Phishing Statistics: The 21 Latest Phishing Stats to Know in 2024
2 votes, average: 5.00 out of 52 votes, average: 5.00 out of 52 votes, average: 5.00 out of 52 votes, average: 5.00 out of 52 votes, average: 5.00 out of 5 (2 votes, average: 5.00 out of 5, rated)
Loading...

Phishing Statistics: The 21 Latest Phishing Stats to Know in 2024

<60 seconds — this is the median time Verizon’s 2024 Data Breach Investigations Report (DBIR) indicates it takes users to fall for phishing emails. (21 seconds to click + 28 seconds to enter their data on a phishing site.) Check out the latest phishing statistics and data from Verizon and other industry leaders…

IBM’s X-Force Threat Intelligence Index 2024 report shows that phishing as a top initial access vector in 2023 dropped 44% compared to 2022. But does this mean that phishing is going out of style? Unlikely — phishing constitutes 24/7 business opportunities for bad guys, which is likely to never go out of style.

Phishing is a very real (and common) threat facing businesses and consumers. The goal of phishing is to get a target to do something they normally wouldn’t, such as giving up their login credentials, sending sensitive customer data or your company’s intellectual property.

Here to catch the latest phishing statistics from experts around the cybersecurity industry?

Let’s hash it out.

Phishing Statistics: A Look at Phishing Costs and Frequency

1. BEC Losses Topped $2.9 Trillion in 2023

BEC statistics and phishing statistics graphic: $2.9 trillion in reported losses. Data from FBI IC3 Internet Crime Report 2023.
Data source: FBI IC3’s Internet Crime Report 2023.

Data from the FBI’s Internet Crime Complaint Center (IC3) 2023 Internet Crime Report shows that phishing/spoofing (which they lump together) accounted for 298,878 reported complaints in 2023. The number is down from 2021, which totaled 342,494 complaints. But what’s particularly interesting is that the reported losses for phishing are down dramatically, costing “only” $18.7 million in the reporting period compared to the $126.4 million in 2021’s reported losses.

Now, keep in mind that the IC3 ranks business email compromise (BEC) attacks separately from phishing. However, many organizations often count BEC attacks within their phishing statistics, so it gets a bit murky here in terms of the potential overlap. As far as BEC scams are concerned, the IC3 says there were more than $2.9 trillion in reported losses in 2023 (compared to $2.4 trillion in 2021) due to these attacks.

Of course, this data is based on reported compromises and losses. It makes me wonder, though, how many people or businesses didn’t report being victimized…

2. Attackers Can Exfiltrate Data Within Two Days of a Compromise

Of course, not all costs are monetary. Another way of looking at phishing is in terms of time — the amount of time it takes to respond to an attack, remediate an attack, or recover from one.

Data from Palo Alto Network’s Incident Response Report 2024 shows that attackers have figured out how to eliminate a week’s worth of time for cyber defenders to respond and stop data exfiltration in a ransomware attack. The research team says that in 2021, the “median time between compromise and exfiltration was nine days.” But as of 2023, that number plummeted to just two days!  

In the following example of a ransomware attack, Palo Alto reports that it took less than 14 hours to carry out the following steps and wreak havoc on the target organization — all starting with a phishing email:

A screenshot of a graphic from Palo Alto Network's Incident Response Report 2024 that shows a breakdown of how an attacker used phishing as a way in to launch a ransomware and data exfiltration attack.
Image source: Palo Alto Network’s Incident Response Report 2024.

3. 94% Of Organizations Report Falling Prey to Phishing Attacks

Oof… That’s a doozy. Nine in 10 organizations surveyed by Egress in its Email Security Risk Report 2024 indicated that they were the victims of phishing attacks. What’s less surprising, however, is that nearly all of them (96%) say they were “negatively impacted” by those attacks.

This makes sense, considering that phishing attacks are generally used to trick people into handing over their login credentials (and other sensitive information) or making financial payments to fraudsters that are often discovered too late.

