In 2020 and 2021, businesses across sectors shifted from an analog, in-person commerce model to digitization and expansion into the online space. Unfortunately, the shift from physical to digital has left companies with gaping holes in their security processes and made their data vulnerable to cyberattacks.

Chief among these attacks is the rise of phishing. With 95% of phishing attacks being financially motivated, cybercriminals typically masquerade as trusted entities to dupe unsuspecting victims, steal login credentials or user data, and gain access to finances.

Although phishing has always been a threat to business success, the last two years have seen an unrivaled volume and sophistication of these attacks.

Phishing Threats by the Numbers


  • Email-based phishing attacks successfully targeted 57% of businesses, and only 3% of phishing emails were reported to management.
  • Of the phishing emails that unsuspecting users clicked, 1 in 3 led to ransomware attacks, costing organizations upwards of $170,000 per attack.
  • 95% of all attacks targeting enterprise networks were caused by successful spear phishing, which uses targeted and personalized messaging from a seemingly trustworthy source.


  • 83% of organizations reported a successful email-based phishing attack in 2021, increasing 26% in just one year.
  • Government and healthcare organizations reported a 1,885% increase in ransomware attacks.
  • The healthcare industry faced a 755% increase in phishing attacks, costing an average of $1.85 million per attack.
  • Spear phishing attacks grew by 270% in 2021 alone through conversation hijacking, where hackers insert themselves into existing business conversations based on information they’ve gathered from compromised email accounts.

These growing trends show no sign of slowing down, with phishing attacks becoming more complex, harder to prevent, and a widespread issue. The 2022 IBM X-Force Intelligence Index reported that phishing was the most common way criminals accessed an organization.

Common Types of Phishing Attacks

1. File Extensions

Although file attachment phishing is nothing new, the two-decade-old trend is again at the forefront of cyberattacks. In file extension attacks, malware is stored inside ZIP and WinRAR files, Microsoft Office documents, and PDF files. When these files are downloaded and opened on the target’s computer, the malware infiltrates the system.

Hackers can then gain access to files and networks to steal unprotected company data for purposes such as corporate espionage, resale, or ransom.

Common tactics used in file extension phishing are meant to stir emotion within targets. Fake notices warning of foreclosure, tax issues, credit card fraud, et cetera create a sense of urgency for users to immediately click on an attachment and disregard safety protocols, like ensuring the credibility of a sender’s email address.

2. Spear Phishing

In 2021, 79% of organizations were targets of spear phishing, and this number is poised to rise. Spear phishing employs feigned familiarity, allowing hackers to send emails that look and sound familiar and trustworthy but request sensitive data or contain harmful malware. Often, file extension scams may work in conjunction with spear phishing.

Users can best combat these attacks by analyzing the sender’s email and contacting the legitimate sending party for confirmation before sharing private data or accessing confidential information. Typically, organizations, banks, and other handlers of sensitive data have company emails and systems of multi-factor authentication to legitimize themselves and confirm their clients.

3. Smishing

Many email services have some level of regulation and measures in place to protect against viruses on their platforms. However, text messaging is still largely unregulated and highly susceptible to dangerous malware and ransomware attacks. In March of 2022, the average U.S. mobile customer received 42 scams via text. These smishing attacks had increased by almost 30% from the month prior and an alarming 1,024% since April 2021.

Because of the lax spam filtering policies and the proliferation of spoofed numbers being taken by hackers, smishing is expected to grow exponentially in the latter half of 2022. Savvy “smishers” can take advantage of access to personal details and even fake multi-factor authentication to gain the trust of unsuspecting users.

Of all mobile-based phishing, smishing is now the most popular, making up 17.3% of phishing attacks in the world.

Navigating & Protecting Against Phishing Attacks

Though file extensions, spear phishing, and smishing are among the most popular tactics in phishing right now, they are not the only ones to worry about. Social attacks, vishing, bulk phishing, business email compromise attacks, and other threats all pose increasing risks to the safety of organizational data.

At this point, a phishing attack is a certainty for any organization, not a hypothetical scenario. To weather the inevitable storm, leaders and decision-makers must work to prevent attacks where possible and mitigate loss when a breach does occur.


Communicating effectively within an organization is critical to preventing phishing attacks. Establishing policies on how organizations can report suspicious emails or texts helps employees to limit ambiguity in addressing a potential threat. Not everyone in an organization is a cybersecurity expert, but teaching employees how to recognize threats like spear-phishing emails limits risk.

Furthermore, establishing a method to report concerns if a malicious link is pressed enables organizations to respond quickly and address risks associated with malware, ransomware, and other threats to organizational safety.

Strong Passwords and MFA

Strong passwords and the enablement of multi-factor authentication allow organizations to create safeguards around vulnerable data. All passwords within organizations should be at least 15 characters long, unique, and not repeated for more than one platform.

To enable multi-factor authentication, also called two-factor authentication, organizations must require their employees to choose unique passwords and connect a secondary email, phone number, or other authentication method to verify their identity before data is accessed. As reported by Microsoft, MFA can prevent over 99% of account compromise attacks.

Self-Protecting Data

Although enabling multi-factor authentication and teaching employees are essential steps to help prevent a possible data breach, they are of no value once a breach has already occurred. That’s why it’s essential to partner these measures with self-governing data, which protects against the inevitable.

Traditionally, organizational data has been hidden behind firewalls and is left vulnerable in the incidence of a breach. However, Sertainty has redefined how information is protected to ensure data privacy even where firewalls fail. Using cutting-edge protocols and embedding intelligence directly into datasets, Sertainty’s proprietary processes enable data to govern, track, and defend itself. So, even if systems are compromised, data remains secure.

At Sertainty, we know that data is the most valuable asset to your organization’s continued success. Our industry-leading Data Privacy Platform has pioneered what it means for data to be intelligent and actionable, helping companies move forward with a crystallized and sustainable approach to their cybersecurity needs.

Phishing and other cyber threats are on the rise, but instead of worrying about looming dangers your network may face, we enable our partners to safely and confidently embrace the potential of a new online-oriented world. Data breaches may be inevitable, but with Sertainty, privacy loss doesn’t have to be.