UK phishing statistics and how to guard against threats

Picture this – an email pops into your inbox, and it’s from Apple.

“Your iCloud storage has expired,” it warns. “Upgrade before Sunday to claim a discount on your subscription, and avoid losing access to your saved photos.” Panicked, you click the link in the email, enter your card details and renew your subscription – or so you think.

It’s not until a week later, when you start to notice several strange transactions on your bank statement, that you start to suspect wrongdoing. And that, in fact, you may have been phished.

This is a common phishing scenario – but there are plenty like it. From ‘smishing’ and ‘vishing’ to spear phishing and whaling, there are certainly plenty of phish in the sea. And we mean plenty – there were 4.7 million phishing attacks in 2022 alone, representing more than a 150 per cent per-year increase since the beginning of 2019.

So what can you do to ensure your personal and professional safety online – and protect yourself, and your business, from phishing?

First, you need to understand it. That’s why below, we’re explaining what phishing is and how it works, before unpacking 30-plus of our top phishing statistics – from both abroad, and right here in the UK. We’ll then answer phishing’s most frequently asked questions, and explain how you can safeguard yourself (and your staff) from phishing in 2023.

Phishing is a form of fraud or cyberattack in which a fraudster attempts to trick individuals into revealing sensitive information, including usernames, passwords, credit card details, or other personal and financial data. The cybercriminal can then use this information to make unauthorised purchases on the person’s card, or assume control over their online accounts.

Much as a fisher attracts a fish with bait, a phisher also lures its victims in – typically by posing as a trustworthy entity (a process called ‘spoofing’), or through the insidious strategy of ‘social engineering’.

Let us explain.

The mechanics of phishing

Phishing works by exploiting human psychology – and our innate capacity for trust – to trick people into revealing sensitive information, or taking actions that benefit the phisher.

This is called social engineering. It’s a form of manipulation that – unlike traditional cyberattacks, which target websites – targets people. Social engineers deploy techniques of psychological persuasion (like enticing the target with an inviting deal or discount, or threatening repercussions if swift action isn’t taken) to trick their targets into giving up important details around their bank account and identity.

To achieve this, scammers use a variety of platforms – including SMS, email, and phone – with contact details bought on the Dark Web, or pilfered from various online sources (such as social media profiles, company bios, or leaked data).

The phisher then reaches out to the target with a call or a message to their email or phone. The message is often crafted to appear as though from a legitimate company and often will use the branding, logos, and language of the trusted organisation it’s attempting to impersonate (typically a bank, government agency, or other well-known business).

Phishing communications usually leverage human emotions – fear, greed, urgency, or simple curiosity – to solicit a quick response from the victim. One common phishing tactic, for example, is for a scammer to claim that a victim’s bank account has been compromised – and the only way to save the money is by transferring it to a new, ‘safe’ account that the fraudster has access to.

This is what’s known as a phishing ‘call-to-action’ (CTA). In the case of email or SMS phishing, it usually comes in the form of a link that the target must click to take a specific action. This might be to safeguard an account that’s been ‘closed’ or ‘hacked’, to renew a service that has recently ‘expired’, or to claim delivery of a package that has been ‘suspended’.

Here’s an example our researcher recently received.

At first glance, this phishing email might look legitimate. But look closer, and inconsistencies appear: the 60 days the copy invites us to claim free, versus the button which offers 90 days, for instance. Plus, the email is asking us to enter our credit card details to ‘validate’ our Spotify ID. Oh – and our researcher’s Spotify membership is still very much active.

As the Spotify-impersonating phishing email above demonstrates, the attacker will include links that appear to link to legitimate websites – but in fact direct the victim to a fake website that mimics the real thing. When there, they’ll be encouraged to enter their personal and credit card details to ‘authenticate’ their identity, and avoid the unwanted action the phishing email is threatening them with. When the victim does that, it’s simply a matter of the phisher collecting the data – then using it to defraud the customer of their money or infiltrate their accounts.

