36 Phishing Statistics in 2022: Don’t Take the Bait!

Niek has worked at Eftsure for several years and has developed a clear understanding of the cyber threat landscape and the controls Australian businesses put in place to combat these threats.

Recognise an unknown email with a suspicious link or attachment. Do not open it.

Cyber criminals keep devising new, creative methods to obtain your accounts payable team’s sensitive information and infiltrate your email accounts and company database. Phishing statistics demonstrate that organisations are targeted with countless phishing attacks in the form of emails, phishing sites, text messages and more.

They may target your organisation during a critical time when you least suspect an attack such as the end of the fiscal year period. A simple mistake can cost your business thousands or millions of dollars. By acting with caution and always double-checking, there is a strong chance you can avoid being defrauded.

The following phishing statistics highlight the types of phishing attacks you should be on the lookout for and how organisations are defending themselves.

Author’s Top Picks

  • So far in 2022, over $3.2 million has been lost to phishing emails.
  • In March 2022, phishing texts rose 28% from February 2022 and increased by 1,024% from April 2021.
  • The Netherlands leads the list of targeted countries for phishing attacks, followed by Russia, Moldova and the U.S. in January 2022.
  • 1 in 5 SMBs did not know the term “phishing”.

Phishing Statistics

1. In the first half of 2022, the ACCC received reports of 11,395 incidents of business email compromise costing businesses a total of $12.3 million.

Based on the statistic above, email is the most common contact method cyber criminals use against businesses. This is known as business email compromise (BEC), which is a form of targeted phishing or spear phishing.

2. 90% or more of Australian respondents said their organisation faced spear phishing, BEC and email-based ransomware attacks in 2021.

Phishing statistics in 2022 indicate that Australia is one of the most targeted countries for phishing. The Australian Competition and Consumer Commission (ACCC) reports that Australians lost a total of $95 million to all types of scams in March 2022. Phishing attacks are becoming more prevalent and show no signs of slowing down in the upcoming years.

3. So far in 2022, over $3.2 million has been lost to phishing emails.

Emails can be considered an easy phishing campaign for some scammers. These spoofed emails aim to deceive your accounts payable teams into revealing sensitive information such as usernames, passwords, online banking logins, credit card details and more.

4. 48% of malicious email attachments are Microsoft Office Files.

Phishing attacks can come in various forms. For instance, scammers that send malicious email attachments typically use Microsoft Office formats such as Word documents, PowerPoint presentations or Excel spreadsheets to seem more genuine.

It’s no surprise that most targeted attacks involve some form of malicious software (malware). Through phishing emails, cybercriminals deliver malware that may be located in email attachments or behind some form of link. Once it is activated, criminals can steal passwords, delete files, hijack the organisation’s network and more.

6. LinkedIn users are targeted in 52% of all phishing attacks globally in Q1 2022.

Scammers are impersonating reputable organisations via email, text messages, phone or social media. Q1 2022, though, shows a global trend of criminals using LinkedIn as their next distribution channel of choice. This is reinforced by a 2020 Atlas VPN study that revealed that emails impersonating LinkedIn were the most clicked-on social media phishing attacks.

7. 54% of successful phishing attacks end in customers’ data breaches.

One of the reasons why cybercriminals target customer data is that they can make a profit from stolen data by selling it on the dark web or to other organised groups. Not only do organisations have to prioritise their cybersecurity measures but also protect customer data.

8. According to IBM’s 2021 Cost of a Data Breach Report, phishing is the second most expensive attack vector, costing organisations an average of $4.65 million.

Phishing scams can cost millions of dollars to an organisation and have long-lasting consequences. Other than the obvious financial consequence, enterprises may face backlash & loss of trust from customers, theft of intellectual property, business disruption and reputational damage. As cybercrime increases, businesses will have to stay one step ahead.

9. In March 2022, phishing texts rose 28% from February 2022 and increased by 1,024% from April 2021.

Businesses and individuals might be puzzled when receiving a phishing message impersonating a bank or government entity. Unfortunately, there is publicly available information on the web on various individuals that can include phone numbers, social media profiles, emails, etc. Scammers use this information along with social engineering tactics to call phone numbers and attempt phishing texts.

10. In 2021, 214,345 unique phishing websites were identified, and the number of recent phishing attacks has doubled since early 2020.

Phishing websites are a popular tactic scammers use if they fail to succeed with phishing text messages or calls. These websites may impersonate legitimate businesses or suppliers in hopes of organisations disclosing their sensitive information. If you do not know what to look out for or how to identify a phishing website, you may fall victim.

11. 57% of respondents said the finance department is the most frequent victim of spear-phishing attempts.

According to phishing statistics, financial leaders and finance departments are the most targeted in phishing attacks. Cybercriminals understand that there are millions of dollars invested in financial industries and typically the motivation behind the attack is financial gain.

12. 97% of individuals around the globe are unable to identify a sophisticated phishing email.

Your employees may be your organisation’s weakest security link when it comes to detecting phishing emails. To combat this cyber-attack, CFOs & IT security teams must implement security practices such as increasing security awareness training and investing in security detection tools or a password manager.

Phishing by Country Statistics

13. 74% of organisations in the United States experienced a successful phishing attack in 2020.

In 2021 Tessian research found that Microsoft, ADP, Amazon, Adobe Sign and Zoom are the most impersonated brands when it comes to phishing attacks. These brands are most targeted because of the frequent email communications between these brands and their consumers. In addition, these brands are some of the most trusted, making phishing email impersonations more likely to succeed.

14. In 2021, Brazil was the country with the highest phishing attack rate (12.39%) among its internet users.

According to various reports and research, Brazil became the world leader in phishing attacks. On the other side of this statistic, Kaspersky noted there was an improvement in the level of awareness of security threats online. Fabio Assolini, a senior security analyst at Kaspersky Brazil, states, “we need to improve our digital education.”

15. 91% of UK survey respondents said their organisation faced bulk phishing attacks in 2021.

The COVID-19 pandemic was a great opportunity for cyber criminals to conduct various attacks that may involve viruses, worms, DDoS attacks, phishing attacks and more. As employees were transitioning into remote work, some organisations were not able to keep up with security training.

16. 63% of Japanese workers know that familiar logos in emails do not equate to safety.

Identifying cyber threats does not necessarily equate to preventing them. As part of the cybersecurity training, organisations must conduct pressure testing, phishing attack simulations and more for employees to defend against cyber-attacks confidently. Safeguarding emails requires detailed clarity between types of email attack techniques as well as knowing the correct response in each situation.

17. 46% of US workers think that all files stored in the cloud are safe.

Any data storage management requires every form of protection to minimise the risk of a data breach. For instance, you can implement complex passwords, add 2FA or MFA, encrypt files, deploy security technology and more. This makes it much more difficult for scammers to penetrate your files, enhancing your cloud email security.

18. Overall, 24.77% of the global spam emails volume originated from IPs based in Russia in 2021.

Statista and Kaspersky note that a quarter of all spam emails sent in 2021 originated from Russia. This research analysed close to 150 million malicious email attachments that involved topics like money and investment, and the pandemic.

19. The Netherlands leads the list of targeted countries for phishing attacks, followed by Russia, Moldova and the U.S. in January 2022.

Compared with past years, the targeted destinations of cyber-attacks have changed in 2022. The Netherlands was the most targeted country, receiving 68,908,098 malicious emails (17.6777%). Russia came second, receiving 53,211,482 emails, or 13.6509%.

20. In Australia, the most targeted age group in phishing attacks was individuals aged over 65, with total losses of $6.6 million so far in 2022.

It is no surprise that the elderly are more targeted than the younger demographic in phishing attacks. Seniors are thought to have more money sitting in their bank accounts than younger consumers. Other factors are involved which include businesses, pensions, tax advantages and more.

21. Most compromised attachments were found in images (55.6%), followed by PDFs (15%) and binary files (10%) in Australia.

The number of unique file attachments found in malicious emails varies from PDFs, text documents, images, binary files, HTML web applications (web links), etc. Cybercriminals that are impersonating suppliers often mimic business email communications that involve sending PDFs and binary files like invoices and important documents.

Executive Impersonation Statistics

22. In 2021, IC3 reported Business Email Compromise attacks were the biggest contributor to cybercrime losses, with victims losing 42.4 billion from 19,954 complaints.

Business email compromise (BEC) and phishing go hand in hand when targeting large enterprises. In simple terms, BEC is a form of targeted phishing or spear phishing. Perpetrators who plan and target organisations use emails impersonating a third-party supplier to deceive your accounts payable team into revealing sensitive company information. If successful, this can result in payment fraud or identity theft.

23. Over a third of credential phishing attacks involving brand impersonation targeted educational institutions and religious organisations.

Other than financial gain, there are various motives behind a cyber-attack. For instance, cybercriminals may attack to make a social or political point, collaborate with an insider threat, seek a sense of achievement or recognition, commit corporate espionage to gain a competitive advantage and more.

24. 22% of CEOs are targeted by spear phishing.

Other than brands and businesses, CEOs can be targeted by cybercriminals through a tactic known as ‘whale phishing’ or ‘spear phishing’. Hackers impersonate CEOs, COOs, or CFOs to invoke a sense of urgency and send fake emails asking employees to hand over sensitive information or to give hackers access to certain platforms and accounts, for example an ERP system, Microsoft account or banking portal.

25. CEO fraud (business email compromise) caused $2.4 billion in losses to US businesses in 2021.

According to Phoenixnap phishing statistics, the three main stages of CEO fraud are the research phase, planning phase and execution stage. Usually, CEO fraud is not successful if there has not been any research done before the attack. Criminals may collect information about their targets like the organisation’s website, social media accounts, YouTube channels, business email communications, PR and any news relating to the enterprise.

26. Whaling and executive impersonations have seen an increase of 131% between Q1 2020 and Q1 2021, costing organisations approximately $1.8 billion.

To identify these types of threats, always analyse the email before doing anything. For instance, check the email address, see how the email is written, and identify any potentially malicious links or attachments or unusual requests. Always verify with the sender by phone call before following through with the email.

In addition to identifying phishing emails, never accept or open emails from outside the corporate network or emails from domain names that resemble your organisation’s name or a supplier’s domain name. A good practice is to follow your organisation’s cybersecurity protocols and education.
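The sender-address check described above can be partly automated. The following Python sketch is an added example, not from the original article: it flags From addresses whose domain imitates a trusted one through swapped characters, small typos, or the trusted name placed on a different domain. The allow-list, the confusable-character table and the distance threshold of 2 are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list (assumed values): your own domain plus known suppliers.
TRUSTED = {"examplecorp.example", "acme-supplies.example"}

# Character swaps commonly used to make one domain resemble another.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From header."""
    _, address = parseaddr(from_header)
    _, at, domain = address.rpartition("@")
    return domain.lower().rstrip(".") if at else ""


def skeleton(domain):
    """Collapse look-alike characters and hyphens before comparing."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain.replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance computed with one rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        diag, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            diag, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, diag + (ca != cb))
    return row[-1]


def classify_sender(from_header, trusted=TRUSTED):
    """Return 'trusted', 'lookalike:<imitated domain>' or 'external'."""
    domain = sender_domain(from_header)
    # Assumption: subdomains of a trusted domain are controlled by its owner.
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    skel = skeleton(domain)
    for good in sorted(trusted):
        brand = skeleton(good).split(".")[0]
        if (skel == skeleton(good)                   # swapped characters
                or edit_distance(domain, good) <= 2  # typo, added or dropped letter
                or brand in skel.split(".")):        # trusted name on another domain
            return "lookalike:" + good
    return "external"


if __name__ == "__main__":
    # Constructed sample From headers.
    for header in ("Accounts <ap@examplecorp.example>",
                   "CEO <ceo@examp1ecorp.example>",
                   "billing@acme-suppliies.example",
                   "Invoices <pay@examplecorp.example.pay-portal.test>",
                   "news@unrelated-vendor.test"):
        print(f"{classify_sender(header):36} {header}")
```

A "lookalike" result is a reason to hold the message and verify by phone, not proof of fraud; very short trusted domains need a lower distance threshold to avoid false positives.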

Phishing Defences Statistics

28. 99% of organisations have a security awareness training program but only 57% provide organisation-wide training and only 85% educate employees who fall for real or simulated phishing attacks.

To minimise the risk of fraud or human error, security awareness training is a great start for organisations to start training their employers and employees. Several enterprise security providers supply security awareness training such as training modules, productions, and materials around various aspects of cybersecurity.

29. 81% of organisations stated that more than half of their employees are working remotely since the COVID-19 pandemic. However, just 37% educate their employees on best practices for remote working.

In 2022, remote work has become the norm for most organisations across the globe. To keep up with cybercrime, organisations need to constantly evolve their cyber security training. For instance, security awareness training programmes should use a variety of tools when educating users. Tailoring and interactivity are two key components in making your employees competent in cybersecurity.

30. 82% of senior management rate cyber security as a ‘very high’ or ‘fairly high’ priority, an increase of 77% in 2021.

More CFOs and CEOs are recognising the increasing threat of cybercrime in 2021 encouraging the practice of anti-phishing. Yet some still fall victim to cyber threats. According to the UK government, when respondents were asked “how often are senior managers updated on cyber security?” 16% of businesses said never.

A cybersecurity strategy needs to be constantly updated each year to keep up with the rise of attacks.

31. 1 in 5 SMBs did not know the term “phishing”.

According to the ACSC, Australian SMBs know cyber security is important, but there are barriers to implementing good practices. The ACSC further lists the barriers businesses come across when implementing a cybercrime strategy, such as not having dedicated staff with an IT security focus, complexity and self-efficacy, and underestimating the risk and consequences of a cyber-attack.

32. 84% of US-based organisations state that security awareness training has lowered phishing failure rates.

Each security awareness training program should have three main components: assessment, change of behaviour and evaluation. CFOs need to build a culture of cybersecurity and reshape unsafe behaviours through a training program that identifies behaviour, changes behaviour and evaluates the success rate of preventing an attack.

33. In 2021, according to survey participants, simulated phishing emails (41%) were the most used phishing training method.

Along with simulated phishing emails, other formal education sessions include newsletters or informative emails (39%), awareness posters or videos (35%), smishing and/or vishing simulations (33%) and internal cybersecurity chat channel (32%).

One of the best cybersecurity training activities is mimicking or simulating real scenario attacks. This will allow the employee to practice understanding how the attack is orchestrated, as well as what to look out for and immediately act appropriately.

35. 79% of cyber teams state that protecting their partner ecosystem and supply chains is just as important as building their own organisation’s cyber defences.

Another motivation behind an attack is to target an organisation’s supply chains to commit further fraudulent activities on other businesses. Accounts payable teams not only need to be prepared for direct attacks but need to be tested through different scenarios and understand the depth and breadth of potential cyber incidents.

36. According to a February 2022 Microsoft report, Multi-factor authentication (MFA) enterprise adoption is slow at 22%.

MFA has been around for several years, yet few enterprises have fully embraced the security practice. According to research, when asking the respondents why they do not use MFA, the overall reason is that change is hard and inconvenient.


Phishing is one of the oldest types of cyberattacks. It is quick and easy for cyber criminals to prepare and execute. The aim of a phishing technique is for victims to hand over sensitive information or download malware that gives fraudsters access to the business’s network.

The five most common types of phishing attacks include email phishing, spear phishing, whaling, smishing and vishing. Depending on the cybercriminal, phishing attacks can be targeted at a specified individual or business through various distribution channels.

In general, smaller businesses are more likely to face any form of cybercrime attack than large enterprises. The reason for this is that SMEs are faced with low awareness of cyber threats, inadequate protection for intellectual property, lack of budget to cover costs of cybersecurity software or awareness training and low management support. Overall, the security defence of SMEs is much smaller making them more vulnerable to cyber attacks compared to large enterprises.

Every organisation must implement some form of security measure around the individuals they employ, their security software and the processes of how the business operates. With a combination of an interactive security awareness training program, security technology and cybersecurity culture, you can significantly minimise the risk of phishing.
