Important phishing statistics and what we can learn from them

Important phishing statistics and what we can learn from them

In a phishing attack, a hacker sends an email pretending to be from a legitimate source, such as the CEO of your organization, a bank, the IRS, PayPal, just to name a few, with the goal of tricking the recipient into giving away sensitive or confidential information.

For its victims, the impact of phishing is costly. The average loss for mid-size companies is $1.6 million. Aside from financial losses, which can include fraudulent wire transfers, legal fees, and fines, phishing victims experience:

  • Compliance issues
  • A greater burden on its IT teams
  • Reputation loss of its infosec teams
  • More investments in new technology
  • Frustration from customers and employees after a phishing-related loss

Here are some statistics that reveal today’s phishing landscape. They will help your enterprise beef up security, as well as manage the risks and help you prepare your employees for an attack.

According to Cofense’s “State of Phishing Defense 2018: Susceptibility, Resiliency, and Response to Phishing Attacks”:

  • Email delivers most malware to enterprise, around 92%.
  • The average user receives 16 malicious emails every month.
  • In 2018, 10% of all reported emails were malicious, with more than 50% being phishing attacks.

According to Wombat’s “State of the Phish 2019”:

Email is the top attack vector, with cybercriminals using phishing campaigns to target employees across organizational levels and job functions.
More respondents said they experienced the biggest increases from phishing and spear phishing attacks from 2017 to 2018.
Credential compromise, malware infection, and data loss are the top three impacts of phishing. Credential compromise increased by 70% in the past year, surpassing malware infections.

Here are some additional figures:

  • 30% of phishing emails are opened by their targeted or intended users and 12% of them click on the malicious attachment or link (Verizon).
  • Phishing has increased across most industries and organization sizes (SANS Institute).
  • In 2017, almost 1.5 million new phishing sites were created each month (Webroot Threat Report).
  • The online payment sector was the biggest phishing target in Q3 2018, followed by SAAS/webmail and financial institutions (Proofpoint).
  • 286 brands were targeted in September 2018, the most seen in a month since November 2017 (Proofpoint).

In 2018, 60% of effective phishing campaigns used the subject line “invoice.” And nearly all phishing campaigns were one of four themes:

  • 45% were corporate emails that spoof official corporate communications, including full mailbox notifications, spam quarantines, benefits enrollment messages, invoices, and confidential HR documents.
  • 44% were consumer emails that imitate messages seen by the general public almost daily, such as those on frequent flyer accounts, bonus miles, photo tagging, frozen accounts, social networking, gift card notifications, just to name a few.
  • 8% were commercial emails that look like generic business-related emails such as shipping confirmations, invoice payments, and wire transfer requests.
  • 3% were cloud emails like those on downloading documents from cloud storage and creating a document using an online file sharing service.

Conclusion: Attacks are inevitable for all businesses. Your organization is not immune to phishing, so here are four defense tactics your organisation can adopt to stay safe.

  1. Increase security awareness training for your end users. They must shift from being your organization’s weakest link to its biggest defense. Training helps employees know the latest security attack types, their red flags, and the best defenses against them.
  2. Invest in tools such email and spam protection. These not only help increase employee awareness, but decrease the success rate of phishing attacks.
  3. Get a password manager. It lessens or eliminates the likelihood that your employees will hand over their usernames and passwords to spoof emails and sites. This technology helps your organization maintain strong and unique passwords across the board. It also analyzes websites for safety before automatically filling in forms or logging in.
  4. Partner with a managed services provider (MSP). Spectrumwise is an MSP that will not only provide your enterprise with endpoint network security but security awareness training. We don’t just give you solutions and leave you to deal with security on your own. With our industry expertise, we will work with you to monitor your infrastructure for anomalies, provide preventive maintenance, and look for opportunities to optimize your infrastructure and business processes. Contact us and find out more.

Like This Article?

Sign up below and once a month we'll send you a roundup of our most popular posts