In 2022 phishing will be bigger than it ever has been, with sophisticated new methods meaning that an increasing number of people are falling for attackers’ tricks, regardless of their tech literacy.
Since May 2021, Google’s Threat Analysis Group has blocked 1.6 million phishing emails, and according to the FBI, phishing is currently the most common type of cybercrime. Whilst phishing was once not a cyberattack method commonly known to the general public, there are now 75 times as many phishing sites as there are malware sites, which used to be the most prevalent form of cybercrime.
In this report, SecureTeam has collated industry-wide research to provide a comprehensive overview of phishing in 2022, detailing which individuals are most at risk, and how phishing attempts can be avoided.
Article Index:
Most Targeted Organisation Functions
Most Targeted Organisation Types by Size
Small Organisations (1 – 249 Employees)
Medium Organisations (250 – 999 Employees)
Large Organisations (1000+ Employees)
Which Gender is Most at Risk of Phishing?
Which Age Group is Most at Risk of Phishing?
What Time of Year Are You Most at Risk?
Most Impersonated Brands in Phishing Attacks
How to Avoid Becoming Victim of a Phishing Scam
What is Phishing?
The term ‘phishing’ is derived from the notion of hackers ‘fishing’ for sensitive information by creating ‘bait’ in the form of deceitful emails and texts. Hackers commonly replace ‘f’ with ‘ph’ in their online slang, which is where the exact spelling comes from.
Examples of Phishing
Phishing is most common in the form of an email, although mobile-phishing methods are quickly on the rise. Phishing typically involves a criminal impersonating a well-known brand to encourage victims to either click a certain link that will allow the hacker access to their computer, or enter sensitive information under false pretences.
Typical examples include an ‘urgent’, ‘important’ or ‘take action’ style email claiming that you need to perform a specific action as soon as possible to avoid some sort of inconvenience or fine. Commonly, individuals are targeted with an email or text that at first glance resembles a legitimate communication from a trusted organisation, but there will always be an urgency to perform a certain action to avoid an unwanted outcome. This is how cybercriminals manipulate your trust: they create a panic, and you respond to it by handing over your sensitive data.
Most Targeted Industries
We analysed the most recent report released by The Information Commissioner’s Office to determine which industries have recently had the most reported cybersecurity phishing incidents. These are the current findings:
- Retail and manufacture
- Education and childcare
- Legal
- Finance, insurance and credit
- Charitable and voluntary
- Land or property services
- General business
- Health
- Transport and leisure
- Online Technology and Telecoms
- Social care
- Membership association
- Local government
- Marketing
- Religious
- Utilities
- Media
Most Targeted Organisation Functions
These are the company types reportedly most likely to be targeted by phishing attempts:
- Online Stores – 15.77%
- Global Internet Portals – 15.50%
- Banks – 10.04%
- Payment Systems – 7.63%
- Social Networks & Blogs – 6.10%
- IMS – 3.34%
- Telecommunication Companies – 2.67%
- IT Companies – 2.62%
- Financial Services – 1.75%
- Delivery Companies – 0.82%
- ‘Other’ – 33.76%
Most Targeted Organisation Types by Size
Research suggests that the most targeted industry sectors change depending on the scale of the business. For example, a smaller healthcare company is much more likely to be targeted than a large one, whereas large banks are prime targets for phishing attempts, according to the data:
Small Organisations (1 – 249 Employees)
- Healthcare & Pharmaceuticals – 34%
- Energy & Utilities – 32.90%
- Not For Profit – 31.20%
Medium Organisations (250 – 999 Employees)
- Hospitality – 42.30%
- Energy & Utilities – 35.70%
- Healthcare & Pharmaceuticals – 35.60%
Large Organisations (1000+ Employees)
- Energy & Utilities – 52.40%
- Insurance – 51.60%
- Banking – 47.50%
Which Gender is Most at Risk of Phishing?
According to a 2021 analysis of phishing emails, women are less likely to both open and enter their data in a malicious phishing attempt. Reportedly, males are 225% more likely to respond to phishing emails than females.
This new research contradicts the findings of a 2010 study by Sheng et al. which suggested that men were less susceptible to being caught in a phishing attempt due to their better education in technical areas. However, in 2022 the educational gap in STEM subjects is much smaller and this is no longer the case.
Which Age Group is Most at Risk of Phishing?
Contrary to what most people would believe, the most recent study into the demographic of victims of phishing suggests that the younger audience is more at risk than the elderly.
A study into the demographic of targeted individuals concluded that participants aged 18 to 25 were most susceptible to phishing attempts because of their lower level of world experience, less exposure to training materials and less knowledge of the real risks.
What Time of Year is Phishing Most Common?
Whilst phishing scams are active all year round, January can be considered the most dangerous time of the year and individuals need to be extra vigilant of phishing scams.
According to Google search data, the phrases ‘report phishing scam’ and ‘report email scam’ are searched for the most in January each year, with searches increasing by 44% in January 2021 compared to December 2020.
Reeling from a hectic Christmas period, people tend to be ‘off-guard’ in January, and bargain hunters shopping the post-Christmas sales are more likely to be sucked in by too-good-to-be-true offers and phishing emails.
On top of this, Glassdoor reports that job applications started on the platform go up by 17% in January as there is a surge in people wanting to change jobs. This means there are a lot of new starters, in new industries, who are untrained regarding the risks of poor cybersecurity practice.
Most Impersonated Brands in Phishing Attacks
Ranked by their appearance in phishing attempts, as reported by Check Point, these are the brands most commonly impersonated in 2021:
- Microsoft (related to 45% of all brand phishing attempts globally)
- DHL (26%)
- Amazon (11%)
- Bestbuy (4%)
- Google (3%)
- LinkedIn (3%)
- Dropbox (1%)
- Chase (1%)
- Apple (1%)
- PayPal (0.5%)
For email-based phishing attempts specifically, independent research found that these are the most common brands impersonated:
- PayPal
- Amazon
- DPD
- DVLA
- Apple
- Royal Mail
- Halifax
- Virgin Media
- Gov.UK
- Boots
Further highlighting the extent to which trusted brands are carefully mimicked in cybersecurity scams, the UK’s tax authority HMRC has been reported more than one million times for “suspicious contact”, with over 13,000 malicious web pages impersonating the organisation identified online in 2020 and 2021.
How to Avoid Becoming Victim of a Phishing Scam
- Question anything wanting you to ‘act quickly’
If an email or text from a brand has made you panic about something, then this should be the first trigger that something isn’t right. Often if there is something seriously wrong with a payment or something of that nature, then the business involved will call you, not text.
Phishing scams are designed to panic you so that you act quickly without having the time to second-guess what you’re doing. So if you receive an ‘urgent’ message that requires you to enter any sensitive information – the chances are that it’s a phishing attempt.
- Check the sender’s address
As a first precaution, always check the sending address for any communication received, and we encourage you to get familiar with the address commonly used by your bank and any companies you commonly receive communication from. That way you’ll be able to spot when something isn’t right.
Sender address manipulation is often very subtle, such as a plural added to a company name or a more specific-looking address such as @lloydscustomerservice.co.uk rather than @lloydsbank.co.uk. If in any doubt, a quick Google search can often highlight any issues.
- Don’t click any links or attachments
In many cases, you don’t even need to input any data for the attacker to capture your sensitive information. In sophisticated hacking attempts, as soon as you click on a suspicious link or attachment, you immediately give the hacker access to your computer’s storage. This is why you need to avoid clicking anything at all to be safe.
If you get an email from your bank, for example, and are worried about your account, don’t click through via the email. Instead, log in as you usually would and check whether everything appears normal that way.
- Hover over links
A quick way to check the real URL of a link on a desktop device is to hover your cursor over it without clicking. This displays the real address of the website that clicking the link would take you to.
Be especially vigilant for strange or incorrect spelling, unusual URL slugs (such as lots of numbers), and page addresses that are unexpected given the context of the communication. This is best practice for all links, even in emails you aren’t immediately suspicious about.
- Look out for mistakes
Typos are often the tell-tale sign of a fraudulent email or message. This is why we recommend using a spell-checker extension to check the content of your incoming messages for mistakes that could point to a malicious phishing attempt.
- Compare to legitimate past emails
Because of the increase in phishing attempts, big brands have a lot of information and resources available to help customers spot fraudulent emails, and these are commonly available online if you look for them.
Take time to familiarise yourself with the standard email format, sender address and timings of contact from your bank or Royal Mail for example. This will help you to quickly spot an email that doesn’t follow the norm.
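To make the ‘check the sender’s address’ and ‘hover over links’ checks above concrete, here is an added Python example (not part of the original article or any SecureTeam tooling). It keeps a small allow-list of sending domains you have confirmed a brand really uses (the lloydsbank.co.uk / lloydscustomerservice.co.uk pair is the article’s own example; the PayPal entries and the sample email body are constructed), classifies a From: header as known, lookalike or unknown, and audits every link in an HTML message for the warning signs described above: displayed text that shows one address while the link really goes somewhere else, a brand lookalike domain, or a bare IP address or digit-heavy host.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of sending domains you have confirmed each brand uses.
# lloydsbank.co.uk is the article's example; the PayPal entries are constructed.
KNOWN_SENDER_DOMAINS = {
    "lloyds": {"lloydsbank.co.uk"},
    "paypal": {"paypal.com", "paypal.co.uk"},
}

# Link text that itself looks like a web address, e.g. "www.lloydsbank.co.uk".
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", re.I)
BARE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
DIGIT_HEAVY = re.compile(r"\d{4,}")


def is_known_domain(host: str) -> bool:
    """True if host is a confirmed sending domain for any brand."""
    return any(host in domains for domains in KNOWN_SENDER_DOMAINS.values())


def mentions_brand(text: str) -> bool:
    """True if any brand name from the allow-list appears in the text."""
    text = text.lower()
    return any(brand in text for brand in KNOWN_SENDER_DOMAINS)


def check_sender(from_header: str) -> str:
    """Classify a From: header as 'known', 'lookalike' or 'unknown'.

    'lookalike' covers a brand-flavoured domain that is not on the allow-list
    (lloydscustomerservice.co.uk) and a display name that claims a brand while
    the address behind it belongs to an unrelated domain.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if is_known_domain(domain):
        return "known"
    if mentions_brand(domain) or mentions_brand(name):
        return "lookalike"
    return "unknown"


def link_host(url: str) -> str:
    """Lower-cased hostname of a URL or bare hostname, with a leading www. removed."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html: str) -> list:
    """Return one finding per link whose real destination does not match what the reader sees."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = link_host(href)
        reasons = []
        # The "hover over links" check: visible text shows one address, the href another.
        if LOOKS_LIKE_URL.match(text) and link_host(text) != host:
            reasons.append("displayed address differs from real destination")
        # The sender-address logic applied to the link's host.
        if mentions_brand(host) and not is_known_domain(host):
            reasons.append("brand lookalike domain")
        # "Unusual URL slugs (such as lots of numbers)".
        if BARE_IP.match(host) or DIGIT_HEAVY.search(host):
            reasons.append("bare IP address or digit-heavy host")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message body mimicking a bank alert (198.51.100.23 is a documentation-only address).
SAMPLE_HTML = """
<p>Your account has been locked. <a href="http://lloydscustomerservice.co.uk/login">Sign in now</a>
to restore access, or visit <a href="http://198.51.100.23/verify">www.lloydsbank.co.uk</a>.</p>
<p>Questions? <a href="https://www.lloydsbank.co.uk/help">Help centre</a></p>
"""

if __name__ == "__main__":
    print(check_sender("Lloyds Bank <security@lloydscustomerservice.co.uk>"))
    for finding in audit_links(SAMPLE_HTML):
        print(finding)
```

Run against the sample body, the first link is flagged as a brand lookalike, the second because the displayed www.lloydsbank.co.uk really points at a bare IP address, and the genuine help-centre link passes. The allow-list is the important part: the checks are only as good as the list of addresses you have personally confirmed for each brand, which is exactly the familiarisation the article recommends.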