Cofense Logo - Email Security Solutions

How to Better Use Phishing Statistics

Phishing Statistics Highlight Only a Portion of the Threat

Phishing statistics vary considerably in how they are compiled, represented, and interpreted. However, this does not necessarily mean they are without value. By identifying trends within phishing attack statistics, businesses can better prepare themselves against the types of threat they are more likely to encounter and mitigate the likelihood of becoming phishing statistics themselves.

In the 2006 edition of the “Information Security Management Handbook,” author Christopher Pilewski entitled a section of his chapter on computer crime “Lies, Darned Lies, and Phishing Statistics.” Pilewski gives examples of widely varying phishing attack statistics and attributes the variations to businesses being unwilling to disclose their security failings or the financial consequences.

Fast forward more than a decade and phishing statistics still vary a lot. There are many reports, available online, that pull from vastly different users and survey groups. For example, the 4-19 “State of the Phish” Report claims 83 percent of nearly 15,000 users surveyed experienced a phishing attack in the previous year. At the other end of the scale, the British Government’s “Cyber Security Breaches Survey 2019” reports that only 32 percent of respondents identified a phishing attack or breach during the same period.

Further examples of widely varying phishing attack statistics exist with relation to the cost of a successful phishing attack. In their respective 2018 reports, KeepNetLabs claims the average cost of a successful cyberattack is $1.6 million. Accenture calculates the average cost at $2.4 million, Microsoft at $3.8 million, and IBM at $7.35 million. Juniper Research – clearly anticipating a period of hyper-inflation – predicts that by 2020 the average cost of a successful cyberattack will be $150 million.

Why Phishing Attack Statistics Vary So Much

Phishing attack statistics are not unique in displaying variance. Most statistics vary according to factors such as who, what, where, when, and why. For example, the report above claiming 83 percent of businesses experienced a phishing attack is compiled from client reports made to a security company, whereas the phishing statistic of 32 percent is the result of a UK government survey of business leaders – who may or may not have been aware of the volume of phishing attacks in their businesses.

Email Phishing Statistics

Our own 2019 Annual Phishing Report found that 90% of our clients’ real phish emails were found in environments Using SEGs (Secure Email Gateways). 74% of those phish attacks were hunting for credential information. “Cyber Security Breaches Survey 2019” reports that 20% of attacks came from phishing emails impersonating an organization. While each percentage or phishing stat is important information, it is vital to remember that each report is controlled by the data available and the publishing organization.

The same factors apply to the discrepancies in how much cyberattacks cost businesses. Costs not only vary according to the industry the business operates in, its size, its location, and how long it takes the business to recover from the attack, but also what factors are taken into account when calculating the costs. For example, some calculations include only the costs of information loss, business disruption, and revenue loss, whereas others include costs such as:

  • Equipment damage.
  • Investigation costs.
  • Increased insurance premiums.
  • Technology and security upgrades.
  • Identity theft and credit services.
  • Civil lawsuits and legal fees.
  • Reputation loss.
  • Regulatory fines and sanctions.

One also has to consider the motives for publishing phishing statistics – and how the motives are interpreted. A cynical person might be of the opinion that a security company ́s motive for publishing phishing statistics is to raise concerns and attract more clients, and therefore inflate the statistics in order to represent a far worse situation than actually exists.

That is not necessarily the case, and in fact the figures quoted in the “State of the Phish” report align closely with those produced by the Anti-Phishing Working Group (APWG) – a global data exchange, research and public awareness organization with more than 1,800 members. If Christian Pilewski ́s assertion that businesses are unwilling to disclose their security failings is true, it may not be the case that business leaders “may or may not have been aware of the volume of phishing attacks in their businesses” but rather that they did not want to reveal them.

Why Phishing Statistics Trends are More Important

Phishing statistics trends are more important than the numbers themselves because they provide metrics about where phishing attacks are heading and give companies the opportunity to alert employees to new attack methods. However, as with phishing statistics, it is important to understand how trends are being compiled, represented, and interpreted in order to correctly identify them.

For example, if you were to compare year-on-year phishing statistics compiled from client reports made to the security company, the actual percentage of businesses experiencing a phishing attack decreased. This should not be taken as an indication that phishing attacks are declining, but rather that the security company’s solutions are having an effect – albeit a limited one.

Our own review of phishing attack statistics trends reveals that, although the vast majority of phishing emails have the objective of installing ransomware, there has been a significant increase in phishers attempting to fool email recipients into complacency by acquiring SSL certificates for their phishing sites and in the deployment of “quiet malware” such as remote access trojans.

These trends are disturbing inasmuch as the targets of phishing attacks often misunderstand the purpose of an SSL certificate (82% according to a study by APWG) and divulge log-in credentials believing the phishing site is legitimate. Consequently, there has been a noticeable increase in phishers taking remote control of user accounts and deploying software to mine cryptocurrencies in the cloud.

How to Prevent Your Business from Becoming a Phishing Statistic

One positive phishing statistics trend is that businesses are investing more in phishing awareness training. However, due to the increasing sophistication of phishing, threats are becoming harder to detect, and even technically savvy employees can fall victim to a particularly good or well-crafted phishing scam. Phishing Awareness Training alone will not reduce the consequences of a successful phishing attack, and businesses need to be prepared for the times when phishing emails avoid detection and their requested actions are performed.

Cofense is the leading provider of phishing awareness training and threat management solutions for businesses. Our human intelligence-driven solutions have reduced employee susceptibility by up to 95 percent and, when a phishing email does evade detection, Cofense enables security teams to mitigate the consequences. To date, we’ve helped hundreds of IT security teams contain the consequences of a successful phishing attack.

To learn more about defending your business, your data, and employees against the threat from phishing, contact us now and request a free Cofense demo. Our team will be glad to answer any questions you have about phishing attacks and discuss any specific vulnerabilities. Make sure you’re not helping to feed the next set of phishing attack statistics. Act and be informed. Speak with Cofense today.


Interested in learning more about phishing detection and response?

Explore our Resource Center for our latest content

Explore our database of phish found in environments protected by SEGs, updated weekly

Download our latest Phishing Review to learn about threat landscape trends.


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on as a development site.