Phishing Statistics: A Staggering Look At The Growing Threat

It's no secret that phishing attacks are flooding in on businesses like never before. But just how bad is the threat landscape looking? Here’s a quick glimpse at some of the latest damning phishing statistics, and what you can do to ensure you're protected.


Just like everything else in our increasingly technological world, phishing attacks are evolving at a quicker pace than many of us seem to realise. The days of deploying a large mass of generic and fraudulent emails onto endless recipients are often being replaced with newer tactics.

Nowadays, employee phishing emails can be hyper-personalised, sophisticated, hard to detect, and surprisingly cunning for even the most security-savvy individual. Techniques such as spear phishing and "whaling" attacks have seen even C-level executives fall victim to simple malicious emails, resulting in a domino effect of issues for their companies.

These factors, amongst countless others, have resulted in some frightening statistics over the last few years. And while such numbers can be thrown around the media in what are often labelled as “scare tactics”, the research that many security-focused organisations are conducting speaks for itself - and their voices need to be listened to.

The most popular type of phishing lure is the fake invoice technique

The old cyber criminal's favourite of disguising malicious email attachments as invoices remains the most popular tactic for conning users into opening the bait. A Symantec study found that one in every four major malware spam campaigns used this technique in 2016.

Other tactics that have cropped up heavily in the last year include disguising attachments sent as scanned documents from office printers, email delivery failure messages, order and payment confirmations, and highly specific flight confirmations.

Email is the no.1 delivery method of nearly all malware - one in every 131 emails contains malware.

This number undoubtedly contributes to Verizon’s finding that two-thirds of all malware over the same period was installed via email attachments.

The good news is that 2017 saw a drop in such spam email campaigns. This is no surprise, seeing as how Necurs, one of the largest botnets in the world and the primary distributor of the Locky ransomware, was taken down. In Q1 of 2017, emails containing ransomware fell by almost 50% as a result.

Templated attacks are no match for spear phishing campaigns

In one of usecure’s recent studies, spear phishing campaigns came out on top against generic templated attacks - and by a country mile.

In a campaign run on behalf of a client, clicks on personalised spear phishing campaigns towards our ‘malicious’ site were 5x higher than the number of clicks on a templated email. With the templated attack, only 1% of employees eventually entered their credentials on the fake page, compared to 26% of the spear phishing recipients.

Click rates for smaller, more customised phishing campaigns are significantly higher. Not only is that incentivising attackers to make their campaigns more targeted and cunning, it's also resulting in the need for organisations to invest more in their security awareness programmes.

Apple IDs are the no.1 target for credential theft emails

Following on from phishing emails designed to steal credentials, 25% of these types of campaigns focus on stealing Apple IDs. Considering just how popular Apple products are these days, this might not exactly come as a shocker.

The unwanted winners of the second and third placed targets are Microsoft Outlook and Google Drive, respectively.

Interestingly (although not one of the top three most targeted), Dropbox customers have the highest click rate when it comes to credential-stealing phishing emails.

Business email compromise (BEC) scams are a force to be reckoned with

If you’re unfamiliar with this type of scam, then it’s a good idea to look into it - especially if you are a senior-level employee. Also known as “whaling” or CEO fraud, these campaigns take the form of spear phishing emails where an attacker impersonates a company or senior exec, such as the CEO. They then attempt to trick an employee or vendor into parting with funds or sensitive information.

Sounds like quite the effort, right? Well, cyber criminals have seen an incredibly high ROI, with BEC scams resulting in $5 billion of business losses between October 2013 and December 2016. Overall, BEC campaigns increased by 45% in Q4 of 2016.

In 2016, a huge 76% of companies reported being victims of phishing attacks. As scary as those phishing statistics sound, they're not going to fall anytime soon, with phishing rates having increased in Q2 of 2017 for most industries and business sizes.

No sector, company or department is immune from these phishing lures, meaning that all organisations need phishing prevention measures in place in order to protect their sensitive data.

Take a proactive stance against phishing now

Strong endpoint security technology is, of course, a must for any company - but it’s not enough.

Training and educating employees on the risks of phishing attacks and how to spot the tell-tale signs is a proven way of lowering the threat. Phishing reports and statistics are more than a warning sign of just how serious and prevalent phishing campaigns are.

One of the most effective ways of seeing just how susceptible your end users are is with simulated phishing campaigns. For more information on just how important it is to raise awareness of phishing scams, take a look at “4 reasons why you should phish your employees”, or give our free phishing simulation trial a go.