Email Security

    Phishing Facts and Statistics

    Knowledge is power, when it comes to phishing. Learn the latest trends defining this leading cyber threat — and how to fight back.

    by Mercedes Cardona

    Key Points

    • Phishing continues to grow and evolve as the leading cyber threat.
    • Keep up with phishing facts and statistics to defend against the latest exploits.
    • New tools and basic best practices give you a fighting chance.


    Phishing remains one of the greatest threats to cybersecurity among organizations of all sizes. It’s no wonder, with the sheer volume of email and spam — about 78 billion emails a day worldwide, on average, of which 84% are spam.[i]

    Sure, phishing attacks are all about deception, whether it’s a scam about a $100 gift card awaiting or an imposter asking for the password to your system. But it’s worth looking behind the deception to understand what is true about phishing attacks and then taking steps to thwart them.

    Phishing Statistics for 2022

    From email phishing attacks to whaling, phishing is growing in scope and size. Here are the top phishing statistics to know for this year.

    Phishing Is Frequent

    Phishing attacks are on the rise, especially since the pivot to remote work during the COVID-19 pandemic. The FBI’s Internet Crime Complaint Center (IC3) received 241,342 phishing complaints in 2020, more than twice the 114,707 it logged in 2019. While only a fraction of incidents are reported, the FBI phishing statistics provide a good indication of the general growth trend. Phishing was the most common online scam reported to the IC3, far more frequent than personal data breaches or identity theft.[ii]

    Since the start of the pandemic, companies report that employees are clicking on three times more malicious emails than before. In fact, phishing statistics in the Mimecast State of Email Security 2021 report (SOES) include a 64% increase in email threats in 2020.

    Phishing Comes in Many Forms

    Cybercriminals are quick studies, and they continually adapt their scams to new channels of communications. Popular phishing delivery methods and techniques to look out for include:

    • Email phishing: Forty percent of companies said their email security falls short, in the 2021 SOES report, and 13% have no email security system in place to stave off the various types of email phishing. The original phishing scam involves spamming email boxes with messages meant to get users to send money, reveal personal information or click on a link that drops malware in their system.
    • Spear phishing: This is a more specialized attack that uses personal information pulled from online sources such as social media and databases of stolen information available on the Dark Web. The emails are often crafted to look like legitimate communications from a colleague or client including a fake address or website that looks similar to the real thing.
    • Whaling: An even more specialized kind of spear phishing targets CEOs, CFOs or other “big fish” with emails from imposters asking for sensitive data or requesting payment of a fake invoice.
    • Smishing and vishing: With the growth of smartphone technology and channels such as texting, it was only a matter of time before fraudsters figured out how to use them for scams. Smishing uses texts, or SMS, while vishing uses voice messages, or “robocalls,” usually paired with a request for personal information or a link to click on.
    • Angler phishing: Social media activity can become part of a social engineering attack to get access or personal information. For example, an angler might intercept a social media message complaining about a product. Then the fraudster direct messages the disgruntled customer offering to make things right, if the customer shares some information or clicks on a link provided. Finally, the angler skims personal information or plants malware on the victim’s system.

    Phishing Is Growing

    A few alarming phishing statistics and trends show that this threat is not abating.

    • A scant 16% of organizations made it through the past year without experiencing at least one phishing or ransomware incident, according to Osterman Research.
    • Many organizations suffered multiple attacks last year, the 2021 SOES report said, and 70% expect their business will be disrupted this year by an email-borne cybersecurity threat.
    • By one tally, January 2021 broke monthly records for phishing statistics worldwide, with 245,771 attacks reported to the Anti Phishing Working Group (APWG).[iii]
    • Defenders are still playing catchup with the bad guys. In the Osterman report, only 45% of respondents felt confident that all employees in their organization could recognize phishing emails, but their confidence fell to 34% when asked about their ability to spot smishing, vishing, rogue apps and malicious pop-up ads online.

    Phishing Statistics Show Losses

    The impact of phishing on businesses in recent years has been harsh. According to an annual tally by the Ponemon Institute, the average total cost of a data breach to a business, including such damages as lost sales, runs about $3.86 million. And as breaches get larger, so do the costs. A loss of 5 million to 10 million records can cost an organization $50 million on average; one involving 50 million or more can cost $392 million.[iv]

    Driving costs, in part, are attackers’ higher demands. The APWG report found that the average wire transfer request in a spear phishing/business email compromise attack went up 14% in the first quarter of 2021 to $85,000, from $75,000 in the previous quarter.[v]

    How to Prevent Phishing

    Phishing is, sadly, a fact of life in today’s digital environment. Even as email has made businesses more efficient, it’s become the preferred conduit for cybercrime. Attackers may continually hone their art of deception, but what is true about phishing attacks is that preventing them starts with awareness.

    Best practices for protecting your business from phishing attacks include the following:

    • Security awareness training can teach staff how to spot phishing emails and avoid links or attachments that look suspicious.
    • Phishing drills and other real-time training that simulates an actual attack will keep users alert to fraud.
    • Installing security technologies such as phishing filters on email applications and web browsers will reduce phishing attempts, and pop-up blockers can help stop another common tool used by fraudsters.
    • Update all workstations and devices to the latest software and make sure all software patches and updates are installed as soon as they’re released. Ensure that the operating systems on all devices are current with the latest version.
    • Consider automation. New tools powered by artificial intelligence and machine learning can screen emails by looking for tell-tale patterns that show fraud.

    [i]Total Global Email & Spam Volume for August 2021,” Cisco

    [ii]Internet Crime Report 2020,” FBI Internet Crime Complaint Center

    [iii]Phishing Activity Trends Report 1st Quarter 2021,” Anti-Phishing Working Group

    [iv]Cost of a Data Breach Report 2020,” Ponemon Institute

    [v]Phishing Activity Trends Report 1st Quarter 2021,” Anti-Phishing Working Group


    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top