Security Statistics

Cyber Crime Statistics by Attack Type

Zero-Day Attack Statistics

Source: PurpleSec

• Zero-day malware increased to 67.2% in Q3 2021, up 3% in the previous quarter.
• Zero-day malware over TLS rose to 47% in Q3 2021 up from 31.6% in the previous quarter.
• A total of 83 zero-days were recorded in 2021 up 55% from 2020, which recorded 36 zero-days.
• From 2016 through 2020, between 12 and 25 zero-day attacks were identified each year, about 21 per year on average.
• 80% of all successful data breaches in 2019 directly resulted from zero-day attacks.
• It’s estimated that 42% of all attacks in 2021 were zero-day attacks.
• The price of an Android exploit chain increased 1150% over the last 3 years from $200,000 to $2.5 million.
• The price of a full exploit chain for Apple iOS is estimated at $2 million.

Ransomware Statistics

Source: PurpleSec

• The average ransomware payment in 2021 increased by 82% year over year to $570,000.
• 121 ransomware incidents have been reported in the first half of 2021, up 64% year-over-year.
• The largest ransom demand observed so far in 2021 is $100 million.
• 21% of ransomware involved social actions, such as phishing.
• It’s estimated that a business will fall victim to a ransomware attack every 14 seconds.
• The average cost of a ransomware attack on businesses was $133,000.
• Businesses lost around $8,500 per hour due to ransomware-induced downtime.
• The individual ransom of 1,400 clinics, hospitals, and other healthcare organizations varied from $1,600 to $14 million per attack.
• 20% of ransomware victims are small to mid-sized businesses.
• 85% of MSPs report ransomware as a common threat to small to mid-sized businesses.
• 29% of small businesses had experience with ransomware, making them more likely to be unprepared for the threat.
• 90% of all financial institutions have experienced ransomware in the past year.
• More than 204,448 users experienced an attempt to log their banking information.
• Ransomware is a rising threat to small banks and credit unions with less than $35 million in annual revenue

Malware Statistics

Source: PurpleSec

• 92% of malware is delivered by email.
• Third-party app stores host 99.9% of discovered mobile malware.
• More than 250,000 unique users were attacked by Trojan-Banker.AndroidOS.Asacub malware application.
• 98% of mobile malware target Android devices.
• Over the last year, MacOS malware has increased by 165%.
• Malware development rates for Windows decreased by 11.6% since reaching an all-time high in 2015.
• Malware is still the preferred distribution model, used 71.14% of the time over the last 12 months, while PUAs were only used in 28.86% of instances.
• Gamut spambot was the most frequently used, with over 86% of all spambot cases involving its use.
• The United States continues to host the most botnet control servers in the world. Over the last year, 36% of these servers were hosted in America, while 24% were hosted in undefined countries.
• Trojans make up 51.45% of all malware.
• 7 out of every 10 malware payloads were ransomware.
• 230,000 new malware samples are produced every day — and this is predicted to only keep growing.
• Malware and web-based attacks are the two most costly attack types — companies spent an average of US $2.4 million in defense.
• Overall business detections of malware rose 79% from 2017 due to an increase in backdoors, miners, spyware, and information stealers.
• Over 18 million websites are infected with malware at a given time each week.
• 34% of businesses hit with malware took a week or more to regain access to their data.

