Common and destructive.

Information security is paramount for all businesses, and phishing poses a serious threat. Below are some interesting phishing facts to support the need to address the phishing threat vector. Please share these critical information security facts with others.

74% of all security breaches involve the human element.

It takes less than 60 seconds for users to fall for a phishing attack.

95% of social engineering attack motivation is financially driven.

Statistic

Phishing accounted for more than 30% of social engineering action varieties while pretexting held steady at 40%
Email comprised nearly 100% of the top action vectors within social engineering breaches
External actors account for 65% of breaches while internal actors account for 35% of breaches (up from 20% last year, but 73% of internally caused breaches were the result of mistakes)
68% of breaches involved mistaken human element errors
The median time for users to fall for a phishing email is less than 60 seconds
20% of users reported phishing in simulation engagements, and 11% of the users who clicked the email also reported it
Carelessness appeared in 98% of breaches, making it the most common error vector
Misdelivery (sending something to the wrong recipient) accounted for 43% of breach-related errors
86% of breaches involved the use of stolen credentials
Social engineering accounted for 17% of breaches and 10% of incidents
7% of data breaches resulted in a median loss of $26,000 (more than double the FBI's previously reported figure of $11,500 from 2021)
24% of breaches had a ransomware component
95% of data breaches were financially driven
74% of breaches involved the human element
82% of breaches involved the human element
35% of ransomware attacks are delivered via email
Phishing remains one of the four main entry points to an organization, accounting for more than 60% of all social engineering attacks
14% of business email compromises in the United States recovered none of their financial losses
95% of Business Email Compromise losses were between $250 and $984,855
85% of breaches involved the human element
35% of breaches in North America involved social engineering
70% of breaches in Asia Pacific involved social engineering
Social Engineering was responsible for over 69% of breaches within the Public Administration sector
Almost 100% of social attacks in the Public Administration sector involved phishing
Social Engineering accounts for 86% of the breaches within the Mining, Quarrying, Oil & Gas Extraction, and Utilities industries
Within the manufacturing industry, over 75% of social engineering attacks involved phishing
67% of breaches can be attributed to human risk: credential threat, errors, and social attacks
46% of organizations received malware via email
96% of social attacks arrive via email
86% of breaches were financially motivated
28% of breaches involved small businesses
27% of malware incidents involved ransomware
22% of breaches involve social attacks
Business E-mail Compromise (BEC) schemes resulted in an annual loss of approximately $1.8 billion for U.S. consumers and businesses
Phishing scams resulted in an annual loss of over $54 million for U.S. consumers and businesses
33% of breaches included social attacks
65% of attacker groups used spear phishing as the primary infection vector
29% of breaches involved use of stolen credentials
48% of malicious email attachments are Office files
94% of malware was delivered via email
64% of organizations have experienced a phishing attack in the past year
22% of organizations see phishing as their greatest security threat
77% of IT professionals feel their security teams are unprepared for today’s cybersecurity challenges
34% of organizations see careless or unaware employees as a vulnerability
59% of phishing attacks in the Americas relate to finance
70% of breaches associated with nation-state or state-affiliated actors involved phishing
71.4% of targeted attacks involved the use of spear-phishing emails
66% of malware is installed via malicious email attachments
49% of non-point-of-sale malware was installed via malicious email
43% of all breaches included social tactics
93% of social attacks were phishing related
28% of phishing attacks are targeted
21% of ransomware involved social actions, such as phishing
Finance faced 59% of phishing attacks in the Americas
74% of cyber-espionage actions within the public sector involved phishing
82% of manufacturers have experienced a phishing attack in the past year
90% of incidents and breaches included a phishing element
In 2016, 89% of all attacks involved financial or espionage motivations.
30% of phishing messages were opened in 2016 – up from 23% in 2015.
95% of breaches and 86% of security incidents fall into nine patterns.
70% of cyber attacks use a combination of phishing and hacking.
63% of confirmed data breaches involved weak, default, or stolen passwords.
The top 3 industries affected by security incidents are public, information, and financial services.
50% of recipients open emails and click on phishing links within the first hour of them being sent.
Almost half of all phishing attacks registered in 2016 were aimed at stealing a target's money.
Phishing emails include fake notifications from banks, e-payment systems, email providers, social networks, online games, etc.
34.9% of all spear-phishing email was directed at an organization in the financial industry.
The number of spear-phishing campaigns targeting employees increased by 55%.
The APWG announced the number of observed phishing attacks in Q1 2016 was higher than any total since 2004.