14 Spear Phishing Statistics to Keep You Alert

Important – Urgent attention is required!

That’s the header example for emails that make it to tons of mailboxes daily.3

While they look innocent, many carry dangerous messages. And it gets worse if you can’t verify the sender straight away.

Simply put, it’s a spear phishing campaign aiming to obtain a company’s sensitive data. The targets are primarily important people within an organization.  

Such emails contain info that convinces you to click the attached contents. Once done, spyware, malware, or virus gets installed on your system to steal data.

That’s why these spear phishing statistics are what you need to stay alert. You don’t want to expose your company to cybercriminals for something avoidable.

Let’s get down to business.


Shocking Spear Phishing Statistics

Here are some intriguing spear phishing highlights you need to know:

  • Spear phishing accounts for 65% of cyberattacks targeting organizations.
  • Over 42% of employees admit to clicking malicious attachments on emails.
  • 27.6% of attacks focus on financial services, representing the most-targeted industry. 
  • A single spear phishing attack costs an average of $1.6 million.
  • 62.9% of organizations paid a ransom to recover compromised data in 2022.

General spear phishing stats and facts

Spear phishing is a top security concern for organizations. The general stats below highlight the extent of this problem.

1. 65% of cyber attacks targeting organizations are spear phishing emails.

(Source: Symantec)

Statistics on spear phishing show that it’s among the most common methods for compromising organizations. It’s effective due to the use of emotionally deceptive messages that convince targets to take action. 

This also indicates a lapse in company security systems to block such emails. Eventually, the emails get past spam filters, and firewalls can’t prevent the attacks.

2. Over 40% of employees admit to clicking attachments on malicious emails.

(Source: Proofpoint)

According to Proofpoint, 42% of employees fail to adhere to workplaces’ cybersecurity policies. They admit to taking dangerous action on phishing emails. 

Among behaviors exhibited include opening attachments, clicking links, and providing sensitive personal credentials. Even worse, workers report downloading and installing malware from spear phishing emails.

The targets?

3. 27.6% of attacks target the financial sector.  

(Source: APWG)

Spear phishing stats by APWG show Financial services providers are hit the hardest, with almost a third of attacks targetting the financial sector.

Here’s the complete industry-based breakdown:

  • Financial Institutions – 27.6%
  • SaaS/Webmail – 19.1%
  • Social Media – 15.3%
  • Other – 14.7%
  • Payments – 6.3%
  • Ecommerce – 5.6%
  • Cryptocurrency – 4.5%
  • Logistics/Shipping – 4.3%
  • Telecom – 2.6%

And you know what? There’s a huge price to pay.

4. The average cost of a single spear phishing attack is $1.6 million.

(Source: Cloudmark)

The average cost of a spear phishing attack is $1.6 million. But companies in the United States paid an average of $200,000 more than businesses from the rest of the world. 

Spear phishing differs from generic phishing in terms of the costs the attacks incur. The former is typically pricier for affected parties since the attacker targets individuals with ready access to funds or information. With high chances of falling victim to such attacks and resources at stake, the consequences can be severe. 

Spear phishing attacks statistics for companies that pay ransoms are even more shocking!

5. Almost two-thirds of companies paid ransomware to recover their data in 2022.

(Source: Statista)

Spear phishing is one of the main ransomware attack vectors.

Statista reports that 71% of companies worldwide fell prey to data breaches in 2022. Of this number, 62.9% of targets paid a ransom to hackers. 

Spear phishing attacks in 2022

Here’s a roundup of spear phishing incidents that took place in 2022.

6. Cyber attackers sent out 255 million phishing attacks in 2022.

(Source: Slashnext)

Spear phishing data by Slashnext revealed a 61% increase in malicious emailing aiming corporates. The study uncovered 255 million phishing attacks detected in 2022.

Cybercriminals widely targeted unprotected communication channels in organizations. Employee mobile devices were the primary targets, where security tools could not keep up.

The most affected companies in 2022 are as follows:  

  • Uber
  • Cloudflare
  • Twilio
  • Cisco

Of course, hackers are getting smarter!

7. 76% of the zero-hour attacks detected in 2022 were spear phishing credential harvesting. 

(Source: Slashnext)

Slashnext observed a 48% increase in zero-hour threats in 2022. It represents cyber attacks that have yet to be seen or reported before.

To do this, hackers rely on machine learning and automation to boost the chances of compromising targets. Moreover, they’re embracing newer communication channels like SMS, WhatsApp, and Slack to hoodwink victims. 

Some 76% of all zero-hour attacks were spear phishing credential harvesting. Scams accounted for 15%, while ransomware, malware, and exploits represented just 1% of the total.