Phishing Statistics

Overview

Source: PurpleSec

• Phishing attacks on finance employees increased by 87% while attacks on C-Suite decreased by 37%.
• Business email compromise is the most expensive phishing attack with 19,369 complaints with an adjusted loss of approximately$1.8 billion.
• Phishing scams were also prominent: 241,342 complaints, with adjusted losses of over $54 million.
• 40% of phishing websites were hosted on .com domains.
• Threat actors also used other seemingly legit domains, such as .org (1.8%) and .net (3%). However, many opted for phishy-looking domains like.xyz (5.84%) and .buzz (2.57%). Other top-level domains used in phishing attacks inculde .ru (2.93%), .tk (1.47%), and .ml (1.3%).
• 1 out of 10 spear-phishing emails is part of a sextortion scam
• Phishing was the second most commonly used infection vector, employed in 33% of attacks—slightly up 31% from 2019 —suggesting that attackers’ changing techniques and defensive mechanisms against phishing are keeping pace.
• 44% of users are not aware of the security solution available for mobile devices.
• Mobile phishing attacks have grown at a consistent rate of 85% annually since 2011.
• IC3 received a record number of complaints from the American public in 2020: 791,790, with reported losses exceeding $4.1 billion.
• Total phishing complaints reported by the public increased 69% from 2019.
• Business email compromise is the most expensive phishing attack with 19,369 complaints with an adjusted loss of approximately$1.8 billion.
• Phishing scams were also prominent: 241,342 complaints, with adjusted losses of over $54 million.
• Phishing attack statistics show that the average cost of a data breach in 2018 was $3.9 million, or $150 for each record compromised.
• A total of 146,994 unique phishing sites were discovered in Q2 of 2020.
• During the Q3 of 2020, 40% of phishing websites were hosted on .com domains.
• Threat actors also used other seemingly legit domains, such as .org (1.8%) and .net (3%). However, many opted for phishy-looking domains like.xyz (5.84%) and .buzz (2.57%). Other top-level domains used in phishing attacks inculde .ru (2.93%), .tk (1.47%), and .ml (1.3%).
• 88% of organizations experienced targeted phishing attacks in 2019.
• 86% of organizations had their business email network compromised by threat actors in 2019.
• In 2018, more than 50% of phishing websites used SSL certificates.
• Google and Facebook lost $100 million in 2017 as a result of phishing attacks.
• Companies phishing attacks targeted worldwide in 2020:
  • Software-as-a-Service (SaaS) companies and webmail providers (34.7%)
  • Financial institutions (18%)
  • Payment platforms (11.8%)
  • Social media websites (10.8%)
  • e-commerce businesses (7.5%)
• US organizations were the main targets of threat actors, having been on the receiving end of 84% of all phishing attacks in 2018.
• Canada was in second place with just 4% of attacks, while China and France tied for third place with 2%.
• Gmail’s built-in filters block more than 100 million phishing emails daily. 68% of cases blocked emails as part of a previously unknown phishing scam.
• In one study, 61% of participants couldn’t tell the difference between the genuine and fake Amazon login page.
• Almost half of all malicious email attachments came in the form of Microsoft Office documents:
  • Microsoft Word (39.3%)
  • Microsoft Excel (8.7%)
  • Executable (19.5%)
  • Rich text (14%)
  • Java archive files (5.6%)
• The most common words used in phishing emails that targeted businesses are:
  • Urgent (8%)
  • Important (5.4%)
  • Important update (3.1%)
  • Attn (2.3%)
• More than 1,506 data breaches occurred due to data phishing attacks, compromising 164.68 million records – an increase of 19.8% from 1,258 breaches in 2018.
• The most impersonated brands to carry out phishing attacks include:
  • Google (13%)
  • Amazon (13%)
  • Facebook & WhatsApp (9%)
  • Microsoft (7%)
  • Apple (2%)
  • Netflix (2%)
  • PayPal (2%)
• 96% of threat actors use spear-phishing to gather intelligence.
• Threat actors cite disruption (10%) and financial gain (6%) as their main motivators for launching a spear-phishing attack.
• The number of known spear-phishing groups has grown from 116 in 2016 to over 250 in 2018.
• The top countries with these groups include:
  • Japan (69)
  • China (44)
  • Turkey (43)
  • Saudi Arabia (42)
  • South Korea (40)
  • Taiwan (37)
  • United Arab Emirates (30)
• 1 out of 10 spear-phishing emails is part of a sextortion scam
• Phishing was the second most commonly used infection vector, employed in 33% of attacks—slightly up 31% from 2019 —suggesting that attackers’ changing techniques and defensive mechanisms against phishing are keeping pace.

