Optistar uses cookies to make our website work properly and to provide the most relevant content and services to our clients and site visitors.


10 Phishing Facts: Employee Behavior & Insider Risk

April 14, 2022

These Phishing Facts Illustrate the Dangers of Employee Mistakes

Phishing is one of the biggest threats that any organization faces today. An estimated 80% of companies say that they experienced an increase in the number of phishing attacks they faced in 2021, and no one expects that to slow down anytime soon. The precursor to damaging cyberattacks like business email compromise, ransomware, account takeover and more, a strong defense against phishing is an important foundational element of any strong cyber defense. These phishing facts help illustrate the importance of building that strong defense against phishing. 

That’s what makes employee behavior around phishing so critical to keeping organizations safe from cybercrime. Unfortunately, employee behavior can be unpredictable, and employees will inevitably make mistakes. Human error causes, like an employee opening a dodgy email, are responsible for an estimated 90% of security breaches at organizations of every size according to IBM’s X-Force Threat Intelligence Index. Learning more about employee behavior and insider risk in relation to phishing can help keep organizations away from phishing trouble. 

10 Phishing Facts About Dangerous Employee Behavior

  • One-fifth of employees in a study interacted with spurious emails.  
  • 45% of employees click emails they consider to be suspicious “just in case it’s important.”  
  • 1 in 3 employees are likely to click the links in phishing emails.    
  • 41% of employees failed to notice a phishing message because they were tired.    
  • 47% of workers cited distraction as the main factor in their failure to spot phishing attempts.  
  • 30% of phishing messages get opened by targeted users. 
  • 1 in 8 employees are likely to share information requested in a phishing email.      
  • 60% of employees opened emails they weren’t fully confident were safe.    
  • 45% of employees never report suspicious messages to IT for review.       
  • 97% of employees cannot spot a sophisticated phishing email. 

It’s a Sad but True Phishing Fact: Employees Encounter Brand Fraud and Spoofing Every Day  

Every day, employees receive an ever-growing volume of email messages, and how those messages are handled can make or break a company’s security and its budget. Especially when those messages are phishing attacks – an estimated 65% of insider threat incidents are caused by employee actions around phishing. Many of those email messages are supposedly from well-known brands. But not all of those messages are trustworthy.

Brand impersonation is a common cybercriminal tactic – 25% of all branded emails that companies receive are spoofed or brand impersonation attempts. Traditionally Microsoft holds the top spot. But DHL surpassed them at the end of 2021. Microsoft came in at number two, the brand that cybercriminals mimicked for one-fifth of phishing schemes. Communication juggernaut WhatsApp came in third with Google just on its heels. LinkedIn is still a cybercriminal go-to, but Facebook (now going by Meta) dropped out of the top 10 in 2021.   

Phishing Facts: The 10 Most Impersonated Brands

  1. DHL 23%  
  2. Microsoft 20%  
  3. WhatsApp 11%  
  4. Google 10%  
  5. LinkedIn  8%  
  6. Amazon  4%  
  7. Roblox  3%  
  8. FedEx  3%  
  9. PayPal  2%  
  10. Apple  2% 

These Phishing Facts Show That Every Industry is At Risk of Trouble

Approximately 145 million people use Microsoft 365 every day. That’s a big reason why Microsoft is the perennial champion of brands that are imitated for attachments. Employees handle a lot of Office files giving cybercriminals plenty of openings to deploy ransomware or other dirty tricks. Just under 50% of malicious email attachments arrive in Microsoft Office formats. Microsoft Office formats like Word, PowerPoint and Excel are popular file extensions for cybercriminals to use when transmitting malware via email, accounting for 38% of phishing attacks. The next most popular delivery method: archived files such as .zip and .jar, which account for about 37% of malicious transmissions.   