Not all phishing attacks work this way, however. Some trick the target into downloading malware onto their device, which then does the phisher’s work for them.

Many phishers will also have an exit strategy to conceal the fraud, and buy them more time to take advantage of the stolen details before the victim realises and cancels their card. To achieve this, the attacker may redirect the victim to the legitimate website after they’ve stolen their details – leaving them unaware that their security has been breached.

Phishing comes in many forms, and utilises different targets, methods, and platforms.

The first distinction is the way in which the phisher solicits contact with the victim. This could be through:

• Email phishing: emails that contain links to malicious websites or software.
• Voice phishing (‘vishing’): a phone call in which a hacker impersonates a legitimate organisation. Often, hackers use caller ID spoofing to masquerade their calls under the actual number of the company they’re pretending to be.
• SMS phishing (‘smishing’): text messages that encourage the recipient to click on fraudulent links or download malware.

With that in mind, here’s a summary of the myriad types of phishing attack to look out for:

Bulk phishing

Bulk phishing (also known as ‘mass phishing’) is when the phisher sends out a huge number of phishing emails or messages to a large audience.

These emails are rarely tailored to the specific recipient, so they’re less convincing than the more customised approaches of spear fishing and whaling. But they also require less effort to plan and put together – and, by casting the net as far and wide as possible, bulk phishers increase their chances of landing upon at least a handful of unsuspecting victims.

Spear phishing

Spear phishing is a targeted form of phishing, in which fraudsters customise their messages to specific individuals or organisations.

Rather than a blanket email that can be sent to hundreds or thousands of email accounts, a spear phishing attack involves communication that has been tailored to an individual recipient. To obtain the information they need, spear phishers often comb through an individual’s personal and professional online profiles for any details that add authenticity and legitimacy to the email.

In 2022, more than three-quarters (76 per cent) of phishing attacks were targeted – so it’s a threat you need to remain on the lookout for.

Whaling

Whaling is a subset of spear phishing that targets high-ranking executives – such as CEOs or CFOs – within a company.

Hackers will do their research beforehand to compose an email that looks convincing – and use their pre-prepared knowledge of the target to trick them into revealing sensitive corporate information, or transferring funds to fraudulent accounts. Because of the target’s senior position in their company, whaling can often have the most serious consequences (both financial and reputational) for a business.

Business email compromise

Business email compromise (BEC) fraud is similar to whaling in that it involves high-ranking executives within a company. But instead of targeting them (as with whaling), BEC phishers impersonate these executives – then use their online identities to trick other employees within the company into disclosing sensitive information.

Clone phishing

Clone phishing involves an attacker creating a near-identical copy of a legitimate email that the victim has recently received and engaged with. The cloned email includes malicious links or attachments that – when opened – install malware on the target’s device, or encourage them to enter their details.

Like the other more targeted forms of phishing here, clone phishing can be extremely convincing, because the victim – having recently replied to a similar-looking email – is tricked into thinking it’s a legitimate follow-up.

Pharming

Pharming attacks manipulate a website’s DNS (Domain Name System) settings to redirect internet users to fraudulent websites – even if the victims entered the correct website’s URL into their browsers. The bogey site will often be close to an exact replica of the original – meaning victims are unaware they’ve been redirected before it’s too late.

Search engine phishing

Search engine phishing (also known as SEO poisoning or SEO Trojans) is when scammers manipulate results in search engines such as Google or Bing to make their own (fraudulent) websites rank highly.

When unsuspecting users come along, they’re tricked into clicking on the phishing website, mistaking it for a legitimate answer to their query.

Let’s first take a look at phishing’s state of play – from a worldwide perspective.

