How Many Phishing Emails Are Sent Daily in 2024? (New Stats)
Introduction
Phishing emails continue to be one of the most persistent cybersecurity threats facing individuals and organizations worldwide. These fraudulent emails are designed to trick unsuspecting users into handing over sensitive information or installing malware. But just how pervasive is the phishing epidemic? As a cybersecurity analyst, I‘ve dug into the latest data to find out exactly how many of these deceptive messages are sent each day.
Defining Phishing
For those less familiar with phishing, let‘s quickly define what it is before diving into the numbers. Phishing is a form of social engineering attack often carried out through email, where an attacker masquerades as a trusted entity to trick victims into revealing login credentials, financial information, or other sensitive data.
These messages often have a sense of urgency or leverage fear to pressure victims into immediate action before they have time to think things through.
Common phishing tactics include:
- Spoofing the sender address so the email appears to come from a legitimate organization
- Embedding fake system alerts about account lockouts or failed payments needing immediate attention
- Directing victims to sophisticated fake login pages to harvest account credentials
- Malicious attachments that install malware if opened
- Links to phishing kits designed to mimic trusted websites and capture entered data
Anatomy of a Phishing Email
While phishing emails may seem easy to spot, today‘s more sophisticated attacks often slip past spam filters and trained eyes. Let‘s break down the typical anatomy:
- Subject lines create a sense of urgency like "Alert: Failed Payment" or "Account Lockout"
- Spoofed sender addresses feature minor misspellings of real domains
- Embedding brand logos and HTML templates matching legitimate sites
- Body content full of alarming (but vague) warnings demanding account updates
- Links and forms pointing users to credential harvesting pages mimicking employer/vendor portals
Even trained security experts can struggle to identify dead giveaways. Attackers use just enough legitimacy across design, domain names, and language to trick their targets into lowering their guard.
Global Phishing Volumes
According to the Anti-Phishing Working Group, roughly 1 million new phishing sites now launch each month. With an average of over 30,000 unique sites created daily, this translates into:
- Over 1 billion phishing attacks sent globally per year
- 3 million phishing emails sent every day
- 125,000 phishing emails sent every hour
| Annual Phishing Emails | 1 billion+ |
| Daily Phishing Emails | 3 million+ |
| Hourly Phishing Email Volume | 125,000+ |
And again, these estimates focus solely on attacks leveraging newly created phishing sites. The total volume spikes even higher when you factor in email campaigns orchestrated through compromised infrastructure rather than disposable domains.
Based on phishing takedowns by hosting providers and registrars, phishing sites have an average lifespan of just 8 hours. However, nearly 50% last over 24 hours before getting shut down.
This means even short-lived sites can churn out thousands of attacks before blacklisting. Attackers simply absorb the site losses as the cost of doing business.
Pandemic Impact on Phishing
Phishing attack volumes saw explosive growth during the COVID-19 pandemic as both individuals and organizations relied more heavily on digital services.
With corporate VPN usage surging due to remote work policies, phishers targeted everything from video conferencing credentials to file storage links. Out-of-date patches on quickly-deployed machines also expanded vulnerabilities.
Phishing appears to have leveled off post-pandemic based on 2023 data. However, attack volumes remain well above pre-pandemic figures.
Clearly, the phishing threat isn‘t going away anytime soon as cybercriminals shift tactics to match current events. Next let‘s break down which sectors attackers target most frequently.
Industries Most Phished
While phishing scams take a broad approach across sectors, some industries face more frequent bombardment than others.
An analysis by PhishLabs found the following breakdown of sectors most targeted by phishing sites and emails:
| Software-as-a-Service (SaaS) | 25% |
| Payment Services | 22% |
| Retail/Ecommerce | 10% |
| Financial Institutions | 8% |
| Social Media | 7% |
| Shipping/Logistics | 6% |
| Media/Entertainment | 5% |
| Government/Public Sector | 4% |
Software platforms like Google Workspace and Office 365 make prime targets due to the breadth of apps and interconnectivity across both personal and professional contexts. Just think about all the data access and account controls bound to Gmail or Outlook alone.
Payment brands also deal with endless attacks due to the potential for monetizing compromised accounts through fraudulent purchases and transfers.
Retail faces assaults for similar reasons as attackers cash in on account credential theft. Media, shipping, and government sectors also get targeted aggressively as well due to deep supply chain connectivity.
Basically any industry that provides either highly valuable account access or critical downstream supplier access faces heavy phishing activity these days.
Countries Most Phished
No region escapes the phishing epidemic, but attack volumes concentrate more heavily across certain geographies.
