54% of successful phishing attacks end in customers' data breach

Ruth C. | May 17, 2022

While not all cyberattacks succeed, those that do usually have devastating consequences for both organizations and their clients.

According to the data presented by the Atlas VPN team, more than half (54%) of successful phishing attacks end in a customer or client data breach, followed by credential and account compromise (48%). Overall, 83% of organizations reported they had experienced a successful phishing attack in 2021.

The data is based on Proofpoint's 2022 State of the Phish Report. The report features data from a survey with 600 IT security professionals from Australia, France, Germany, Japan, Spain, the United Kingdom, and the United States, which were asked about their organization's experiences in 2021. You can also check out our report on phishing statistics 2022.

Following customer or client data breach and credential and account compromise were ransomware infections. They accounted for 46% of successful phishing attack results last year. Ransomware is the type of malware that blocks access to a victim's data unless a ransom is paid.

Other common consequences of phishing attacks include loss of data and intellectual property (44%), malware other than ransomware (27%), reputational damage (24%), widespread network outage and downtime (22%), advanced persistent threat (18%), financial loss (17%), zero-day exploit (15%), and financial penalty or regulatory fine (11%).

Social engineering attacks like phishing heavily rely on human factors, such as an employee clicking a malicious link in order to be successful. Therefore, the most effective way to safeguard against such attacks is to invest in employee training where employees would be educated on recognizing cyberattack attempts and how to act when they do.

Bulk phishing attacks were most frequently faced by organizations

While cybercriminals tried various phishing methods to lure in the victims, some attack types were more common than others. Out of all, bulk phishing was the most frequently used attack. In total, 86% of companies experienced bulk phishing attacks last year.

In bulk phishing attacks, cybercriminals send out generic phishing emails to a vast number of targets in hopes that at least some will fall for the attack.

The second most common type of phishing attacks organizations faced was spear phishing and whaling. Such targeted attacks hit 79% of companies worldwide.

In contrast to bulk phishing, spear phishing is a targeted attack where cybercriminals have researched their victim beforehand and use personal information they have found to make their message more believable. Meanwhile, whaling phishing attacks are particularly targeted at high-profile people to maximize gain.

Email-based ransomware attacks occupy the third spot on the list. They affected 78% of organizations.

In the meantime, business email compromise (BEC) attacks were encountered by 77% of companies. In BEC attacks, cybercriminals send out emails that look like they come from a known source, such as a colleague or a vendor, in hopes of getting the receiver to reveal sensitive information or transfer funds.

However, email was not the only medium where criminals tried to phish victims. Other types of phishing attacks that plagued organizations last year include smishing (74%), social media attacks (74%), vishing (69%), and malicious USB drops (64%).

Study: Amazon, DHL, and DocuSign most imitated brands in phishing emails