• As of January 2023, almost a third (30 per cent) of adults worldwide had experienced a phishing scam. Phishing was the third-most encountered form of cybercrime, behind only a computer/mobile virus (experienced by 41 per cent) and mobile/SMS scams (35 per cent).
• In 2022, Vietnam was the most targeted by phishing attacks, with the country’s internet users witnessing a phishing attack rate of 17.03 per cent. Macau, in China, was next with close to 14 per cent; Madagascar, at 12 per cent, came third.
• Peru, in 2022, had the highest mobile phishing encounter rate in the world, with the Bahamas hot on its heels in second.
• As of Q4 2022, there were more than 1.35 million phishing sites detected throughout the internet. Looking deeper at the data, the Covid-19 pandemic clearly played a role: the biggest rise in phishing sites globally was between the lockdown months of Q2 and Q3 2020, in which the number rose from just under 147,000 to nearly 572,000.
• In 2022, bulk phishing was phishing’s most common manifestation, with 85 per cent of companies around the world going through it. At 75 per cent, spear phishing was the second-most experienced type of phishing in 2022.
• 74 per cent of organisations worldwide reported having experienced smishing in 2022, while 70 per cent have faced vishing.
• In 2022, most BEC threats (26.3 per cent) targeted users in the Americas, with Europe (10 per cent), Oceania (9.5 per cent), and Asia (3.3 per cent) also popular.
• The average BEC attack in 2022 attempted to steal US$132,559 (APWG).
• In October 2022, 599 brand names were impersonated (or ‘spoofed’) by phishers, with Microsoft, Google, Yahoo!, Facebook, Outlook, Apple, Adobe, AOL, PayPal, and Office365 all among the most-hijacked brands. In financial phishing attacks, PayPal was impersonated by 84 per cent of phishers – way ahead of Mastercard’s 4 per cent.
• Of the malicious emails reported by employees worldwide in Q1 2023, almost six in 10 (58.2 per cent) were designed to steal credentials. 40.5 per cent were response-based (impersonating legitimate employees) and just 1.3 per cent involved malware.
• In 2022, a breach of customer or client data was phishing’s biggest consequence, with 44 per cent of phished companies experiencing this. Phishing-caused ransomware infection (43 per cent) was the next biggest repercussion, followed by the compromise of accounts or login credentials (36 per cent), and the loss of data or intellectual property (33 per cent).
• ChatGPT can both enable and prevent phishing. While the AI tool can create fake login and landing pages with ease, it also has an 87.2 per cent success rate when it comes to detecting phishing links.
• Larger organisations are less likely to be phished, according to Symantec. Its research states that companies with one to 250 employees can expect around one in 323 emails to be phishing; while organisations with 1,001 to 1,500 staff have a phishing email ratio of 1:823.
• October 2022 was a huge month for phishing, with the 101,104 unique phishing email subjects the largest ever recorded by the APWG.

Now let’s hone in on the UK. What kind of an impact is phishing having on our homegrown businesses – and how rife is phishing on British soil?

Well, according to SlashNext’s 2022 report – dubbed ‘The State of Phishing’ – the UK is the most targeted country in Europe for phishing.

The SlashNext data shows that in 2022, a staggering 96 per cent of British companies were the subject of phishing attempts. Spain (94 per cent) came second, while France (85 per cent) and Italy (79 per cent) got off comparatively lightly.

Here are some more UK phishing statistics to explore:

