Must-Know Phishing Statistics 2017

by Jonathan Crowe, Jul 2017

Phishing attacks aren’t just increasing, they’re also evolving. Get the latest stats on what types of phishing emails are the most dangerous, and how often victims are taking the bait.

Businesses are seeing more malicious emails flooding their inboxes

According to IBM’s X-Force researchers, not only is the number of spam emails rapidly increasing — it’s currently estimated that more than half of all emails are spam — but the number of spam emails containing malicious attachments is also rising dramatically. For many companies, that increase reinforces the realization that spam isn’t merely a nuisance: it’s one of the primary delivery mechanisms for attacks, and therefore a direct threat to their organization.


Source: IBM Threat Intelligence Index 2017

Email is still the #1 delivery vehicle for most malware (just not ransomware)

1 in 131 emails contained malware in 2016, the highest rate in 5 years.

Source: Symantec 2017 Internet Security Threat Report (ISTR)

According to Verizon’s 2017 Data Breach Investigations Report, two-thirds of all malware was installed via email attachments in 2016. 60% of malware was packaged in JavaScript attachments, while 26% was packaged in malicious macros embedded in Microsoft Office documents.

Heading into 2017, however, researchers at Proofpoint recorded a large drop-off in spam email campaigns corresponding with the disappearance of Necurs, one of the largest botnets in the world and the primary distributor of Locky ransomware. As a result, the ratio of malicious emails delivering ransomware fell nearly 50% — from seven out of every 10 malicious emails in 2016 to just two out of every 10 malicious emails in Q1 2017.


Source: Proofpoint Q1 2017 Threat Report

Note: The spike at the end of March was a sudden high-volume phishing campaign that exploited a Microsoft Word zero-day vulnerability and distributed the Dridex banking trojan.

At the same time, Proofpoint researchers also noted a major shift away from phishing campaigns using malicious document attachments to campaigns using attached archives (such as compressed JavaScript files) or malicious URLs.


Source: Proofpoint Q1 2017 Threat Report
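A defender-side triage of the carrier types these reports single out (script attachments, macro-enabled Office documents, and archives wrapping a script), combined with the invoice and scanned-document subject lures discussed further down the page. This is an added example, not code from the original post or from any of the cited vendors; the extension lists, lure words and the sample message are constructed assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

SCRIPT_EXT = (".js", ".jse", ".vbs", ".wsf")     # script attachments (assumed list)
MACRO_EXT = (".docm", ".xlsm", ".pptm", ".dotm")  # macro-enabled Office files (assumed list)
LURE_WORDS = ("invoice", "scanned", "delivery failure", "order confirmation")

def triage_attachment(filename, payload):
    """Return reasons this attachment is suspicious (empty list = nothing flagged)."""
    name = filename.lower()
    reasons = []
    if name.endswith(SCRIPT_EXT):
        reasons.append(f"script attachment {filename}")
    elif name.endswith(MACRO_EXT):
        reasons.append(f"macro-enabled document {filename}")
    elif name.endswith(".zip"):
        try:  # look inside the archive for the "compressed JavaScript" pattern
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(SCRIPT_EXT + MACRO_EXT):
                        reasons.append(f"archive {filename} contains {member}")
        except zipfile.BadZipFile:
            reasons.append(f"archive {filename} is not a valid zip")
    return reasons

def triage_message(raw_bytes):
    """Parse a raw message; combine attachment findings with subject-line lures."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings.extend(triage_attachment(part.get_filename() or "", payload))
    lures = [w for w in LURE_WORDS if w in (msg["subject"] or "").lower()]
    if findings and lures:  # risky attachment plus a lure subject: raise priority
        findings.append("subject uses lure word(s): " + ", ".join(lures))
    return findings

def build_sample():
    """Constructed sample: a zip holding a placeholder .js, sent as an 'invoice'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4471.js", "// constructed placeholder, not a real script\n")
    msg = EmailMessage()
    msg["Subject"] = "Invoice 4471 attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Invoice_4471.zip")
    return msg.as_bytes()
```

Feeding `build_sample()` to `triage_message()` flags the script inside the archive and the invoice lure together, which is the combination the Proofpoint and Symantec figures above describe.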

Instead of relying on phishing for distribution, the two biggest ransomware attacks of Q2 2017 — WannaCry and Petya/NotPetya — have exploited vulnerabilities found in unpatched systems. Rather than being outliers, these attacks appear to be part of a larger trend. According to a report from Webroot, as much as two-thirds of the ransomware infections this year have been delivered by exploiting machines with Remote Desktop Protocol (RDP) exposed to the Internet.

Plenty of phishing emails are still delivering ransomware, but as more attackers continue to explore (and find success with) these new infection vectors, it’s no longer a near-guarantee that falling victim to a phishing attack will result in a ransomware infection. Phishing victims are now just as likely to encounter banking trojans, adware, or good old-fashioned credential theft attempts at the other end of an unfortunate click.

Most popular phishing lures and targets

Fake invoice messages are the #1 type of phishing lure.

Source: Symantec 2017 Internet Security Threat Report (ISTR)

Disguising malicious attachments as fake invoices remains the most popular tactic for tricking users into opening phishing emails and taking the bait. According to Symantec’s 2017 ISTR, one in every four major malware spam campaigns took this approach in 2016.


Source: Symantec 2017 Internet Security Threat Report (ISTR)

Another tactic attackers have been increasingly adopting is disguising attachments as scanned documents being sent from office printers and copiers. The massive Dridex banking trojan campaign in late Q1 2017 is one example.

Other popular disguises include email delivery failure messages, order and payment confirmations, and, more recently, highly specific flight confirmations.

Apple IDs are the #1 target for credential theft emails.

Source: Proofpoint 2017 Human Factor Report

When it comes to phishing emails designed to steal credentials, researchers at Proofpoint found that one in four are targeting Apple IDs. Microsoft Outlook credentials are the second-most targeted, with Google Drive credentials coming in third.


Source: Proofpoint 2017 Human Factor Report

While large phishing campaigns designed to steal Apple account credentials may be the most common, the most effective in terms of click rate are emails targeting Dropbox credentials.


Source: Proofpoint 2017 Human Factor Report

Click rates for smaller, more customized phishing campaigns are significantly higher. Not only is that incentivizing attackers to make their campaigns more targeted and convincing, it’s also making the task of protecting organizations with phishing awareness programs alone increasingly dubious.


Source: Proofpoint 2017 Human Factor Report

For an example of what a credential theft email looks like, see our blog post on a recent DocuSign phishing campaign.

Rise in BEC scams

More than 400 businesses are targeted by BEC scams every day.

Source: Symantec 2017 Internet Security Threat Report (ISTR)

The past year has also seen significant growth in the number of business email compromise (BEC) scams. Also referred to as CEO fraud or “whaling,” a BEC scam is a form of spear phishing attack where an attacker impersonates a company executive (often the CEO), and attempts to get an employee, customer, or vendor to transfer funds or sensitive information.

According to the FBI, BEC scams have accounted for more than $5 billion in losses between October 2013 and December 2016, with more than 24,000 victims reporting incidents worldwide.

Researchers at Proofpoint identified a 45% increase in BEC attacks in Q4 of 2016 alone.

W-2 phishing hit this year’s tax season harder than ever

Reports of W-2 phishing emails increased 870% in 2017.

Source: IRS Return Integrity Compliance Services

One specific form of BEC scam that attackers have been having particular success with is impersonating high-level company executives and requesting employee W-2 forms from personnel in payroll or HR departments. The goal is to use the captured W-2 information to file fraudulent tax returns and claim refunds.

These attacks are naturally tied to tax season, but this year they arrived earlier and in greater numbers than ever before. The massive uptick caused the IRS to release an urgent alert warning employers to be on the lookout for what they’re referring to as “one of the most dangerous email phishing scams we’ve seen in a long time.”

According to Tamara Powell, acting director of the IRS Return Integrity Compliance Services, “In the first four months of 2017, 870 organizations reported to the IRS that they received a W-2 phishing email, up from about 100 organizations in the first four months of 2016.”

Nearly one in four organizations that reported receiving a W-2 phishing email acknowledged they had fallen for the scam. That’s actually down from 2016, when roughly half the organizations on the receiving end of a W-2 phishing email reported they had taken the bait. On the bright side, that’s a significant drop that can be attributed at least in part to an increase in awareness. On the other hand, a 25% success rate is still incredibly high, and will likely encourage more attacks next year.
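The BEC and W-2 scams described in the last two sections share a pattern that can be checked on inbound mail: an executive’s display name on a sender address or Reply-To that sits outside the organisation, paired with a funds or W-2 request. This is an added example, not from the original post; the organisation domain, executive list, request keywords and the sample message are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed assumptions: the organisation's own domain, the executives whose
# names a BEC or W-2 scam would borrow, and the request wording to look for.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real mailbox
REQUEST_WORDS = ("wire transfer", "w-2", "payroll", "urgent", "gift card")

def check_bec(raw_bytes):
    """Return the BEC indicators found in one raw message (empty list = none)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    name, addr = parseaddr(msg["from"] or "")
    _, reply_to = parseaddr(msg["reply-to"] or "")
    indicators = []
    real_addr = EXECUTIVES.get(name.strip().lower())
    if real_addr and addr.lower() != real_addr:  # executive's name, foreign mailbox
        indicators.append(f"display name '{name}' but sender is {addr}")
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != ORG_DOMAIN:
        indicators.append(f"Reply-To points outside {ORG_DOMAIN}: {reply_to}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [w for w in REQUEST_WORDS if w in text]
    if hits:
        indicators.append("request keywords: " + ", ".join(hits))
    return indicators

# Constructed sample message shaped like the W-2 request the IRS alert describes.
SAMPLE = b"""From: Jane Doe <jane.doe@example-mail.net>
Reply-To: ceo.office@freemail.example
To: payroll@example.com
Subject: Quick request

Can you send me the W-2 forms for all employees today? Urgent.
"""
```

Any one indicator alone is noisy; the combination of a borrowed executive name, an external Reply-To and a W-2 or payment request is what should route the message for review rather than to the payroll inbox.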

Who’s getting targeted (spoiler: it’s everyone)

76% of organizations reported being the victim of a phishing attack in 2016.

Source: Wombat Security State of the Phish 2017

Three out of four companies reported falling victim to phishing last year, and according to Symantec, over the course of Q2 2017 phishing rates have increased across most industries and organization sizes. Unfortunately, no company or vertical is immune, meaning every organization needs to have phishing prevention measures in place.

Training employees to recognize phishing attempts is a great place to start, but thanks to the increasing sophistication of targeted attacks, raising awareness alone isn’t enough. Companies need to invest in strong endpoint security technology that has their employees’ backs.