Phishing is a type of cybercrime in which bad actors attempt to con you into clicking a link—usually sent via email or text message—and either downloading malware to your device or collecting sensitive personal information. In most cases, the criminals are out for your money or data they can use to steal your identity, which is why it’s important to recognize these tactics when they happen and to understand how common they are.
You might be wondering: Phishing attacks are part of what percentage of cyberattacks? The following statistics explain.
Most cyberattacks start with a phishing email
Phishing statistics show this is a common form of cyberattack:
- 94% of malware attacks originate from emails sent to victims, according to a 2019 Verizon study on data breaches.
- In 2020, 96% of social action cyberattacks arrived via phishing email.
- Cybersecurity company Trend Micro found that as many as 90% of attacks may come from spear phishing—a personalized scam in which thieves may spoof their email address or phone number to appear to be from a company or organization you trust.
- 22% of data breaches involve phishing, according to Verizon data from 2020.
- 59% of phishing attacks in North and South America are finance-related, according to a 2018 report from NTT Security.
- 48% of malicious email attachments are Microsoft Office files, according to Symantec data.
- The FBI’s Internet Crime Complaint Center recorded more than 240,000 American victims of phishing and related attacks in 2020, with a loss of more than $54 million to scammers.
- 15% of frauds reported to the FTC in 2020 began with an email, and victims lost an average of $400.
- Phishing attempts have exploded since the COVID-19 pandemic began in March 2020. Trend Micro reported 16.7 million high-risk email threats intercepted last year.
- The FBI has warned consumers about an uptick in fraud related to COVID-19 vaccines, including phishing emails that appear to be from insurance companies or medical providers.
- NTT Security reports pandemic-related phishing schemes target everything from healthcare to online shopping sites.
Exactly what percentage of cyberattacks start with a phishing email varies depending on how data is collected and analyzed, but experts generally agree that email accounts for the vast majority of phishing attempts—and phishing is a widely-employed form of cybercrime against the average consumer.
Greg Kelley, a cybersecurity expert at Vestige Digital Investigations, said one reason email is such a common medium for phishing scams: it’s cost-effective. Scammers can reach a large number of targets with very little investment and effort. Plus, there’s no voice interaction with email, so a criminal’s request may be more convincing than it would be over the phone.
Phishing scams may be very convincing, especially if email addresses have been spoofed to look legitimate. Tools like a reverse email search may help you identify who is really trying to contact you.
“Look at the email address of the sender and make sure it is accurate,” Kelley says. “Basically ignore the display name and scrutinize that email address.”
To try and lower your risk of becoming a victim, never click on links you receive via email or text, and always be skeptical of messages you receive—especially if the message sounds urgent.
Kelley says another common phishing tactic to watch out for is language like “click here to view this document or fax,” which may lead to a spoofed website (like Microsoft Office 365) that requires you to enter account login information.
“If you aren’t expecting a document from the alleged sender, give them a call to verify its accuracy,” he says.