• A 2023 study by the UK government – which surveyed 2,263 UK businesses and 1,174 charities – reported that 79 per cent of UK businesses (and 83 per cent of charities) faced a phishing attack in the last 12 months. Phishing was, by far, the most-reported form of cybercrime in the study.
• The 79 per cent of businesses that faced phishing in the survey is up a lot from 2017’s total of 72 per cent – although down from the 83 per cent observed in 2022.
• Phishing was considered the most disruptive type of attack by 59 per cent of the UK businesses – and 64 per cent of the charities – that have faced one in the last year.
• The same research also found that a meagre 19 per cent of businesses had tested their staff with phishing simulation exercises; for charities, it was just 16 per cent.
• That Home Office report also found UK businesses are loosening their grip on anti-phishing measures. While 57 per cent of the surveyed businesses had agreed-on processes for dealing with phishing emails in 2022, this fell to just 48 per cent in 2023.
• The percentage of British-based businesses using malware protection (83 to 76 per cent), password policies (75 to 70 per cent), and network firewalls (74 to 66 per cent) in 2023 all decreased from their 2022 numbers, too.
• According to data from the Telephone-operated Crime Survey of England and Wales (TCSEW), people in the UK aged 25 to 44 years are the most likely to be targeted by phishing schemes.
• In 2021, 6.42 per cent of internet users in the UK attempted to open a phishing link. This was around half of the 12.39 per cent of Brazil, the worst offender, and the 12.21 per cent of France.
• Of the UK internet users who reply to or click on a link in a phishing message, 35 per cent do so for financial gain, while 30 per cent do it to pay a bill or invoice (TCSEW).
• Bigger organisations are more likely to report phishing attacks. In the UK, 93 per cent of large businesses and 84 per cent of medium-sized businesses reported phishing, in contrast to the overall figures of 79 per cent (UK Government).
• According to Kaspersky, around 1.6 per cent of all spam – which includes phishing emails – comes from the UK. The biggest culprits in this regard, though, are Russia (24.77 per cent), Germany (14.12 per cent), and the US (10.46 per cent).
• Similarly, 1.2 per cent of all phishing websites have a .co.uk domain. The top culprits are .com (31.55 per cent of all scam websites) and .xyz (13.71 per cent), according to Kaspersky.

When it comes to the specific industries phishers tend to target, not all sectors are created equal – and some, say the data, are much more prone to phishing attacks.

According to Statista – which measured the industries worldwide most affected by phishing as of Q4 2022 – financial institutions are the most likely to find themselves in the crosshairs of phishers. A staggering 27.7 per cent of phishing attacks on businesses in Q4 2022 focused on companies in the financial services industry – but it’s far from alone in its victimisation.

The other industries most targeted by phishing include:

• SaaS (Software-as-a-Service)/webmail: 17.7 per cent
• Social media: 10.4 per cent
• Logistics/Shipping: 9 per cent
• Payment: 6 per cent
• Ecommerce/Retail: 5.6 per cent
• Telecom: 3.1 per cent
• Cryptocurrency: 2.3 per cent
• Other: 18.2 per cent

Diving deeper into phishing’s industry-related data, and we see an interesting trend – that the industries most affected by phishing aren’t necessarily the ones this form of fraud has the greatest (monetary, at least) impact on.

That’s because the average cost of the most financially damaging email-based phishing attack worldwide – around US$1.5 billion – was in the business and professional services industry, which doesn’t feature in the above list of the most affected countries. The media, leisure, and entertainment sectors – with average losses of around US$1.47 million – placed second.

As for how prepared and vigilant these industries are around phishing, Statista looked at the average failure rates for phishing simulations in organisations. Phishing simulations involve sending a fake phishing email to employees to test how well they flag and report it.

In 2022, employees in the electronics (14 per cent), aerospace (13 per cent) and mining (13 per cent) sectors had the highest phishing simulation failure rate; followed closely by their counterparts in the business services, consulting, food and beverage, and technology industries (all 12 per cent).

The lowest phishing simulation failure rates (perhaps unsurprisingly) were in the legal sector, with 8 per cent.

As we’ve seen with the phishing statistics above, this form of fraud is startlingly common – not only in the UK, but around the world.

Which begs the question – how can you protect yourself from it?

Read on to find out how to recognise phishing emails and websites, and which tools and best practices can help you fight it – as well as the importance of education in safeguarding your team and business from phishing threats.

When it comes to safeguarding your personal and professional life from phishing attacks, being forewarned is forearmed – and that starts with knowing exactly what a phishing email looks like. So here are our top tips for spotting a phishing email – before you engage with it.