Phishing by Industry

Source: KnowBe4

• The FBI’s 2022 Internet Crime Complaint Center (IC3), continued to receive a record number of complaints from the American public: 800,944 reported complaints (2,175+ daily), which was a 5% increase from 2021, with potential losses exceeding $10.3 billion. Additionally, business email compromise incidents accounted for 21,832 complaints with an adjusted loss of nearly $2.7 billion.
• 58% of organizations in the U.S. suffered significant revenue losses as a direct result of a ransomware attack.
• 56% of U.S. organizations reported that their brand was negatively impacted by a ransomware attack. After the attack, 46% of these respondents said they regained access to their data, but some or all of the data was corrupted.
• According to the FBI, in 2022, BEC was responsible for a whopping $2.7 billion in losses – a stunning figure, especially when compared to something like credit card fraud, which we have all heard of and only accounted for $264 million.
• The FBI reports that Mexico had 1,119 cyber crime victims, Canada had 5,517 victims, and the U.S. alone had 479,181 victims. Within the U.S., California led the pack with 80,666 cyber crime victims within its borders alone, but the next highest, Florida, still had 42,792 victims.
• Who’s at Risk?
  • Small Businesses (1-249 employees)
    • 32.3% Healthcare & Pharmaceuticals
    • 31.6% Retail & Wholesale
    • 31.2% Education
  • Medium (250-999 employees)
    • 35.8% Healthcare & Pharmaceuticals
    • 33.6% Energy & Utilities
    • 31.3% Construction
  • Large (1000+ employees)
    • 53.2% Insurance
    • 51.1% Energy & Utilities
    • 48.2% Construction

Industry Specific Cybersecurity Statistics

Small Business

Source: PurpleSec

• 43% of cyber attacks target small business.
• 47% of small businesses had at lease on cyber attack in the past year, 44% of those had two to four attacks.
• 70% of small businesses are unprepared to deal with a cyber attack.
• 3 out of 4 small businesses say they don’t have sufficient personnel to address IT security.
• 66% of small business are very concerned about cyber security risk.
• 85% of small businesses plan to increase spending on managed security services.
• 51% of small businesses say they are not allocating any budget to cyber security.
• 58% of malware attack victims are categorized as small businesses.
• In 2018, cyber attacks cost small businesses an average of $34,604.
• Ransomware damage costs alone are on track to hit $11.5 billion in 2019, at which point it’s estimated that small businesses will fall victim to a ransomware attack every 14 seconds.
• 4% of malware sent to small businesses is delivered via email.
• The most common malicious email disguises are:
  • 7% bill / invoice
  • 3% email delivery failure notice
  • 4% package delivery
  • 1.1% legal/law enforcement message
  • 0.3% scanned document
• 60% of small businesses say attacks are becoming more severe and more sophisticated.
• Only 14% of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective.
• 60% of small companies go out of business within six months of a cyber attack.
• 48% of data security breaches are caused by acts of malicious intent. Human error or system failure account for the rest.
• Small businesses are most concerned about the security of customer data:
  • Consumer records 66%
  • Intellectual property 49%
  • Customer credit or debit card information 46%
  • Financial information 26%
  • Employee records 8%
  • Business correspondence 5%
  • Other 1%
• The types of cyber attacks on small businesses broke out as following:
  • Web-based attack 49%
  • Phishing / social engineering 43%
  • General malware 35%
  • SQL injection 26%
  • Compromised / stole devices 25%
  • Denial of services 21%
  • Advance malware / zero day attacks 14%
  • Malicious insider 13%
  • Cross-site scripting 11%
  • Ransomware 2%
  • Other 1%
• Percentage of small businesses that store valuable data
  • 68% store email addresses
  • 64% store phone numbers
  • 54% store billing addresses
• Small businesses are not investing in cyber security
  • 38% regularly upgrade software solutions
  • 31% monitor business credit reports
  • 22% encrypt databases
• 69% of small businesses do not strictly enforce password policies.
• 16% of small businesses say they had only reviewed their cyber security posture after they were hit by an attack.
• Only 16% of small business are very confident in their cyber security readiness. These areas are lacking:
  • Strategy – 52% of small business have a clearly defined strategy around cyber security.
  • Accountability – 23% of small businesses have a leadership role dedicated to cyber, whereas 46% have no defined role at all.
  • Willingness to respond – 65% of small businesses have failed to act following a cyber security incident.
  • Training – 32% of small businesses have conducted phishing experiments to assess employee behavior and readiness in the event of an attack.
  • Insurance – 21% of small businesses have a standalone cyber insurance policy, compared to 58% of large companies.
• 4 out of 5 small businesses report malware has evaded their antivirus.

