Phishing and Cybercrime Growth

Study Focus - Phishing & Cybercrime Trends

Category - Cybercrime

Published - 29 June, 2025

Case Study - Phishing Growth Analysis


Cybercriminal activity is reaching new heights as phishing attacks and related online scams continue to grow in both volume and sophistication. Phishing – the practice of deceiving individuals into divulging credentials or installing malware, typically via fraudulent emails or messages – remains the number one threat vector for most cyber attacks. Its prevalence has fueled an overall surge in cybercrime losses globally, making it a critical focus for organizations’ security strategies.

Scale of Phishing Attacks

The scope of phishing is enormous and still expanding. The Anti-Phishing Working Group (APWG) observed nearly 5 million phishing attacks in 2023, the highest annual number ever recorded. After a brief dip in mid-2023, phishing ramped up to record levels by the end of the year – the APWG reported over 1,000,000 phishing sites detected in Q4 2023 alone. This trend continued into 2024, with Q1 2024 also seeing around 1,003,000 phishing attacks (one of the largest quarterly volumes to date).

In short, criminals are churning out phishing campaigns at an unprecedented rate, aided by readily available phishing kits, email templates, and mailing lists on the dark web. These attacks target organizations of all sizes and across sectors, exploiting human trust and curiosity. Verizon’s Data Breach Investigations Report consistently finds that a significant portion of breaches (often ~15-20%) begin with a phishing email that tricks an employee into providing a foothold for attackers.

In the broader threat landscape, phishing (including related social engineering like vishing and smishing) was the top reported cybercrime by volume in 2024, per the FBI. The FBI’s Internet Crime Complaint Center (IC3) received more victim reports about phishing (and spoofing) than any other complaint category last year. This places phishing ahead of other high-frequency crimes like extortion and identity theft in terms of number of incidents.

Cybercrime Losses Rising

As phishing facilitates a range of financially motivated crimes – from business email compromise to ransomware – the monetary toll of cybercrime has surged. The FBI’s latest annual report reveals that in 2024, reported cybercrime losses hit $16.6 billion, a jump of 33% compared to 2023. This staggering figure was spread across some 859,000 complaints lodged to IC3.

To put it in perspective, five years ago losses were around $2-3B annually; now a single year sees well over $16B lost to online scams, frauds, and attacks. Moreover, the average loss per reported incident is climbing – from about $14,000 previously to $19,400 per victim in 2024.

A few categories dominate these losses. Investment scams (often cryptocurrency-related) were the costliest type of cybercrime in 2024, accounting for $6.5 billion in losses. These often begin with phishing or social engineering to lure victims into fraudulent investments. Close behind, Business Email Compromise (BEC) – essentially a specialized phishing that tricks businesses into sending funds to fraudsters – caused $2.77 billion in reported losses in 2024. BEC scams typically involve spoofing or hacking corporate email accounts and then impersonating a vendor, CEO, or other trusted party to induce wire transfers. While fewer in number than broad phishing, BEC attacks yield very large payouts per incident (often hundreds of thousands or even millions lost in a single transaction).

Another data point: between June and December 2024, analysts identified over 1,560 direct threats against CEOs on dark web forums and social media, much of it tied to chatter after a high-profile CEO was murdered. Many of those threats involve doxing and harassment that originate via phishing for personal information.

In essence, the growth of phishing has enabled a whole underground economy of cybercrime – from stealing credentials to facilitate fraud, to planting ransomware, to conducting espionage.

Techniques and Evolution of Phishing

Traditional phishing is sent by email, often using spoofed sender addresses and deceptive content (“Your account is locked, click here to reset password,” etc.). These lures have grown more convincing over time, often copying legitimate branding and language from the companies they impersonate. Cybercriminals also rapidly adapt topical lures – for example, during the COVID-19 pandemic, phishing emails pretended to be vaccine registrations or stimulus payments.

Lately, attackers are leveraging new technologies. There’s a rise in “deepfake” phishing, where AI-generated audio or video mimics a trusted person. One notorious tactic is using deepfake voice audio to impersonate a CEO or executive in a phone call to authorize a fraudulent bank transfer (essentially an AI-enhanced BEC). Security teams are warning that AI-driven disinformation and deepfakes represent a next generation of phishing, creating highly believable scams at scale. Cases have already been reported in which deepfake audio was used to fool employees into moving money.

Another evolution is the broad use of phishing kits and automation: attackers can deploy kits that generate fake login pages and capture credentials, then automatically log in to the real site to bypass two-factor codes in real time (adversary-in-the-middle, or “man-in-the-middle,” phishing). For instance, recent attacks against Microsoft 365 users employed kits that proxy the login session – even if the user enters an MFA code, the attacker captures the resulting session cookie and can take over the account.

Phishing is also no longer confined to email. “Smishing” (SMS/text phishing) and “vishing” (voice call phishing) have proliferated. Users might receive texts claiming to be from their bank (“Your account is compromised, call this number immediately”), and when they call, they reach a scam call center where operators extract their credentials. Voice phishing was the entry point in the high-profile MGM Resorts breach of 2023: attackers from the group “Scattered Spider” phoned an MGM help desk, impersonated an IT staffer, and convinced the employee to reset a password, which let the attackers into MGM’s network. A simple voice phishing call thus led to a major ransomware incident and a days-long business outage for a large company, underscoring how a well-crafted social engineering attack can bypass expensive technical defenses.

Similarly, Google and Facebook were victimized out of $100 million between 2013-2015 by a criminal who simply sent fake invoices via email (a form of phishing/BEC) and managed to get paid – showing that even tech-savvy firms can be tricked by basic deception if internal controls aren’t strict.

Real-World Impact of Phishing Attacks

The consequences of successful phishing can be severe. Many data breaches begin with a phished credential. For example, the massive 2013 Target retail breach (40 million credit cards stolen) started when an HVAC contractor was phished, giving attackers a foothold into Target’s network. In 2020, the Twitter hack – where high-profile accounts such as those of Elon Musk and Apple tweeted a crypto scam – was accomplished by spear-phishing Twitter employees via phone and obtaining admin credentials to access internal tools. That incident, though short-lived, demonstrated how a social engineering attack could compromise a major platform and, had the attackers chosen different messages, potentially move markets or affect international relations.

Another scenario is phishing leading to ransomware: CISA notes that email phishing is one of the top initial access vectors for ransomware groups. A single employee falling for a malicious email attachment could unleash ransomware that paralyzes an entire enterprise. The city of Baltimore’s costly 2019 ransomware event and the 2017 global WannaCry outbreak both had elements of phishing/social engineering in their spread.

Even beyond organizations, phishing fuels crimes against individuals. Identity theft often begins with someone being tricked into entering personal info on a fake site. There’s also been an explosion of phishing targeting remote workforce and cloud services – e.g., fake Office 365 login pages to steal company email passwords. With so much business workflow moving to cloud apps, phishers target those logins to gain broader access.

A disturbing trend is the convergence of phishing with other cybercrime services. For instance, criminals now combine phishing with “pharming” (malicious DNS redirection) or use info from breaches to craft more convincing spear-phishing (targeted personal attacks). They also share techniques on dark web forums to improve success rates. According to the FBI, many criminals, including foreign state-sponsored actors, leverage phishing because it’s low-cost and low-risk. The FBI’s 2024 report emphasizes that “the same old play is still beating us” – tried-and-true methods like email scams are causing the big jump in losses, even more so than exotic new hacks.

Mitigation Strategies

Combating phishing and the wider growth of cybercrime requires layered defenses and user vigilance. A multi-pronged approach includes:

User Education and Simulation

Regular security awareness training is vital. Users should learn how to spot common phishing signs – mismatched URLs, urgent language, unexpected attachments, etc. But given how convincing phishing has become, training must be ongoing and updated with new examples (like texts or phone scam scenarios). Many organizations run phishing simulation campaigns – sending test phishing emails to employees to see how they respond. These exercises, when done periodically, condition users to be more cautious and provide metrics on improvement. The Verizon DBIR 2024 noted that in phishing simulations only ~11% of users clicked the phony email, while 20% reported it – a positive ratio. That kind of reporting culture can significantly aid early detection (if an employee reports a phishing email they received, IT can quickly alert others and block that sender or domain).

Email Security Technology

Modern secure email gateways and cloud email security add-ons use filters and machine learning to block a large portion of mass phishing emails. They can do URL scanning (rewriting links and analyzing the target when clicked) and attachment sandboxing (detonating attachments in a safe environment). Enable these advanced features to strip out malicious payloads and warn users if they click a known bad link.

DNS authentication technologies like SPF, DKIM, and DMARC should be implemented to prevent spoofing of your organization’s domain – and to better identify spoofed incoming emails. For example, DMARC can flag emails that purport to be from your company’s domain but aren’t sent from your mail servers, helping to stop exact-domain spoof phishing. While technical filtering won’t catch every phish (especially clever spear-phishes), it can remove the noisy spammy ones and reduce the load on users’ judgment.

Multi-Factor Authentication (MFA)

Deploy MFA on all critical accounts (email, VPN, financial systems). MFA is one of the most effective mitigations against credential-stealing phishing, because even if a user’s password is compromised, the attacker cannot log in without the second factor (e.g., a mobile app code or hardware token). Many breaches and BEC scams could be prevented if the stolen password alone wasn’t enough to access the account.

Note that attackers have responded with strategies to phish or bypass certain types of MFA (like sending repeated push requests until a user accepts out of annoyance, or using real-time proxy tools to capture OTP codes). Therefore, phishing-resistant MFA is advisable for high-risk roles – methods such as FIDO2 security keys or biometric authentication, which can’t be easily replayed by an attacker. Google famously eliminated virtually all successful phishing attacks on its employees by requiring security keys for authentication.
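The following script is an added illustration (not code from the original article) of why a relayed one-time code fails against the proxy-style phishing described earlier while a FIDO2-style assertion does not: the authenticator signs over the origin the browser is actually on, and the relying party verifies against its own origin. The origins are constructed, and a keyed HMAC stands in for the authenticator’s key-pair signature so the script runs without a crypto library.

```python
import hmac
import hashlib
import secrets

# Constructed origins: the real login site and an AiTM proxy host (assumption).
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com.evil.test"


class Authenticator:
    """Signs (challenge, origin) the way a FIDO2 authenticator does.
    A keyed HMAC stands in for the private-key signature (simplification)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def public_handle(self) -> bytes:
        # What the relying party stores at registration (stands in for the public key).
        return self._key

    def sign(self, challenge: bytes, origin: str) -> bytes:
        # The browser supplies the origin it is really on; it is part of the signed data.
        return hmac.new(self._key, challenge + origin.encode(), hashlib.sha256).digest()


def rp_verify(handle: bytes, challenge: bytes, signature: bytes) -> bool:
    """The relying party checks the signature against ITS OWN origin,
    never against an origin value the client claims."""
    expected = hmac.new(handle, challenge + REAL_ORIGIN.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def otp_relay(user_typed_code: str, rp_expected_code: str) -> bool:
    """A TOTP/SMS code carries no origin: whatever the victim types on the
    phishing page can be forwarded verbatim to the real site within its window."""
    return hmac.compare_digest(user_typed_code, rp_expected_code)


def aitm_attempt(auth: Authenticator, origin_seen_by_browser: str) -> bool:
    """Simulate a proxy that fetches a real challenge from the relying party,
    shows the login page on its own origin and relays whatever the victim produces."""
    challenge = secrets.token_bytes(32)  # issued by the relying party, relayed unchanged
    assertion = auth.sign(challenge, origin_seen_by_browser)
    return rp_verify(auth.public_handle(), challenge, assertion)


def demo() -> dict:
    auth = Authenticator()
    return {
        "otp_relayed_through_proxy": otp_relay("482913", "482913"),  # attacker wins
        "fido2_on_real_origin": aitm_attempt(auth, REAL_ORIGIN),     # legitimate login
        "fido2_through_proxy": aitm_attempt(auth, PHISH_ORIGIN),     # assertion rejected
    }


if __name__ == "__main__":
    print(demo())
```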

Policy and Process Measures

To counter BEC and fraud, organizations should establish strong business processes that don’t rely on a single email for fund transfers. For example, require out-of-band verification (a phone call to a known number) whenever a wire transfer request or payment instruction comes via email – especially if it’s to a new payee or the instructions are unusual. This simple policy has foiled countless BEC attempts.

Similarly, employees should be instructed that any request for credentials or sensitive data via email is suspicious – IT and banks generally won’t ask you to “verify your password” via email link. Regular internal phishing bulletins can keep staff alert to current scam trends (for instance, “We’ve seen emails claiming to be HR asking you to open an attachment – do not click, it’s fake.”).

Threat Intelligence and Takedowns

Many organizations subscribe to threat intel services that feed them information on active phishing campaigns targeting their industry or employees (like domains or URLs recently observed). This intelligence can inform email filter block lists and user alerts. Companies with brand names that are commonly spoofed (e.g., financial institutions) also work with services to monitor for phishing sites impersonating them and to expedite takedowns of those sites by contacting domain registrars or hosting providers.

While phish sites are ephemeral (often only alive for hours or days), quick takedown of sites and fraudulent phone numbers can mitigate the impact. Law enforcement internationally has been stepping up: for example, in 2023 the FBI and Interpol coordinated to bust several phishing call center operations and to seize domains used in scams. Supporting such efforts (by reporting phishing campaigns to authorities) is part of a broader mitigation.

Emerging Defenses

Given the threat of deepfakes and AI-driven phishing, organizations should prepare now. This may involve training executives and employees to be aware of the possibility of deepfake voices (“verify unusual requests even if the voice sounds like our CEO”). Technical solutions are being developed to detect deepfake audio or video, but are not foolproof yet. In the meantime, reinforcing multi-step verification for important transactions is key.

Another emerging tool is DMARC reporting and enforcement – companies that have implemented DMARC with a reject policy significantly cut down on exact-domain spoofed phishing against their customers and employees. As of 2025, more Fortune 500 firms are moving to strict DMARC, which will help globally.
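As an added example (not part of the original article) of the DMARC behaviour described in the email security and emerging defenses sections, the script below shows how a receiving mail server evaluates SPF and DKIM alignment against a published policy and arrives at a disposition for an exact-domain spoof. The policy record, domains and authentication results are constructed; organizational-domain derivation is simplified to the last two labels rather than consulting the Public Suffix List.

```python
def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption; real
    implementations use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') requires an exact match,
    relaxed ('r', the default) requires the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass' if either SPF or DKIM passed AND is aligned with the
    visible From: domain; otherwise the policy action (none/quarantine/reject)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


# Constructed policy as it would be published at _dmarc.example.com (TXT).
POLICY = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-rua@example.com"


def demo():
    # Legitimate mail: From: example.com, SPF and DKIM both pass for example.com.
    legit = dmarc_disposition(POLICY, "example.com", "pass", "example.com", "pass", "example.com")
    # Exact-domain spoof: From: ceo@example.com, but SPF only passes for the
    # attacker's envelope domain and DKIM is signed by an unrelated domain.
    spoof = dmarc_disposition(POLICY, "example.com", "pass", "evil.test", "pass", "evil.test")
    # Subdomain sender: strict DKIM alignment fails, relaxed SPF alignment passes.
    sub = dmarc_disposition(POLICY, "mail.example.com", "pass", "example.com", "pass", "example.com")
    return legit, spoof, sub


if __name__ == "__main__":
    print(demo())
```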

Security Monitoring and Incident Response

Despite best efforts, some phishing attacks will get through and succeed. Organizations should be poised to detect and respond quickly. For example, if an employee falls for a phishing link and enters credentials, alerting on impossible travel or concurrent logins on their account could detect the intruder using those credentials. Many cloud services provide alerts for things like multiple failed logins or logins from new countries – these should be tuned and monitored.
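The following is an added example (not code from the original article) of the impossible-travel check just described, run over a few constructed sign-in events in the style of a cloud identity provider’s audit log. The field names, IP addresses, coordinates and the 900 km/h plausibility threshold are all assumptions.

```python
import json
import math
from datetime import datetime, timezone

# Constructed sign-in events (field names are an assumption, not a vendor schema).
SIGNIN_LOG = """
{"ts": "2025-06-29T08:02:11Z", "user": "alice@example.com", "ip": "203.0.113.10", "geo": [47.61, -122.33], "country": "US", "result": "success"}
{"ts": "2025-06-29T08:41:05Z", "user": "alice@example.com", "ip": "198.51.100.77", "geo": [50.45, 30.52], "country": "UA", "result": "success"}
{"ts": "2025-06-29T09:15:40Z", "user": "bob@example.com", "ip": "203.0.113.22", "geo": [40.71, -74.01], "country": "US", "result": "success"}
{"ts": "2025-06-29T14:30:02Z", "user": "bob@example.com", "ip": "203.0.113.23", "geo": [42.36, -71.06], "country": "US", "result": "success"}
{"ts": "2025-06-29T09:20:00Z", "user": "carol@example.com", "ip": "192.0.2.5", "geo": [51.51, -0.13], "country": "GB", "result": "failure"}
"""

MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; threshold is an assumption


def haversine_km(a, b) -> float:
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_log(text: str) -> list:
    """Parse JSON lines and sort by user then time so consecutive events pair up."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sorted(events, key=lambda e: (e["user"], e["ts"]))


def impossible_travel(events: list) -> list:
    """Flag consecutive successful sign-ins from different IPs whose implied
    travel speed exceeds MAX_PLAUSIBLE_KMH. Failed attempts are ignored."""
    alerts, last_seen = [], {}
    for e in events:
        if e["result"] != "success":
            continue
        prev = last_seen.get(e["user"])
        if prev and prev["ip"] != e["ip"]:
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            dist = haversine_km(prev["geo"], e["geo"])
            if hours > 0 and dist / hours > MAX_PLAUSIBLE_KMH:
                alerts.append({"user": e["user"], "from": prev["country"], "to": e["country"],
                               "km": round(dist), "hours": round(hours, 2), "ip": e["ip"]})
        last_seen[e["user"]] = e
    return alerts


def demo() -> list:
    return impossible_travel(parse_log(SIGNIN_LOG))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

In the constructed data only the second alice sign-in is flagged (about 8,800 km in under an hour); bob’s two East Coast logins five hours apart are well within the threshold.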

A compromised email account can lead to further phishing (the attacker may use it to phish others in the company, as happened in some breaches), so the response team must be ready to isolate accounts and endpoints at the first sign of compromise. Additionally, provide an easy mechanism for users to report suspected phishing (like a one-click “Report Phish” button in email clients) – and have your SOC or IT security team triage those reports quickly. Often, if one person reports a phish that made it past filters, the same email is in many other inboxes; a rapid response can be to issue a company-wide warning or use email system tools to retroactively remove the email from all mailboxes.

Law Enforcement and Information Sharing

Collaboration can yield macro-level benefits. The FBI’s IC3 has an Asset Recovery Team that, in 2024, was able to freeze or recover funds in about 66% of reported BEC cases when incidents were reported quickly. This highlights that early reporting of fraud to law enforcement can literally save money.

Businesses should establish contacts with law enforcement (like their local FBI field office cyber task force) before an incident, so that if a major phishing-induced fraud or breach occurs, they know whom to call and what information to provide. Participating in info-sharing groups (ISAOs/ISACs by sector) lets companies learn from each other about recent phishing tactics. For example, many ISACs share indicators of phishing emails seen targeting their sector (malicious domain names, sender addresses, etc.), which members can plug into their defenses.

Conclusion

In conclusion, phishing continues to be the tip of the spear driving many of today’s cybercrimes, from financial fraud to ransomware. The growth in cybercrime losses is directly tied to adversaries’ success in exploiting the human element. As the FBI bluntly noted, attackers aren’t winning with bleeding-edge zero-days – they’re “winning with what’s easy and effective”, i.e. tricking people.

Therefore, a renewed focus on user-centric security is needed alongside technical safeguards. Organizations and individuals must remain skeptical of unsolicited communications and verify requests through trusted channels. Through a combination of educated users, robust processes, and adaptive technology, we can begin to turn the tide against the wave of phishing and cybercrime growth. But it will require constant vigilance; as we harden one aspect, criminals will adjust their lures.

In the battle of security versus convenience, finding the right balance so that critical thinking becomes reflexive for users is perhaps the ultimate goal – because it takes only one errant click to potentially unleash a major incident.

References

[1] FBI Internet Crime Complaint Center – 2024 Internet Crime Report

[2] APWG – Phishing Activity Trends Report 2023

[3] CertifID – Breaking down the 2024 FBI IC3 Report

[4] Security InfoWatch – Online Threats & AI Manipulation Endangering Executives

[5] Reuters – MGM Resorts Breached by Social Engineering

[6] Verizon – 2023 Data Breach Investigations Report

[7] CBS News – Physical Attacks on Power Grid up 71% in 2022

[8] CISA – Common Initial Attack Vectors

[9] Proofpoint – Email Attacks Drive Record Cybercrime Losses in 2024

[10] FBI Public Service Announcement – Deepfakes and Stolen PII for Financial Fraud
