Phishing Data - Attack Statistics
When you think of “cyber attacks,” what comes to mind? If you’re like a lot of people, you imagine hackers using lines and lines of code to launch super-sophisticated attacks against international corporations and governments.
The truth, though, is that one of the most common forms of cybercrime is actually fairly simple. In fact, phishing is something anyone with an email address could attempt. This is why these attacks are so dangerous and why you absolutely must appreciate the threat they pose.
To put it simply, a phishing attack takes place when a criminal impersonates someone—usually an authority figure—to trick the victim into willingly handing over personal or sensitive information. The attacker is “fishing” for this information and, once they receive it, will use it to steal money or even more important data.
Number of Attacks
Now that you have a better understanding of what these attacks entail, let’s take a look at some actual numbers to really show how widespread this type of cybercrime is.
How many phishing attacks happened in 2015?
Obviously, it would be impossible to give a concrete number for how many phishing attacks happened in 2015. We have some numbers to go by, but the majority of attempts likely go unreported.
One good source for phishing attack attempts comes from the security companies tasked with the challenge of trying to stop them. Kaspersky Labs is one of the most popular manufacturers of this type of software. Although it is used to protect against all types of cyber attacks, phishing definitely represents a large chunk of its focus.
During the second quarter of 2015, Kaspersky Labs reported that its anti-phishing system was triggered well over 30.8 million times!
That’s a ton of attempts and, again, that’s only from computers running Kaspersky Labs software. It’s a very popular option, but it’s definitely not on every computer in the world.
The Ponemon Institute did a survey of companies back in 2014 to help get a better gauge of this number, too. They targeted companies in the finance, utilities, energy, defense and aerospace industries, as they tend to be the most valued by those launching these attacks. However, some companies from retail, healthcare, and communication were also included.
Ready for some scary numbers?
They discovered that costs related to phishing attacks had more than doubled over the course of four years. Back in 2010, the average damage done to these companies was already a whopping $6.5 million.
Of the companies they spoke to, the minimum lost was $1.9 million. However, one company reported that phishing attacks had cost them $65 million last year.
This trend definitely isn’t going away, either. The Ponemon Institute reported that the average company suffers about 160 successful online assaults a week! That’s more than three times what it was back in 2010. A lot of them are phishing attacks, too.
One of the most infamous successful attempts of 2015 happened to Beacon Health System. A phishing attack gained the perpetrator access to employee emails and information about some 300,000 patients!
Last year, Kaspersky also reported that criminals in Eastern Europe had used phishing attacks to access more than 100 banks from 30 different countries over the past few years. These included:
These “cyber heists” serve as unfortunate reminders that something as simple as a phishing email can actually cause a huge impact. Estimates of how much these attacks cost get all the way up to a billion dollars!
Cybercriminals have kept busy this year as well. In fact, many experts believe this will be another one for the record books.
The British have reported that they are already up to 8,000 phishing attacks occurring a month. Again, keep in mind that that number is probably a lot less than the true amount because of the number of attacks that aren’t reported.
For their part, the IRS has reported that phishing attacks related to taxes are up 400% this season. We’ll talk a bit more about tax-related attacks below.
For the most part, phishing scams seem to originate from Eastern Europe. However, it’s not true that they exclusively originate from that region. Cyber-criminals exist in just about every country where there are computers.
Again, trying to pin down any information about phishing attacks is difficult because we can only go by the incidents where the crime was discovered.
Here is a look at a breakdown of the attacks that occurred in 2015 by what country the victim lived in:
As you can see, the United States isn’t even in the top 10, though we certainly suffer from our fair share. The other interesting thing about that breakdown is how even the distribution is. While Brazil suffers roughly twice as many attacks as the United Arab Emirates, it also has a much larger population. This suggests that cybercriminals throw out a fairly large net when launching these schemes.
The damage caused by phishing attacks is as extensive as it is diverse. As you’ve probably gathered by now, the main objective of a phishing attack is usually financial in nature. Cybercriminals look to loot and plunder companies, or even individuals, by accessing their financials.
That being said, even if that’s the goal, there is plenty of collateral damage done as well.
One obvious form of fallout is the lawsuit that generally occurs after a successful attack. We’re not talking about suing the cybercriminal, though. People whose information was compromised can, in some cases, take a company to court for allowing the attack to happen.
Likewise, the company that gets attacked can file suit against their insurer if they have a policy regarding phishing attacks.
A company called Ameriforge Group Inc. took Federal Insurance Co. to court over this very issue at the beginning of 2016. The latter had issued the plaintiff a cyber insurance policy after their company was taken for $480,000. The phishing scam was just about as simple as they come, too. Someone pretended to be the Houston-based company’s CEO and convinced their accountant to wire the sum to a bank in China.
To be fair, the criminal also used phone calls to impersonate the company’s attorney and further confirm in the accountant’s mind that this was indeed a legitimate request.
In any case, when Federal Insurance Co. denied their insurance claim in May of 2014, the company responded with a lawsuit. The insurer claims that this type of phishing attack—known as a business email compromise (BEC) or sometimes as CEO fraud—was not covered in their policy because it did not involve forging financial instruments.
The point is that a successful phishing attack rarely ends with the initial damage. Whether it’s a lawsuit like the one above or simply access to sensitive information—like that related to healthcare—cybercriminals can leave huge footprints with a single email.
There are countless versions of the standard phishing attack. Here’s a look at some of the more common ones:
As you can see, those who carry out phishing scams have a veritable arsenal of scams at their disposal. The above list doesn’t get anywhere near covering all of the examples that exist, either.
The only way you can protect yourself against all of them is by practicing constant vigilance. Never assume the person in an email is who they say they are unless you can prove it. Even then, if they ask for information that could lead to a security compromise, take an extra minute and call them to confirm.
If you run a business or are in charge of an organization’s cyber security, this type of caution needs to be built into your company culture. The more employees you have, the more opportunities criminals have to strike. All it takes is one person handing over their email password and the attacker will have a legitimate email address to use for collecting other information.
We’re now going to look at which industries get hit the most by phishing attacks. However, the last thing we want to do is give anyone a false sense of security. If you’ve learned anything from this post so far, we hope it’s that, sadly, no one is safe. Whether you’re a college student, a CEO, or a retired person, you must be aware of these attacks.
The information from this breakdown comes from 2015. In 2015, the industries most affected by phishing attacks were:
It should come as no surprise that industries where companies have access to customers’ financial data are the most attacked. Again, though, no one is completely safe, so never let your guard down.
Don’t let yourself or your employees fall victim to a phishing attack. Now that you know how rampant they are, and what many of them entail, it’s well within your control to defend against them. Just as phishing scams are unnervingly simple to launch, they are equally easy to defend against if you practice some extra caution.