10 Phishing Stats That’ll Make Your C-Suite Think

Wanting to run a phishing simulation is one thing, but persuading colleagues of the importance of doing so is another. You need to keep your organization safe, not just satisfy basic compliance requirements. You need to improve security awareness and colleague behaviors, throughout your organization, to make a real difference to your ongoing cybersecurity.

We’ve collated a few facts, figures, and bullet points to help busy security teams convince those who hold the purse strings, to make them realize running phishing tests and raising cybersecurity awareness is an important and valuable use of security team resources. If you want to conduct an internal simulated phishing attack we’ve some advice on where to start, on our blog.

1. According to the 2021 Data Breach Investigations Report (DBIR) by Verizon, phishing is the number one cause of enterprise cybersecurity breaches and has been for the last two years, with a staggering 43% of total incidents involving phishing activity. As a part of these attacks, cybercriminals stole login credentials in 85% of cases linked to social engineering. If your company is taking cybersecurity seriously, and spending money in other areas, you have to consider phishing attacks, and raising colleague awareness, as part of the mix.
2. The prevalence of phishing attacks is undeniable, but this isn’t matched by colleague awareness. The Egress Insider Data Breach Survey 2021 states that 73% of US organizations were victims of some form of phishing attack in the last year. Remote and hybrid working is making it more difficult to mitigate breaches caused by malicious email activity. The report further states that a terrifying 43% of employees aren’t aware of best practices or don’t follow security protocols.
3. In the 7th Annual (2021) State of Phish Report, by ProofPoint, industry participants who encountered a phishing breach reported the following consequences:76% were infected with ransomware or malware.
   • 60% of compromised businesses lost data.
   • 52% had accounts or credentials compromised.
   • 18% encountered direct financial losses.

   We can further add to this compliance fines, lost intellectual property, lost employee hours, indirect lost revenue, and other factors. Sobering numbers requiring strong preventative action.

4. Some industries are more vulnerable to these attacks than others. In Q1 of 2021 overall the online industry sector most commonly target by phishing attacks (according to Statistica) was financial services institutions (24.5%), though this is often dependent on the size of the company. Healthcare and pharmaceutical companies are most vulnerable if they have a staff of up to 249. Construction is most susceptible to phishing breaches if the company is between 250-999 employees. Technology firms take the top spot for industries with a workforce of 1,000+. No matter your industry, running a simulated email attack is important, but if you are in one of the more targeted areas this is a clear red flag.
5. The cost of a data breach can be devastating to businesses. Following the logic of the IBM/Ponemon Cost of a Data Breach Report 2021, the average cost of a data breach is at a staggering $4.24 million all-time high. This is the highest in the report’s 17-year history and an increase of 10% from 2020. This includes compliance fines and other costs, as well as direct loss of sales, employee productivity, and long-term reputation. The report is based on 537 breaches across 17 countries and 17 industries. The average cost was increased by $1.07 million where remote working was a factor, and lost business accounted for around 38% of any data breach loss ($1.59 million).
6. A 2020 Q2 study by APWG shows that most phishing attacks are aimed at companies that utilize webmail and SaaS, being responsible for 34.7% of attempts. If your company uses these services, these figures are strong evidence to support your case for educating colleagues about phishing attacks. APWG also reported a considerable growth in BEC attacks coming from free webmail providers, from 61% to 72% year on year, and discovered that more than half of these used Gmail.
7. Bad actors rely on staff ignorance, FOMO and psychology, familiarity, and basic social engineering tactics. The KnowBe4 2020 Phishing Report details that cybercriminals commonly use business-specific phrases to entice unwary staff into opening malicious emails. The most common email subjects include the likes of:
   • Password Check Required Immediately.
   • Zoom: Scheduled Meeting Error.
   • Touch base on meeting next week.
   • Changes to your health benefits.
   • Vacation Policy Update.
   • COVID-19 Remote Work Policy.

   Making staff aware of possible messaging like this can be hugely beneficial in stopping a possible breach at the source. Letting your managers see the psychological tricks and personal nature of these emails could help to let them see your susceptibility – especially if they realize they might fall for this themselves.

8. In the recent Microsoft New Future of Work Report, looking specifically at the impact of the pandemic on working practices, the research found that 62% of the security professionals surveyed had seen a marked growth in phishing campaigns. There has also been an increase in remote workers’ circumnavigation or disabling remote security measures and a growth in the use of personal (BYOD) devices. If you have staff working from home or in a hybrid working environment, raising awareness of cybersecurity best practices has now become a critical part of maintaining a safe security posture.
9. Attacks will often appear to come from a reputable source, hiding behind companies commonly used by businesses. A study by INKY found that Microsoft was the most impersonated brand, accounting for almost 70% of brand impersonation phishing attempts in 2020, followed by Zoom, Amazon, Chase Bank, and RingCentral. Again, if people can see the way bad actors are hiding behind the brands your business uses every day this will further add to your cause. A high proportion of these were in the technology sector (71.8%), as well as telecommunications, the financial services sector, within retail/eCommerce, and in logistics.
10. The cost of conducting a simulated phishing attack, and the return on investment (ROI), varies from business to business. If you can estimate the cost of a potential breach in your company, then compare this to your susceptibility based on your potential industry failure rate, you can compare this to the outlay in time and resources it would take to run a simple phishing simulation. The difference is the ROI.

Showing your directors this is basic arithmetic, a standard boardroom metric, and a key component in getting the time and/or funds allocated to the exercise. As the old saying goes, “Show me the money.”

Pulling some of these numbers and reports (above) into a simple presentation should offer you some of the ammunition you need to persuade managers and colleagues of the importance of conducting a phishing simulation. Giving them a solid case, showing the dangers involved and the clear ROI – backed up by statistics – will hopefully go a long way to helping them see that raising cybersecurity awareness and running phishing tests are an important and valuable use of security team time and resources.

Let’s hope you never get the opportunity to say, “I told you so.”