Picture this – an email pops into your inbox, and it’s from Apple.
“Your iCloud storage has expired,” it warns. “Upgrade before Sunday to claim a discount on your subscription, and avoid losing access to your saved photos.” Panicked, you click the link in the email, enter your card details and renew your subscription – or so you think.
It’s not until a week later, when you start to notice several strange transactions on your bank statement, that you start to suspect wrongdoing. And that, in fact, you may have been phished.
This is a common phishing scenario – but there are plenty like it. From ‘smishing’ and ‘vishing’ to spear phishing and whaling, there are certainly plenty of phish in the sea. And we mean plenty – there were 4.7 million phishing attacks in 2022 alone, representing more than a 150 per cent per-year increase since the beginning of 2019.
So what can you do to ensure your personal and professional safety online – and protect yourself, and your business, from phishing?
First, you need to understand it. That’s why below, we’re explaining what phishing is and how it works, before unpacking 30-plus of our top phishing statistics – from both abroad, and right here in the UK. We’ll then answer phishing’s most frequently asked questions, and explain how you can safeguard yourself (and your staff) from phishing in 2023.
Phishing is a form of fraud or cyberattack in which a fraudster attempts to trick individuals into revealing sensitive information, including usernames, passwords, credit card details, or other personal and financial data. The cybercriminal can then use this information to make unauthorised purchases on the person’s card, or assume control over their online accounts.
Much as a fisher attracts a fish with bait, a phisher also lures its victims in – typically by posing as a trustworthy entity (a process called ‘spoofing’), or through the insidious strategy of ‘social engineering’.
Let us explain.
Phishing works by exploiting human psychology – and our innate capacity for trust – to trick people into revealing sensitive information, or taking actions that benefit the phisher.
This is called social engineering. It’s a form of manipulation that – unlike traditional cyberattacks, which target websites – targets people. Social engineers deploy techniques of psychological persuasion (like enticing the target with an inviting deal or discount, or threatening repercussions if swift action isn’t taken) to trick their targets into giving up important details around their bank account and identity.
To achieve this, scammers use a variety of platforms – including SMS, email, and phone – with contact details bought on the Dark Web, or pilfered from various online sources (such as social media profiles, company bios, or leaked data).
The phisher then reaches out to the target with a call or a message to their email or phone. The message is often crafted to appear as though from a legitimate company and often will use the branding, logos, and language of the trusted organisation it’s attempting to impersonate (typically a bank, government agency, or other well-known business).
Phishing communications usually leverage human emotions – fear, greed, urgency, or simple curiosity – to solicit a quick response from the victim. One common phishing tactic, for example, is for a scammer to claim that a victim’s bank account has been compromised – and the only way to save the money is by transferring it to a new, ‘safe’ account that the fraudster has access to.
This is what’s known as a phishing ‘call-to-action’ (CTA). In the case of email or SMS phishing, it usually comes in the form of a link that the target must click to take a specific action. This might be to safeguard an account that’s been ‘closed’ or ‘hacked’, to renew a service that has recently ‘expired’, or to claim delivery of a package that has been ‘suspended’.
Here’s an example our researcher recently received.
At first glance, this phishing email might look legitimate. But look closer, and inconsistencies appear: the 60 days the copy invites us to claim free, versus the button which offers 90 days, for instance. Plus, the email is asking us to enter our credit card details to ‘validate’ our Spotify ID. Oh – and our researcher’s Spotify membership is still very much active.
As the Spotify-impersonating phishing email above demonstrates, the attacker will include links that appear to link to legitimate websites – but in fact direct the victim to a fake website that mimics the real thing. When there, they’ll be encouraged to enter their personal and credit card details to ‘authenticate’ their identity, and avoid the unwanted action the phishing email is threatening them with. When the victim does that, it’s simply a matter of the phisher collecting the data – then using it to defraud the customer of their money or infiltrate their accounts.
Not all phishing attacks work this way, however. Some trick the target into downloading malware onto their device, which then does the phisher’s work for them.
Many phishers will also have an exit strategy to conceal the fraud, and buy them more time to take advantage of the stolen details before the victim realises and cancels their card. To achieve this, the attacker may redirect the victim to the legitimate website after they’ve stolen their details – leaving them unaware that their security has been breached.
Phishing comes in many forms, and utilises different targets, methods, and platforms.
The first distinction is the way in which the phisher solicits contact with the victim. This could be through:
With that in mind, here’s a summary of the myriad types of phishing attack to look out for:
Bulk phishing (also known as ‘mass phishing’) is when the phisher sends out a huge number of phishing emails or messages to a large audience.
These emails are rarely tailored to the specific recipient, so they’re less convincing than the more customised approaches of spear phishing and whaling. But they also require less effort to plan and put together – and, by casting the net as far and wide as possible, bulk phishers increase their chances of landing upon at least a handful of unsuspecting victims.
Spear phishing is a targeted form of phishing, in which fraudsters customise their messages to specific individuals or organisations.
Rather than a blanket email that can be sent to hundreds or thousands of email accounts, a spear phishing attack involves communication that has been tailored to an individual recipient. To obtain the information they need, spear phishers often comb through an individual’s personal and professional online profiles for any details that add authenticity and legitimacy to the email.
In 2022, more than three-quarters (76 per cent) of phishing attacks were targeted – so it’s a threat you need to remain on the lookout for.
Whaling is a subset of spear phishing that targets high-ranking executives – such as CEOs or CFOs – within a company.
Hackers will do their research beforehand to compose an email that looks convincing – and use their pre-prepared knowledge of the target to trick them into revealing sensitive corporate information, or transferring funds to fraudulent accounts. Because of the target’s senior position in their company, whaling can often have the most serious consequences (both financial and reputational) for a business.
Business email compromise (BEC) fraud is similar to whaling in that it involves high-ranking executives within a company. But instead of targeting them (as with whaling), BEC phishers impersonate these executives – then use their online identities to trick other employees within the company into disclosing sensitive information.
Clone phishing involves an attacker creating a near-identical copy of a legitimate email that the victim has recently received and engaged with. The cloned email includes malicious links or attachments that – when opened – install malware on the target’s device, or encourage them to enter their details.
Like the other more targeted forms of phishing here, clone phishing can be extremely convincing, because the victim – having recently replied to a similar-looking email – is tricked into thinking it’s a legitimate follow-up.
Pharming attacks manipulate a website’s DNS (Domain Name System) settings to redirect internet users to fraudulent websites – even if the victims entered the correct website’s URL into their browsers. The bogus site will often be close to an exact replica of the original – meaning victims are unaware they’ve been redirected before it’s too late.
Search engine phishing (also known as SEO poisoning or SEO Trojans) is when scammers manipulate results in search engines such as Google or Bing to make their own (fraudulent) websites rank highly.
When unsuspecting users come along, they’re tricked into clicking on the phishing website, mistaking it for a legitimate answer to their query.
As the Anti-Phishing Working Group’s (APWG) Phishing Activity Trends Report for Q4 2022 reports, there were more than 4.7 million attacks in 2022. These attacks seem to be on an upward trajectory too, with more than a quarter of the year’s overall phishing (1.35 million, or 29 per cent) occurring in its final quarter alone.
Phishing may be on the rise, then – but how does it compare with other forms of online fraud and cybercrime? Which countries and industries are most targeted by phishers, how many phishing sites are lurking out there on the web – and which brand names are phishers most liable to hijack for their own purposes?
Let’s take a look.
Let’s first take a look at phishing’s state of play – from a worldwide perspective.
Now let’s home in on the UK. What kind of an impact is phishing having on our homegrown businesses – and how rife is phishing on British soil?
Well, according to SlashNext’s 2022 report – dubbed ‘The State of Phishing’ – the UK is the most targeted country in Europe for phishing.
The SlashNext data shows that in 2022, a staggering 96 per cent of British companies were the subject of phishing attempts. Spain (94 per cent) came second, while France (85 per cent) and Italy (79 per cent) got off comparatively lightly.
Here are some more UK phishing statistics to explore:
When it comes to the specific industries phishers tend to target, not all sectors are created equal – and some, say the data, are much more prone to phishing attacks.
According to Statista – which measured the industries worldwide most affected by phishing as of Q4 2022 – financial institutions are the most likely to find themselves in the crosshairs of phishers. A staggering 27.7 per cent of phishing attacks on businesses in Q4 2022 focused on companies in the financial services industry – but it’s far from alone in its victimisation.
The other industries most targeted by phishing include:
Diving deeper into phishing’s industry-related data, and we see an interesting trend – that the industries most affected by phishing aren’t necessarily the ones this form of fraud has the greatest (monetary, at least) impact on.
That’s because the average cost of the most financially damaging email-based phishing attack worldwide – around US$1.5 billion – was in the business and professional services industry, which doesn’t feature in the above list of the most affected industries. The media, leisure, and entertainment sectors – with average losses of around US$1.47 million – placed second.
As for how prepared and vigilant these industries are around phishing, Statista looked at the average failure rates for phishing simulations in organisations. Phishing simulations involve sending a fake phishing email to employees to test how well they flag and report it.
In 2022, employees in the electronics (14 per cent), aerospace (13 per cent) and mining (13 per cent) sectors had the highest phishing simulation failure rate; followed closely by their counterparts in the business services, consulting, food and beverage, and technology industries (all 12 per cent).
The lowest phishing simulation failure rates (perhaps unsurprisingly) were in the legal sector, with 8 per cent.
As we’ve seen with the phishing statistics above, this form of fraud is startlingly common – not only in the UK, but around the world.
Which begs the question – how can you protect yourself from it?
Read on to find out how to recognise phishing emails and websites, and which tools and best practices can help you fight it – as well as the importance of education in safeguarding your team and business from phishing threats.
When it comes to safeguarding your personal and professional life from phishing attacks, being forewarned is forearmed – and that starts with knowing exactly what a phishing email looks like. So here are our top tips for spotting a phishing email – before you engage with it.
Unless the phisher has gained access to the actual account of someone you know, their email will never come from that (legitimate) email address.
However, phishers can ‘spoof’ email addresses – that is, make email addresses with a similar name and construction – to trick you into thinking it’s the real person. So if you receive an email that looks even vaguely suspicious, run a magnifying glass over the address it came from – and double-check their email ID against messages you’ve previously received from that sender.
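The sender-address check described above can be made routine. The following is an added example, not code from the article: it takes a From: header, compares the sending domain against domains you have previously received legitimate mail from, and reports the red flags the article mentions (a display name that claims a brand the domain does not belong to, a domain that embeds the brand name, a one- or two-character lookalike, or non-ASCII homoglyphs). The trusted-domain list and the sample headers are constructed for illustration.

```python
"""Lookalike-sender check (added example; not code from the article)."""
from email.utils import parseaddr

# Constructed for this example: brands the reader already gets mail from,
# and the domains those legitimate messages actually came from.
TRUSTED_DOMAINS = {
    "apple": {"apple.com"},
    "spotify": {"spotify.com"},
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character swaps like app1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_red_flags(from_header: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the reasons a From: header looks spoofed; an empty list means
    the domain is one (or a host under one) you have trusted before."""
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["From: header carries no usable address"]
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")

    # A known-good domain, or a host under it, raises no flag.
    for domains in trusted.values():
        if any(domain == d or domain.endswith("." + d) for d in domains):
            return []

    flags = []
    if not domain.isascii():
        flags.append(f"domain {domain!r} contains non-ASCII characters (possible homoglyph)")
    name = display_name.lower()
    for brand, domains in trusted.items():
        if brand in name:
            flags.append(f"display name claims {brand!r} but domain {domain!r} is not a known {brand} domain")
        if brand in domain:
            flags.append(f"domain {domain!r} embeds {brand!r} without being a known {brand} domain")
        for d in domains:
            # Heuristic: a near-identical spelling of a trusted domain is a lookalike.
            if edit_distance(domain, d) <= 2:
                flags.append(f"domain {domain!r} is within two edits of trusted {d!r}")
    return flags


if __name__ == "__main__":
    # Constructed sample headers, modelled on the article's Apple and Spotify scenarios.
    for header in (
        "Apple <noreply@email.apple.com>",
        '"Apple Support" <billing@app1e.com>',
        '"Spotify" <help@spotify.com-verify.net>',
    ):
        print(header, "->", sender_red_flags(header) or "no red flags")
```

A clean result only means the domain matches one you already trust; a compromised legitimate account, as the article notes, passes this check.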
Often, phishers – particularly bulk phishers, who rely on a ‘scattergun’ approach – aren’t the most fastidious when it comes to spelling and grammar.
While this isn’t a blanket rule (spear phishers and whalers, for instance, tend to be more detail-oriented), what it means is that the content and format of phishing emails often contain errors and inconsistencies that few legitimate professional communications would. Looking for these can soon help you separate the real emails from the fraudulent.
One of the tactics of psychological manipulation phishers use is urgency – imploring the victim to do something quickly, or face the consequences of inaction. Through this, the phisher minimises the space the victim has to sit, wait, and contemplate the situation in full – while maximising the likelihood they’ll end up doing something they don’t want to.
So remain vigilant towards emails that threaten consequences, or impose arbitrary timelines on action – they’re a good indicator that you’re being phished.
Sometimes, this urgency isn’t outright stated by the phisher – it’s implied. Take the following phishing email, for example. It purports to be from Facebook, explaining that an unknown user logged into their account from a different device. While the email doesn’t demand action (although it does encourage the recipient to ‘Report the user’), it does elicit a sense of urgency, in that the recipient must act quickly or risk losing their Facebook account.
Just as phishers use the stick of consequence to threaten victims into compliance, they also use the carrot of reward to lure victims in with the promise of a special deal or discount.
Needless to say, stay wary of any unsolicited offers you receive via email – especially if they’re not with companies whose mailing list you’ve subscribed to. And remember the old adage – if it sounds too good to be true, it probably is.
Never click on a link in, or download an attachment from, an unsolicited email. If it is legitimate, there will always be some other way – whether that’s through a phone call, a text message, or a live chat conversation – to verify the communication’s authenticity.
The rule’s simple – if in doubt, just don’t click.
When it comes to telling phishing websites apart from their legitimate counterparts, many of the above rules apply, including checking for content and design inconsistencies, and remaining wary of threats or overpromises.
However, there are some more specific strategies you can use to spot a phishing website. These include:
Protecting yourself, your brand, and your bottom line from phishing can be a big task – but it’s not one you have to do alone. The following tools can help:
We also recommend getting into the habit of implementing anti-phishing best practices, which include:
Phishing may be prevalent, but – as we saw earlier, with employees in leading industries failing phishing simulations at rates of 12 to 14 per cent – it’s not all that easy to detect.
That means it’s absolutely vital to educate yourself – and your staff – around phishing. What does it look like, in all its forms? Why does it happen – and how can you report it when it does?
So empower your team with the knowledge they need to identify, understand, and prevent phishing. This could include:
If you’ve been phished, don’t panic – there’s still plenty you can do to mitigate the havoc the phisher can wreak on you or your business.
First up? Disconnect from the internet. If your device has been compromised, removing it from the web will prevent further communication with the attacker’s servers – and stop the immediate spread of any malware they might have installed.
Secondly? Change the passwords to any accounts which may have been compromised in the phishing attack. If you’ve entered your credit or debit card information anywhere, call your bank straight away – it’ll be able to cancel the compromised card so the phisher can’t use it to make unauthorised purchases. Similarly, if you’ve given away answers to the security questions on any of your online accounts, change them immediately by calling the company.
Next, report the phishing attempt to the relevant authorities. In the UK, the government recommends getting in touch with Action Fraud if you’ve lost money or been hacked because of an online scam – you can report a phishing attempt this way, or call 0300 123 2040. If the phishing has occurred in a work-related context, be sure to report it to your IT department, too.
Going forward, keep an eye on your accounts for suspicious or unauthorised activity – such as unfamiliar transactions, changes to account settings, or emails in your sent folder you don’t recognise. Report anything that doesn’t look right to your service provider.
You should also remain vigilant to phishing attacks in the future, reading up on what they are, the forms they take, and what you can do to stop them.
Phishing works so well because many phishers are skilled in the dark arts of psychological manipulation. These ‘social engineers’ blend a potent cocktail of persuasive language, exciting incentives, veiled threats, emotional appeals, and manufactured urgency to wear victims down and get under their skin – often with extremely high levels of success.
What’s more, the best phishers convey a strong sense of legitimacy. By creating emails and websites that closely mimic the brand, tone, and layout of the companies users know and love (if, that is, we don’t look too closely), phishers can seem authentic.
That’s not to say they’re impossible to stop – simply that often, we’re too distracted, disengaged, or time-poor to realise we’re being phished in the first place.
Modern enterprises tackle phishing with a variety of methods – many of which we’ve explored above. These include a combination of the following:
Many of us fancy ourselves as experts at spotting phishing emails. And some – like the examples we used above – are too obviously fake to cause us any issues. In fact, most phishing emails we receive we’ll never read – they’re simply filtered out by our email providers, and sit in our spam inboxes until we remember to delete them.
But the reality is, phishing emails are a real threat.
Emerging phishing techniques – such as spear phishing and whaling – show how phishing is becoming more tailored and targeted. And, armed with increasingly (and artificially) intelligent tools such as ChatGPT, fraudsters – many of whom are already astute psychological manipulators – have fewer and fewer barriers to creating convincing, customisable phishing communications.
It’s not all doom and gloom, though. As the phishers get smarter, so too does the technology individuals and businesses have to fend them off. Anti-malware software, multi-factor authentication, endpoint protection platforms, and password managers are all highly effective against phishers – and only scratch the surface of what’s available.
Your only responsibility? To use them.
What’s more, be sure to stay up to date with the latest phishing statistics – and trends – as they unfold; and keep you, your colleagues, and your loved ones in the know. Remember, your first and best defence against phishing is knowledge – so be sure to dip back into this article as we keep it updated with the latest phishing facts and figures.