Phishing Data – Attack Statistics

Related articles in this category:


When you think of “cyber attacks,” what comes to mind? If you’re like a lot of people, you imagine hackers using lines and lines of code to launch super-sophisticated attacks against international corporations and governments.

The truth, though, is that one of the most common forms of cybercrime is actually fairly simple. In fact, phishing is something anyone with an email address could attempt. This is why these attacks are so dangerous and why you absolutely must appreciate the threat they pose.

To put it simply, a phishing attack takes place when a criminal impersonates someone—usually an authority figure—to trick the victim into willingly handing over personal or sensitive information. The attacker is “fishing” for this information and, once they receive it, will use it to steal money or even more important data.

Number of Attacks

Now that you have a better understanding of what these attacks entail, let’s take a look at some actual numbers to really show how widespread this type of cybercrime is.

How many phishing attacks happened in 2015?

Obviously, it would be impossible to give a concrete number for how many phishing attacks happened in 2015. We have some numbers to go by, but the majority of attempts likely go unreported.

One good source for phishing attack attempts comes from the security companies tasked with the challenge of trying to stop them. Kaspersky Labs is one of the most popular manufacturers of this type of software. Although it is used to protect against all types of cyber attacks, phishing definitely represents a large chunk of its focus.

During the second quarter of 2015, Kaspersky Labs reported that its anti-phishing system was triggered well over 30.8 million times!

That’s a ton of attempts and, again, that’s only from computers running Kaspersky Labs software. It’s a very popular option, but it’s definitely not on every computer in the world.

The Ponemon Institute did a survey of companies back in 2014 to help get a better gauge of this number, too. They targeted companies in the finance, utilities, energy, defense and aerospace industries, as they tend to be the most valued by those launching these attacks. However, some companies from retail, healthcare, and communication were also included.

Ready for some scary numbers?

They discovered that costs related to phishing attacks had more than doubled over the course of four years. Back in 2010, the average damage done to these companies was already a whopping $6.5 million.

Of the companies they spoke to, the minimum lost was $1.9 million. However, one company reported that phishing attacks had cost them $65 million last year.

This trend definitely isn’t going away, either. The Ponemon Institute reported that the average company suffers about 160 successful online assaults a week! That’s more than three times what it was back in 2010. A lot of them are phishing attacks, too.

One of the most infamous successful attempts of 2015 happened to Beacon Health System. A phishing attack gained the perpetrator access to employee emails and information about some 300,000 patients!

Last year, Kaspersky also reported that criminals in Eastern Europe had used phishing attacks to access more than 100 banks from 30 different countries over the past few years. These included:

  • The United States
  • Germany
  • China

These “cyber heists” serve as unfortunate reminders that something as simple as a phishing email can actually cause a huge impact. Estimates of how much these attacks cost get all the way up to a billion dollars!

How many phishing attacks have happened in 2016?

Cybercriminals have kept busy this year as well. In fact, many experts believe this will be another one for the record books.

The British have reported that they are already up to 8,000 phishing attacks occurring a month. Again, keep in mind that that number is probably a lot less than the true amount because of the number of attacks that aren’t reported.

For their part, the IRS has reported that phishing attacks related to taxes are up 400% this season. We’ll talk a bit more about tax-related attacks below.

Geography of Attacks

For the most part, phishing scams seem to originate from Eastern Europe. However, it’s not true that they exclusively originate from that region. Cyber-criminals exist in just about every country where there are computers.

Again, trying to pin down any information about phishing attacks is difficult because we can only go by the incidents where the crime was discovered.

Here is a look at a breakdown of the attacks that occurred in 2015 by what country the victim lived in:

  • Brazil: 9.74%
  • India: 8.3%
  • China: 7.23%
  • Russia: 6.78%
  • France: 6.54%
  • Japan: 5.93%
  • Malaysia: 5.92%
  • Poland: 5.81%
  • Kazakhstan: 5.79%
  • UAE: 5.75%

As you can see, the United States isn’t even in the top 10, though we certainly suffer from our fair share. The other interesting thing about that breakdown is how even the distribution is. While Brazil suffers roughly twice the attacks as the United Arab Emirates, it also has a much larger population. This suggests that cybercriminals throw out a fairly large net when launching these schemes.

Damage Caused by Phishing Attacks

The damage caused by phishing attacks is as extensive as it is diverse. As you’ve probably gathered by now, the main objective of a phishing attack is usually financial in nature. Cybercriminals look to loot and plunder companies, or even individuals, by accessing their financials.

That being said, even if that’s the goal, there is plenty of collateral damage done as well.

One obvious forms of fallout is the lawsuit that generally occurs after a successful attack. We’re not talking about suing the cybercriminal, though. People whose information was compromised can, in some cases, take a company to court for allowing the attack to happen.

Likewise, the company that gets attacked can file suit against their insurer if they have a policy regarding phishing attacks.

A company called Ameriforge Group Inc. took Federal Insurance Co. to court over this very issue at the beginning of 2016. The latter had issued the plaintiff a cyber insurance policy after their company was taken for $480,000. The phishing scam was just about as simple as they come, too. Someone pretended to be the Houston-based company’s CEO and convinced their accountant to wire the sum to a bank in China.

