Phishing Statistics: What Every Business Needs to Know
Phishing attacks are on the rise, and they’re more sophisticated than ever.
The reason these types of attacks are on the rise is because they’re extremely profitable for perpetrators.
And with the average cost of a phishing attack costing a mid-size company $1.6 million, it can be a death blow for businesses that don’t put in the necessary protections against a potential attack.
The average cost of a phishing attack for mid-size companies?
So, let’s start with the basics: What is a phishing attack?
What is a Phishing Attack?
A phishing attack, or a phishing scam, is when a criminal sends an email pretending to be someone (ex. the CEO of your organization) or something he’s not (ex. Google), in order to extract sensitive information out of the target.
Essentially, the perpetrator attempts to elicit fear, curiosity, and/or a sense of urgency out of the target, so that when the target is prompted to open an attachment or fill in their sensitive information, like a username, password, or credit card number, they are likely to acquiesce.
Here’s an example of a recent Gmail phishing scam that targeted nearly 1 billion Gmail users worldwide:
While this looks exactly like a Gmail sign-in form, the URL is slightly changed. Filling in this form would give a hacker full access to your Gmail account.
The Gmail scam is what happens when a criminal wants to cast a wide net and increase his or her chances of locating individuals who are susceptible to an attack.
However, there are more targeted attacks, which are referred to as spear phishing.
As the name suggests, spear phishing is used when a criminal is targeting either one, or a limited number of people using a more personalized approach. A spear phishing attack can be highly effective, because the perpetrator can use tailored language to each individual.
Imagine if your “CEO” emailed a few people and sent them a meeting invite through Gmail, and the link in the email prompted the users to sign-in to Gmail to attend the meeting.
While the idea is the same — using a malicious link to phish sensitive information — spear phishing allows the criminal to contextualize the attack in a way that creates more urgency and intends to get the target to let their guard down.
Phishing Statistics your Business Needs to Know
To protect yourself and your organization from an inevitable attack, it’s important to have an understanding of the full phishing ecosystem.
Who is being phished?
- According to PhishMe’s Enterprise Phishing Resiliency and Defense Report, phishing attempts have grown 65% in the last year.
- According to Wombat Security State of the Phish, 76% of businesses reported being a victim of a phishing attack in the last year.
- According to the Verizon Data Breach Investigations Report, 30% of phishing messages get opened by targeted users and 12% of those users click on the malicious attachment or link.
- According to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing.
- According to Symantec, phishing rates have increased across most industries and organization sizes — no company or vertical is immune.
- According to the Webroot Threat Report, nearly 1.5 million new phishing sites are created each month.
If you think your organization is safe from a phishing attack because you haven’t yet been targeted, think again.
Your employees remain your organization’s weakest security link.
Many, if not all, of your employees are unlikely to be able to spot a phishing email — according to Intel, 97% of people around the world are unable to identify a sophisticated phishing email.
What does a successful attack mean for your business?
In short, it’s pretty devastating.
- According to Deloitte, one-third of consumers said they would stop dealing with a business following a cyber-security breach, even if they do not suffer a material loss.
- According to Aviva, after your company is breached, 60% of your customers will think about moving and 30% actually do.
Your brand image, and the brand trust that you’ve worked so hard to build up, can be obliterated if news of a data breach surfaces to the public.
Thankfully, defending against an attack is possible with dedication, buy-in, and resource allocation for defense tools.
3 Ways to Keep Your Business Safe
- Increase employee security awareness. As is typical when it comes to securing your organization, keeping employees apprised of the latest security attack types and how to defend against them is a surefire way to limit breach scenarios.
According to PhishMe, susceptibility rates (how susceptible a business is to a phishing attack) are as low as 5% when employees are well-trained, and phishing tests are executed and reported on correctly.
- Invest in a security awareness and phishing defense tool. Companies like PhishMe and KnowBe4 have a number of tools, both free and paid, that you can leverage to help increase employee awareness and decrease the likelihood of a successful phishing attack against your organization.
- Invest in a business password manager. While clicking links or attachments can often spell doom for your employees with regards to a phishing scam. Oftentimes, criminals use links to lead employees to spoofed pages of popular sites in order to gain access via employees’ usernames and passwords.
Using a password manager extinguishes this possibility. A strong password management solution uses auto-login and auto-fill technology to analyze a webpage before filling in a user’s sensitive information. If a user has credentials for Gmail.com, and a criminal sends a user to a fake Gmail.com domain, the password manager will automatically recognize the change in the URL and prevent auto-fill or auto-login. Aside from the benefits of phishing prevention, a password manager enables employees to have strong and unique passwords everywhere, which limits the attack surface for hackers.
Interested in learning more about how a password manager can aid in phishing prevention, and how it can be a core tool in overall data breach prevention?