Common and destructive.

Information security is paramount for all businesses, and phishing poses a serious threat. Below are some interesting phishing facts to support the need to address the phishing threat vector. Please share these critical information security facts with others.


of all security breaches involve the human element.

It takes less than 60 seconds for users to fall for a phishing attack.


of social engineering attack motivation is financially driven.




Phishing accounted for more than 30% of social engineering action varieties while pretexting held steady at 40%
Email comprised nearly 100% of the top action vectors within social engineering breaches
External actors account for 65% of breaches while internal actors account for 35% of breaches (up from 20% last year, but 73% of internally caused breaches were due to mistaken error)
68% of breaches involved mistaken human element errors
The median time for users to fall for a phishing email is less than 60 seconds
20% of users reported phishing in simulation engagements, and 11% of the users who clicked the email also reported it
Carelessness appeared in 98% of breaches, making it the most common error vector
Misdelivery (sending something to the wrong recipient) accounted for 43% of breach-related errors
86% of breaches involved the use of stolen credentials
Social engineering accounted for 17% of breaches and 10% of incidents
7% of data breaches resulted in a median loss of $26,000 (more than double the FBI's previously reported figure of $11,500 from 2021)
24% of breaches had a ransomware component
95% of data breaches were financially driven
74% of breaches involved the human element
82% of breaches involved the human element
35% of ransomware attacks are delivered via email
Phishing remains one of the four main entry points to an organization, accounting for more than 60% of all social engineering attacks
14% of business email compromises in the United States recovered none of their financial losses
95% of Business Email Compromise losses were between $250 and $984,855
85% of breaches involved the human element
35% of breaches in North America involved social engineering
70% of breaches in Asia Pacific involved social engineering
Social Engineering was responsible for over 69% of breaches within the Public Administration sector
Almost 100% of social attacks in the Public Administration sector involved phishing
Social Engineering accounts for 86% of the breaches within the Mining, Quarrying, Oil & Gas Extraction, and Utilities industries
Within the manufacturing industry, over 75% of social engineering attacks involved phishing
67% of breaches can be attributed to human risk: credential threat, errors, and social attacks
46% of organizations received malware via email
96% of social attacks arrive via email
86% of breaches were financially motivated
28% of breaches involved small businesses
27% of malware incidents involved ransomware
22% of breaches involve social attacks
Business E-mail Compromise (BEC) schemes resulted in an annual loss of approximately $1.8 billion for U.S. consumers and businesses
Phishing scams resulted in an annual loss of over $54 million for U.S. consumers and businesses
33% of breaches included social attacks
65% of attacker groups used spear phishing as the primary infection vector
29% of breaches involved use of stolen credentials
48% of malicious email attachments are Office files
94% of malware was delivered via email
64% of organizations have experienced a phishing attack in the past year
22% of organizations see phishing as their greatest security threat
77% of IT professionals feel their security teams are unprepared for today’s cybersecurity challenges
34% of organizations see careless or unaware employees as a vulnerability
59% of phishing attacks in the Americas relate to finance
70% of breaches associated with nation-state or state-affiliated actors involved phishing
71.4% of targeted attacks involved the use of spear-phishing emails
66% of malware is installed via malicious email attachments
49% of non-point-of-sale malware was installed via malicious email
43% of all breaches included social tactics
93% of social attacks were phishing related
28% of phishing attacks are targeted
21% of ransomware involved social actions, such as phishing
Finance faced 59% of phishing attacks in the Americas
74% of cyber-espionage actions within the public sector involved phishing
82% of manufacturers have experienced a phishing attack in the past year
90% of incidents and breaches included a phishing element
In 2016, 89% of all attacks involved financial or espionage motivations.
30% of phishing messages were opened in 2016 – up from 23% in 2015.
95% of breaches and 86% of security incidents fall into nine patterns.
70% of cyber attacks use a combination of phishing and hacking.
63% of confirmed data breaches involved weak, default, or stolen passwords.
The top 3 industries affected by security incidents are public, information, and financial services.
50% of recipients open emails and click on phishing links within the first hour of them being sent.
Almost half of all phishing attacks registered in 2016 were aimed at stealing a target's money.
Phishing emails include fake notifications from banks, e-payment systems, email providers, social networks, online games, etc.
34.9% of all spear-phishing email was directed at an organization in the financial industry.
The number of spear-phishing campaigns targeting employees increased by 55%.
The APWG announced the number of observed phishing attacks in Q1 2016 was higher than any total since 2004.