To be fair, the criminal also used phone calls to impersonate the company’s attorney and further confirm in the accountant’s mind that this was indeed a legitimate request.

In any case, when Federal Insurance Co. denied their insurance claim in May of 2014, the company responded with a lawsuit. The insurer claims that this type of phishing attack—known as a business email compromise (BEC) or sometimes as CEO fraud—was not covered in their policy because it did not involve forging financial instruments.

The point is that a successful phishing attack rarely ends with the initial damage. Whether it’s a lawsuit like the one above or simply access to sensitive information—like that related to healthcare—cybercriminals can leave huge footprints with a single email.

Types of Attacks

There are countless versions of the standard phishing attack. Here’s a look at some of the more common ones:

  • Phishing Websites: Sometimes, cybercriminals will set up websites that will allow them to more effectively carry out their scams. Many of them are truly high-quality sites that definitely look the part, too. In the fourth quarter of 2014, well over 17,000 such sites were discovered online.
  • Social Media Attacks: This type isn’t so different from the email version, but it still deserves mention. In 2015, LinkedIn narrowly escaped a serious problem when they discovered that hackers could inject a malicious comment into a LinkedIn member’s thread, thus triggering an email the cybercriminal could use—under the banner of an official email from the social networking giant—to phish their victim. Other social media phishing scams work just like email, though this time, the attacker pretends to be a close friend, family member or someone else that the victim knows or has known personally.
  • Spear-Phishing: Back in 2013, the FBI warned that this type of attack was on the rise and they were not wrong. Spear-phishing is when the scammer manages to get specific details about their target. Then, they use this information to make their message look like it’s coming from a trusted source—someone who would know the victim personally or an entity that the victim does some form of business with. After that, it simply takes a message asking for money. For example, “Hey, it’s Brett, I’m on vacation in Barcelona and someone stole my wallet. Could you wire me $100 ASAP…”
  • Fraudulent Tax Returns: Proving that cybercriminals are as creative as they are reprehensible, they have begun using spear-phishing attacks to gain their victims’ tax data. Once they have that information, they can file on the victim’s behalf, but then collect the returns. Likewise, you may get a promising email from an “attorney” who claims they can get you an amazing refund. Just send them your financial information and they’ll get back to you with the details.
  • Phishy Phone Calls: Not all phishing schemes attack via your inbox. Plenty of successful ones have begun with the phone ringing. The attacker may pretend to be the IRS, your credit card company, the bank—any authority that would be reasonable in asking for sensitive information—and invent some circumstance to justify their request.
  • Charity Phishing: Whether it’s by phone or email, one way phishing scammers have found a lot of success is by carrying the banner for a recent problem. Though it’s hard to believe these people could become any more despicable, they know that, say, by emailing you and pretending to collect funds to aid people struck by a recent natural disaster, it will often pull in quite the bounty. It’s also a good example of how a cybercriminal doesn’t always need to pretend to be an authority figure to walk away with a sizable haul.
  • CEO Phishing (Whaling): Recall the story we told above about Ameriforge Group, Inc. That was an example of CEO phishing and it’s extremely prevalent. Last year, the FBI released a report that showed that between Oct. 1, 2013 and Dec. 1, 2014, 1,198 companies were hit with this type of scam, resulting in $179 million in losses.

As you can see, those who carry out phishing scams have a veritable arsenal of scams at their disposal. The above list doesn’t get anywhere near covering all of the examples that exist, either.

The only way you can protect yourself against all of them is by practicing constant vigilance. Never assume the person in an email is who they say they are unless you can prove it. Even then, if they ask for information that could lead to a security compromise, take an extra minute and call them to confirm.

If you run a business or are in charge of an organization’s cyber security, this type of caution needs to be built into your company culture. The more employees you have, the more opportunities criminals have to strike. All it takes is one person handing over their email password and the attacker will have a legitimate email address to use for collecting other information.

Targets by Sector

We’re now going to look at which industries get hit the most by phishing attacks. However, the last thing we want to do is give anyone a false sense of security. If you’ve learned anything from this post so far, we hope it’s that, sadly, no one is safe. Whether you’re a college student, a CEO, or a retired person, you must be aware of these attacks.

The information from this breakdown comes from 2015. In 2015, the industries most affected by phishing attacks were:

  • Internet Service Providers: 24.35%
  • Financial: 20.43%
  • Payment Services: 14.91%
  • Multimedia: 13.08%
  • Retail/Service: 10.25%
  • Social Networking: 3.59%
  • Gaming: 1.31%
  • Government: 0.91%
  • Auction: 0.41%
  • Delivery Services: 0.1%
  • Classifieds: 0.09%
  • MM Reseller: 0.08%
  • Education: 0.02%

It should come as no surprise that industries where companies have access to customers’ financial data are the most attacked. Again, though, no one is completely safe, so never let your guard down.

Don’t let yourself or your employees fall victim to a phishing attack. Now that you know how rampant they are, and what many of them entail, it’s well within your control to defend against them. Just like phishing scams are unnervingly simple to launch, they are equally easy to defend against if you practice some extra caution.

InfoSec Institute
Rated 4.3/5 based on 302 customer reviews.
InfoSec Resources

Be Safe

Section Guide

Darren
Dalasta

View more articles from Darren

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.

Section Guide

Darren
Dalasta

View more articles from Darren