Types of Phishing Attacks & Their Costs

Not all phishing is equal. From mass email campaigns to targeted CEO fraud, each attack type has different success rates, costs, and warning signs.

Email Phishing

Bulk / spray-and-pray phishing

Success Rate: 3.4%

Avg Cost (successful): $4.76M

Mass-sent fraudulent emails impersonating legitimate organisations — banks, Microsoft 365, HMRC, delivery services. Low effort, high volume. A 3.4% success rate across billions of daily emails makes it devastatingly effective.

Warning Indicators

  • Mismatched sender domains
  • Generic greetings
  • Urgent action requests
  • Suspicious links or attachments
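The four indicators above can be checked mechanically on a raw message. The sketch below is an added example, not part of the original page. The `BRAND_DOMAINS` allow-list, the keyword patterns, the indicator names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brands you expect to be impersonated -> domains they really send from.
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}, "hmrc": {"gov.uk"}}
GENERIC = re.compile(r"^\s*dear (customer|user|client|account holder)\b", re.I)
URGENT = re.compile(r"\b(urgent|immediately|within 24 hours|suspended)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def domain_of(header):
    return parseaddr(header)[1].rpartition("@")[2].lower()

def under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def indicators(raw):
    """Return the warning indicators present in one single-part message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    name = parseaddr(msg.get("From", ""))[0].lower()
    sender = domain_of(msg.get("From", ""))
    reply = domain_of(msg.get("Reply-To", ""))
    found = set()
    # Display name claims a brand the sending domain does not belong to,
    # or replies are routed to a different domain than the sender's.
    spoofed = any(b in name and not under(sender, d) for b, d in BRAND_DOMAINS.items())
    if spoofed or (reply and reply != sender):
        found.add("mismatched_sender_domain")
    if GENERIC.search(body):
        found.add("generic_greeting")
    if URGENT.search(body):
        found.add("urgent_action_request")
    # Link text shows one host while the href points at another.
    for href, text in LINK.findall(body):
        shown = HOST.search(text)
        target = (urlparse(href).hostname or "").lower()
        if shown and not under(target, {shown.group(0).lower()}):
            found.add("suspicious_link")
    return found

# Constructed samples (reserved .example domains), not real messages.
PHISH = ('From: "Microsoft 365 Support" <noreply@m365-alerts.example>\n'
         "Reply-To: helpdesk@mail-verify.example\nContent-Type: text/html\n\n"
         "Dear customer,\n<p>Your mailbox will be suspended. Verify immediately: "
         '<a href="http://login.m365-alerts.example/verify">www.microsoft.com/verify</a></p>')
BENIGN = ('From: "Alice Ng" <alice@corp.example>\nContent-Type: text/html\n\n'
          'Hi Sam, notes: <a href="https://wiki.corp.example/q3">wiki.corp.example/q3</a>')
```

Heuristics like these produce leads for triage; they complement SPF, DKIM and DMARC verification at the mail gateway rather than replacing it.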

Real-World Example

Google & Facebook were defrauded of $100M between 2013 and 2015 via fake invoice emails impersonating a hardware vendor.

Volume: 3.4 billion emails worldwide

Spear Phishing

Targeted / personalised phishing

Success Rate: 19%–47%

Avg Cost (successful): $4.76M

Highly personalised emails targeting specific individuals using OSINT from LinkedIn, social media, and corporate websites. Attackers impersonate known contacts, customers, or executives. Success rates are 5–14x higher than bulk phishing.

Warning Indicators

  • Uses target's name and role
  • References real colleagues or projects
  • Spoofed or similar domains
  • Requests wire transfers or credential resets

Real-World Example

RSA Security 2011: A spear phishing email to 4 employees (subject: '2011 Recruitment plan') led to a breach exposing SecurID two-factor authentication seeds.

Volume: ~65% of all targeted attacks

Whaling

CEO fraud / executive phishing

Success Rate: Up to 45%

Avg Cost (successful): $47M+

Attacks targeting C-suite executives, board members, and finance directors. The goal is typically large wire transfers or privileged system access. Average BEC (Business Email Compromise) losses exceed $47,000 per incident — and whaling attacks average far higher.

Warning Indicators

  • Impersonates CEO or CFO
  • Requests urgent confidential transfers
  • Requests W-2 / payroll data
  • No standard security review process invoked

Real-World Example

Ubiquiti Networks lost $46.7M in 2015 when an attacker impersonated an executive and directed the finance team to make transfers to attacker-controlled accounts.

Volume: Targeted — fewer attacks, higher value

Smishing

SMS / text message phishing

Success Rate: 8.9%

Avg Cost (successful): $1.5M–$3M

Phishing delivered via SMS, impersonating delivery services, banks, government agencies, or two-factor authentication systems. Mobile users are less suspicious of texts than email. Smishing click rates are 7–10x higher than email phishing.

Warning Indicators

  • Delivery failure / package notifications
  • Bank security alerts with links
  • Fake two-factor auth codes
  • HMRC / IRS refund notifications

Real-World Example

The 2022 Twilio breach began with smishing: employees received texts claiming to be IT, directing them to a credential harvesting page. This led to breaches of Twilio, Cloudflare, and DoorDash.

Volume: Over 7.8 billion spam texts sent in the US in 2022

Vishing

Voice / phone phishing

Success Rate: Up to 37%

Avg Cost (successful): $14K–$2M

Phone calls impersonating tech support, banks, the IRS/HMRC, or internal IT helpdesks. AI voice cloning now enables near-perfect impersonation of known individuals. Vishing is increasingly combined with spear phishing for multi-channel attacks.

Warning Indicators

  • Unsolicited calls requesting verification
  • Requests to install remote access software
  • Urgency / threat of account suspension
  • Requests for OTP codes or passwords

Real-World Example

Twitter 2020: Attackers called Twitter employees posing as internal IT support, convincing them to provide credentials to internal admin tools. This led to the hijacking of 130 high-profile accounts including Obama, Musk, and Biden.

Volume: Billions of robocalls monthly