Must-know phishing statistics - updated for 2023

by Egress
Published on 16th Jan 2023
Statistics Data Info 1003X250 39Kb

Over the last couple of difficult years, businesses worldwide have been forced to accelerate their adoption of new technologies and IT security – and the cybercriminals have been just as fast to catch up. Here are some headline stats about phishing that you need to know for 2023.

Important phishing statistics for 2023

According to IBM's 2022 Cost of Data Breach Report, the use of stolen or compromised credentials remains the most common cause of data breaches. They were the primary attack vector in 19% of breaches this year – a tiny drop from 20% in 2021. The report also states:

  • Stolen or compromised credentials were the primary attack vector in 19% of data breaches this year.
  • 2022 has seen a tiny drop in this statistic from 2021, wherein stolen or compromised credentials were the primary attack vector in 20% of breaches.
  • Breaches caused by stolen or compromised credentials had an average cost of $4.5m. 
  • This type of breach had the longest life cycle – 243 days to identify the breach and 84 to contain it.
  • This length of time is 16.6% greater than the overall mean time for identifying and containing a data breach.
  • Phishing was the second most common cause of breaches at 16%, costing $4.91m.

Frequency of phishing attacks

IBM's 2021 research cited a 2% rise in phishing attacks between 2019 and 2020, partly driven by COVID-19. CISCO's 2021 report echoed this, stating that at least one person clicked a phishing link in around 86% of organizations.

These attacks seem to be getting more frequent into 2022, too. In the first quarter of 2022, the Anti-Phishing Working Group (APWG) observed 1,025,968 total phishing attacks. This is the first time the quarterly total has exceeded one million, making it the worst quarter APWG has ever observed.

Most popular phishing attack methods

Cybercriminals are becoming more resourceful than ever, but education can go a long way to protecting against their attacks. Here's a rundown of some of their most common targets and methods.

  • Web applications and email servers are the top two assets impacted by breaches.
  • The biggest category of phishing is targeted toward webmail and SaaS users. These attacks account for 34.7% of phishing attempts.
  • APWG recorded 1,025,968 phishing attacks in Q1 of 2022.
  • Phishing attacks against social media sets rose from 8.5% of all attacks in Q4 of 2021 to 12.5% in Q1 of 2022.
  • Around 65% of cybercriminals have leveraged spear phishing emails as their primary attack vector.
  • In 2021, almost 40% of breaches featured phishing, 11% involved malware, and around 22% involved hacking.
  • 94% of malware is delivered via email.

Financial cost of phishing attacks

IBM's 2022 Cost of Data Breach Report found that the average cost of data breaches rose from $4.24m in 2021 to $4.35m in 2022. 

The report also advised on some great ways to prevent phishing attacks, including:

  • Adoption of security tools that centralize data security operations.
  • Create an incident response (IR) team and test the IR plan. Breaches at organizations with IR teams that regularly test their plan saw $2.2m in savings compared to those without an IR team or plan.
  • Routinely test the IR plan through tabletop exercises or simulated breach scenarios.

Industries most vulnerable to phishing attacks

Data from Statista shows just how vulnerable certain industries can be to phishing attacks. The online sectors most targeted in Q1 of 2022:

  • Financial - 23.6%
  • Software-as-a-Service - 20.5%
  • E-commerce - 14.6%
  • Social media - 12.5%
  • Cryptocurrency - 6.6%
  • Payment - 5%
  • Logistics - 3.8%

In addition to this, IBM found the healthcare industry suffered the most in terms of the cost of a breach from a successful phishing attack.

Operational cost of phishing attacks

With the increasing frequency of phishing, there's a huge operational cost associated with dealing with these attacks. According to IBM, 28% of organizations experienced a destructive or ransomware attack in 2022, while 17% have suffered a breach thanks to a business partner being compromised.

The average cost of ransomware attacks is $4.54m in 2022 and takes, on average, 326 days to complete its life cycle from being identified to being contained. This is enormously wasteful in terms of time and productivity.

Top three most damaging phishing attacks of last year

  1. Russia/Ukraine hacking
    As part of its ongoing war on the nation, Russia has aggressively pursued digital attacks against Ukraine. These attacks have stolen data, caused blackouts, and released malware. In response, Ukraine has been fighting back via custom malware, causing massive data breaches.
  2. Lapsus$ extortion
    The group Lapsus$, well known for digital extortion since December 2021, went on a hacking spree at the beginning of this year, relying largely on phishing. It has been stealing valuable and sensible data from some of the biggest organizations in the world – including Samsung, Microsoft, Ubisoft, and Nvidia – before leaking it for money-making purposes. Eventually, the activity peaked in March when Lapsus$ announced it had leaked Microsoft Bing and Cortana source code.
  3. Conti paralyzes Costa Rica
    Another gang, Conti, attacked Costa Rica's Ministry of Finance, which crippled the nation's import and export businesses. This attack has since cost Costa Rica millions of dollars, and the issue was declared a 'national emergency.' This is the first time a national emergency has been called over a ransomware attack.

Most impersonated brands of the past year

This year's most impersonated brand is Facebook, representing 14% of all phishing pages. This type of phishing tends to involve falsified security alerts and password reset requests to redirect victims to a phishing site aimed at stealing credentials. 

Microsoft is the second most impersonated, at 13%. Other highly-impersonated brands include Adobe and Netflix.

Phishing websites

The Anti Phishing Working Group's research found that phishing attempts had tripled since 2020, which isn't a surprise when 214,345 phishing websites were identified in 2021. 

Cybercriminals tend to target larger organizations because people are trusting of their logos – which are easy to steal. Other popular targets include government agencies, which is a particularly prominent issue given the rise of programs aimed at helping people during the COVID-19 pandemic. For example, over the last couple of years, users have typically received emails that lure them to a fake treasury department website where they are asked for bank or credit card details.

Interested in learning more about the dangers of phishing and how to stop it? Check out our dedicated phishing information hub.

How much do US companies pay out to phishing attacks?

Phishing is one of the leading causes of data breaches, and IBM's 2022 Cost of Data Breach Report found that the average cost of data breaches rose from $4.24m in 2021 to $4.35m in 2022. 

What is the human cost of phishing attacks?

23% of organizations ended up separating from employees who were the victims of phishing attacks.

You might also be interested in ...

What's the goal of business email compromise (BEC)?

Learn what makes business email compromise such a lucrative form of phishing for cybercriminals. 

Ransomware: 2023's top attacks and need-to-know stats

Learn more about the 2023 stats surrounding ransomware.

Examples of business email compromise (BEC) attacks

Learn about some of the biggest BEC attacks from across the globe, and find out how cybercriminals target their victims.