Worldwide 2021 Email Phishing Statistics & Examples

With an influx of remote workers due to the pandemic, gaps in cloud security were exploited. Cybercriminals continued to leverage blind spots in email services’ built-in security—nearly 75% of all threats blocked by Trend Micro in 2021 were email threats.

Unfortunately, built-in security for popular email services, like Microsoft 365 and Google Workspace, is simply not enough to stop malicious emails from infiltrating enterprises.

In 2021 alone, Cloud App Security detected and blocked more than 33.6 million high-risk email threats in addition to those discovered by email services’ built-in security—a drastic 100% increase from the previous year.

Illustrating this clearly, in a single organization with 18,000 Microsoft 365 E3 users, Cloud App Security discovered over 33,142 high-risk email threats missed by the built-in security.

Malware and phishing attacks surged.

Malware attacks and subsequent detections increased by nearly 200% in 2021, with over 3.3 million total malware files thwarted by Cloud App Security. There was also a notable spike in both known and unknown malware detections by 133.8% and 221% respectively.

Email services like Microsoft 365 continue to be routinely targeted; Cloud App Security service detected and blocked more than 405,825 malware attacks from one organization with 75,000 Microsoft 365 users.

Cybercriminals continued to go phishing.

Credential phishing and phishing campaigns increased in 2021. Cloud App Security detected and blocked nearly 6.3 million credential phishing attacks in 2021, marking an overall increase of 15.4%. Similar to 2020, more known phishing attacks were detected than unknown, but that gap grew by a staggering 72.8%.

Trend Micro Research reported a 137.6% growth in phishing attacked blocked and detected in 2021, largely due to a 596% increase in spam.

Unsurprisingly, organizations are “concerned” or “extremely concerned” about phishing attempts exploiting their employees, according to an Osterman Research report.

BEC: Less doesn’t mean better.

Although business email compromise (BEC) attempts declined by 10.61%, they still proved to be costly for enterprises. In a report from the FBI’s IC3, BEC scams accounted for US$2.4 billion in adjusted losses for both businesses and consumers in 2021.

Cybercriminals continued to evolve their tactics to take advantage of new work setups. Trend Micro Research determined that BEC actors mostly impersonated executives or ranking management personnel by spoofing general employees’ names.

Complex attacks = complex solution? Think again.

Visibility across the enterprise is paramount in the new normal of remote and hybrid work environments. You need to continually discover, assess, and mitigate risk across your digital attack surface to keep users secure and the business out of the headlines.

To gain comprehensive visibility, cybersecurity leaders should leverage a SaaS-based platform that supplements the built-in security features in email platforms like Microsoft 365 and Google Workspace. SaaS-based solutions like Cloud App Security are easy to setup, use sophisticated techniques like machine learning (ML), and are a part of a broader unified platform that delivers key capabilities like extended detection and response (XDR) to better protect your enterprise from threats.

Learn more about the facts and figures of email threats for 2021 as well as mitigation strategies in our annual report.