8. Almost half of the top company executives got spoofed by these attacks.

(Source: Usecure)

Spear phishing statistics by Usecure note that cybercriminals targeted 59% of organizations. Even with the security systems, 42% of executives still fell victim. 

This doesn’t come as a surprise because high-level corporate staffers receive such emails once every month. With zero-hour threats on the rise, it’s easy to fall for such tricks.

Spear phishing success rate 

So, what’s the success rate of spear phishing campaigns? The results are mind-blowing!

9. Almost half of all phishing attacks are successful. 

(Source: Ivanti) 

Recent spear phishing stats by Ivanti show the campaigns have a 47% success rate. This is surprising, especially given that the main targets are IT staff.

But 34% of organizations acknowledge such attacks are increasingly becoming sophisticated. As a result, employees usually need more know-how to handle such malicious messages.

10. Spear phishing emails have an open rate of 70%.   

(Source: N-Able)

N-Able’s research established spear phishing emails have an open rate of 70%. Moreover, it states that around 50% of the recipients clicked on the links. 

Such a dangerous action is ten times higher than what’s experienced with standard phishing. Furthermore, it explains why emails are still the main target despite the emergence of newer communications tools.

Spear phishing vs standard phishing

Standard phishing works similarly to spear phishing. But unlike its sibling, its primary target is pretty much everyone within an organization. 

Let’s look at how both compare: 

11. Standard phishing widely targets the financial sector. 

(Source: Statista)

Targets of standard phishing show an almost identical trend to spear phishing. According to Statista, such attacks hit financial services the most in 2022.

SaaS/webmail, ecommerce/retail, and social media also follow in that order. The breakdown of the industry numbers is as follows below: 

  • Financial Institutions – 23.6%
  • SaaS/Webmail – 20.5%
  • Ecommerce – 14.6%
  • Other – 13.4%
  • Social Media – 12.6%
  • Cryptocurrency – 6.6%
  • Payments – 5%
  • Logistics/Shipping – 3.8%

12. 90% of cyber attacks on organizations start with standard phishing emails.

(Source: Cisco)

Cisco reports that 90% of cyber attacks on organizations were regular phishing emails. As mentioned earlier, this figure is 35% higher than spear phishing, which targets specific high-ranking employees. 

The good news?

13. Standard phishing has lower click rates.

(Source: N-Able)  

Malicious email blasting has a click-through rate of around 5%. This is way lower than the average of 50%.

The best of all? 

14. Standard phishing incidents incur lower costs.

(Source: Verizon)

Verizon’s study of standard phishing incidents revealed its less costly to mitigate breaches. Most companies would part with an average of $178,000. 

This is significantly lower than it takes to resolve a spear phishing attack.


The above spear phishing statistics should make you think twice about interacting with malicious messages. Ultimately, you’ll want to stay on your toes by being vigilant. 

Make it a habit to verify the source before clicking on any attachments. If necessary, double-check with colleagues conversant in cyber attacks. 

You surely don’t want to engage in anything that would jeopardize your job security. Above all, you’ll save your company from parting with tons of money in ransom. 

Frequently asked questions

Is spear phishing easy to spot?

It’s challenging to notice spear phishing because emerging exploits make detecting it complex. Cyber attackers increasingly use machine learning to outsmart security systems and target victims. 

But you can avoid such scams by adhering to certain measures. For instance, you should start by double-checking a message to verify its source. 

You should also not be in a hurry to click on links in your emails. It’s the only way to avoid installing malware, spyware, and viruses on your system.   

How common are spear phishing attacks? 

Spear phishing facts indicate that 65% of hackers use this method to penetrate businesses. Its focus on high-level employees makes it a common tool among cyber attackers.     

How successful is spear phishing?

Around 47% of spear phishing attacks are successful. This is attributed to the use of emotional messages that convince victims to take action.

Hackers also include attachments to install malicious software when clicked. This enables the stealing of sensitive data to be steadfast.  

What percentage of attacks use spear phishing as an intrusion means?

Spear phishing statistics show that 65% of attacks use this method to comprise businesses. It’s common because it’s easier to trick targets into providing sensitive information.

How many businesses are targeted by spear phishing attacks each day?

Cybercriminals dispatch over 255 million phishing campaigns targeting senior company employees yearly. This loosely translates to about 700,000 attacks daily. 


  1. Symantec
  2. Proofpoint
  3. APWG
  4. Cloudmark
  5. Statista
  6. Slashnext
  7. Slashnext
  8. Usecure
  9. Ivanti
  10. N-Able
  11. Statista
  12. Cisco
  13. N-Able
  14. Verizon