4. Phishing Was Involved in 71% of Cyber Threats

ReliaQuest’s Annual Cyber-Threat Report shows that seven in 10 system and network infiltrations the company’s security team observed in 2023 involved the use of phishing links and attachments. Social engineering was recognized as the “most common route to achieving initial access” for bad guys to exploit legitimate users.

Researchers anticipate that business email compromise attacks will increase in 2024. This is in part due to the use of generative AI technologies that:

  • Help phishers create more realistic emails. This helps bad guys “AvOID teh typo isues” we’re used to seeing in many phishing emails and mimic individuals’ personal communication styles. They can create believable messages that can catch users off-guard and cause them to do something they (and you) will later regret.
  • Enable Bad Guys to Create Synthetic Voice Recordings. GenAI can be used to create speaking voices that impersonate real people — your boss, a coworker, or even a family member — to carry out deepfake voice phishing. There have even been examples of bad guys using these genAI deepfake voice recordings to trick people into thinking that a loved one has been abducted!

5. Phishing Contributed to 79% of Account Take Over (ATO) Attacks

Research from Egress’s aforementioned 2024 email security report indicates that nearly four in five ATO incidents began with bad guys using phishing emails. Often, ATO attacks begin with bad guys using spearphishing to carefully research the target company (and/or specific employees).

Bad guys love to use this scam approach to do any number of things, including trick employees into providing their login credentials or making fraudulent payments.  

6. Global Phishing Attacks Increased 58.2% in 2023

Unsurprisingly, bad guys aren’t ready to hang up their rods and reels. Data from the Zscaler ThreatLabz 2024 Phishing Report shows that researchers observed a nearly 60% year-over-year increase in phishing attacks globally in 2023 compared to 2022.

Of the more than 2 billion phishing transactions they examined across their online security cloud in 2023, researchers saw a surge in recruitment scams, voice phishing attacks, and browser-in-the-browser attacks. (BitB attacks typically involve an attacker creating a bogus login window that looks like the authentication pop-ups we’re used to seeing to log into an app or service using the linked login credentials from other platforms, such as Apple, Google, or Meta.)

An example screenshot of a legitimate login screen that allows a user to log in to Ahrefs using Google or Facebook as alternatives to creating a site-specific pair of credentials.
Image caption: A screenshot we captured from ahrefs.com of a legitimate login screen that allows you to log in to a service or website using credentials from another site, app or service.

7. 3.4 Billion “Unwanted Emails” (Including Phish) Were Sent in 2023

Cloudflare reports that its Cloud Email Security service blocked a total of 3.4 billion unwanted emails in 2023 alone, and this category of messages includes a mix of bulk, spam, and malicious messages (including phishing). This marks an increase of nearly 42% from 2022’s reported 2.4 billion messages.

Of those billions of messages, which equates to an average of 9.3 million per day, the company reports that an average of 3% are malicious. That means more than 102 million malicious emails were sent out in 2023, or what equates to nearly 280,000 malicious messages per day. 

Now, just keep in mind… these numbers relate to the number of messages Cloudflare’s service successfully blocked. This doesn’t include any other instances that may have slipped past its defenses…

Phishing Statistics: Head-Shake Worthy Items of Note

8. Less Than One in Five Simulated Phishing Emails Were Properly Reported

Data from Proofpoint’s 2024 State of the Phish report indicates that only 18.3% of emails sent as part of phishing simulations were properly reported by users (rather than ignoring or deleting them). Nearly half of that number of simulated phishing emails (9.3%) were clicked on by users.

9. 96% of Employees Admit to Doing Stupid Crap, Despite Knowing the Risks

Yup. Another startling statistic from Proofpoint’s survey is that 96% of users say they knowingly do stuff that they know is risky.  

A graphic using Proofpoint data that shows a visual breakdown of how many surveyed employees engage in risky behaviors despite knowing it creates risk for their employer
Data source: Proofpoint.

