Must-know phishing statistics for 2024

Egress | 19th Jan 2024

Over the last couple of difficult years, businesses worldwide have been forced to accelerate their adoption of new technologies and IT security – and cybercriminals have been just as fast to catch up. Fresh from our latest report, here are some headline stats about phishing that you need to know for 2024.

Important phishing statistics for 2024

According to our recently published Email Security Risk Report 2024, the top three most common phishing attack types are malicious URLS, attacks sent from compromised trusted third-party accounts and malware or ransomware.

We surveyed 500 cybersecurity professionals to aggregate these statistics.

The report also states:

  • 94% of organizations were victims of phishing attacks and 96% of those were negatively impacted by it.
  • In 74% of organizations, the employees involved were disciplined, dismissed, or voluntarily left.
  • 58% suffered from account takeover attacks.
  • 79% of those attacks started with a phishing email and 83% had multi-factor authentication (MFA) that was bypassed for the attack to succeed.
  • 61% of Cybersecurity leaders say the use of chatbots in phishing keeps them awake at night.
  • 91% have concerns with their SEG and 90% with their static DLP rules.

Administrative cost of phishing attacks

There was an organizational cost for 79% of the companies we surveyed. Phishing hurt the bottom line in 64% of instances. Financial loss related to customer churn was the most common outcome at 47% of the companies we surveyed.

Reputational damage was cited as causing pain in 42% of companies, as businesses navigated the impact with both suppliers and customers. 22% saw lengthy remediation processes and 14% suffered legal repercussions, including litigation.

AI and phishing

It’s impossible to discuss phishing in 2024 and not mention the use of artificial intelligence. The use of large language models (LLMs) and generative AI allow cybercriminals to create targeted phishing email templates easily. They can also generate malware using AI.

Cybersecurity leaders are concerned about the use of AI in sophisticated email attacks, with 63% concerned about the creation of deepfakes, 61% worried about AI chatbots being used to draft phishing emails and 52% thinking about use of AI in supply chain compromise. A further 47% are worried about the use of AI as a tactic for account takeover.

Data loss & exfiltration stats

  • 94% experienced incidents caused by data loss and exfiltration, an 8% increase from last year’s report.
  • 51% of organizations had information barriers breached.
  • 91% of organizations experienced negative fallout.
  • 67% of the people involved were impacted.
  • 57% experienced financial losses in some capacity.
  • 46% saw revenue lost from customer churn.
  • 40% saw damage to their company’s reputation.

The employees involved were disciplined in 51% of data loss and exfiltration instances. In 24%, the employees involved were fired and in 19%, those involved left voluntarily.

The negative impacts of breached information barriers

Every organization that had its internal information barriers breached experienced disruption and damage. Over half (58%) had to cease operations while incidents were investigated, impacting organizational efficiency and the bottom line. In 49% of organizations, client relationships were damaged from breached confidentiality, and just under one-quarter (22%) lost customers.

Limitations of perimeter technology

Of the cybersecurity leaders we surveyed:

  • 91% expressed frustration with their SEG.
  • 87% are considering or have already replaced their SEG.
  • 90% are concerned about the limitations of static email DLP.
  • 91% worry about the effectiveness of traditional training.

Outbound email security is a manual process driven by administrators. 94% use static email DLP rules and 51% detect breaches by reviewing audit logs. Of those using static rules, 100% of participants expressed frustration with them, with the most common complaint being the need to alter rules to make them more usable for employees. Cybersecurity leaders also mentioned that these systems need a high level of administrative overhead to maintain.

Security awareness training (SAT)

Of the cybersecurity leaders we surveyed:

  • 100% conduct SAT.
  • 59% train employees weekly or monthly.
  • 30% conduct SAT quarterly.
  • 8% do SAT programs twice per year.
  • Just 3% run SAT programs annually.
  • For 88%, meeting compliance requirements is a primary driver for their SAT programs.

When it comes to personalization, most organizations only offer a limited degree of personalization within their SAT programs, with 74% using either out-of-the-box modules or tailoring based on the organization’s industry. Only 19% of organizations deliver SAT programs that reflect on the department or team that employees work in, and just 9% tailor to each individual employee.

91% of the Cybersecurity leaders we surveyed expressed doubts about the effectiveness of their traditional SAT programs. The top concerns that they expressed on the back of that were that employees skip through the training and do not engage fully and that they find it annoying.