A broad analysis across over 500 billion phishing emails revealed the following country breakdown:
| United States | 28.4% |
| Brazil | 14.2% |
| France | 6.1% |
| United Kingdom | 5.7% |
| Canada | 4.7% |
The U.S. suffers from the highest concentration of phishing attempts driven by immense consumer spending power and payments volume. Plus English remains the language of business, even internationally.
Highly connected emerging economies like Brazil and Indonesia also attract waves of attacks. Growth often outpaces security for developing digital markets.
Europe sees aggressive phishing reflecting heavy ecommerce adoption. And Canada faces perpetual attacks as fraudsters follow the money trail of its educated, tech-savvy population.
Essentially any region with an extensive online population faces heavy bombardment. Attackers localize messages across dialects, brands, events, and cultural references to boost response rates. Criminals pursue the path of least resistance wherever opportunities appear globally.
Seasonal Phishing Trends
Beyond geographic breakdowns, phishing volumes actually fluctuate based on seasons and events throughout the year.
Analysis from ProofPoint found the spikes in reported phishing attempts across industries as follows:
| Winter Holidays | 19% increase |
| Summer | 13% increase |
| Back-to-School | 12% increase |
| New Year | 11% increase |
Holiday phishing aims to catch consumers off-guard during busy shopping periods, relying on fears over missed deliveries, payment issues, or account lockouts.
Back-to-school targeted parents, students, and teachers equally across sectors. Retail and payment brands faced the most pressure during peak periods.
IT and security teams should factor in these seasonal spikes as they allocate resources to phishing defense.
Latest Phishing Threat Trends
While email remains the top conduit for phishing attacks globally, emerging platforms also offer rich attack surfaces for fraudsters:
Mobile Phishing
With society now perpetually connected via smart devices, mobile users make prime targets from anywhere, at any time:
- Over 200 million mobile phishing attempts occur globally per year
- 43% of mobile users don‘t know how to identify suspicious texts or websites
- iOS users get targeted most due to higher incomes and digital spending
Tactics like SMS phishing and smishing leverage system alerts to trick mobile users into clicking links. App permissions also provide access to contacts and networks prized by attackers.
As mobile messaging explodes globally, expect phishing volumes to follow.
Voice Phishing (Vishing)
Call spoofing now lets attackers mask numbers to imitate banks, tech support, or other sources by phone:
- Losses from voice phishing near $30 billion since 2016 in the U.S.
- Microsoft warns enterprise vishing attacks jumped 100% year-over-year
From individuals to massive call centers, cheap VoIP infrastructure drives automated call scams globally. Tactics aim to harvest credentials or install remote access malware. Defenses remain low as users opt for convenience over call verification.
As voice channels continue growing around account security and commerce, voice phishing will scale exponentially.
IT Security Best Practices
For enterprise security leaders looking to upgrade phishing defenses, layers remain key:
- Enable DMARC email authentication across all domains to block spoofing.
- Mandate security training to spots signs of phishing techniques.
- Test employees against simulated phishing attacks to track response rates.
- Confirm reported phishing emails with providers to strengthen filters.
- Multi-factor authenticate critical account access.
- Install a secure email gateway for deeper scam inspection.
With scam techniques constantly evolving, even the most trained users make mistakes. Bolster technological controls to reduce reliance on human accuracy alone.
Prioritize defenses across teams most targeted by attackers due to access privileges or public visibility. Ultimately phishing resilience requires layers across people, process & technology.
Financial Damage Totals
The monetary damage inflicted by phishing totals in the billions annually at this point:
- Over $40 billion lost to BEC phishing since 2016 in the U.S.
- $14,700 average loss per enterprise phishing breach
From compromised corporate accounts to stolen consumer credentials spread across dark web marketplaces, the cumulative costs run high.
And those figures don‘t even touch the brand and reputation damage caused by high-profile breaches. Phishing risks should rank high on the priority scale for leadership across sectors.
Outlook on the Phishing Landscape
Despite phishing prevention advancing across training and technology, attack volumes continue setting new records annually:
- 30,000+ new phishing sites launched every single day
- 3+ million phishing emails sent each day worldwide
- $40+ billion in losses to phishing since 2016
With online activity skyrocketing globally across business and consumer audiences alike, expect phishing attempts to follow suit. The past decade shows cybercriminals relentlessly innovating new techniques to bypass protective measures in pursuit of valuable data.
But with a layered defense model across security awareness, email protections, endpoint security, and access governance, organizations can drastically reduce breach rates. By understanding the sheer scale and variety of phishing threats across attack vectors, IT and security teams can strategically allocate resources.
There‘s no panacea against phishing in the modern threat landscape. Resilience requires playing both strong offense and defense across all fronts. But with billions invested annually into information security, the economic incentives now drive innovation across technologies to counter the endless creativity of cybercrime around the world.
