Phishing Facts
Information security statistics every business should know.

Common and destructive.
Information security is paramount for all businesses, and phishing poses a serious threat. Below are some interesting phishing facts to support the need to address the phishing threat vector. Please share these critical information security facts with others.
74% of all security breaches involve the human element.
It takes less than 60 seconds for users to fall for a phishing attack.
95% of social engineering attack motivation is financially driven.
Statistic
Phishing was the 3rd most common initial access vector, involved in 17% of data breaches
Phishing emails reportedly succeeded in 35% of attempted attacks
Ransomware, often delivered via phishing, was present in 44% of data breaches
Phishing accounted for more than 30% of social engineering action varieties while pretexting held steady at 40%
Email comprised nearly 100% of the top action vectors within social engineering breaches
External actors account for 65% of breaches while internal actors account for 35% of breaches (up from 20% last year, but 73% of internally caused breaches were mistaken error)
The median time for users to fall for a phishing email is less than 60 seconds
20% of users reported phishing in simulation engagements, and 11% of the users who clicked the email also reported
Carelessness appeared in 98% of breaches, making it the most common error vector
Misdelivery (sending something to the wrong recipient) accounted for 43% of breach-related errors
Social engineering accounted for 17% of breaches and 10% of incidents
7% of data breaches resulted in a median loss of $26,000 (more than double the FBI's previous reported figure of $11,500 from 2021)
Phishing remains one of the four main entry points to an organization, accounting for more than 60% of all social engineering attacks
14% of business email compromises in the United States recovered none of their financial losses
95% of Business Email Compromise losses were between $250 and $984,855
Social Engineering was responsible for over 69% of breaches within the Public Administration sector
Almost 100% of social attacks in the Public Administration sector involved phishing
Social Engineering accounts for 86% of the breaches within the Mining, Quarrying, Oil & Gas Extraction, and Utilities industries
Within the manufacturing industry, over 75% of social engineering attacks involved phishing
67% of breaches can be attributed to human risk: credential threat, errors, and social attacks
Business E-mail Compromise (BEC) schemes resulted in an annual loss of approximately $1.8 billion for U.S. consumers and businesses
Phishing scams resulted in an annual loss of over $54 million for U.S. consumers and businesses
65% of attacker groups used spear phishing as the primary infection vector
29% of breaches involved use of stolen credentials
48% of malicious email attachments are Office files
64% of organizations have experienced a phishing attack in the past year
22% of organizations see phishing as their greatest security threat
77% of IT professionals feel their security teams are unprepared for today’s cybersecurity challenges
34% of organizations see careless or unaware employees as a vulnerability
70% of breaches associated with a nation-state or state-affiliated actors involved phishing
71.4% of targeted attacks involved the use of spear-phishing emails
66% of malware is installed via malicious email attachments
49% of non-point-of-sale malware was installed via malicious email
21% of ransomware involved social actions, such as phishing
Finance faced 59% of phishing attacks in the Americas
74% of cyber-espionage actions within the public sector involved phishing
82% of manufacturers have experienced a phishing attack in the past year
90% of incidents and breaches included a phishing element
In 2016, 89% of all attacks involved financial or espionage motivations.
30% of phishing messages were opened in 2016 – up from 23% in 2015.
95% of breaches and 86% of security incidents fall into nine patterns.
70% of cyber attacks use a combination of phishing and hacking.
63% of confirmed data breaches involved weak, default, or stolen passwords.
The top 3 industries affected by security incidents are public, information, and financial services.
50% of recipients open emails and click on phishing links within the first hour of them being sent.
Almost half of all phishing attacks registered in 2016 were aimed at stealing a target's money.
Phishing emails include fake notifications from banks, e-payment systems, email providers, social networks, online games, etc.
34.9% of all spear-phishing email was directed at an organization in the financial industry.
The number of spear-phishing campaigns targeting employees increased by 55%.
The APWG announced the number of observed phishing attacks in Q1 2016 was higher than any total since 2004.