Check the sender

Unless the phisher has gained access to the actual account of someone you know, their email will never come from that (legitimate) email address.

However, phishers can ‘spoof’ email addresses – that is, make email addresses with a similar name and construction – to trick you into thinking it’s the real person. So if you receive an email that looks even vaguely suspicious, run a magnifying glass over the address it came from – and double-check their email ID against messages you’ve previously received from that sender.

Pay attention to the details

Often, phishers – particularly bulk phishers, who rely on a ‘scattergun’ approach – aren’t the most fastidious when it comes to spelling and grammar.

While this isn’t a blanket rule (spear fishers and whalers, for instance, tend to be more detail-oriented), what it means is that the content and format of phishing emails often contain errors and inconsistencies that few legitimate professional communications would. Looking for these can soon help you separate the real emails from the fraudulent.

Beware of urgency

One of the tactics of psychological manipulation phishers use is urgency – imploring the victim to do something quickly, or face the consequences of inaction. Through this, the phisher minimises the space the victim has to sit, wait, and contemplate the situation in full – while maximising the likelihood they’ll end up doing something they don’t want to.

So remain vigilant towards emails that threaten consequences, or impose arbitrary timelines on action – they’re a good indicator that you’re being phished.

Sometimes, this urgency isn’t outright stated by the phisher – it’s implied. Take the following phishing email, for example. It purports to be from Facebook, explaining that an unknown user logged into their account from a different device. While the email doesn’t demand action (although it does encourage the recipient to ‘Report the user’), it does elicit a sense of urgency, in that the recipient must act quickly or risk losing their Facebook account.

Be suspicious of special offers

Just as phishers use the stick of consequence to threaten victims into compliance, they also use the carrot of reward to lure victims in with the promise of a special deal or discount.

Needless to say, stay wary of any unsolicited offers you receive via email – especially if they’re not with companies whose mailing list you’ve subscribed to. And remember the old adage – if it sounds too good to be true, it probably is.

When it comes to telling phishing websites apart from their legitimate counterparts, many of the above rules apply, including checking for content and design inconsistencies, and remaining wary of threats or overpromises.

However, there are some more specific strategies you can use to spot a phishing website. These include:

• Check the website’s URL carefully before entering any information into it. If it doesn’t quite look right, Google the name of the company and cross-reference the website you’re on with the real website (it should be at the top of the search results).
• Look for secure connection indicators, such as an SSL certificate. This will show up as a small padlock icon in your browser, and as an ‘s’ in the URL prefix ‘https’. It demonstrates that the website is safe to access.
• Be wary of pop-ups. They’re a common tactic used by phishers to solicit personal information while you browse. Legitimate organisations will never, ever request sensitive data from you this way.

Protecting yourself, your brand, and your bottom line from phishing can be a big task – but it’s not one you have to do alone. The following tools can help:

• Email security solutions: these platforms – which include Proofpoint, Mimecast, and Barracuda – analyse and filter out phishing emails before they reach your inbox.
• Endpoint protection software: these guard against phishing attempts, as well as malware – so even if you do accidentally click on a fraudulent attachment, your device will still be protected from it. Popular endpoint security options include Symantec, McAFee, and Trend Micro. Security software goes hand-in-hand with other solutions, such as a virtual private network (VPN), to provide comprehensive protection. Many of the best VPNs on the market also offer added defence in the form of malware blockers and phishing detection. 
• Password managers: through generating and securely storing complex passwords, password managers like LastPass, 1Password, Dashlane and NordPass help you squirrel your login information away where phishers can’t find it.
• DNS filtering services: these tools, which include Cisco Umbrella and OpenDNS, block malicious websites.

