Phishing: A Look Inside the Statistics

In a recent post, Will New Domain Names Help Stop Phishing, a reader commented that he would like to see some statistics specific to phishing and small businesses.

Since we love our readers, here is a list of statistics that center around the dangers associated with phishing.

Phishing Costs

When the Magill Report interviewed Sam Masiello, the general manager for anti-phishing services for Return Path, he stated that:

“when a company gets phished, the costs are enormous.”

And why is that? Because customers are 42 percent less likely to do business with you if you are being targeted by a phishing attack.

What’s more, phishing costs brands and corporations more than 98 billion dollars a year according to a Cisco white paper.

Spear-Phishing vs Mass Phishing

If you aren’t aware of the differences, mass phishing is an attack where victims are randomly chosen. Spearphishing is a targeted attack against a high value asset.

In a mass phishing attack, it is estimated that 3 percent of all emails are opened. Spearphishing attacks yield a 70 percent open rate because people trust the messenger.

The value of the victims differ as well with a mass phishing victim being worth about 2000 dollars whereas the victim of a spearphishing attack could net the attacker around 70,000 dollars.

But spearphishing campaigns are more expensive to run; costing the attacker around 10,000 dollars as opposed to 2,000 dollars to manage a mass phishing campaign.

As for the number people who fall victim to a phishing scam; mass phishing generally produces about 8 victims for every 100,000 targeted users. Spearphishing attacks generally yield 2 victims for every 1,000 targeted users. Overall, the attacker can expect a 150,000 dollar profit from a spearphising attack as opposed to netting 14,000 dollars for a mass phishing campaing.

Phishing and Domains

In order to trick victims into falling for their scams, the attacker needs to either create a domain to use for their attacks or spoof an existing domain. Let’s take a look at these numbers…

In the second half of 2011, there were 83,083 unique phishing domains worldwide; 200 of them were considered top level domains according to the Global Phishing Survey. In the same time period, 520 existing domains (like financial institutions and social networking sites) were targeted for phishing attacks. The top 20 targets accounted for 78 percent of all attacks.

In the first half of 2011, PayPal was the number one targeted domain for phishing attacks with a recorded 34,209 attacks. In the second half of 2011, the number of PayPal attacks dropped to 7,169 attacks and, a Chinese site, took over the top spot with a recorded 18,508 attacks.

Of the domains used for phishing in the second half of 2011 25 percent were registered maliciously by phishers; 75 percent of the attacks came from domains that were compromised by cyber-criminals.

Finally, URL shortening was only used in 398 attacks in the second half of 2011, probably because users have come to lose trust in URLs that are hidden by shortening services.

Using existing companies as bait for phishing attacks seems to be on the rise again as shown by the fact that 400 brands have been used in phishing emails in the first quarter of 2012 alone.

The Volume of Phishing Emails

Of course you can’t talk about phishing statistics without looking at the sheer volume of emails send out by scammers that attempt to lure victims into divulging sensitive information, giving up their user credentials or downloading malware.

An article by Smart Money showed how one phishing attack that used the Virginia based payment processing company Nacha sent out 167 million forged emails in a single day. These emails contained the company logo, their contact information and even content taken directly from their web site.

According to Dr. Dobb’s, 500 million phishing emails appear in user inboxes every day.

With numbers like these, it is evident that phishing isn’t going anywhere. We can expect the number of incidents that are driven by spearphishing attacks to steadily increase as more money is made from these attacks.

To fight back organizations need to not only secure their email systems using anti-spam filtering technologies, but also to provide training for their staff that helps them better identify, and in turn avoid, phishing attempts.

Written by Jeff


  1. Jessica Craig · September 12, 2012

    If these figures are correct, it seems that the profit from a mass campaign is higher than the profit from a spearphishing one. In the first case you invest $2,000 but get back $14,000 (or 7 times difference), while in the second it is $70,000 upfront for a profit of $150,000 (or only two times the investment). If these are correct, then we should be seeing less of the more destructive type of campaigns, which is very good.

  2. Clarisse Mulder · September 13, 2012

    I actually didn’t know that there are different kinds of phishing, so this is such an insightful article for me. But then again, whatever it is, it doesn’t really matter. The bottom line is, phishing drains a lot of money not only of the businesses but also of the government and all the organizations that are working their asses off to ensure that this unscrupulous practice is stopped once and for all. The reality, however, is these guys just keep getting better and better. They do have a very good chance of beating every security system we could have in place.

  3. Brandon Redfearn · September 14, 2012

    Actually, the figures state that the upfront cost for spear phishing is $10,000 (the $70,000 was in reference to the net-worth of a spear phishing victim). This would result in a profit equaling 15 times the investment. Unfortunately, that statistic is not encouraging.

  4. Jeff Orloff · September 27, 2012

    That is one way to look at it, but so many more phishers are going after the big targets because lower end anti-spam filters are still good at catching mass emailings. Spear phishing campaigns are much more targeted so they are able to trick some of these inadequate solutions, thus they will remain more profitable.

Leave A Reply