
Quick Summary: Is phishing a big security challenge? Does phishing cause most data breaches? Get answers to these questions and more with this article that offers plenty of phishing statistics and facts. You can understand the present scenario of phishing with the useful statistics and facts in this article to make the right decisions for securing your digital landscape.
Phishing attacks have become a serious challenge to the security and privacy of individuals and organizations alike. They are deceptive, and victims can easily fall prey to them.
It is important to understand the scope and impact of this attack vector to prevent potential financial losses and implement effective security measures. Hence, in this article, we have provided a lot of facts and figures about phishing that will give useful insights into this threat vector.
Table of Contents
- What Exactly is a Phishing Attack?
- What is the Current State of Phishing Attacks in 2025?
- Top Phishing Attack Statistics
- Phishing Attack Stats and Facts with Notable Incidents
- Industry Sectors Most Impacted by Phishing Attacks
- Tips to Prevent Phishing Attacks
- To Wrap Up
What Exactly is a Phishing Attack?
Phishing is a kind of social engineering attack in which an attacker tries to trick a victim user into performing a specific action to gain some benefits. This attack aims to elicit sensitive information from the victim by making them believe that they are entering data on a legitimate platform.
Let’s understand this with an example. Suppose a user receives an email that looks like it is from a legitimate company and has an action-oriented heading. The user opens the email and clicks on the link provided in it. The user then enters the information requested on the linked page.
It results in compromised information because the email was a scam, and the user unknowingly shared their information with a bad actor. This is how a phishing attack happens.
What is the Current State of Phishing Attacks in 2025?
As per statistics, more than 3 billion phishing emails are sent every day, accounting for 1% of all email traffic. This shows that phishing has reached the level of a critical menace today. In fact, phishing causes more data breaches than any other type of social engineering attack, accounting for 73% of data breaches as per Verizon’s Data Breach Investigations Report 2024.
It becomes an even more dangerous threat vector as attackers impersonate reputed brands to dupe victims into opening such emails and clicking the links in them. Indeed, Microsoft holds the top spot as the most impersonated brand in malicious emails, as per Statista, followed by Adobe, DHL, and Google.
Associating the name of a reputed brand with a malicious email increases the likelihood that it will be opened, as victims believe it is from a trusted source. When victims open the email, they fall prey to a scam, resulting in compromised data, malware installation, or other security risks.
Phishing is among the top initial attack vectors for most data breaches as shown in the following image from IBM’s Cost of Data Breach report.
Top Phishing Attack Statistics
- Almost 57% of organizations worldwide face phishing attacks every week.
- The cost of a data breach affecting 10 million records is $50 million and the cost of 50 million compromised records is $392 million.
- There were 960,000 phishing attacks in the first quarter of the previous year.
- Nearly 3.4 billion phishing emails are shared daily, which is 1.2% of all emails.
- 55% of phishing websites impersonate a brand to steal sensitive information.
- 96% of organizations that were victims of phishing attacks were negatively impacted.
- In the US, phishing attacks were behind 36% of all data breaches.
- Nearly 83% of organizations face phishing attacks every year.
- The average cost of a phishing attack is around $4.91 million for organizations.
- 44% of people consider an email safe if it includes familiar branding.
- Phishing is a common method for injecting malware in 45% of the cases.
Phishing Attack Stats and Facts with Notable Incidents
Phishing attacks exploit human error to cause data breaches. Many incidents in recent history used phishing as the attack method.
Russia/Ukraine War
Phishing has been massively used in the Russia-Ukraine war. While Russia pursued cyberattacks to steal data, release malware, and cause blackouts, Ukraine has been leveraging cyberattacks to cause massive data breaches. Many fundraising scams also robbed money and sensitive data from individuals.
- Since the start of the war, Slavic-language phishing emails have increased sevenfold.
- Attackers impersonated legitimate domains with barely noticeable differences to make phishing attempts.
- Hacking groups tried to break into the email accounts of military personnel, which could allow access to valuable data.
COVID-19
The advent of the pandemic resulted in various phishing attacks that targeted innocents with scams, fake claims of donations, and more.
- Corona, virus, COVID, and quarantine were the top COVID-related keywords.
- Almost 2% of malware spam was related to the pandemic.
- Remote work was the reason for a security breach for nearly 20% of organizations.
- Corona anti-locker ultimate and other data-stealing malware were widespread during the pandemic.
Lapsus$ Extortion
The Lapsus$ group leveraged phishing to hack systems and steal sensitive information or valuable data from companies like Microsoft, Samsung, Nvidia, and Ubisoft.
2014 Sony Pictures Attack
Sony suffered both financial and reputational damage when attackers exfiltrated up to 100 terabytes of data in a security breach that began with phishing emails sent to executives. It cost the company $100 million.
Industry Sectors Most Impacted by Phishing Attacks
Attackers are not limited to a specific industry when it comes to phishing scams. In fact, statistics of phishing attacks show that different industries are impacted by this attack vector. Since the dependence on digital technologies is increasing across industries, they have become more susceptible to cyberattacks like phishing.
As threat vectors become more sophisticated, organizations need stronger defensive mechanisms to protect their web applications, APIs, and other digital assets. Organizations must invest resources in regular web application security testing and employee training on cybersecurity best practices to ensure a stronger security posture.
These measures can protect organizations from potential cybersecurity risks, including phishing, regardless of the industry they operate in. Today, phishing has emerged as the most critical security risk for different industries. The following image shows the industries most targeted by phishing.
Healthcare Sector
Healthcare has emerged as one of the prime targets of phishing scams with the growing digitization in this field. Patient information and healthcare records are among the most valuable assets that attackers can steal to commit fraud and identity theft.
Attackers can lure employees in healthcare sectors with phishing emails and gain unauthorized access to data or compromise the security of a healthcare application.
Healthcare Phishing Statistics:
- In the past few years, 90% of healthcare organizations have faced at least one security breach.
- Large hospitals are the prime targets of 30% of data breaches.
- There is a 75% increase in different types of cyberattacks, including phishing.
Retail/eCommerce
The online retail or e-commerce sector is a lucrative target for attackers as it offers high-value data. Attackers can use malicious emails or messages to deceive users by tricking them into revealing their sensitive information such as passwords, credit card numbers, addresses, and more. Phishing attacks can cause data breaches and financial losses to businesses.
- Phishing attacks have been experienced by 38% of retailers.
- 58% of retailers report an increase in phishing attacks.
- 15% of all attacks by cybercriminals target the retail sector.
Finance Sector
Finance is among the top three most targeted industries by phishing. Since attackers mostly look for financial gains, the finance sector becomes a primary choice to fulfill their desires. Attackers can dupe victims by sending scam emails to get their credentials or sensitive information to commit fraud.
Social engineering tactics like phishing are increasing in popularity among attackers to target financial businesses. In fact, social engineering, system intrusion, and miscellaneous errors account for 78% of data breaches in the financial industry.
Finance Phishing Statistics:
- 9.8% of phishing attacks targeted financial institutions in Q3 of the previous year, as per Statista.
- In the case of the finance sector, social engineering, like phishing, is the major cause of data breaches, with 78% of the incidents.
- Crelan Bank’s phishing attack was the largest heist among global financial institutions, standing at $75.8 million.
Education Sector
The next key target of phishing attacks is the education sector. Mostly, attackers attempt to gain access to high-value data such as addresses, identification documents, passwords, and more. The rising adoption of digital technologies has led to a sharp increase in cyberattacks in the education sector.
Attackers can leverage phishing scams to steal sensitive information and commit identity theft. In addition to personal data, they can also access intellectual property that universities may hold.
Phishing Statistics for Education:
- In terms of protecting against phishing attacks, the education sector ranks last.
- 30% of users fall for a phishing attack in the education sector.
- For K-12 schools, phishing was the most common source of threats, with 30% of cases in the previous year, as per a Forbes article.
Tips to Prevent Phishing Attacks
Email scams are widespread today, and they target both companies and individuals. If we look at the phishing email statistics, they cause more data breaches than any other social engineering tactic.
Phishing is a potentially dangerous attack vector that can result in significant business losses. Hence, you need to take the right steps to protect against this malicious threat. The following are some prevention tips that can help you mitigate the risks of phishing attacks.
Multi-Factor Authentication
Using multi-factor authentication can help minimize the risk of phishing. It adds another layer of protection to an account by requiring an extra authentication step before access is granted. So, even if the username and password are provided, the requested action will only be performed once the additional authentication is completed. Multi-factor authentication can help prevent 99.9% of automated attacks.
Email Security
A spam filter or secure email gateway is the first line of defense against phishing attacks. It evaluates outbound and inbound emails to detect junk mail, spam, or malicious attachments. These solutions can help protect against a wide range of email-borne threats effectively.
These solutions include anti-malware engines that detect malicious code. They also identify and block novel malware with behavior analysis, check email content to detect spam, and block known malicious IPs.
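The content check described above can be illustrated with the brand impersonation this article reports. The following is an added example, not code from ZeroThreat or any gateway product; the brand allow-list, the `assess` function, the 0.85 similarity threshold and the sample messages (using reserved `.example` domains) are all assumptions made for illustration.

```python
import email
from difflib import SequenceMatcher
from email.utils import parseaddr

# Brands this page names as most impersonated; the domain allow-list is an assumption.
BRANDS = {"microsoft": "microsoft.com", "adobe": "adobe.com",
          "dhl": "dhl.com", "google": "google.com"}
# Digit-for-letter swaps folded away before comparing names.
FOLD = str.maketrans("0135", "oles")

def registered_domain(addr):
    # Naive last-two-labels rule; production code should use the Public Suffix List.
    return ".".join(addr.rsplit("@", 1)[-1].lower().split(".")[-2:])

def assess(raw):
    """Return a list of reasons to treat the message as brand impersonation."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = registered_domain(addr)
    findings = []
    if domain not in BRANDS.values():
        label = domain.split(".")[0].translate(FOLD).replace("rn", "m")
        for brand in BRANDS:
            if brand in display.lower():
                findings.append(f"display name claims {brand}, sender is {domain}")
            if SequenceMatcher(None, label, brand).ratio() >= 0.85:
                findings.append(f"{domain} resembles {BRANDS[brand]}")
    # Only trust this header when your own receiving MTA wrote it.
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        findings.append("DMARC failed")
    return findings

# Constructed sample messages (not real traffic).
LOOKALIKE = ('From: "Microsoft Account Team" <security@micr0soft.example>\n'
             "Authentication-Results: mx.example.test; spf=pass; dmarc=fail\n"
             "Subject: Unusual sign-in activity\n\nVerify your account.\n")
DISPLAY_ONLY = ('From: "Google Security" <alerts@secure-mail.example>\n'
                "Authentication-Results: mx.example.test; dmarc=pass\n"
                "Subject: Alert\n\nReview now.\n")
GENUINE = ('From: "DHL Express" <noreply@mail.dhl.com>\n'
           "Authentication-Results: mx.example.test; dmarc=pass\n"
           "Subject: Shipment update\n\nYour parcel is on its way.\n")

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE), ("display-only", DISPLAY_ONLY),
                      ("genuine", GENUINE)]:
        print(name, assess(raw))
```

A message whose display name carries familiar branding but whose sender domain is unrelated is flagged even when DMARC passes, which is the case the "familiar branding" statistic above describes.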
Employee Training
Regular employee training can help reduce the chances of falling victim to a phishing scam. Train employees in secure data-handling practices and in how to identify phishing emails, to eliminate the loopholes that could arise at the staff level. Make your employees aware of the possible ways that phishing can take place.
To Wrap Up
As the cybersecurity landscape is changing constantly, you must be prepared to tackle the looming threats. While you can adopt robust cybersecurity measures to protect against potential threats, being aware of the dynamics of cybersecurity risks is also essential to building stronger defensive mechanisms.
The statistics on phishing attacks mentioned in this article help you understand the dynamics of this threat vector, enabling you to build a better defense strategy. Apart from strengthening your defense layers, you should also focus on continuous threat monitoring to identify potential security loopholes.
With a vulnerability scanner like ZeroThreat, you can thoroughly analyze your web apps and APIs to discover hidden security flaws and protect your digital landscape from various attack vectors.
Frequently Asked Questions
Is it true that 91% of cyberattacks start with a phishing email?
Yes, as per Deloitte’s press release, a phishing email is the stepping stone for cyberattacks in 91% of cases. Phishing tricks victims into clicking a link or entering information on a webpage that looks legitimate but is in fact a malicious scheme designed by an attacker to make them divulge passwords or other sensitive information.
What are the trends in phishing in 2025?
What are the most common phishing types?