Phishing by Numbers - Phishing Infographic

Susan Morrow
October 26, 2016 by
Susan Morrow

Try out SecurityIQ - our phishing simulator for free.


See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Phishing by Numbers

The manipulation of human behaviour for criminal intent is nothing new. Age old scams which tricked people into handing over their hard earned cash have been going since humans came down for the trees. The modern equivalent of these old scams is phishing. Phishing is now considered to be the number one most successful technique used by cybercriminals. Variants on the theme of social engineering and trickery, have created a phishing toolset that can be used by cybercriminals to steal login credentials, exfiltrate personal data, and install ransomware. Phishing comes in many forms, from emails containing malicious attachments or with links to spoof websites, to malicious texts, and spoof phone calls. Such a successful method is likely to continue being the weapon of choice of the cybercriminal unless we can put measures in place to prevent it.

Type of Phishing

There are a variety of phishing types. Each has the ultimate goals of either ensuring that malware is installed on the recipient's device, or that they click on a link that takes them to a spoof website, where either they download malware or enter sensitive data, such as login credentials. The following show the most common types of phishing to date.


In March 2016, 93% of phishing emails were being used to infect victims with ransomware (1)

Numbers of organizations reporting they had a phishing attack in 2015 = 85%. Up from 72% in 2014 (2)

Phishing emails containing JavaScript applications and Microsoft Office Macros were the most common methods of infecting users (1).

In a new twist on the old hijacking of email contact lists, a phishing scam based on facebook has emerged this year. Users were sent fake facebook messages informing them a friend had mentioned them in a comment. This message contained  a Trojan which installed a Chrome browser extension. The Chrome extension handled a Facebook account takeover, allowing manipulation of privacy settings and data theft (3).

The IRS has seen a 400% increase in phishing of IRS clients during the 2016 tax season (4)


  1. PhishMe, Q1 2016 Malware Review:
  2. Wombat Security, State of the Phish 2016:
  3. Telegraph, Facebook fake friend phishing attack, July 2016:
  4.  IRS:

Spear Phishing

Spear phishing is a type of phishing email that is specifically targeted towards a known person. Usually it will have their name in the email body and will have enough specific personal information to look very convincing. Spear phishing has been used very successfully in  a number of high profile attacks including the Target Corp breach of 2014. Often this type of phishing will be used to steal login credentials to secure resources such as servers.

67% of organizations reported a spear phishing attack (1)

Size of organization does not guarantee immunity from spear phishing. Organizations of all sizes are being attacked. However, smaller sized businesses (under 250 employees) are seeing a larger increase in spear phishing attempts over the last 3 years. Whereas larger (greater than 2500 employees) businesses have about the same numbers of attacks over the last 3 years.

Spear phishing by company size (2):

Large Medium Small

2013 39 31 35

2014 41 25 22

2015 35 22 43

There was a large spear phishing campaign targeting Amazon customers this year. The emails contained Microsoft Word Macros infected with the Locky encryption ransomware. Up to 30 million customers were targeted. What it made it a spear phishing campaign, rather than a general one was that the attackers could manipulate the header and so make the email appear more genuine (3).


Whaling or Business Email Compromise (BEC)

This is a variant of a spear phishing email which is targeted at employees of a corporation, tricking them into thinking the email originates from their CEO or similar C-level executive. This type of phishing requires much more upfront research by the phisher and the resultant email is very convincing.

BEC (Whaling) statistics

In Q4 2015 55% of businesses saw an increase in this type of scam (1)

January 2015  - June 2016:

  • Losses amount to: almost $1.3 billion (actual $3,086,250,090)
  • Number of countries involved: 100
  • Number of U.S. States involved: 50
  • Number of countries that stolen monies go to: 79, but concentrated in Southeast Asia (2)

37% of companies surveyed had been victim of a targeted phishing scam where the email had purported to be from their CEO (3)

This year, SnapChat was victim to a payroll targeted BEC resulting in the personal details and payroll information of an undisclosed number of employees being disclosed. The email looked like it came for the SnapChat CEO, Evan Spiegel (4).

In similar CEO faked phishing attacks, 55 companies in 2015 fell for a W-2 U.S. tax records scam. In this scam, the company's details were found using sites like LinkedIn. They used emails that looked like they had originated from the CEO to trick company accounts into releasing W-2 tax record data on its employees. This was then used to make false tax claims (5).



SmiShing is a variant of phishing that uses mobile texts, instead of emails to trick users into releasing details such as login credentials.  An example was a recent WhatsApp based Smishing scam. Users would receive a normal SMS text on their phone alerting them to some a need to pay a fee to keep using WhatsApp. The SmiSh tricked users into clicking on a link which took them to a spook WhatsApp site where they were asked for credit card details.

55% of organizations reported a SMiShing attack (1)


  • Wombat Security, State of the Phish 2016


Vishing involves the use of a phone call to extract personal data from a user which is then used to commit fraudulent acts. There are many vishing scams involving banks and other financial institutions. One of the largest to date is the IRS vishing scam (1). In March 2016 there was a 10X increase in the  numbers of vishing attempts with around 450,000 victims (2).


Number of phishing attacks across global market (1)

Date Numbers % Increase over previous quarter

Q2 2015 126,797

Q3 2015 130,946 3.3

Q4 2015 144,694 10.5

Q1 2016 240,520 66.2

Q1 2016 516,702 114.8


Alternative Numbers from Anti-Phishing Working Group (APWG)

Unique Phishing Websites for 6 months to April 2016

Date Numbers % Increase over previous quarter

Oct 15 48,114

Nov 15 44,575 -7.3

Dec 15 65,885 47.8

Jan 16 86,557 31.4

Feb 16 79,259 -8.4

Mar 16 123,555 55.9

: APWG, Phishing Activity Trends Reports from Q4 2015 and Q1 2016:

Number of unique reported email campaigns

Date Numbers % Increase over previous quarter

Oct 15 194,499

Nov 15 105,233 -45.9

Dec 15 80,548 -23.5

Jan 16 99,384 23.4

Feb 16 229,315 130.7

Mar 16 229,265 0

: APWG, Phishing Activity Trends Reports from Q4 2015 and Q1 2016:

Click rate

2014 - 23% opened a phishing email; 11% clicked on malicious link or opened attachment (i.e. completed the phish) (1)

2015 - 30% opened a phishing email; 13% clicked on malicious link or opened attachment (i.e. completed the phish) (1)

Only 3% alerted management to the possibility of  a phishing email (1)

Click rate per industry - top five (2):

  1. Telecommunications: 24%
  2. Professional Services: 23%
  3. Government: 17%
  4. Insurance: 16%
  5. Retail: 14%


Top Ten Country Sources of Phishing Emails - Q1 2016

Get six free posters

Get six free posters

Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.

  1. USA: 12.43%
  2. Vietnam: 10.30%
  3. India: 6.19%
  4. Brazil: 5.48%
  5. China: 5.09%
  6. France: 4.90%
  7. Russia: 4.89%
  8. Mexico: 4.57%
  9. Germany: 2.91%
  10. Argentina: 2.60%

Top Ten Country by Users Attacked

  1. Brazil: 21.5%
  2. China 16.7%
  3. Great Britain: 14.6%
  4. Japan: 13.8%
  5. India: 13.1%
  6. Australia: 12.9%
  7. Bangladesh: 12.4%
  8. Canada: 12.4%
  9. Ecuador: 12.2%
  10. Ireland: 12%

Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.