Phishing Attacks by the Numbers: Prevalence, Costs and Impact

Phishing attacks happen when a cybercriminal uses social engineering to make the victim think that he's someone or something he's not. The hacker might pose as your company's CEO or your bank, and try to get you to turn over a confidential file or password.

For instance, you might receive an e-mail stating that there is something wrong with your bank account, with a link to a webpage that looks very much like your bank's. Without thinking, you enter your username and password into the provided box. The cybercriminal will log your credentials and then use it to access your legitimate account.

Phishing comes in many forms, and it often involves a wide variety of communication channels. They could even call you, or talk to you in an instant messaging application. No matter what channel is used, the attacker will try to scare or rush you into doing something that you will regret later on. Others will take advantage of your curiosity to victimize you.

The Most Common Types of Phishing Attacks

One of the reasons why phishing attacks are so successful is that they’re always evolving. There is always a new kind of phishing e-mail going around every day. But what are the most common types of phishing scams?
  1. Sending out e-mails with a link to a malicious website where you would be asked for sensitive information. For example, spoofing an e-mail from your bank, which contains to a link to a phishing site that is made to look like your bank's website.
  2. Installing a backdoor using files attached via e-mail. This backdoor can then be used by the hacker to gain access to your workstation and the company's network.
  3. Sending an e-mail from a spoofed address. Sometimes you get an e-mail from the "boss" asking you to turn over some confidential files. What you do not realize is that the "boss" is not your employer, but a hacker.
  4. Getting company information over the phone by social engineering. Some hackers pose as a supplier, a superior, or the IT department to coax sensitive information out of you.
  5. There are also phishing attacks where cybercriminals add some code or program to your website to capture details and information about your site visitors.
  6. Man-in-the-middle phishing attacks, wherein attackers put themselves in between your customer and your website to get all the information they need.
The common thread in all of these scams is that the attacker is capitalizing on three very human traits: fear, carelessness, and being too busy. We are often so swamped with work that we do not read the e-mail first and then look at the URL behind the link before clicking. The best practice, of course, is to type out the Internet address ourselves.

Some people get too confident to the point of being careless. Then there are those phishing attacks that are ingenious, such as phishing sites that substitute the number 1 for the small letter L, such as having a site name instead of

Others act rashly because of fear. Seeing an e-mail from the FBI or the IRS, they often panic and fall victim.

What’s more, phishing attacks are evolving, so there is always something new that happens every day. This makes preventing phishing scams even more challenging.

What the Numbers Say: Phishing Attacks Are More Prevalent, Getting Bolder

Phishing attempts are very rampant today. According to the PhishMe Enterprise Phishing Resiliency and Defense Report, there were 65 percent more phishing attempts in 2017 than the year before. How many of these attempts succeed? The exact number will be difficult to ascertain for two reasons:
  1. The first is that some companies detect the phishing attack and try to contain it without involving the authorities or notifying outsiders about the breach. In this scenario, there are two things that happen. The company resolves the issue and secures all their networks, devices, computers, and other resources that were affected by the attack. In this case, the company would have fewer reasons to report the attack. For others, they have no choice but to divulge the attack because they were not able to fight it.
  2. The second reason why fewer companies report a phishing attack is that they do not realize they were hit until months or even years after they were first breached.
But the estimates give you a more sobering picture. Wombat Security’s State of the Phish reports that a little more than three out of four businesses, or 76 percent, reported being a phishing victim in 2017. Imagine this: there are 1.5 million new phishing sites being created every month.

Here's another interesting statistic: Kaspersky Lab has an anti-phishing system. In 2017, this software alerted users about possible phishing scams more than 246.23 million times. Phishing takes on two forms. One is where the cybercriminal casts a wide net to victimize more people with just one attack. For instance, a phishing scam might target millions of e-mail users, such as all those using Yahoo Mail. The hackers will create a page that looks like Yahoo Mail's login page and send an e-mail to users telling them their accounts were breached.

Then you also have spear phishing, which targets certain individuals or specific companies. For instance, the hacker wants to infiltrate Facebook, so they identify people within the company that they could victimize. You may think that only fools fall victim to phishing attacks. Think again.

In the old days, one of the best and easiest ways for a hacker to gain access to a network is by sending infected files, such as malware or viruses to the targets. But because antivirus programs are getting better and better, these malicious files are now frequently detected before they can do damage.

These days, 95 percent of all attacks done on corporate networks are because of successful spear phishing. Only five percent comes from other sources, says the SANS Institute.

