Phishing is a cyber threat that uses deceptive messages to trick end users into handing over credentials or other sensitive data, or to infect their devices with malware.
It used to be found mainly in email, but now phishing can include text messaging, voicemail, and social media sites. In a phishing attack, someone sends you a message and pretends to be from a legitimate entity. They may pose as someone from your bank, an insurance company, or a coworker.
Some phishing attempts can be easily spotted, but others are becoming more sophisticated, causing these attacks to become more and more successful. With that in mind, here are some of the most alarming phishing statistics to be aware of.
91% of cyber attacks start with phishing
You may have been influenced by movies to believe that hackers sit in dark rooms all day typing complex code. But the truth is, most hackers don’t need much code at all. They can get the information they need straight from the source – you.
In fact, 91% of all types of cyber attacks start with phishing. That undercuts the assumption that cyber attacks only happen to businesses with weak security. Every business is exposed to phishing, because the attack starts with a human, not with a system vulnerability.
It can take over 140 days to recognize & report a phishing attack
Phishing attacks are often subtle, and employees aren’t aware of the attack until it’s far too late. In some cases, it can take nearly 5 months for businesses to recognize and report problems with phishing. By that time, your company may have already lost hundreds — if not thousands — of dollars to hackers (either through loss of data or actual siphoning of money).
However, one study showed that by training employees to report suspicious emails, security teams were able to reduce the response time to less than 90 minutes. A huge improvement like this shows that a bit of training can go a long way.
Pro Tip: Reduce the time it takes to respond to phishing attacks with employee training and awareness.
Phishing costs US businesses at least $500,000,000 annually
You may think of the victims of phishing schemes as clueless people who don’t understand technology that well. But in reality, it’s businesses that get hurt the most.
According to statistics from the FBI, phishing attacks cost American businesses at least $500,000,000 per year. That’s just from the cases the FBI knows about, so the overall costs are likely higher.
Spear phishing, a phishing attack targeted at a specific person or organization, costs businesses around $1.6 million per successful incident. On top of that come additional, long-term effects such as reputation damage and client loss. A single employee who fell for a phishing e-mail at an American insurance company cost the business over $100 million and led to the biggest healthcare breach known to date.
Don’t Forget: Phishing happens to everyone, and businesses are typically the ideal target.
Financial & payment industries are big targets
Two industries are consistently the top targets for phishing: financial institutions such as banks, and payment businesses that handle sensitive data such as bank account and credit card numbers.
Data suggests that as many as 35% of all phishing attacks may be directed at these two types of industries. Keep in mind, most businesses use these services even if it’s not their specialty. In other words, everyone is at risk.
A phisher may even go so far as to pose as someone from your company’s bank, using a very similar logo or letterhead. They might tell you there is something wrong with your account or ask you to send them your login information.
Either way, it’s always best to call your bank to find out whether there is a real issue, using a phone number from your card or the bank’s own website rather than one given in the message. Remember, banks and financial institutions rarely, if ever, ask for personal information by e-mail.
Pro Tip: Always do what you can to verify sensitive requests. Think of it as “two-factor authentication” but for email responses.
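One mechanical check that backs up the advice above is to look at where a "message from your bank" actually comes from. The script below is an added example written for this article, not code from the original page: it assumes a hypothetical organisation that banks with `examplebank.com` and classifies the `From:` header of a message as trusted, lookalike (typosquat, accented homoglyph, the bank's name embedded in another domain, or a display name that claims the bank from an unrelated domain) or untrusted. The helper names (`classify_sender`, `fold_confusables`, `edit_distance`) and all sample messages are constructed for the demo.

```python
"""Sender-domain check for messages that claim to come from your bank.

Added example for this article, not code from the original page. It assumes a
hypothetical organisation that banks with 'examplebank.com'; the sample
messages below are constructed for the demo.
"""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Hypothetical: the real domains of the institutions you actually deal with.
TRUSTED_DOMAINS = {"examplebank.com"}


def fold_confusables(domain: str) -> str:
    """Fold accented or otherwise decomposable letters to their base letter
    (an 'e' with an acute accent becomes 'e') so a homoglyph domain can be
    compared against the real one; the caller notes when folding changed it."""
    decomposed = unicodedata.normalize("NFKD", domain)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 against a trusted domain is the signature
    of a typosquat such as 'examp1ebank.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(raw_message: str):
    """Return (verdict, reasons) for the From: header of an RFC 5322 message.

    'trusted'   - sender domain is a trusted domain or a subdomain of one
    'lookalike' - sender impersonates a trusted institution
    'untrusted' - anything else; verify out of band before acting
    """
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    raw_domain = addr.rsplit("@", 1)[-1].lower().rstrip(".") if "@" in addr else ""
    reasons = []

    if raw_domain in TRUSTED_DOMAINS or any(
        raw_domain.endswith("." + t) for t in TRUSTED_DOMAINS
    ):
        return "trusted", reasons

    domain = fold_confusables(raw_domain)
    if domain != raw_domain:
        reasons.append(f"domain {raw_domain!r} uses confusable characters (folds to {domain!r})")

    claimed_name = display_name.lower().replace(" ", "")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]  # 'examplebank'
        if edit_distance(domain, trusted) <= 2:
            reasons.append(f"domain {domain!r} is within two edits of {trusted!r}")
        elif brand in domain:
            reasons.append(f"domain {domain!r} embeds the trusted name {brand!r}")
        if brand in claimed_name:
            reasons.append(f"display name {display_name!r} claims {brand!r} but the domain is {raw_domain!r}")

    verdict = "lookalike" if reasons else "untrusted"

    # A Reply-To off the sender domain is a common phishing tell. It is recorded
    # as a reason but does not by itself prove brand impersonation, so it does
    # not change the verdict.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if "@" in reply_to and reply_to.rsplit("@", 1)[-1].lower() != raw_domain:
        reasons.append(f"Reply-To {reply_to!r} is not on the sender domain")
    return verdict, reasons


# Constructed sample messages (not real mail); only the headers matter here.
SAMPLE_MESSAGES = {
    "genuine": 'From: "Example Bank Alerts" <alerts@examplebank.com>\nSubject: Statement ready\n\nbody\n',
    "typosquat": 'From: "Example Bank Security" <security@examp1ebank.com>\nSubject: Account locked\n\nbody\n',
    "embedded": 'From: "Example Bank" <support@examplebank.com.account-verify.net>\nSubject: Verify now\n\nbody\n',
    "homoglyph": 'From: "Example Bank" <alerts@exampl\u00e9bank.com>\nSubject: Unusual login\n\nbody\n',
    "unrelated": "From: IT Helpdesk <helpdesk@corp-partner.example>\nReply-To: tickets@mail-relay.example\nSubject: Password expiry\n\nbody\n",
}


def audit_samples() -> dict:
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify_sender(raw)[0] for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        verdict, reasons = classify_sender(raw)
        print(f"{name:10} -> {verdict}")
        for reason in reasons:
            print("             -", reason)
```

The trusted check deliberately runs on the raw, unfolded domain: folding is only used to detect lookalikes, so an accented copy of the bank's name can never be promoted to trusted. A "lookalike" or "untrusted" verdict is a prompt to pick up the phone, not proof of fraud; the point is to make the decision before anyone enters credentials.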
Final Thoughts: Train your employees on phishing
One way to train your employees on phishing is to hire an outside company to perform a simulated phishing attack.
Companies providing such services have found that employees fare rather poorly on these tests. One study reported that 31% of employees clicked a link in a fake phishing e-mail, and 17% went on to enter a username and password when prompted. Put another way, 83% of employees did not hand over credentials, but the 17% who did is a large share when you consider that it takes only one person to give away an important password.
However, the longer you keep at it and the more awareness you can create, the more likely it is that your employees can spot a real phishing attack.