by Matt Solomo

If You’re Wondering Which Industries Saw the Most Phishing Last Year, We’ll Tell You!

Phishing emails are a fast road to ruin for businesses. These pernicious threats bring devastating consequences like ransomware in their wake. Experts estimate that 60% of companies go out of business after a successful cyberattack. Every employee and every industry is at risk of being victimized by a phishing attack, but some are more likely targets than others. Which industries saw the most phishing last year? Take a look at the industries most likely to be hit by phishing as well as why they’re so vulnerable and how to prevent it from happening to your business. 

Threats Are Around Every Corner

Phishing is the gateway to many cybersecurity woes. In an atmosphere of heightened risk, phishing is the threat that every business needs to be most cognizant of. An estimated 75% of organizations around the world experienced some kind of phishing attack in 2020. One reason phishing remains so popular is that it is extremely effective: nearly 75% of organizations in the United States experienced a successful phishing attack last year. Those attacks packed a punch. In its 2020 Internet Crime Report, the FBI's Internet Crime Complaint Center (IC3) put reported losses to cybercrime in 2020 at $4.2 billion, with phishing the most frequently reported crime type.

Keeping phishing away from your business is especially important because it is the usual first step in an expensive ransomware disaster. An estimated 65% of active cybercriminal gangs use spear phishing as their favored delivery method for ransomware. Ransomware is also a weapon of choice for nation-state threat actors. These days, every business is at risk of a ransomware attack, and cybercriminals aren’t just after your data. In 2020, a trend developed in which ransomware was used to shut down production lines and snarl operations at infrastructure, business support and manufacturing targets. That trend looks set to continue in 2021, as the Colonial Pipeline attack showed.

These Industries Saw the Most Phishing Last Year

In a survey of responses to phishing simulations, every industry had problems with employees clicking on a phishing email. CyberNews reports that 1 in 3 employees are likely to click the links in phishing emails, and 1 in 8 employees are likely to share information requested in a phishing email. This is especially problematic in some industries.   

In which industries are you going to find the people most likely to click on a phishing link? These are the top 5 most vulnerable industries:

  • Consulting
  • Apparel and accessories
  • Education
  • Technology
  • Conglomerates

In which industries will cybercriminals find the people who are most likely to submit credentials or share information? These are the top 5 most vulnerable industries: 

  • Apparel and accessories
  • Consulting
  • Securities and commodity exchanges
  • Education
  • Conglomerates 

Why Are These Industries at Risk? 

Phishing risk isn’t easy to quantify. Cybercrime boomed in 2020. Cybercriminals are constantly innovating in their delivery methods, and which industries are most at risk changes constantly. The laws of supply and demand apply to cybercrime just like any other business, and constant shifts in opportunity and vulnerability driven by world events and market fluctuations create new pitfalls every day. That said, three major factors can put specific industries at higher risk for phishing problems than others, and they hit especially hard in the industries that saw the most phishing last year.

Industries Under Pressure
Phishing risk increased dramatically in 2020. One of the drivers of that risk was the opportunity for exploitation that cybercriminals found in the many industries that were under pressure. Bad actors were quick to use ransomware to achieve their ends: ransomware was the most common reason behind Microsoft incident response engagements from October 2019 through July 2020. Against a backdrop of huge upswings in phishing (more than 600%) and ransomware (nearly 150%), the US Cybersecurity and Infrastructure Security Agency (CISA) launched a new one-stop ransomware resource center in January 2021 to help organizations stem the tide.

Phishing and ransomware exploded in the medical industry in 2020 because extraordinary circumstances created extraordinary opportunities for cybercrime. During the height of the COVID-19 pandemic, medical facilities were heavily targeted for a while; the focus then shifted to pharmaceutical companies, followed by a foray into transportation and logistics, as the path of the pandemic moved from disease treatment to vaccine development to vaccine distribution. This is a common pattern: when an industry is exceptionally relevant and unusually stressed, cybercriminals are quick to mount operations against it.

Remote and Hybrid Workforce Support 

Remote and hybrid workers are extremely dependent on email. However, the flexibility that comes with supporting a remote or hybrid workforce opens companies up to more risk. In a 2020 survey of remote worker habits, about 60% of employees noted that they are working in environments where distractions are commonplace. Many of those employees have adopted an always-at-work approach that can lead to email handling errors — 73% of the employees surveyed said that they regularly read and respond to work email outside of their working hours, and almost one-quarter of employees (24%) reported they handle work email while doing other things. 

Some of those risks were exacerbated by a lack of preparation and readiness to go fully remote: 98% of IT professionals in an international survey said their organization experienced security challenges, including phishing incidents, within the first two months of the pandemic. Only 42% of those respondents felt that their organization was “well prepared” for the move to remote work, compared to 45% who considered their companies “somewhat prepared” and 13% who said their businesses were not prepared at all.

Email Volume Boom 

More remote workers mean more email. Workers handled 72% more emails in 2020 than the year before, and email is the primary communication tool of business these days. Many companies had employees working fully remotely for the first time, and some had never allowed anyone to work remotely before, creating a huge pool of employees who had not been trained on the cybersecurity hazards remote workers face. Add a heaping helping of pandemic-related stress for everyone, and you have an environment ripe for exploitation by cybercriminals. Those bad actors did not hesitate to pounce. Phishing threats took their biggest jump in Q2 2020, escalating an eye-popping 660% according to Google. Even in Q4 2020 the increase was smaller but still epic: phishing was up more than 220%.

Email volume hit a new record in 2020 at 306.4 billion messages sent and received each day. While most of those messages were legitimate, a huge volume increase gives cybercriminals more cover to slip in phishing attempts. By the author's figures, more than 30% of the email sent in 2020 was a pandemic-themed phishing attempt, and a whopping 72% of all phishing email was COVID-19 themed. Experts at BitDam estimate that in an average organization of 1–250 employees, one in 323 emails will be malicious. In particularly challenged industries, as healthcare was in 2020, that estimate climbs to 1 in 99 messages. Larger companies get off a bit easier: only one in 823 emails will be malicious in an organization of 1001–1500 employees.

Fix This Problem 

Every organization’s phishing risk calculus is complicated, but reducing the chance that employees will click on phishing links is straightforward. Security awareness training that includes phishing resistance is the cornerstone of a security culture that is savvy about phishing. A recent study showed that companies running phishing simulations for the first time learn that 40% to 60% of their employees are likely to open malicious links or attachments. It also showed that consistent training makes a huge difference: in follow-up testing after about 6 months of training, that share drops to 20% to 25%, and after 3 to 6 months more training it can fall to 10% to 18%. Even the best result still leaves roughly one employee in ten clicking, so training belongs alongside technical controls such as multi-factor authentication and email filtering rather than in place of them.

Let us help you engage employees to actively participate and make fundamental changes to the security process. Contact us today!