Healthcare

Source: PurpleSec

• 16% of healthcare providers report having a “fully functional” cyber security program.
• 43% say that they are either still developing security programs or have not developed one.
• 82% of surveyed healthcare organizations say that security is a top concern.
• 69% of those in the healthcare industry believe they are at risk for a data breach.
• 94% are now using some form of advanced DLP software to protect sensitive data.
• 89% of healthcare organization had patient data lost or stolen in the past two years.
• Patient health records can be sold for as much as $363 on the black market, which is more than any piece of information from other industries.
• 93% of healthcare organizations are currently using some form of cloud services.
• 63% plan to use multiple cloud vendors.
• 25% of healthcare organizations using the public cloud report that they are not encrypting patient data.
• Healthcare has the highest number of attacks by ransomware over any other industry.
• The healthcare industry was the victim of 88% of all ransomware attacks in US industries in 2016.
• 20% of healthcare domain emails were fraudulent in 2017.
• Healthcare organizations were targeted 473% more often in Q4 2018 vs Q1 2017.
• 54% of healthcare business associates say their top vulnerability is tied to employee negligence in handling patient information.
• 81% of healthcare cyber security incidents are rooted in employee negligence.
• 69% of healthcare organizations cite negligent or careless employees as their top worry for security incidents, followed by cyber attacks (45%) and insecure mobile devices (30%).
• The average cost of a cyber attack in healthcare is $3.62 million.
• Data breaches are costing the US healthcare industry about $6.2 billion per year.

Financial Services

Source: PurpleSec

• 67% of financial institutions reported an increase in cyber attacks over the past year.
• 26% of financial enterprises faced a destructive attack.
• 79% of financial CISOs said threat actors are deploying more sophisticated attacks.
• 21% suffered a watering-hole attack in the last year.
• 32% of financial institutions encountered island hopping, is leveraging one compromised organization to gain entry into another.
• 25% of all malware attacks hit banks and other financial industries, more than any other industry
• Credit card compromised increased by 212% year over year, credential leaks experienced a similar increase of 129%, and malicious apps increased by 102%.
• 47% of financial institutions reported an increase in wire transfer fraud.
• 31% of financial institutions reported an increase in home equity loan fraud.
• 79% of financial institutions said cybercriminals have become more sophisticated, leveraging highly targeted social engineering attacks.
• 32% of financial institutions reported experiencing counter incident response.
• 21% of financial institutions reported experiencing C2 on a sleep cycle.
• 70% of financial institutions said they are most concerned about financially motivated attackers.
• 30% of financial institutions said they are most concerned with nation-state activity.
• Global attack types and sources on financial sectors:
  • Web attacks – 46%
  • Service-specific attacks – 28%
  • DoS/DDoS 8%
• 69% of financial institution CISOs are planning to increase cyber security spending by 10% or more in 2019.
• 47% of financial institution CISOs said their organizations are operating threat hunt teams.
• 32% of financial institution CISOs said they conduct threat hunts on a monthly basis.
• 70% of cyber crimes targeting surveyed financial institutions involve lateral movement