We also recommend getting into the habit of implementing anti-phishing best practices, which include:

• Independently verifying any requests for sensitive information or financial transactions you receive via email. Look up the company, give it a call – or get in touch with its customer support team via official channels – to seek extra clarification about what details it needs from you, and why.
• Enabling multi-factor authentication across all your devices. This means that, even if a phisher does gain access to your personal details and passwords, they’ll still find it hard to access your online accounts.
• Using strong, unique passwords for each account you have – and not storing them in a place a phisher could hack into.
• Installing antivirus and anti-malware software, and keeping it (along with your browser, operating system, and the applications you use every day) regularly updated.
• Backing up your data to cloud or offline storage. This way, you can restore any information lost in a ransomware or malware attack with ease.

Phishing may be prevalent, but – as we saw earlier, with employees in leading industries failing phishing simulations at rates of 12 to 14 per cent – it’s not all that easy to detect.

That means it’s absolutely vital to educate yourself – and your staff – around phishing. What does it look like, in all its forms? Why does it happen – and how can you report it when it does?

So empower your team with the knowledge they need to identify, understand, and prevent phishing. This could include:

• Running phishing simulations. This involves sending simulated phishing emails to employees to gauge their ability to recognise – and report – these attempts, and identify where further training is needed.
• Utilise a security awareness training platform. These make it easy to train and test your staff in cybersecurity matters, while tracking progress against preset learning outcomes. KnowBe4 and PhishMe are both popular choices.
• Staying informed about the latest fraud trends. Phishers and fraudsters are always evolving and expanding; changing tack and gathering pace as technology facilitates ever-growing forms of cyber criminality. So stay in the know about threats, and the latest phishing tactics and trends, as they emerge – then use this knowledge to adapt.

If you’ve been phished, don’t panic – there’s still plenty you can do to mitigate the havoc the phisher can wreak on you or your business.

First up? Disconnect from the internet. If your device has been compromised, removing it from the web will prevent further communication with the attacker’s servers – and stop the immediate spread of any malware they might have installed.

Secondly? Change the passwords to any accounts which may have been compromised in the phishing attack. If you’ve entered your credit or debit card information anywhere, call your bank straight away – it’ll be able to cancel the compromised card so the phisher can’t use it to make unauthorised purchases. Similarly, if you’ve given away answers to the security questions on any of your online accounts, change them immediately by calling the company.

Next, report the phishing attempt to the relevant authorities. In the UK, the government recommends getting in touch with Action Fraud if you’ve lost money or been hacked because of an online scam – you can report a phishing attempt this way, or call 0300 123 2040. If the phishing has occurred in a work-related context, be sure to report it to your IT department, too.

Going forward, keep an eye on your accounts for suspicious or unauthorised activity – such as unfamiliar transactions, changes to account settings, or emails in your sent folder you don’t recognise. Report anything that doesn’t look right to your service provider.

You should also remain vigilant to phishing attacks in the future, reading up on what they are, the forms they take, and what you can do to stop them.

Many of us fancy ourselves as experts at spotting phishing emails. And some – like the examples we used above – are too obviously fake to cause us any issues. In fact, most phishing emails we receive we’ll never read – they’re simply filtered out by our email providers, and sit in our spam inboxes until we remember to delete them.

But the reality is, phishing emails are a real threat.

Emerging phishing techniques – such as spear fishing and whaling – show how phishing is becoming more tailored and targeted. And, armed with increasingly (and artificially) intelligent tools such as ChatGPT, fraudsters – many of whom are already astute psychological manipulators – have fewer and fewer barriers to creating convincing, customisable phishing communications.

It’s not all doom and gloom, though. As the phishers get smarter, so too does the technology individuals and businesses have to fend them off. Anti-malware software, multi-factor authentication, endpoint protection platforms, and password managers are all highly effective against phishers – and only scratch the surface of what’s available.

Your only responsibility? To use them.

What’s more, be sure to stay up to date with the latest phishing statistics – and trends – as they unfold; and keep you, your colleagues, and your loved ones in the know. Remember, your first and best defence against phishing is knowledge – so be sure to dip back into this article as we keep it updated with the latest phishing facts and figures.