Email security

Must know phishing statistics for 2021

Published on 30th Sep 2021
Phishing Statistics Collaboration 1440X253

While a lot of the world came to a standstill in 2020, the one thing that didn't slow down was phishing attempts on businesses. And it’s carried on well into 2021 – so here are the headline stats you need to know.

Important phishing statistics for 2021

One of the most common goals of phishing is to get hold of login details. According to IBM's 2021 Cost of a Data Breach Report, stolen user credentials were the most common attack method for attackers:

  • 85% of phishing attempts went after user credentials
  • 20% of data breaches started with compromised user credentials
  • 82% of users admit they reuse passwords across various accounts

When hackers get hold of user credentials, it can give them additional leverage for further damaging attacks: 

  • 44% of these types of breach exposed customer personal data
  • PII (personal identifiable information) costs $180 per stolen record
  • It takes approximately 250 days to detect breaches resulting from compromised user credentials

Frequency of phishing attacks

According to the FBI, phishing attempts nearly doubled in 2020 compared to 2019.

In addition, Verizon's 2021 Data Breach Investigations Report notes that phishing played a factor in 36% of data breaches.

Most popular phishing attack methods

So how are these attacks occurring? Here's a rundown of the most popular phishing methods employed by cybercriminals.

Financial cost of phishing attacks

Phishing now costs US companies an average of $14.8m per year.

According to IBM’s Cost of a Data Breach report, companies have spent $4.24 million on data breach costs through 2021, up from $3.86 million in 2020.

Companies that undertook security mitigation efforts to prevent phishing attacks and other cyber threats benefited by:

  • Saving up to $3.81 million by implementing security AI
  • Spending $1.76 million less by rolling out zero trust security policies
  • Containing breaches 77 days faster with cloud modernization strategies

Industries most vulnerable to phishing attacks

Here's a rundown of those considered most vulnerable to phishing attacks based on company size, according to KnowBe4's Phishing By Industry 2021 Benchmark Report:

Large companies

  • Technology – 60%
  • Healthcare and Pharmaceuticals – 49%
  • Manufacturing – 47%

Medium companies

  • Construction – 50%
  • Healthcare and Pharmaceuticals – 49%
  • Business Services – 44%

Small companies

  • Healthcare and Pharmaceuticals – 45%
  • Education – 42%
  • Manufacturing – 41%

Operational cost of phishing attacks

90% of ransomware attacks are delivered by email phishing, when that happens:

  • The average ransom payment is around $200,000
  • The largest paid was $40m
  • Companies experience approximately 21 days of downtime 

There's also a human cost of phishing attacks...

Top three most damaging phishing attacks of 2021 (so far)

  1. Microsoft Office 365 –  Organizations using Office 365 were targeted by emails designed to bypass phishing safeguards. They appeared to come from legitimate domains and encouraged users to enter their credentials.
  2. Revere Health Data Breach – A hacker claiming to be from the US Agency for International Development (USAID) sent an email to an employee at Revere Health that contained a malicious link. When the employee took the bait, they ended up providing the attacker with valid login credentials. The cyberattacker went on to steal information on more than 12,000 cardiology patients. 
  3. UC San Diego Health – A phishing attack ended up compromising the accounts of some UC San Diego Health employee emails accounts. That led to a data breach that exposed the information of students, patients, and other employees.

Most impersonated brands in 2021

According to Check Point's Brand Phishing Report, Microsoft continued to be the most spoofed brand. Forty-five percent of phishing spoofs tied back to them in Q2 2021:

  • Microsoft – 45%
  • DHL —26%
  • Amazon —11%
  • Best Buy — 4%
  • Google — 3%  

One popular method involved a phishing email sent to those with a Microsoft account. The email warned users that their email account had expired, and they needed to click on a link to fix the issue.

However, if they did take the bait, the unsuspecting victim got lured to a fake Microsoft login website that encouraged them to key in their Microsoft account credentials.

Phishing websites

Google has issued nearly four million warnings about potential phishing sites as of September 19, 2021.

As noted above, Microsoft and other big corporations tend to be cybercriminals' favorite when setting up fake websites. Kaspersky notes that they tend to try and attract users by sending fake Microsoft Team notifications or links to fake SharePoint sites.

Other popular targets included US government agencies thanks to programs to help people during the COVID-19 pandemic. For example, users typically received emails that lured them to a fake Treasury department website where they were asked for bank or credit card details.

Interested in learning more about the dangers of phishing and how to stop it? Check out our dedicated phishing information hub.


What are phishing attacks?

Phishing attacks are any online attempt to get you to give up pertinent information that could lead to theft of credentials, financial loss, or other consequences.

What are some popular methods of phishing attacks?

Hackers like to send spoof emails, set up fake websites, and try to contact you through social media.

What industry tends to be most vulnerable to phishing attacks?

Healthcare and pharmaceuticals.

How much do US companies pay because of phishing attacks?

$14.8 million per year.

What is the human cost of phishing attacks?

Twenty-three percent of organizations ended up separating from employees who were the victims of phishing attacks.

You might also be interested in ...

Email security
What is a business email compromise attack?

Learn how to recognise and prevent business email compromise (BEC).

Email security
What exactly is whaling?

What is a whaling attack, and how can you avoid it? Here's all you need to know.

Microsoft Email Scams 555X300
Email security
Microsoft 365 email scams to watch out for

Learn the latest phishing tactics cybercriminals are using to target Microsoft 365 users.