The danger posed by phishing attacks is constant, and phishing is still the main cause of data breaches. All it takes is one member of staff being tricked by a phishing email for threat actors to obtain the access they need to carry out further attacks on your organization.

In this update we list some key 2020 phishing statistics to raise awareness of the threat and highlight the need for businesses to rethink their current phishing security measures.

Phishing is the most straightforward way for hackers to obtain access to sensitive data and spread malware. Little skill or expertise is required to conduct a successful phishing campaign and steal credentials or infect users with malware. The most recent figures indicate that in 2020, 22% of reported data breaches began with a phishing email, and some of the largest data breaches in history have started with a phishing attack, including the 78.8 million record data breach at the health insurer Anthem Inc. and the huge Home Depot data breach in 2014, in which the email addresses of 53 million individuals were stolen.

Phishing can be carried out over the phone, via SMS, social media networks, or instant messaging platforms, but email is the most common vector chosen. Around 96% of all phishing attacks take place over email. Successful phishing attacks lead to the theft of data, theft of credentials, or the installation of malware and ransomware. The cost of resolving these incidents and the resulting data breaches is significant. The 2020 Cost of a Data Breach Report by the Ponemon Institute/IBM Security showed that the average cost of a data breach is around $150 per impacted record, with an overall cost of $3.86 million per breach. A single spear phishing attack costs around $1.6 million to address.

Staff members may think they are able to recognize phishing emails, but data from security awareness training companies show that in many cases that confidence is not well founded. One study in 2020 showed that 30% of end users opened phishing emails, 12% of users visited a malicious link or opened the attachment in the email, and one in 8 users then shared sensitive data on phishing web pages. That is despite 78% of users saying they know they should never open email attachments from unknown senders or click links in unsolicited emails.

The 2020 phishing statistics show that phishing and spear phishing attacks are still incredibly common and that they often succeed. Another study showed that 85% of firms have been tricked by a phishing attack at least once. New phishing websites are constantly being created for use in these scams. By the time a URL is confirmed as malicious and placed on a blacklist, it has often already been abandoned by the cybercriminals. In 2020, around 1.5 million new phishing URLs were identified per month.

2020 saw a huge rise in ransomware attacks. While manual ransomware attacks often gain a foothold on networks by exploiting flaws in firewalls, VPNs, RDP, and networking equipment, ransomware is also delivered via email. Since 2016, the number of phishing emails containing ransomware has grown by over 97%.

Tackling phishing and stopping successful attacks requires a defense-in-depth approach. An advanced spam filtering solution is a must to prevent phishing emails from landing in inboxes. Businesses that use Office 365 often rely on the protections that come as standard with their licenses, but studies have shown that the basic level of protection supplied by Microsoft’s Exchange Online Protection (EOP) is average at best and insufficient on its own, and phishing emails are often not spotted. A third-party solution layered on top of Office 365 is recommended, one that incorporates machine learning to spot never-before-seen phishing threats. The solution should implement the email authentication protocols DMARC, DKIM, and SPF to identify and block email impersonation attacks, along with outbound scanning to discover compromised inboxes.
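The email authentication layer mentioned above only blocks impersonation if the published records are strict. As an added example (not code from the original article or from any vendor it mentions), the following Python script audits SPF and DMARC TXT record strings for the settings that let spoofed mail through, with a weak record and its hardened counterpart side by side. The domain `example.test`, the IP range and the report address are constructed placeholders; DKIM is omitted because its key records are per-selector and need a DNS lookup to evaluate.

```python
"""
Audit SPF and DMARC TXT records for settings that weaken protection against
domain impersonation. Added example; the sample records below are constructed
for a hypothetical domain and are not taken from any real DNS zone.
"""

# Constructed sample records for the hypothetical domain "example.test".
WEAK_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.test +all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.test -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; "
                "rua=mailto:dmarc-reports@example.test; pct=100")


def audit_spf(record: str) -> list[str]:
    """Return a list of findings for an SPF record; empty means no weak settings."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1, so receivers ignore it"]
    # The final 'all' mechanism decides what happens to senders not listed.
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders are treated as neutral")
        return findings
    last = all_terms[-1]
    qualifier = last[0] if last[0] in "+-~?" else "+"  # '+' is the default qualifier
    if qualifier == "+":
        findings.append("SPF: '+all' authorizes every sender, so spoofed mail passes SPF")
    elif qualifier == "?":
        findings.append("SPF: '?all' is neutral; receivers will not reject spoofed mail")
    elif qualifier == "~":
        findings.append("SPF: '~all' is a softfail; enforcement depends on the DMARC policy")
    return findings


def audit_dmarc(record: str) -> list[str]:
    """Return a list of findings for a DMARC record; empty means no weak settings."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: missing or invalid v=DMARC1 tag, so receivers ignore the record"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid 'p' tag; the record is ignored")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if tags.get("sp", "").lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; aggregate reports of spoofing are not collected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    return findings


def audit_domain(spf_record: str, dmarc_record: str) -> list[str]:
    """Combine both audits so a domain can be checked in one call."""
    return audit_spf(spf_record) + audit_dmarc(dmarc_record)


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(f"[{label}]")
        for finding in audit_domain(spf, dmarc) or ["no weak settings found"]:
            print("  -", finding)
```

Run against a real domain, the record strings would come from the TXT lookups of the apex and of `_dmarc.<domain>`; the checks themselves are the ones a filtering solution applies before it treats an impersonated sender as authenticated, so a weak record on your own domain is a gap in the layer described above.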

End user training is also crucial. If a phishing email does land in an inbox, employees should be shown how to identify it as such and be conditioned to report it to their IT team, so that action can be taken to delete all instances of the threat from every mailbox. Web filters are also crucial for blocking the web-based component of phishing attacks and preventing employees from visiting phishing websites.