20 Email Security Stats that Should Motivate MSPs to Protect Their Customers

You (and your customers) might be surprised by the latest statistics concerning email security threats, spam, malware, and phishing schemes.

email security stats

Costs and Other Numbers

1. Business email compromise (BEC) scams cost organizations $676 million in 2017. (FBI’s Internet Crime Report)

2. An analyst for Firebird Analytical Solutions & Technologies estimates that the average successful BEC attack earns the cybercriminal $130,000.

3. About 20 percent of malicious domains are very new and used around 1 week after they are registered. (Cisco)

4. Nearly half of the security risk that organizations face stems from having multiple security vendors and products. (Cisco)

Malware and Spam

5. The average cost of a malware attack on a company is $2.4 million. (Accenture)

6. The average cost in time of a malware attack is 50 days. (Accenture)

7. Microsoft Office formats such as Word, PowerPoint and Excel make up the most prevalent group of malicious file extensions at 38 percent of the total. (Cisco)

8. According to Symantec’s 2018 Internet Security Threat Report (ISTR), a whopping 54.6% of all email is spam. Even more to the point, their data shows that the average user receives 16 malicious spam emails per month.

9. 92.4% of malware is delivered via email. (Verizon 2018 Data Breach Investigations Report)

10. In 2017, Proofpoint reported 3 out of 4 malspam emails delivered malware via attachments. In Q1 2018, the firm’s data showed that emails with malicious links outnumbered emails with malicious attachments 4 to 1.


11. 91% of cyberattacks begin with a spear phishing email, which is commonly used to infect organizations with ransomware. (KnowBe4)

12. In a survey of over 1,300 IT decision makers, 56% of organizations identified targeted phishing attacks as their biggest current cybersecurity threat. (CyberArk)

13. Verizon reports that users in the U.S open 30 percent of all phishing emails, with 12% of those targeted by these emails clicking on the infected links or attachments. (Verizon)

14. Spam and phishing emails come packaged up in all sorts of disguises. According to Symantec’s 2018 Internet Security Threat Report, these are the most common when it comes to distributing malware. Most common disguises:

Bill/invoice (15.9%)
Email delivery failure (15.3%)
Legal / law enforcement (13.2%)
Scanned document (11.5%)
Package delivery (3.9%)

15. Phishing lures associated with Dropbox file-sharing far outnumbered any other lure, accounting for more than a third of all tracked lures. (Proofpoint)

16. Although there were far more Dropbox lures in play, it was DocuSign lures that garnered the highest relative click rate (nearly 7%). DocuSign lures were approximately 3x more effective than Dropbox lures.


17. It’s estimated there will be a ransomware attack on businesses every 14 seconds by the end of 2019, up from every 40 seconds in 2016. This does not include attacks on individuals, which occurs even more frequently than businesses. (Cybersecurity Ventures)

18. 75% of organizations infected with ransomware were running up-to-date endpoint protection. (Sophos)

19. The industry with the highest number of attacks by ransomware is the healthcare industry. Attacks will quadruple by 2020. (CSO Online)

20. Ransomware damage costs will rise to $11.5 billion in 2019 and a business will fall victim to a ransomware attack every 14 seconds at that time. (Cybersecurity Ventures)