Below is a comprehensive list of key data points on phishing from 2023 onward, organized by category. These statistics cover attack volumes, growth trends, targeted industries, common tactics, success rates and losses, regional insights, security awareness, emerging attacker techniques, and notable recent phishing incidents. 

Phishing Attack Volume & Frequency

Record-high phishing volume: Nearly 5 million phishing attacks were observed in 2023, the worst year on record. This was slightly above 2022’s total (~4.74 million), continuing an upward trend.

Trillions of phishing emails: An estimated 3.4 billion phishing emails are sent each day globally, over 1 trillion per year, making phishing the most pervasive form of cybercrime.

Most common cybercrime by count: Phishing (including email/social media scams) is the #1 reported cybercrime category. In 2022, the FBI’s IC3 received 300,497 phishing/smishing/vishing complaints – more than any other cybercrime type. 2023 saw a similar volume with over 298,000 phishing incidents reported in the U.S.

Phishing complaint trends: The FBI noted phishing complaints doubled from 2018 to 2022 (from ~160k to 300k+). Overall cybercrime reports reached a record 880,000+ in 2023, with phishing consistently the top complaint for 4+ years.

Global detections rising: Kaspersky’s anti-phishing systems blocked 709.6 million phishing attempts in 2023, a 40% increase from the previous year. Attacks surged notably in May–June and remained high through year-end (likely tied to holiday scams).

Quarterly spikes: Phishing volumes can spike dramatically – e.g., one security provider saw phishing emails jump 173% in Q3 2023 vs. Q2 (493.2 million vs 180.4 million in their telemetry). Such spikes suggest large-scale campaigns or improved detection.

Late-2023 resurgence: After a dip in early 2023, phishing rebounded strongly. Q4 2023 alone saw 1,077,501 attacks reported to APWG. The mid-2023 lull was partly due to the shutdown of a free domain service abused by phishers (Freenom), but attackers adapted with new resources by Q4.

Incidence frequency: Phishing attempts are a daily headache – 57% of organizations encounter phishing attacks at least weekly or daily. Virtually every business can expect phishing emails to hit their inboxes regularly.

Organizations targeted: 94% of organizations were victims of phishing attacks in 2023, and 96% of those affected suffered negative impacts (financial or otherwise). This underscores that almost every company is in the crosshairs.

User encounter rates: Vietnam had the highest user-encounter rate of any country in 2023, with 18.9% of its internet users facing a phishing attack. (By comparison, the rate was ~12–17% in the next most-targeted countries.)

Email remains dominant: Roughly 96% of phishing attacks arrive via email. Despite the rise of text and voice scams, email continues to be the primary delivery mechanism for phishing globally.

Phishing Year-over-Year Growth Rates

Continued growth: Phishing attack volumes have grown exponentially in recent years. APWG recorded ~779,000 attacks in 2019, but 4.74 million in 2022 – a ~6× increase in three years. 2023’s total (~4.99 million) was 5% higher than 2022, reaching a new peak.

Double-digit annual jumps: Yearly phishing totals jumped +137% (2019–2020), +54% (2020–2021), and +66% (2021–2022). While growth slowed in 2023, the overall trend is a sharp rise compared to pre-2020 levels.

Enterprise impact up: Even as the percentage of organizations hit by successful phish slightly declined (84% in 2022 to 71% in 2023), the consequences worsened. Reports of regulatory fines (financial penalties) due to phishing rose 144% year-over-year, and reports of reputational damage rose 50%.

Mid-2024 uptick: Phishing remains on the upswing into 2024. Q3 2024 saw 932,923 attacks, up from ~877,536 in Q2. This ~6% quarterly increase suggests 2024 may set another record if trends hold.

Smishing growth: SMS-based phishing (smishing) is increasing rapidly. Smishing attacks rose 22% in Q3 2024 alone. Over 28% of all phishing attacks in 2023 were delivered via text messages, reflecting how attackers are diversifying beyond email.


Industries & Sectors Most Targeted by Phishing

Social media & SaaS on top: Toward late 2023, social media became the most phished sector – 42.8% of all phishing attacks in Q4 2023 targeted social media platforms. (This was a huge jump from 18.9% in Q3, indicating a surge in Facebook/Instagram/LinkedIn impersonation and account theft scams.)

Financial institutions: Banking and finance consistently rank among top targets. In mid-2023, 23% of phishing attacks targeted financial institutions (e.g. banks, online payment services). Financial services had been the #1 sector in many prior reports, though it fluctuates quarter by quarter.

Email/Web services: Webmail and SaaS (software/web services) accounted for ~22.3% of phish attacks in Q2 2023. Cloud service login pages and email login scams (Microsoft 365, Google Workspace, etc.) are prime phishing lures given their broad user base.

Shift in target mix: The targeting mix is evolving – earlier in 2023 finance was top, but by Q3–Q4 attacks against social media users exploded, overtaking financial phishing. This suggests cybercriminals are chasing social media credentials (which can be monetized or used for further fraud) at unprecedented levels.

Other heavily targeted sectors: Government agencies, military contractors, and education/research organizations also face high rates of phishing attacks. From Q3 2022 to Q3 2023, the top three sectors for social-engineering attacks were government (44% of incidents), defense industry (19%), and science/education (14%). These targeted attacks often aim at espionage or data theft.

Brands impersonated: Phishers often impersonate well-known brands to gain trust. Over 55% of phishing emails spoof or reference a popular brand name in the content. For example, LinkedIn was the single most imitated brand in one analysis (appearing in 52% of brand-phishing attempts globally), and other top spoofed brands include DHL (14%), Google (7%), Microsoft (6%), and Amazon.

Q3 2024 snapshot: As of Q3 2024, social media (30.5%), webmail/SaaS (~22%), and financial services remain the most attacked sectors. Phishing attacks on social platforms have consistently led, reflecting attackers’ interest in social accounts.

Sector-specific spikes: Certain industries saw dramatic spikes in phishing in 2023. For instance, one report noted phishing targeting government jumped ~292% in one quarter, while attacks on media and finance sectors each more than doubled (+125% or more) in that period. Even traditionally lower-target sectors (e.g. logistics) saw increases, indicating no industry is safe.

Common Phishing Tactics, Vectors & Methods

Email is king: Email delivers over 90% of phishing attacks. Estimates indicate 91% of all cyber-attacks begin with a phishing email entry point. This includes everything from broad spam campaigns to targeted spear-phishing.

Alternate channels rising: Attackers are also exploiting other channels: a third of IT professionals report increases in phishing on messaging platforms. Phishing isn’t limited to email – 44% of organizations have seen phishing via video conferencing apps, 40% via business chat apps, 40% via file-sharing services, and 36% via SMS texts.

SMS phishing prevalence: Smishing (SMS/text phishing) comprises roughly 28% of phishing attacks as of 2023, and nearly 40% of all mobile device threats are credential-phishing via SMS. Fake package delivery texts, bank alerts, and MFA code scams via SMS are extremely common.

Voice phishing (vishing): Phone-based phishing is surging. Vishing incidents rose over 16% in Q4 2023 from the previous quarter, and a staggering 260% compared to Q4 2022. Attackers increasingly call victims pretending to be tech support, customer service, etc., to steal credentials or money.

Hybrid “callback” scams: A blend of email and phone tactics, telephone-oriented attack delivery (TOAD) scams have spiked. These attacks start with an email containing only a phone number, prompting the user to call a fake helpdesk. About 10 million TOAD/phishing callback attempts occur per month on average, peaking at 13 million in August 2023. This method lures victims into divulging info or allowing remote access by phone.

Business Email Compromise (BEC): BEC scams (impersonating a colleague or boss to trick employees) remain highly damaging. The FBI reports BEC scams caused $50.8 billion in losses between 2013 and 2022. In 2022 alone, there were ~21,832 BEC complaints with $2.7B in losses in the U.S. While BEC volume in English-speaking countries stabilized in 2023, BEC attack volume grew in regions like Japan (+35%), South Korea (+31%), and UAE (+29%) as criminals leveraged better translation (often via AI).

Links vs. attachments: The most common phishing technique is still deceptive URLs embedded in messages. Malicious links account for ~35–36% of phishing threats analyzed in large email datasets. Attachments are used slightly less often – but when they are, PDFs and Office docs are popular.

Popular attachment types: PDF files are the most common malicious email attachments, comprising ~50% of malicious file attachments in phishing emails (as of Q3 2023). Attackers favor PDFs (and Office docs) because they appear innocuous or business-related. Compressed archives (ZIP, RAR, 7z) are also frequently used – about 37% of phishing attachments are archives, and ~30% are document files (often containing macros or malware).

Credential input pages: Phishing links often lead to fake login pages. About 50% of phishing URLs direct victims to fraudulent data-entry sites that mimic legitimate login portals. The goal is to steal usernames, passwords, 2FA codes, etc., which are then used to breach accounts.

Use of legitimate services: Attackers abuse trusted platforms to evade detection. For instance, 91% of bait phishing emails are sent from newly created Gmail accounts (free webmail is used to appear more legitimate and to get past some filters). Phishers also host scam pages on platforms like Google Sites, Microsoft Forms, Dropbox, etc., to leverage those domains’ reputations.

Spear-phishing vs bulk: Highly targeted phishing (spear-phishing) is rare but potent. Spear-phishing emails make up under 0.1% of total email volume, yet they account for 66% of data breaches. This highlights that tailored attacks aimed at specific individuals (often with personal or organizational context) are far more effective than generic spam blasts.

Spear-phishing targeting organizations: Half of large organizations (50%) reported being targeted by spear-phishing in 2022, receiving on average 5 spear-phishing emails per day. These often impersonate executives, vendors, or VIP clients to trick employees.

Whaling (CEO fraud): “Whaling” attacks that impersonate senior executives skyrocketed with remote work reliance. Between Q1 2020 and Q1 2021, reported whaling attempts increased 131%. This trend continued as attackers capitalized on the chaos of shifting work environments to prey on high-level targets.

Brand impersonation tactics: 51.7% of malicious emails analyzed by Cloudflare were disguised as coming from Microsoft, Google, Amazon or other major tech brands. Overall, approximately 3 in 5 phishing attacks (55–60%) involve a well-known brand logo or name to appear legitimate. Common spoofs include package delivery notices (DHL/FedEx), social networks (Facebook/LinkedIn), streaming services, and banks.

Typical phishing lures: Phishing emails often use urgent or business-like language. Top phishing email subject keywords include terms like “Invoice”, “Payment”, “Required”, “Urgent”, “Document”, “Request”, “Verification”, etc. These trigger words are meant to lower the recipient’s guard by implying an expected or pressing matter.

Evading detection with QR codes: Attackers have started embedding QR codes in phishing emails (within images/PDFs) to bypass URL filters. The use of QR codes in phishing rose in Q3 2023, as security scanners struggle to read them compared to plain text links. Scanning the QR takes the victim to a malicious site.

“Phishing-as-a-Service” toolkits: The underground market offers ready-made phishing kits and services. Phishing-as-a-Service (PhaaS) platforms (like EvilProxy) provide criminals with pre-built phishing infrastructure (web templates, domains, etc.). Over 1 million attacks per month are launched using the EvilProxy phishing framework, which even enables stealing MFA tokens. This commoditization makes it easier for less-skilled attackers to phish at scale.
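To make the indicators above concrete from the defender's side, here is an added example (not code from the original page or from Control D) that scores constructed sample messages on those indicators: the lure keywords, a brand named in the text paired with an unrelated sender domain, link text whose visible domain differs from the real href, a callback-only message with a phone number and no links (TOAD), a near-empty body carrying only an image or PDF (the QR-code pattern), and a free-webmail sender. The weights, the brand-to-domain table and the sample messages are assumptions made for the example.

```python
# Added example (not the page's or Control D's code): heuristic triage scoring for the
# phishing indicators listed above. Weights, brand table and samples are constructed.
import re
from dataclasses import dataclass, field

LURE_WORDS = {"invoice", "payment", "required", "urgent", "document", "request", "verification"}
BRAND_DOMAINS = {  # illustrative assumption: brand name -> domains it really sends from
    "microsoft": {"microsoft.com"}, "google": {"google.com"}, "dhl": {"dhl.com"},
    "linkedin": {"linkedin.com"}, "amazon": {"amazon.com"},
}
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
SENDER_DOMAIN_RE = re.compile(r"@([\w.-]+)")
URL_HOST_RE = re.compile(r"^(?:https?://)?([\w.-]+)", re.I)
URLISH_RE = re.compile(r"^(https?://)?([\w-]+\.)+[a-z]{2,}(/\S*)?$", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")


@dataclass
class Email:
    sender: str            # raw From header
    subject: str
    body_text: str         # plain-text rendering of the body
    links: list = field(default_factory=list)        # (display text, href) pairs
    attachments: list = field(default_factory=list)  # (filename, MIME type) pairs


def base_domain(host):
    """Last two labels of a host (no public-suffix list: a simplifying assumption)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def url_host(url):
    """Host part of a URL or bare domain, lowercased ('' if none)."""
    m = URL_HOST_RE.match(url.strip())
    return m.group(1).lower() if m else ""


def triage(mail):
    """Return (score, reasons); a higher score means more phishing indicators."""
    score, reasons = 0, []
    m = SENDER_DOMAIN_RE.search(mail.sender)
    sender_base = base_domain(m.group(1)) if m else ""
    text = (mail.subject + "\n" + mail.body_text).lower()
    # 1. Urgent / business lure words in the subject line
    hits = sorted(w for w in LURE_WORDS if w in mail.subject.lower())
    if hits:
        score += 1
        reasons.append("lure words in subject: " + ", ".join(hits))
    # 2. A brand is named but the mail did not come from that brand's domain
    for brand, real in BRAND_DOMAINS.items():
        if brand in text and sender_base not in real:
            score += 2
            reasons.append(f"mentions {brand} but sender domain is {sender_base or 'unknown'}")
    # 3. Link text shows one domain while the href points somewhere else
    for display, href in mail.links:
        if URLISH_RE.match(display.strip()):
            shown_host, real_host = url_host(display), url_host(href)
            if base_domain(shown_host) != base_domain(real_host):
                score += 3
                reasons.append(f"link text shows {shown_host} but points to {real_host}")
    # 4. Callback (TOAD) pattern: a phone number and no links at all
    if not mail.links and PHONE_RE.search(mail.body_text):
        score += 2
        reasons.append("callback lure: phone number with no links")
    # 5. Near-empty body whose only content is an image or PDF (QR-code pattern)
    if not mail.links and len(mail.body_text.strip()) < 40 and any(
            mime.startswith("image/") or mime == "application/pdf" for _, mime in mail.attachments):
        score += 2
        reasons.append("near-empty body with image/PDF attachment (possible QR lure)")
    # 6. Free webmail sender
    if sender_base in FREE_WEBMAIL:
        score += 1
        reasons.append("sent from free webmail account")
    return score, reasons


SAMPLES = {  # constructed sample messages, not real campaigns
    "dhl_link": Email("DHL Express <notify@dhl-parcel-status.example>",
                      "Urgent: payment required to release your package",
                      "Your DHL parcel is on hold. Pay the customs fee at the link below.",
                      links=[("https://www.dhl.com/pay", "http://dhl-parcel-status.example/pay")]),
    "callback": Email("billing.dept.88@gmail.com", "Invoice #48213 - subscription renewal",
                      "Your antivirus renewal of $399.99 has been processed. "
                      "To cancel, call +1 (800) 555-0199 within 24 hours."),
    "qr_image": Email("it-desk@contoso-secure.example", "Verification required: Microsoft MFA update",
                      "See attached.", attachments=[("mfa-update.png", "image/png")]),
    "benign": Email("noreply@github.com", "Your weekly digest",
                    "Here is what happened in your repositories this week.",
                    links=[("https://github.com/notifications", "https://github.com/notifications")]),
}


def triage_all():
    """Score every sample; returns {name: score}."""
    return {name: triage(mail)[0] for name, mail in SAMPLES.items()}
```

In practice such a score feeds a quarantine or analyst-review threshold rather than a hard block, since legitimate notifications sometimes trip the brand and lure-word rules on their own.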

Phishing Success Rates & Consequences

Human element in breaches: Roughly 36% of all data breaches in 2022–2023 involved phishing as a vector. Verizon’s data shows 74% of breaches involve the “human element” (errors, social engineering, or misuse), and phishing is a leading cause of that human factor. IBM reports phishing was the top initial attack vector in 2023 breaches, responsible for 41% of incidents.

Organization breach frequency: 71% of organizations experienced at least one successful phishing attack in 2023 (down from 84% in 2022). In other words, about 3 in 4 companies fell victim despite defense efforts. Many suffered multiple incidents.

Rapid victim response: When phishing emails do reach users, they often work within seconds. The median time to click a phishing link is only 21 seconds after opening the email, and the median time to then submit credentials or data on the phishing site is just 28 seconds more. In total, it takes under 60 seconds for the average user to fall for a phish – extremely little time for intervention.

Click rates: In phishing simulation tests, about 17–18% of users on average click malicious links (as of 2021). While many users are cautious, a subset consistently falls prey. Even a ~4% click rate (often cited in real attacks) is enough for attackers, given they send millions of emails.

Under-reporting: Alarmingly, most users who do click phishing emails fail to report it. Verizon found 89% of users who clicked a malicious link didn’t report the incident to IT. This means incidents may go undetected until damage is done.

Account takeovers (ATO) rising: According to a 2024 survey, 58% of organizations suffered account takeover incidents in the past year, and 79% of those ATO attacks started with a phishing email harvesting employee credentials. In 83% of those cases, the compromised accounts were protected by multi-factor authentication that the attackers managed to bypass (often via MFA fatigue attacks or stealing session tokens).

Financial losses per attack: Phishing attacks carry hefty price tags. $17,700 is lost per minute to phishing attacks globally – equivalent to over $9 billion annually. These losses come from fraud, business disruption, incident response, and reputational damage.

Average breach cost: IBM estimates the average cost of a data breach caused by phishing is ~$4.65 million (2022 figure). Another study calculated that phishing attacks cost large enterprises $15 million annually, or over $1,500 per employee when factoring in downtime, recovery, and preventive measures.

Cost per credential: On a micro level, each set of credentials or personal info stolen via phishing costs a business about $180 on average (in recovery, fraud, etc.).

Ransomware linkage: Phishing is a common entry for ransomware. About 35%–45% of ransomware attacks are initiated via phishing emails. Thus, many costly ransomware incidents ($1.5M+ recovery costs on average) start with an employee clicking a bad link or attachment.

Business impact: The fallout from phishing is not just immediate theft – it includes compliance fines, customer churn, and reputation damage. In 2023, 47% of companies hit by phishing reported losing customers (and revenue) due to the incident, and 42% said their brand reputation suffered harm as a result. Additionally, 22% faced lengthy remediation and some even had legal action due to breaches.

Incidents per company: Many organizations face multiple phishing-induced incidents. For example, 69% of organizations experienced a ransomware infection in the past year (often phishing-enabled), and 60% of those had more than one distinct ransomware event – showing that one successful phish can invite more attacks if not properly contained.

Employee consequences: Companies are responding firmly to phishing-induced breaches. In 74% of organizations where a phishing attack succeeded, the employee(s) who fell for it were disciplined or even terminated/resigned afterwards. This underscores the serious internal fallout that can follow a security lapse.

Regional Insights on Phishing Prevalence

Top countries targeted: According to one analysis, the Netherlands received the highest share of phishing attacks in 2022 (17.7% of global phishing emails), followed by Russia, Moldova, the USA, and Thailand. (These figures likely reflect where phishing emails were directed, not necessarily origin.)

Highest victim rates: As noted, Vietnam had the highest user exposure rate (18.9% in 2023). Other countries with high phishing encounter rates among users include Mongolia, Russia, and several in Southeast Asia, each typically seeing 10–17% of users targeted in a year.

Regional targeting shifts: Attackers adjust lures by region. For instance, BEC (business email compromise) historically hit English-speaking countries hardest, but in 2023 BEC incidents grew in East Asia and the Middle East (+30% in countries like Japan, South Korea, UAE) as attackers use localized languages. Meanwhile, some Western countries saw a slight decline in BEC, indicating a geographical re-focusing by scammers.

By continent: Users in Asia and Africa face phishing at higher rates than those in Europe/North America, according to cybersecurity surveys. However, North America still leads in absolute numbers of attacks (due to a large online population and wealth), and Europe sees sophisticated targeted campaigns as well.

Phishing via messaging apps by country: A Kaspersky study of phishing on messaging platforms (like Telegram) found Russia had the most such phishing redirect attempts in 2023, with Brazil second (Brazil’s count doubled from the prior year). Turkey, India, Germany, and Italy were also in the top tier for messenger-based phishing activity. This often correlates with user base size and cybercrime activity in those regions.

Mobile phishing regional stats: Smartphone users in different regions see varying mobile phishing rates. In Q2 2023, for example, North American mobile users encountered ~484,500 phishing and malicious links (likely the highest), while other regions like Asia and Europe saw hundreds of thousands as well. Mobile phishing is truly global, following smartphone penetration.

Emerging economies: Cybercriminals often target countries with growing internet populations but perhaps less awareness. For instance, financial phishing attacks in Southeast Asia have spiked – Thailand saw ~141,000 financial phishing incidents in H1 2023, Vietnam ~40,000. Similarly, African and Latin American nations have seen rising phishing as more people come online.

Regional scams: The themes of phishing often vary by region/language. In the US and Europe, phishers exploit tax season, banking, and e-commerce themes. In Asia, gaming and messaging app scams are common. In the Middle East, crypto investment and lottery scams have gained traction. The holiday/travel scam spike in mid-2023 (fake airline tickets, hotel deals) was noted globally but especially in regions with big travel seasons.

Law enforcement and reporting differences: Regions with strong reporting (US, EU) show phishing as top reported e-crime. Some countries have less reporting but are heavily targeted. International law enforcement collaborations (like through Interpol) have noted West African and South Asian cybercrime rings heavily involved in global phishing, affecting victims across continents.


Corporate & Individual Phishing Awareness and Defenses

Risky behavior despite training: 71% of working adults admit to taking some cybersecurity risk action (clicking a suspicious link, reusing passwords, etc.), and 96% of those knew it was risky when they did it. This means 68% of employees knowingly undermine security for the sake of convenience or speed – a major challenge for security teams.

Security awareness vs behavior gap: 85% of security professionals believe most employees understand their role in protecting the organization, yet 59% of employees themselves say they aren’t sure or don’t feel responsible for security. This disconnect highlights that knowledge doesn’t always translate to cautious behavior.

Effect of training: Proper training significantly reduces phishing susceptibility. Without training, 32.4% of employees are likely to fall for phishing (on phishing tests). With regular training and simulations, click rates drop substantially. However, many organizations still struggle to train effectively.

Training frequency: Nearly 1 in 5 organizations provide formal anti-phishing training only once per year. Infrequent training means employees may forget best practices or miss new phishing tactics. Continuous education is not yet universal.

Training gaps for new tech: As workplaces adopt new communication tools, training hasn’t kept up. 47% of employees have received no security awareness training for instant messaging or collaboration apps they use. Phishers exploit these new channels (Slack/Teams chats, etc.), and lack of user vigilance there is a weak link.

Incident response burden: It takes IT/security teams on average 27.5 minutes to handle a single phishing email (investigating, removing from inboxes, etc.). The estimated cost to discover and remediate a single phishing email is ~$31 for labor/time. Multiply this by thousands of phishing emails and the operational impact is significant.

Employee reporting and culture: Encouragingly, user reporting of suspected phish is increasing. Verizon found users are reporting more phishing emails than before. However, as noted, many who click do not report. Building a culture where employees promptly report mistakes or suspicious emails can dramatically improve an organization’s response and containment.

Policy compliance issues: 58% of employees admit to ignoring cybersecurity guidelines at work (at least occasionally). Additionally, 39% say they are unlikely to report a security incident or mistake out of fear or embarrassment. This highlights a need for non-punitive incident response cultures.

Over-reliance on tech controls: Many firms assume their email filters will catch everything, but 90% of confirmed phishing breaches occurred in organizations that had secure email gateways and filters in place. Technical defenses, while essential, are not foolproof – some phish will slip through, and user awareness remains critical.

MFA is not a panacea: Multi-factor authentication is important, but 89% of security leaders mistakenly believe MFA alone completely protects against account compromise. In reality, attackers are finding ways around MFA (for instance, via OAuth token theft or prompting users to approve rogue logins). Users and admins must remain vigilant even with MFA.

Leadership concerns: Security leaders are increasingly worried about new phishing methods. 63% are concerned about deepfake voice/video being used in phishing, and 61% are specifically worried about AI chatbots drafting phishing emails that are harder to spot. Despite training efforts, 91% of orgs still experienced negative fallout from phishing incidents in the past year, indicating more needs to be done.

Positive signs: On the bright side, security awareness training is reaching more people – global phishing simulation campaigns sent by providers numbered in the hundreds of millions. Many companies are also rolling out phishing-resistant authentication (like security keys) and doing phishing drills. These efforts are slowly chipping away at the threat, but phishing remains largely a human problem requiring a human-centric solution.

Emerging Attacker Techniques

AI-crafted phishing emails: Attackers are increasingly using generative AI (like ChatGPT) to write more convincing phishing messages. Early 2023 saw a 135% increase in malicious emails with AI-polished language (better grammar, syntax, etc.), correlating with the public availability of tools like ChatGPT. This makes phishing emails harder to distinguish from legitimate communications.

Deepfake voice scams: AI-powered voice cloning is poised to revolutionize vishing (voice phishing). APWG warns of an “epoch of AI-powered vishing” where criminals use deepfake audio to mimic voices of trusted people (family, CEOs) with high realism. In 2023, there were already cases of scammers using AI-synthesized voices on phone calls to authorize fraudulent bank transfers.

Hybrid attack chains: Phishers are blending multiple channels in one attack. “Hybrid vishing” (email + phone) emerged in 2023, where an email instructs the target to call a number, leading to a vishing scam. By Q4 2023, hybrid vishing made up 6.1% of all phishing incidents observed by one security firm – a notable new category. This multi-step approach filters for more gullible victims (those who call) and often evades detection since the initial email might not contain a payload.

Growth of callback scams: As noted, telephone-oriented phishing (callback scams like fake tech support) is flourishing. Attackers set up fraudulent call centers to handle the volume of victims who respond. This trend expanded in 2023 with millions of such calls being placed or received monthly.

MFA bypass techniques: With more accounts protected by MFA, phishers innovate to capture one-time codes or bypass MFA entirely. Phishing kits like EvilProxy and Modlishka allow attackers to steal session cookies or OAuth tokens, letting them hijack accounts without needing the second factor. The broad availability of these tools (PhaaS) means even mid-tier cybercriminals can defeat MFA at scale.

Use of chatbots in scams: Scammers have started deploying malicious chatbots on phishing sites or messaging apps to automate social engineering. For example, a fake bank support chat may interact with victims to persuade them to divulge OTPs or credit card info. This automation can handle many simultaneous victims with personalized pre-scripted dialogue, increasing yield.

Convincing lures via AI: Generative AI can also produce extremely realistic fake images, videos, and documents. In 2023 we saw phishing emails with AI-generated profile photos and synthetic “proof” documents. Future phish could include a realistic AI-generated video message from an executive urging an action, or fake “live” chats. Over 60% of security leaders worry about AI being used for sophisticated impersonation and supply chain phishing.

Targeted phishing of API/keys: An emerging vector is phishing for API keys, cloud tokens, or developer credentials (not just user passwords). As companies secure user accounts better, attackers pivot to tricking developers/IT into revealing secrets that grant deeper access (e.g. phishing emails to developers pretending to be from AWS/Azure asking to “validate” keys).

Phishing via social media and ads: Scammers are using social media ads and posts as phishing vectors – e.g. malicious sponsored ads that impersonate a brand and phish information when clicked. Additionally, phishing kits are now often optimized for mobile (since many users read email or messages on phones). Attackers craft fake login pages that mimic mobile app interfaces to fool users on smartphones.

Cryptocurrency-themed phish: With the rise of crypto, phishers lure victims with fake crypto exchange alerts or “investment opportunities.” In 2023, crypto-draining malware spread via phishing grew notably (discussions on dark web about “crypto drainer” tools were up 135%). Expect more phishing targeting crypto wallets, NFTs, and related accounts as crypto adoption continues.

Attacks on MFA apps and QR-based login: As QR-code logins and authenticator apps become common, phishers are adapting. For instance, some phishing emails now include fake QR codes that, when scanned, ask for login details under the guise of MFA. Others trick users into revealing their authenticator app code or emergency backup codes. Attackers will continue to probe any weak link in two-factor authentication flows.

Supply chain phishing: Attackers are targeting smaller vendors or partners of big companies, compromising them, then sending phishing emails from the trusted partner’s email domain to the real target. These supply chain phishing attacks (using compromised business accounts to phish downstream) increased in 2023. They are hard to detect because the email comes from a legitimate (but hacked) source. We’ll likely see more of this “island hopping” strategy.

Increased phishing automation: Overall, phishing is becoming more automated and scalable. From AI-written emails to bulk validation of stolen credentials on login portals, attackers leverage tools to increase efficiency. At the same time, defensive AI is emerging (email filters using machine learning, user behaviour analytics, etc.), leading to an arms race between attacker AI and defender AI.
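As an added example on the detection side (not from the page or any vendor named on it), the following Python detector runs over constructed authentication log lines and flags the two MFA-bypass patterns discussed above: a session id reused from a different client than the one it was issued to, which is what a stolen session cookie looks like when replayed through a proxy kit, and a burst of push prompts followed by an approval (MFA fatigue). The log format, the thresholds and the sample entries are assumptions.

```python
# Added example (not the page's code): detect stolen-session replay and MFA push
# fatigue in authentication logs. Log format, thresholds and samples are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: S1 is alice's session, later replayed from a different
# client; bob receives a burst of push prompts and then one is approved.
SAMPLE_LOG = """
2024-03-04T09:00:01Z user=alice event=login_mfa_ok sid=S1 ip=203.0.113.10 ua=Chrome/122
2024-03-04T09:00:05Z user=alice event=request sid=S1 ip=203.0.113.10 ua=Chrome/122
2024-03-04T09:00:40Z user=alice event=request sid=S1 ip=198.51.100.77 ua=python-requests/2.31
2024-03-04T09:01:10Z user=alice event=request sid=S1 ip=203.0.113.10 ua=Chrome/122
2024-03-04T10:30:00Z user=carol event=mfa_push_sent ip=192.0.2.44
2024-03-04T10:30:20Z user=carol event=login_mfa_ok sid=S3 ip=192.0.2.44 ua=Firefox/123
2024-03-04T11:12:00Z user=bob event=mfa_push_sent ip=198.51.100.77
2024-03-04T11:12:30Z user=bob event=mfa_push_sent ip=198.51.100.77
2024-03-04T11:13:00Z user=bob event=mfa_push_sent ip=198.51.100.77
2024-03-04T11:13:30Z user=bob event=mfa_push_sent ip=198.51.100.77
2024-03-04T11:14:00Z user=bob event=mfa_push_sent ip=198.51.100.77
2024-03-04T11:14:20Z user=bob event=login_mfa_ok sid=S2 ip=198.51.100.77 ua=Chrome/122
2024-03-04T11:15:00Z user=bob event=request sid=S2 ip=198.51.100.77 ua=Chrome/122
""".strip().splitlines()

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, object]:
    """'<ISO timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    rec: Dict[str, object] = dict(KV_RE.findall(rest))
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def detect_session_replay(records: List[dict]) -> List[dict]:
    """Flag a session id used from a client other than the one it was issued to.

    A reverse-proxy phishing kit relays the real login and then reuses the
    captured cookie from the attacker's own machine, so the (ip, user agent)
    pair changes mid-session. Benign causes (roaming, VPN) exist, so this is a
    triage signal rather than a verdict."""
    issued_to: Dict[str, tuple] = {}
    alerts = []
    for r in records:
        sid = r.get("sid")
        if not sid:
            continue
        client = (r.get("ip"), r.get("ua"))
        if r["event"] == "login_mfa_ok":
            issued_to[sid] = client
        elif sid in issued_to and client != issued_to[sid]:
            alerts.append({"user": r["user"], "sid": sid, "issued_to": issued_to[sid],
                           "seen_from": client, "ts": r["ts"]})
    return alerts


def detect_mfa_fatigue(records: List[dict], threshold: int = 4,
                       window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Flag an approved login preceded by >= threshold push prompts within the window."""
    pushes: Dict[str, List[datetime]] = defaultdict(list)
    alerts = []
    for r in records:
        if r["event"] == "mfa_push_sent":
            pushes[r["user"]].append(r["ts"])
        elif r["event"] == "login_mfa_ok":
            recent = [t for t in pushes[r["user"]] if r["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"user": r["user"], "prompts": len(recent), "ts": r["ts"]})
    return alerts


def run(lines: List[str] = SAMPLE_LOG) -> Dict[str, List[dict]]:
    """Parse the lines and return both detectors' alerts keyed by detector name."""
    records = [parse_line(l) for l in lines]
    return {"session_replay": detect_session_replay(records),
            "mfa_fatigue": detect_mfa_fatigue(records)}


if __name__ == "__main__":
    for kind, alerts in run().items():
        for a in alerts:
            print(kind, a)
```

Either alert is a reason to revoke the session and re-challenge the user; the fatigue rule also argues for number-matching or limiting push prompts per minute at the identity provider.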

Notable Phishing Scams & Large-Scale Attacks (2023–2024)

Reddit breach (Feb 2023): Social news giant Reddit was breached after a “sophisticated and highly-targeted” phishing attack on employees. The attackers (ransomware group BlackCat) stole 80GB of data and demanded a $4.5 million ransom. Reddit staff were duped by a fake intranet site login, showing that even tech companies aren’t immune to well-crafted phish.

Twilio and Cloudflare (Aug 2022): This late-2022 incident (influencing 2023 security posture) saw Twilio employees phished via SMS, leading to a breach of OTP codes for 2FA. Cloudflare narrowly escaped the same campaign. This attack, by the “0ktapus” group, led to over 130 organizations’ user accounts being compromised using Twilio’s access, illustrating the ripple effect of one vendor phishing breach.

Activision game studio hack (Dec 2022): In a breach disclosed in 2023, a hacker tricked an Activision employee via SMS phishing (smishing), stealing credentials. They accessed sensitive data including upcoming game content and employee info. The incident showed how smishing can bypass corporate email defenses and lead to data loss in big enterprises.

MGM Resorts attack (Sept 2023): Casino giant MGM Resorts was hit by a multi-stage social engineering attack. Attackers reportedly impersonated an employee via phone (vishing) to obtain IT helpdesk credentials, having first gleaned info via a phishing email and LinkedIn research. The breach forced MGM to shut down systems, costing an estimated $100M+. It underscored how phishing combined with phone pretexting can defeat even well-resourced organizations.

Cisco Talos intelligence leak (2023): In 2023, a threat actor used phishing to compromise a Cisco employee’s personal Google account, which was synced to their work credentials. Though Cisco’s network wasn’t breached, some sensitive information was stolen. The incident highlighted risks of personal account phishing impacting corporate security.

Work-from-home scams (ongoing 2023): With widespread remote work, phishers ran large campaigns posing as IT support asking employees to “revalidate” VPN or Teams credentials. Many companies reported waves of these COVID-era phishing emails. Some even spoofed video-call invites (Zoom/Teams) to steal login details. This trend exploited the remote/hybrid work normalcy.

Student loan forgiveness phish (2023): The U.S. FBI warned in late 2023 of phishing schemes around student loan forgiveness programs. Scammers emailed students and grads with links to fake application sites that harvested personal data and bogus “processing fees.” This campaign capitalized on a timely topic, demonstrating how phishers latch onto current events or government programs.

Crypto “Pig Butchering” scams (2023): While more of a long-con scam than a single email, these campaigns often start with a phishing contact (text or social media message) that lures victims into fake crypto investment platforms. 2023 saw a rise in such large-scale operations, primarily run by criminal syndicates in Southeast Asia, defrauding victims worldwide of billions in cryptocurrency.

Brand impersonation and token forgery (2023): Microsoft and Google were the most impersonated brands, and adversary-in-the-middle (AiTM) phishing kits that proxy the real login page let attackers capture session cookies and bypass code- and push-based MFA on Microsoft 365 accounts. The year’s most notable Microsoft cloud intrusion, however, did not involve a phished user at all: the actor Microsoft tracks as Storm-0558, attributed to China, used a stolen Microsoft consumer signing key to forge authentication tokens and read Exchange Online mail at about 25 organizations, including U.S. government agencies. Microsoft revoked the key and hardened its token validation. The lesson is the same either way: attackers pivot to whatever weakness is available.

Nation-state phishing: State-sponsored groups continued sophisticated phishing in 2023/24. Examples include Russian APTs phishing Ukrainian officials with tailored emails (about 60% of Russian-origin phishing in early 2023 was aimed at Ukraine), and North Korean actors phishing security researchers via LinkedIn and email. These campaigns often use advanced deception, including delivering zero-day exploits through phishing lures, and represent the high end of the phishing threat.

Global police action: An international crackdown in 2023 led to the takedown of a phishing-as-a-service platform called “16Shop,” which had provided kits to thousands of cybercriminals. This was a notable win, but many other kits remain. It highlights that law enforcement is actively pursuing phishers, but the sheer volume of attacks means most continue unabated.

Future Outlook: The Evolution of Phishing Attacks 

Phishing shows no signs of fading – in fact, it’s continually evolving to outpace security improvements. As organizations deploy better defenses, attackers adapt their tactics in a cat-and-mouse cycle. What does the future hold for phishing?

Below, we look at upcoming trends, the impact of AI, new attack vectors, and how defenders can respond.

Smarter Phish for Smarter Defenses

Email filters and user training have forced phishers to get craftier. We’re already seeing phishing emails that are virtually indistinguishable from genuine business correspondence.

In the near future, expect phishers to double-down on personalization by leveraging stolen data and social media intel to craft emails that feel individually tailored. 

For example, rather than a generic “Dear Customer” bank alert, a phisher might reference your actual recent transaction or include street-view images of your home in a supposed “security verification” email. These highly customized lures are designed to beat even a vigilant eye.

At the same time, attackers will likely pivot to new communication channels as email gateways improve. Collaboration tools (Slack, Teams), project management apps, and even voice assistants or IoT devices could become phishing conduits. 

Imagine getting a voice message on your smart speaker that sounds like your boss instructing you to log into a site; that’s the kind of multi-platform phishing scenario we may encounter. Security teams will need to extend anti-phishing monitoring beyond just email inboxes.

The Rise of AI – Friend and Foe

Artificial Intelligence is a double-edged sword in phishing. On one side, AI empowers attackers: tools like ChatGPT can instantly generate fluent, convincing scam messages in any language, stripping away tell-tale grammar mistakes that gave phish away in the past. 

Given a few prompts, AI can produce a spectrum of phishing content, from business email compromise scripts to romance scam chat dialogue tailored to maximize response.

Attackers can also use AI to masquerade as your colleagues in real time, perhaps via AI-driven chatbots that engage victims in conversation to collect info or via deepfake audio on phone calls. 

It’s chilling but plausible to receive a voicemail that sounds exactly like a loved one, asking for urgent financial help, courtesy of AI voice cloning.

On the other side, defenders aren’t sitting idle. AI and machine learning are also being leveraged to detect phishing. Future email security may involve AI models that analyze writing style, message context, and historical communication patterns to flag anomalies (“This email asking for a wire transfer doesn’t sound like Alice’s usual writing”). 

AI could also help automate incident response; for instance, identifying all users who received a phish and auto-removing those emails, or even chatting with a suspected phisher’s email to waste their time. The key will be a battle of algorithms: attacker AI vs. defender AI, each trying to outsmart the other. 

Organizations should invest in AI-driven security but remain aware that attackers will probe for blind spots in those AI models.

New Attack Vectors and Threats

Looking ahead, phishing will continue expanding into any digital interaction where trust can be exploited. Mobile and social media phishing will grow as more of our communication shifts to those platforms. 

We might see phishers creating fake mobile apps that mimic real ones (imagine a malicious app named “Outtlook” that looks like Outlook’s login), or injecting phishing links into QR codes at public places.

The concept of phishing could even extend to augmented reality (AR) or virtual reality (VR) spaces. For instance, in a future metaverse workplace, a scammer’s avatar might “shoulder surf” and send a private message with a malicious link.

Another emerging threat is phishing for non-traditional credentials. Instead of just website passwords, attackers might phish for things like API keys, OAuth tokens, cloud service keys, or biometric data.

As companies adopt passwordless auth and biometrics, cybercriminals will adapt. With FIDO passkeys the fingerprint or face never leaves the device, so the realistic targets are the enrollment and recovery flows (“register your new device,” “reset your passkey”) and any weaker fallback methods left enabled alongside them, rather than the biometric itself; still, expect schemes that trick users into capturing face or fingerprint data under false pretenses (perhaps a phony “security update” that uses your webcam). 

We may also see phishing that targets software supply chains, e.g. emails to open-source developers to compromise libraries that infect many downstream users. Attackers cast a wide net; any asset or access point with potential value will become a target for social engineering.

Staying One Step Ahead – Defense Strategies

In this escalating fight, organizations and individuals must be proactive to mitigate future phishing risks. First and foremost, fostering a strong security culture is crucial.

This means regular, dynamic training that goes beyond boring slide decks; interactive phishing simulations, games, and even immersive training using VR to put people “in the hot seat” can reinforce good habits. 

The goal is a workforce of healthy skeptics: people who can spot unusual requests and feel comfortable reporting them immediately.

On the technical side, companies should embrace an “assume breach” mindset with layered defenses. That includes robust email filtering, yes, but also network monitoring to catch the telltale signs if a phish does slip through (e.g. an employee’s device suddenly communicating with a known malicious host). 

Implementing phishing-resistant authentication, like FIDO2/WebAuthn security keys and passkeys or certificate-based auth, can greatly reduce risk. These methods are far harder to phish than SMS codes or passwords because the browser binds the credential to the site’s real origin: a look-alike domain, or a proxy relaying the genuine login page, cannot obtain a usable assertion. That binding is exactly what stopped the 2022 0ktapus campaign at Cloudflare even after employees typed their passwords into the fake page.
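To make the origin-binding argument concrete, here is an added simulation of the WebAuthn login ceremony (not code from any vendor or from this page). The relying party, origins and hostnames are hypothetical, and an HMAC over the same message stands in for the authenticator’s per-credential asymmetric signature so it runs with the standard library alone; the checks the relying party performs (challenge, origin, rpIdHash, user-presence flag, signature) follow the specification.

```python
"""WebAuthn/FIDO2 origin binding, simulated end to end (added illustration)."""
import hashlib
import hmac
import json
import secrets

RP_ID = "bank.example"                           # hypothetical relying party
RP_ORIGIN = "https://login.bank.example"
PHISH_ORIGIN = "https://login-bank.example.net"  # attacker's look-alike site

# The authenticator keeps one credential per rpId it was registered with.
# (HMAC secret stands in for the private key; the RP would hold the public key.)
AUTHENTICATOR_CREDS = {RP_ID: secrets.token_bytes(32)}
RP_PUBLIC_KEYS = {"cred-1": AUTHENTICATOR_CREDS[RP_ID]}


def authenticator_sign(rp_id, auth_data, client_data_json):
    """Sign authenticatorData || SHA-256(clientDataJSON) with the credential for rp_id."""
    key = AUTHENTICATOR_CREDS.get(rp_id)
    if key is None:
        raise PermissionError(f"authenticator: no credential registered for rpId {rp_id!r}")
    message = auth_data + hashlib.sha256(client_data_json).digest()
    return hmac.new(key, message, hashlib.sha256).digest()


def browser_get_assertion(page_origin, requested_rp_id, challenge):
    """Model of navigator.credentials.get(): the browser, not the page, writes the
    origin into clientDataJSON and refuses an rpId that is not a registrable suffix
    of the page's own host. A phishing page cannot talk its way around either."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if host != requested_rp_id and not host.endswith("." + requested_rp_id):
        raise PermissionError(f"browser: rpId {requested_rp_id!r} is not valid for origin {page_origin!r}")
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin},
        sort_keys=True,
    ).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP bit set) || 4-byte signature counter
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signature = authenticator_sign(requested_rp_id, auth_data, client_data_json)
    return client_data_json, auth_data, signature


def rp_verify(client_data_json, auth_data, signature, expected_challenge, cred_id="cred-1"):
    """Relying-party side of the assertion check. Returns (ok, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch (replayed or stale assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: assertion was made on {cd.get('origin')!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    expected = hmac.new(RP_PUBLIC_KEYS[cred_id],
                        auth_data + hashlib.sha256(client_data_json).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def login_attempt(page_origin, rp_id=RP_ID):
    """Run one login ceremony from a page at page_origin. The challenge comes from the
    real RP; in an adversary-in-the-middle attack the proxy simply relays it."""
    challenge = secrets.token_bytes(32)
    try:
        cdj, ad, sig = browser_get_assertion(page_origin, rp_id, challenge)
    except PermissionError as exc:
        return False, str(exc)
    return rp_verify(cdj, ad, sig, challenge)


def forged_client_data_attempt():
    """Attacker who obtains a signed assertion and rewrites the origin field: the RP
    rejects it on origin before the signature (which would also fail) is checked."""
    challenge = secrets.token_bytes(32)
    cdj, ad, sig = browser_get_assertion(RP_ORIGIN, RP_ID, challenge)
    tampered = json.dumps({**json.loads(cdj), "origin": PHISH_ORIGIN}, sort_keys=True).encode()
    return rp_verify(tampered, ad, sig, challenge)


if __name__ == "__main__":
    print("legit site        ->", login_attempt(RP_ORIGIN))
    print("phish, real rpId  ->", login_attempt(PHISH_ORIGIN))
    print("phish, own rpId   ->", login_attempt(PHISH_ORIGIN, rp_id="login-bank.example.net"))
    print("tampered origin   ->", forged_client_data_attempt())
```

The three failure paths are the point: a phishing page asking for the bank’s rpId is refused by the browser, a phishing page using its own rpId finds no credential on the authenticator, and an assertion with a rewritten origin fails the relying party’s origin check. None of these depend on the user noticing anything.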

In addition, employing AI-driven anomaly detection can provide early warning of account compromise (for example, an employee account downloading masses of data at 3 AM after clicking a strange email might trigger an automated lockdown).
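The two detections described above, a device contacting a known-bad host after a phish slips through and an account pulling unusual volumes of data at 3 AM, can be written as plain correlation rules before any machine learning is involved. The following is an added example, not a product’s detection logic: the indicator host, per-user baselines and the JSON-lines telemetry are all constructed for the illustration.

```python
"""Post-phish correlation over email-click, EDR and file-server telemetry (added illustration)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

KNOWN_BAD_HOSTS = {"cdn-update.example.net"}            # hypothetical threat-intel indicator
BASELINE_BYTES_PER_HOUR = {"alice": 50_000_000, "bob": 5_000_000, "carol": 500_000_000}  # constructed
EXFIL_MULTIPLIER = 10                                   # alert when an hour exceeds 10x the user's baseline
WORK_HOURS = range(7, 20)                               # 07:00-19:59 UTC; localise per user in practice
CLICK_WINDOW = timedelta(hours=24)

# Constructed sample telemetry: email gateway clicks, EDR network connections, file-server downloads
SAMPLE_LOG = """
{"ts": "2023-10-03T14:02:11Z", "type": "email_click", "user": "alice", "url": "https://docs-share.example.net/invoice"}
{"ts": "2023-10-03T14:05:40Z", "type": "net_conn", "user": "alice", "dst": "cdn-update.example.net", "port": 443}
{"ts": "2023-10-03T22:40:05Z", "type": "email_click", "user": "bob", "url": "https://hr-portal.example.net/benefits"}
{"ts": "2023-10-04T03:10:00Z", "type": "file_download", "user": "bob", "bytes": 30000000}
{"ts": "2023-10-04T03:25:00Z", "type": "file_download", "user": "bob", "bytes": 45000000}
{"ts": "2023-10-04T10:00:00Z", "type": "file_download", "user": "carol", "bytes": 900000000}
"""


def parse_events(text):
    """Parse JSON lines, convert timestamps to aware datetimes, return in time order."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sorted(events, key=lambda ev: ev["ts"])


def correlate(events):
    """Rule 1: connection to a known-bad host, enriched with any click in the prior 24h.
    Rule 2: off-hours download volume above 10x baseline, only when it follows a click
    (on its own that rule is too noisy to auto-contain on)."""
    last_click = {}                  # user -> most recent email_click event
    hourly_bytes = defaultdict(int)  # (user, hour bucket) -> bytes downloaded
    raised = set()                   # hour buckets already alerted on
    alerts = []
    for ev in events:
        user = ev["user"]
        click = last_click.get(user)
        recent_click = click if click and ev["ts"] - click["ts"] <= CLICK_WINDOW else None

        if ev["type"] == "email_click":
            last_click[user] = ev
        elif ev["type"] == "net_conn" and ev["dst"] in KNOWN_BAD_HOSTS:
            evidence = f"connection to {ev['dst']}:{ev['port']}"
            if recent_click:
                delay = int((ev["ts"] - recent_click["ts"]).total_seconds())
                evidence += f" {delay}s after clicking {recent_click['url']}"
            alerts.append({
                "rule": "c2_beacon" + ("_after_phish" if recent_click else ""),
                "user": user, "ts": ev["ts"].isoformat(), "evidence": evidence,
                "action": "isolate host, revoke sessions, reset credentials",
            })
        elif ev["type"] == "file_download":
            bucket = (user, ev["ts"].replace(minute=0, second=0, microsecond=0))
            hourly_bytes[bucket] += ev["bytes"]
            threshold = EXFIL_MULTIPLIER * BASELINE_BYTES_PER_HOUR.get(user, 1_000_000)
            if (recent_click and ev["ts"].hour not in WORK_HOURS
                    and hourly_bytes[bucket] > threshold and bucket not in raised):
                raised.add(bucket)
                alerts.append({
                    "rule": "offhours_bulk_download_after_phish",
                    "user": user, "ts": ev["ts"].isoformat(),
                    "evidence": f"{hourly_bytes[bucket]:,} bytes in hour starting {bucket[1]:%H:%M}Z "
                                f"(threshold {threshold:,}); clicked {recent_click['url']} at {recent_click['ts']:%H:%M}Z",
                    "action": "disable account, revoke sessions, preserve endpoint for forensics",
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Run against the sample, it raises two alerts (alice’s beacon minutes after her click, bob’s 75 MB at 03:00 after a late-evening click) and stays quiet on carol, whose large download is in working hours, follows no click, and is within her own baseline. The click enrichment is what turns a generic anomaly into something a playbook can act on automatically.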

Organizations should also plan and rehearse their response to phishing incidents. Speed is everything; if you can detect and contain a phishing-led breach within minutes, damage is minimized.

This might involve playbooks that include isolating affected accounts, stripping malicious emails from mailboxes enterprise-wide, and having a recovery strategy for ransomware in case a phishing attack leads to an encryption event.

Incident response drills that specifically simulate phishing scenarios (like a fake CEO email asking for fund transfers) can test if employees follow protocol under pressure.

For individuals, skepticism and verification are your best friends. In the future, the default stance should be zero-trust for unexpected requests: verify via a separate channel if you get an odd email (call the supposed sender on a number you already have, not one in the message), hover over links to see the real destination, preview the decoded URL before opening anything a QR code points to, and remember that anyone can be impersonated online. 
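Hovering over a link tells you where it goes only if you know what to look for. The following added example (not from any mail client or this page; the hostnames are hypothetical) does the inspection mechanically for an href, the text the link displayed, or a URL decoded from a QR code: it unwraps tracker and open-redirect parameters, exposes the real host, decodes punycode, and flags mixed-script homographs, the `user@host` trick, plain http, and display-text mismatches.

```python
"""Link inspection for phishing triage (added illustration)."""
import unicodedata
from urllib.parse import parse_qs, urlparse

MAX_REDIRECT_HOPS = 5


def _scripts(label):
    """Unicode scripts (LATIN, CYRILLIC, ...) of the letters in one hostname label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def unwrap_redirects(url):
    """Follow query parameters that carry an absolute URL (click trackers, open redirects)."""
    chain = [url]
    while len(chain) <= MAX_REDIRECT_HOPS:
        params = parse_qs(urlparse(chain[-1]).query)
        nxt = next((v[0] for v in params.values()
                    if v and v[0].lower().startswith(("http://", "https://"))), None)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def _hostname_of(text):
    """Hostname from a URL or bare domain shown as link text; None if it is not URL-like."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    if "://" not in text:
        text = "https://" + text
    try:
        return urlparse(text).hostname
    except ValueError:
        return None


def inspect_link(href, display_text=None):
    """Return the real destination plus a list of human-readable findings."""
    findings = []
    chain = unwrap_redirects(href)
    if len(chain) > 1:
        findings.append(f"redirects through {len(chain) - 1} hop(s) to {chain[-1]}")
    final = urlparse(chain[-1])
    host = final.hostname or ""
    if final.scheme != "https":
        findings.append(f"scheme is {final.scheme!r}, not https")
    if final.username is not None:
        findings.append(f"text before '@' ({final.username!r}) is a username, real host is {host!r}")
    try:
        decoded = host.encode("ascii").decode("idna")   # xn--... labels back to Unicode
    except UnicodeError:
        decoded = host  # already Unicode (or malformed punycode); inspect as-is
    if decoded != host:
        findings.append(f"punycode host decodes to {decoded!r}")
    for label in decoded.split("."):
        scripts = _scripts(label)
        if len(scripts) > 1:
            findings.append(f"mixed-script label {label!r} ({', '.join(sorted(scripts))}): likely homograph")
        elif scripts and scripts != {"LATIN"}:
            findings.append(f"non-Latin label {label!r} ({scripts.pop()})")
    shown = _hostname_of(display_text) if display_text else None
    if shown and shown != host:
        findings.append(f"link text shows {shown!r} but destination is {host!r}")
    return {"final_url": chain[-1], "host": host, "decoded_host": decoded, "findings": findings}


if __name__ == "__main__":
    samples = [  # constructed; all hostnames hypothetical
        ("https://login.example.com@evil.example.net/auth", "https://login.example.com"),
        ("https://t.example-mail.net/c?u=https%3A%2F%2Fevil.example.net%2Flogin", "Review document"),
        ("https://" + "\u0430pple.com".encode("idna").decode("ascii") + "/", None),  # Cyrillic 'а'
        ("https://login.example.com/", "login.example.com"),
    ]
    for href, text in samples:
        print(href, "->", inspect_link(href, text))
```

The fourth sample, a genuine link whose text matches its destination, produces no findings; the first three each surface the trick a hovering eye tends to miss. The same function applies unchanged to whatever string a QR scanner hands back.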

As deepfakes spread, we will have to verify voices and video too; for critical requests, a quick callback to a known number or a face-to-face confirmation may be needed.

It’s inconvenient, but a healthy level of paranoia will be necessary as phishing grows more sophisticated.

Conclusion

More sophistication, more channels, and more automation will mark the future of phishing. Attackers will leverage cutting-edge technology to craft deceptive experiences that can fool even savvy users, from AI-written emails to fake voices and beyond. 

However, awareness and technology on the defensive side are advancing as well. By staying informed of phishing trends, harnessing AI for defense, and cultivating a culture of vigilance, organizations and users can stay one step ahead. Phishing may always be a threat, rooted in the fundamental fallibility of human trust. 

Still, with adaptive strategies and a bit of caution, we can significantly blunt its impact in the years to come. In the cat-and-mouse game of cybersecurity, preparation and prudence will remain our best tools to ensure that the phishers of the future won’t have an easy catch.

References

Anti-Phishing Working Group (APWG). (2023). Phishing Activity Trends Reports (Q1–Q4 2023). Retrieved from https://apwg.org

FBI Internet Crime Complaint Center (IC3). (2023). 2022 Internet Crime Report (published in early 2023). Retrieved from https://www.ic3.gov

Proofpoint. (2023). State of the Phish 2023 Report. Retrieved from https://www.proofpoint.com/us/resources/threat-reports

Verizon. (2023). 2023 Data Breach Investigations Report (DBIR). Retrieved from https://www.verizon.com/business/resources/reports/dbir/

IBM Security. (2023). Cost of a Data Breach Report 2023. Retrieved from https://www.ibm.com/security/data-breach

Kaspersky Lab. (2023). Spam and Phishing in Q2–Q3 2023 (Quarterly Threat Intelligence). Retrieved from https://securelist.com/tag/spam-report

Microsoft. (2023). Digital Defense Report. Retrieved from https://www.microsoft.com/en-us/security/business/digital-defense-report

Cisco Talos / Cisco Security. (2023). Cisco 2023 Global Networking Trends & Security Highlights. Retrieved from https://blog.talosintelligence.com and https://www.cisco.com/c/en/us/products/security/reports-resources.html

ESET. (2023). Threat Report 2023 (H1–H2 analyses). Retrieved from https://www.eset.com/int/about/newsroom/reports

PhishLabs by HelpSystems. (2023). Phishing & Threat Intelligence Report (Q2–Q3 2023). Retrieved from https://www.phishlabs.com/resources/threat-reports/

Check Point Research. (2023). Brand Phishing Report: 2023 Trends. Retrieved from https://research.checkpoint.com

Palo Alto Networks Unit 42. (2023). Threat Brief: Phishing Attacks & Ransomware Trends 2023. Retrieved from https://unit42.paloaltonetworks.com

Group-IB. (2023). Hi-Tech Crime Trends 2023/2024. Retrieved from https://www.group-ib.com/resources

INTERPOL & ASEAN Cybercrime Operations. (2023). ASEAN Cyberthreat Assessment Report. Available via official INTERPOL channels.

Mandiant (Google Cloud). (2023). Mandiant Threat Intelligence: Trends in Phishing & Social Engineering 2023. Retrieved from https://www.mandiant.com/resources/threat-research

BlackCat / ALPHV Ransomware Group disclosures & security community analyses (multiple 2023 disclosures related to breaches). Documented in relevant vendor bulletins and FBI IC3 advisories.

Sector-Specific & Regional Insights

Asia-Pacific Computer Emergency Response Teams (CERTs) – annual & quarterly phishing bulletins (2023).

ENISA (European Union Agency for Cybersecurity) – ENISA Threat Landscape 2023.

US-CERT / CISA (Cybersecurity & Infrastructure Security Agency) – Alerts and Analysis 2023.

INTERPOL – Cybercrime Analysis Report 2023/2024, focusing on global coordinated takedowns of phishing groups.

Additional Industry Surveys (various 2023) capturing user behavior, corporate security practices, and training effectiveness:

ISACA, State of Cybersecurity 2023

SANS Institute, 2023 Security Awareness Report

Cybersecurity Insiders, Phishing & Email Security Survey 2023