So, why do they do it? Our guess is that their decision to leave your organization at risk often boils down to users prioritizing convenience over security.

And based on the phishing statistics info shared in the next section, it looks like that guess is pretty spot-on…

10. 54% of Employees Ignore Security Warnings Due to “Info Overload”

CybSafe survey data shows that 45% of office workers say they “sometimes” tune out cybersecurity warnings “due to overwhelm and fatigue from digital communication.”  What’s even more worrisome, however, is that another 9% say they do so “often.”

This is particularly problematic since 70.6% of survey respondents indicate that they’re either “extremely confident” or “confident” that they can “recognize and avoid cybersecurity threats (such as phishing emails, unsafe websites)” online. And if that wasn’t bad enough, 43% indicate that they “skip or ignore recommended cybersecurity best practices” in favor of convenience.

… When last we checked, falling prey to a phishing attack — and dealing with the subsequent data breaches, lawsuits, financial losses, reputational damages, and everything else that follows — wouldn’t be too “convenient” for you, your employees, or your customers.

11. ChatGPT Created a Phishing Login Page in Fewer Than 10 Queries

Artificial intelligence (AI) technologies, particularly generative AI (genAI), are a sight to behold. They can create incredible artwork and unbelievably realistic audio and video. (No, we’re not getting into the potential copyright issues and concerns surrounding AI training materials and the images they generate — that’s a whole separate issue.) However, these technologies also pose a significant threat when used by people with ill intentions, leading to concerns that can’t be swept under the rug.

For example, Zscaler’s ThreatLabz researchers used a series of prompts with ChatGPT’s AI chatbot to create a Microsoft-themed phishing login page that looks legitimate in fewer steps than it takes to bake a tasty cake.  

12. AI Deepfake Duped a Finance Worker into Handing Over Nearly $26 Million

CNN reported that an unnamed finance worker in Hong Kong who worked at a major international financial company was tricked into transferring more than $25 million (USD) as part of a genAI-fueled spear phishing attack. How? Through the use of genAI.

The attacker(s) used deepfake technology to fake audio and video recordings. This included hosting a fraudulent web conference with the target — a meeting that included deepfake recordings of the company’s chief financial officer (CFO) and other officials from other international sites.

Apparently, the recordings were believable enough that it got the employee to make the transfer over a series of 15 transactions…

Want to Know How to Avoid Falling for Deepfake Scams?

Learn more about what happened in this phishing attack and explore how to prevent your company from falling for deepfake scams.]

Phishing Statistics: Common Phishing Tactics and Approaches

13. Nearly 43% of Phishing Attacks in Q4 2023 Targeted Social Media

Data from the Anti-Phishing Working Group’s (APWG) Phishing Activity Trends Report for 4th Quarter 2023 indicates a substantial increase in phishing attacks against social media platforms. This data, supplied by APWG founding member OpSec Security, marks a 126% increase over Q3 2024.

According to a related article from APWG Board of Directors member Dave Piscitello:

“Attackers lure victims to impersonation web sites by incorporating phishing URLs into posts or comments. Attackers target Facebook, LinkedIn, Twitter, Tumblr, Snapchat, Google+, Instagram and other social media users with thousands of phishing or otherwise malicious URLs […]. Attackers also distribute phishing lures in text, SMS, Skype, Messenger, or other messaging services. These new attack vectors demonstrate that phishers have adapted to society’s increased mobility and today’s diversity of messaging platforms.”

The APWG tracks unique phishing websites and unique phishing email subjects globally. The Working Group labeled 2023 as the “worst year for phishing on record.”

Cloudflare’s earlier cited data indicates that links were present in nearly half of all the malicious email threats its security team identified. They’re often used in combination with other threats.

In one sense, this isn’t surprising, considering that bad guys love to use links to trick users into going to their phishing and malicious websites. However, it does emphasize the importance of cyber awareness training for employees. You need to do everything in your power to ensure they can recognize real links from malicious ones.

