vishing).

14. Victims Paid More Than $1.5 Million to Sextortion Scams in 1H 2019

Cofense Labs reports that their researchers assessed more than $1.5 million in Bitcoin payments that were made in response to sextortion campaigns — and that was just during the first half of the year in 2019!

15. A New Phishing Site Launches Every 20 Seconds

This is one of those phishing statistics you definitely hope is wrong, but you know, deep down, that it’s not. In their 2020 Mobile Threat Landscape Report, Wandera says that a new phishing site launches every 20 seconds. That means every minute, three new phishing sites that are designed to target users pop up on the internet.

16. 87% of Phishing on Mobile Devices Use Methods Other Than Email

According to the same mobile threat report from Wandera, 87% of phishing attacks on mobile devices use messaging, gaming, and social media apps as avenues of attack.

17. 74% of All Phishing Websites Use HTTPS Protocol

Research from the Anti-Phishing Working Group (APWG)’s 4th Quarter 2019 Phishing Activity Trends Report indicates that nearly three-quarters of the phishing websites studied used SSL/TLS certificates. The group reported the number of phishing attacks hosted on HTTPS sites as being 54% in Q2 2019 and 68% in Q3 2019.

According to the report, which involved tracking data from PhishLabs:

“Attackers are using free certificates on phishing sites that they create, and are abusing the encryption already installed on hacked web sites”

18. SaaS/Webmail Represents 31% of Most Targeted Sectors for Phishing Attacks

Data from the APWG’s Q4 2019 Phishing Activity Trends Report indicates that SaaS and webmail sites were the most frequent targets of phishing attacks. Gaining access to these types of accounts makes it easier for cybercriminals to carry out BEC and AEC attacks.

19. Office Files Represent 48% of Malicious Email Attachments

Symantec’s Internet Security Threat Report 2019 research indicates that in 2018, 48% of malicious email attachments were actually Microsoft Office files. This represents a significant jump from the 2017 estimate of just 5%.

20. 94% of Malware Is Delivered Via Email

Verizon’s 2019 DBIR data indicates that a whopping 94% of malware — 9 out of 10 — is delivered using email. Their estimate of how many files are office docs (45%), though, differs slightly from Symantec’s ISTR 2019 report findings.

Phishing Statistics: COVID-19 and Novel Coronavirus-Related Attacks

We know you’re tired of reading about COVID-19, or what’s more commonly known as the “Novel Coronavirus.” Frankly, we are, too. But the truth of the matter is that COVID-19-themed phishing and malware campaigns are on the rise. And while businesses around the United States are shut down and individuals are hurting financially, the situation lends itself as ideal conditions for opportunistic threat actors to do what they do.

As such, we thought it best to include it on our list of the phishing statistics and phishing attack statistics.

21. In One Week, Google Blocked More Than 18 Million COVID-19 Phishing Emails Daily

Cybercriminals are deploying new tactics to old phishing scams. In this case, they’re using COVID-19 concerns to exploit individuals who are seeking information relating to the pandemic. On April 16, Google reported that they blocked this many phishing emails each day the previous week (April 6-13)!

22. In One Week, Google Blocked More Than 240 Million COVID Related Spam Messages Daily

In the same time period as the point above, Google blocked more than 240 million COVID-related email spam messages per day.

23. 51,000+ Coronavirus-Themed Domains Have Been Registered Between January 2020 and March 2020

Research from Check Point indicates that more than a total of 51,000 Coronavirus-related website domains have been registered globally. This is up from their previous estimates of more than 4,000 such domains that were registered globally between January 2020 and the beginning of March 2020.

24. 94% of Coronavirus-Related Cyber Attacks in a Two-Week Period Were Phishing Attacks

Other research data from Check Point indicates that nearly 95% of Coronavirus-related attacks between April 6-17 were phishing attacks specifically. This includes attacks that involved:

  • files with “Corona” in the file names,
  • files distributed via emails with Coronavirus-related subjects, and
  • websites with “Corona” or “Covid” in their domains.

Phishing Statistics: A Global Perspective

To give you a bit more of a broader perspective, let’s take a look at some of the top phishing stats relating to different countries.

25. Venezuela Ranked No.1 with 31.16% of Phishing Attack Victims in 2019

Although it’s an “honor” that no one wants, Venezuela found itself in the top slot as the having the highest phishing attack rate in terms of attacked users in the previous year, according to the Spam and Phishing in 2019 report from Kaspersky Labs. Venezuela was followed by Brazil (30.26%), Greece (25.96%), Portugal (25.63%), and Australia (25.24%).

26. 65% of U.S. Organizations Victims of Successful Phishing Attacks

More than two-thirds of U.S. organizations reported experiencing successful phishing attacks in 2019, according to ProofPoint’s State of the Phish 2020 infosec survey. This estimate is significantly higher than the 55% global average reported in the same period.

27. China Was the Biggest Source of Spam at 21.26%

Looks like the “made in China” label also applies to the majority of spam emails in 2019, much as it did in 2018, according to the Spam and Phishing in 2019 report from Kaspersky Labs. It still ranks ahead of the United States and Russia, whose shares are 14.39% and 5.21%, respectively.

28. Puerto Rico Government Loses $2.6 Million in Phishing Attack

The government of Puerto Rico lost more than $2.6 million after one of its employees fell victim to an email phishing attack, according to a report from the Associated Press (AP).

29. Brazil Phishing Incidents Increased 232% Between February 2019 and December 2019

The APWG reports that data from Axur, one of its member companies that’s located in Brazil, indicates that phishing attacks multiplied at a significant rate. The APWG Q4 2019 report indicates that in just 10 months, “the monthly totals of phishing incidents in Brazil increased a disturbing 232%.”

Final Thoughts on Phishing Attack Statistics

Although, on face value, it looks like phishing attacks are decreasing, it’s important to look beyond the surface of these phishing statistics. While the number of attacks is on the decline, cybercriminals aren’t giving up — they’re simply trying new tactics. Phishers and other threat actors are focusing more on the quality and effectiveness of their attacks than simply blasting out numerous phishing messages with the hope that one will stick. It’s the difference of targeting victims with a metaphoric rifle instead of a shotgun.

This is why it’s still just as important for your organization to strengthen your cyber security defenses and harden your “human firewall” through cyber awareness training. If you want to keep your business safe, it’s going to require more than just your basic email spam filters.

It’s still relatively early yet in 2020 and we’re still in the middle of the ongoing COVID-19 pandemic. We’re certain to see changes in the trends of phishing attacks and the phishing statistics that are sure to follow. Stay tuned to stay abreast of the latest phishing stats throughout the year.


Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.