The Top 5 Sectors in Which Employees Are Likely to Interact with Phishing Messages   

  1. Consulting  
  2. Apparel and accessories  
  3. Education  
  4. Technology  
  5. Conglomerates/Multi-Nationals  

In which industries will cybercriminals find the people who are most likely to submit credentials or share information? These are the top 5 most vulnerable industries:   

The Top 5 Sectors in Which Phishing Leads to Credential Compromise  

  1. Apparel and accessories  
  2. Consulting  
  3. Securities and commodity exchanges  
  4. Education  
  5. Conglomerates/Multi-Nationals 

Website Categories Most Targeted by Phishing Attacks  

As the percentage of total recorded phishing attacks in Q1 2021  

  1. Financial Services & Banking: 24.9%  
  2. Social Media: 23.6%  
  3. SaaS & Webmail: 19.6%  
  4. Payment: 8.5%  
  5. E-Commerce & Retail: 7.6%  
  6. Shipping & Logistics: 5.8%  
  7. Cryptocurrency: 2%  
  8. Other: 8% 

Where are the bad guys sending those messages inside an organization? A phishing study shows that the answer is: All over the place. No department is safe from the enticements of sophisticated phishing messages. Surprisingly, 75% of the respondents indicated that the targets of many phishing attempts were IT staffers themselves, who you’d think would be savvy to these attacks, except 40% of those IT staffers fell for the bait.     

Departments Most Likely to Be the Target of Phishing   

% of total attacks a business experiences

  1. IT = 75%   
  2. Sales =35%   
  3. Executives = 27%   
  4. Marketing = 25%   
  5. Customer Support = 21%  

It’s a Phishing Fact That It’s Growing More Expensive

Phishing volume reported to the U.S. Federal Bureau of Investigations Internet Crime Complaint Center (FBI IC3) had a solid 29% growth in 2021, rising from 241,342 in 2020 to 323,972 in 2021. Phishing has shown consistent growth year-on-year. 

The cost of phishing is also constantly growing. The 2021 Ponemon Cost of Phishing Study shed light on the massive revenue hits that companies can suffer in the wake of a successful phishing attack. The biggest takeaway from this report is the colossal increase in the cost of a phishing attack for businesses. Researchers say that the cost of phishing attacks has almost quadrupled over the past six years, with large US companies losing an average of $14.8 million annually (or $1,500 per employee) to phishing. That’s without adding the expense of dealing with an incident investigation, regulatory penalties or ransoms (and paying ransoms can be illegal).   

Ransomware attacks commonly start with a phishing message. IC3 received 3,729 complaints identified as ransomware in 2021, a 51% increase over 2020’s 2474. Those complaints also cost victims a lot more money than in previous years. Ransomware victims suffered losses of more than $49.2 million. That’s a 69% increase over the $29,157,405 recorded in 2020. 

By far the most financially damaging potential result of phishing is business email compromise (BEC). In fact, the FBI declared it 64x worse than ransomware for businesses. There was 28% growth in BEC losses between 2020 and 2021. The BEC/EAC category clocked in at a painful $2,395,953,296 in losses. That’s an average loss of $120,000 per victim, compared to last year’s $96,700 per victim. Investment scams rolled in in second place, up an astonishing 333% over 2020.    

 Source: FBI IC3

This Phishing Fact is Also True: Security and Compliance Awareness Training Reduces the Risk of An Employee Falling for Phishing 

Security awareness training has a huge effect on employee behaviors around phishing, bringing businesses an array of powerful benefits that save money and reduce risk fast. 

Protect Your Organization With Optistar’s Cybersecurity Solutions

At Optistar, we offer a full suite of industry-leading Cyber Defense solutions to keep you and your company safe and operating with a peace of mind most professional services firms do not have. Contact us for a FREE Consultation to learn how we can assist you and your organization.

Be sure to check out our blog section for technical tips, cybersecurity alerts and guidance. In addition, be sure to check out our past webinars here and keep an eye out for our next upcoming webinar!

Back to Insights
Sign up for More Insights