15. 68% of Breaches Involve the “Human Element”

Many industry reports, including some of our articles here at Hashed Out, often point to Verizon’s annual data breach statistic regarding the “human element.” One of the things we’ve always been careful to point out when citing this stat in previous articles was that it included a mix of innocent human errors and malicious privilege misuse (i.e., typically malicious or unapproved uses that cause harm) within that metric.

Now, Verizon has decided to separate them to provide greater clarity regarding that statistic in its 2024 DBIR report. (NOTE: The DBIR authors said they did this because people were typically focused on promoting cyber awareness as a solution, so malicious use of credentials wouldn’t fit that line of thinking.) So, without counting Privilege Misuse, it means that 68% of the 10,626 confirmed data breaches they analyzed in 94 countries (out of 30,458 security incidents) involved the “human element.”

But what if they were still to include misuse in that stat? According to the report, “the inclusion of the Misuse action would have brought the percentage to 76%[.]”

16. 5 Minutes Is All It Takes GenAI to Create a Believable Phish

In the time that it takes you to pick up your mobile coffee order at your favorite shop, a cybercriminal can use generative AI technology to spit out a deceptive phishing message. This data comes from IBM’S X-Force researchers, who state in the X-Force Threat Intelligence Index 2024 report that it gives attackers back nearly two days’ worth of time that would have been spent crafting their messages otherwise. 

17. Microsoft (#1) and Google (#2) Claim 49% of Phishing Impersonations

Check Point Research reports that the most commonly imitated brands in phishing attacks in the first quarter of 2024 were Microsoft (38%) and Google (11%). LinkedIn followed closely behind, claiming another 11%. 

Here’s a look at the 10 most commonly phished brands in Q1 2024:

A graphic showing the most phished brands using data from Check Point Research
Data source: Check Point Research.

18. 68 Million Microsoft-Themed Spoofing Phishing Emails Were Sent in 2023

This data from Proofpoint means that an average of 186,301 malicious emails were sent per day by bad guys pointed to Microsoft and/or Microsoft products. So, what was the most common product that bad guys were abusing in their fraudulent emails? Office 365.

Zscaler’s 2024 Phishing Report data also shows that Microsoft is the most imitated brand, being impersonated in 43.1% of phishing attempts.

Which brings us to our next phishing stat…

19. 94% of Organizations Were Victimized Within Microsoft 365

Microsoft 365 is one of the world’s leading office software suite providers. So, in many ways, it’s not surprising that bad guys love to exploit Microsoft’s good name to do their dirty deeds. Egress’s Email Security Risk Report survey of professionals shows that nearly 9.5 in 10 people were targeted within their Microsoft 365 environments.

20. 51% of Organizations Fell for Compromised Supply Chain Accounts

More than half of the organizations surveyed by Egress admit to being victimized by phishing attacks that originated within their own supply chains. This underscores the importance of digital trust and having a way to verify the authenticity of the person you’re communicating with at any given time.

Supply chain attacks typically boil down to security issues within third-party software or email accounts. Proofpoint reports in its threat briefing on supply chain attacks that during a one-week period in February 2021, 98% of the 3,000 organizations whose data researchers analyzed “received a threat from a supplier who was either impersonated or compromised.”

21. Phishing Websites Surpassed 13.4 Million in 2023

Bolster reports in its 2024 State of Phishing & Online Scams report that the number of phishing and other fraudulent scam sites observed in 2023 increased significantly compared to the volume seen in the past several years. The company’s researchers indicate that the detected scam sites jumped nearly 94% from 6,942,158 in 2020 to 13,438,810 in 2023.

A graphic showing a steady increase in phishing activity over the past several years using data from Bolster.ai.
Data source: Bolster.ai.

Hungry for More Relevant Industry Statistics?

We hope you’ve found these phishing statistics informative and useful for your purposes. If you’re still looking for more interesting data, be sure to check out our articles relating to cyber security statisticscybercrime statistics, and social engineering statistics.

Author

Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.