MEDIUM RISK | ANNUAL

Annual Probability of a Business Experiencing Phishing

~83%

Annual probability in US

About 83% of organizations experienced a phishing attack in 2023. Business email compromise caused $2.7 billion in losses.

Type: GOVERNMENT

Phishing remains the most common cyber attack vector: approximately 83% of organizations reported experiencing at least one phishing attack in 2023, according to the Proofpoint State of the Phish report. Phishing attacks have increased by over 150% per year since 2019, driven by increasingly sophisticated techniques and AI-generated content.

Business email compromise (BEC), a sophisticated form of phishing where attackers impersonate executives or trusted partners, caused approximately $2.7 billion in reported losses in 2023 according to the FBI's IC3 report. The average BEC attack costs businesses $125,000-$130,000. Common BEC scenarios include fake invoice fraud, CEO fraud (impersonating executives requesting wire transfers), and vendor email compromise.

About 84% of organizations use security awareness training, but the average click rate on simulated phishing emails remains about 10-15%. Factors that make phishing effective include urgency language, authority impersonation, curiosity triggers, and fear-based messaging. Technical defenses include email filtering, DMARC/DKIM/SPF authentication, multi-factor authentication (which blocks about 99.9% of account compromise attempts), and endpoint detection. About 36% of data breaches involve phishing as the initial access vector.