Federal and Local Government

Source: PurpleSec

• Nearly 60 million Americans have been affected by identity theft.
• U.S. government to spend $15 billion on cyber security related activities in 2019 up 4% over the previous year.
• The United States is the number one target for targeted cyber attacks.
  • United States: 38%.
  • India: 17%.
  • Japan: 11%.
  • Taiwan: 7%.
  • Ukraine: 6%.
  • South Korea: 6%.
  • Brunei: 4%.
  • Russia: 4%.
  • Vietnam: 4%.
  • Pakistan: 3%.

Higher Education and School Districts

• The education industry is ranked last in cyber security preparedness out of 17 major industries.
• 41% of higher education cyber security incidents and breaches were caused by social engineering attacks.
• There were 455 cyber security incidents in the educational sector last year.
• Educational records can fetch up to $265 on the black market.
• 43% have had student data attacked, including dissertation materials and exam results.
• 25% have experienced critical intellectual property theft.
• 28% have had grant holder research data attacked.
• 87% have experienced at least one successful cyber attack.
• 83% believe cyber attacks are increasing in frequency and sophistication.
• 79% universities have experienced damage to reputation and almost 74% have had to halt a valuable research project as a result of a cyber attack.
• 77% also say a cyber breach has the potential to impact national security, due to the potentially sensitive nature of the information which could been compromised.
• 64% don’t believe their existing IT infrastructure will protect them against cyber attacks in next 12-18 months.
• 27% see the current security of their data center as ‘inadequate’ and in urgent need of updating.
• 85% of universities agree that more funding must be given to IT security to protect critical research IP.
• On average, 30% of users in the education industry have fallen for phishing emails.
• The education sector accounted for 13% of all data security breaches during the first half of 2017, resulting in the compromise of some 32 million personal records.
• In March 2018, over 300 universities worldwide suffered from a giant cyber attack organized by nine Iranian hackers. According to the official information, 31 terabytes of “valuable intellectual property and data” was exposed.

CompTIA Facts

Source: CompTIA

• In 2022, only 25% of survey respondents felt that the overall state of cybersecurity in the economy was improving dramatically. In 2023, that number increased to 27%.
• In 2022, only 24% of respondents said their organization’s cybersecurity was completely satisfactory. In 2023, that number grew to 28%.
• According to Microsoft, nearly 80% of nation-state attackers targeted government agencies, thinks tanks and other non-government organizations.
• Microsoft also reports that 58% of cyberattacks from nation states originated in Russia.
• The United States remains the most highly targeted country with 46% of global cyberattacks being directed towards Americans.
• Twitter experienced a data breach that allegedly affected millions across the United States and Europe but had not been previously reported.
• Carding marketplace Biden Cash released the details of 1.2 million credit cards for free on October 12, 2022.
• Australian telecommunications company Optus suffered a devastating data breach on September 22, 2022, that led to the details of 11 million customers being accessed.
• On November 16, 2022, a hacker posted the data set to BreachForums containing what they claimed to be up-to-date personal information of 487 million WhatsApp users.
• On October 13, 2022, 97 million people's information was stolen when Australian healthcare and insurance provider Medibank suffered a data leak.
• Phishing attacks increased by 48% in the first half of 2022, with reports of 11,395 incidents costing businesses a total of $12.3 million.
• Research suggests that up to 40% of cyber threats are now occurring directly through the supply chain.
• Ransomware attacks grew by 41% in 2022 and identification and remediation for a breach took 49 days longer than the average breach.
• As the internet of things (IoT) continues to grow in scope, sophistication, and accessibility, it’s becoming an increasingly tempting target for cybercriminals.
• The cost of cyber crime has risen 10% in the past year.
• The average cost of a data breach in the United States in 2022 was $9.44 million, according to IBM data.
• Cybersecurity Ventures predicts cybercrime will cost $10,5 trillion annually by 2025.