Phishing sites are evolving

Adding to the problem is that phishing sites are evolving. In the past, a good way to defeat cybercriminals was to make sure you are visiting a HTTPS site. Not anymore. In 2016, only one in every 20 phishing sites had an HTTPS certificate. That number quadrupled in 2017, with 20 percent of phishing sites having an HTTPS address. That number continues to rise.

Working with a software as a service provider will not help you, either. There were more than 237 percent more SaaS-targeted attacks in 2017, compared to the year prior.

No company too small or too big

What types of companies are targeted by phishing scams and who falls victim to them? Symantec says that it doesn’t matter how big or small your company is, you are not safe from phishing. But here's the thing, Intel says that almost all employees cannot detect a sophisticated e-mail. The company puts the number at 97 percent.

How does a phishing attack affect you?

If you fall victim to an attack, you will be expected to clean up and secure everything once again. Estimates say that midsized companies pay an average of $1.6 million to handle a phishing attack. But that is just the tip of the iceberg; the bigger problem lies in the fact that you will lose customers faster than you can acquire new ones. Deloitte reports that one in every three consumers will drop your company like a hot potato if your company suffers from a cyber-security breach. This number holds true even if they do not suffer from financial losses because of the breach.

Aviva, on the other hand, has a more depressing figure: they say that six out of every 10 customers will have second thoughts about doing business with your company and start entertaining notions of moving to a competitor. One in every three will actually give their business to somebody else.

Business e-mail compromise

Business e-mail compromise is when hackers gain control of your employees' e-mail accounts, allowing them to send e-mails from legitimate addresses. In 2018, the Federal Bureau of Investigation reported that companies all around the world lost $12.0 billion because of business e-mail compromise.

In the first half of 2018, AppRiver reports that more than a million business e-mail compromise messages were detected by their system. That's nearly double the 653,000 figure they reported in the same period a year before.

Statistics Showing 5 Phishing Trends for 2019 - infographic

How to Prevent Phishing Attacks

Digital Guardian has put together suggestions from leading security experts on how to fight against phishing in this post. Here are the most common suggestions offered by the pros:
  1. Educate your employees on what phishing is, how it is commonly carried out, and what to look for. They should also know what to do when they fall victim to a phishing scam, such as knowing who to notify or alert. This should be an on-going training – with updated information about new phishing methods. Educating your employees is very important because people are the weakest link in any InfoSec scenario. But first, you should really evaluate how vulnerable you are. There are a lot of software products now that allow you to simulate a phishing attack. These software applications will send a mock phishing e-mail to your employees and then show you statistics on who fell prey. This process can also help you know how effective your training is.
  2. Install all the necessary protections, such as having an antivirus and antimalware software installed. If possible, make sure that SPAM and other e-mail filters are in place. This way, you help minimize the number of phishing attempts that goes through your employees.
  3. You should also have a security policy in place that includes everything – including setting up a strong password and encouraging employees to change their password often.
  4. Encrypting your company's sensitive information will help. Cybercriminals might social engineer their way to getting their hands on confidential files, but if it is encrypted, they will have a harder time reading it.
  5. Consider disabling HTML e-mails and using only text e-mails.
  6. Require additional encryption for employees who work outside the office.
  7. Institute a Web filter that will block out phishing sites.
  8. It may prove to be inconvenient for some employees, but you should insist on two-factor authentication. With this in place, you can be sure that even if a hacker is able to get your employee's user name and password, they still would not be able to access their e-mail accounts and other resources.
  9. Another thing that you should remember is that phishing attacks are not limited to just e-mail. Cybercriminals can call you on phone; they can even come up to you on the street. They can pose to be anyone from the janitor to the CEO. Essentially, if you want to stop being a victim, you should trust no one.
In effect, the fight against phishing revolves around two major things:

Having sound security policies that sets rules on how to handle e-mails that are out of the ordinary and suspicious.

Educating your employees.

The Most Important Number About Phishing That You Should Know: 1

While there are a lot of staggeringly high numbers in phishing, such as 246 million triggers on the Kaspersky system, 97% of employees not being able to distinguish a phishing e-mail, and others, the most important number to remember is the number one.

One. The number of employees it takes to expose you and your company to both financial loss and reputation damage. Hackers only need one employee to take the bait. One person to click on that malicious link. One person to send them that confidential file.

The thing with phishing attacks is that they can easily be foiled. Educating your employees on what the most common types of attacks are, as well as how to detect them is one step. Having the right software and filters in place is another. And lastly, having sound policy will all help keep you and your company safe from phishing attacks.

Phishing Attacks by the Numbers: Prevalence, Costs and Impact

Read Next: Study reveals the top subjects, attachment types and keywords used in malicious emails (sent by cyber hackers)
Previous Post Next Post