Phishing in 2021: Another “Year Like No Other”

Author Avatar


Posted on May 18, 2022

The “2021 State of the Phish Report” (covering 2020) was headlined “A Year Like No Other” – a reference to the radical changes to phishing triggered by COVID. The first paragraph of the 2022 report claimed, “We could easily have repeated that heading to describe 2021.”

Trends from that first, awful pandemic year have continued. Many phishing attacks exploited the uncertainty around the pandemic, and the ongoing prevalence of remote work has created many opportunities for cybercrime.

In this post we’ll share a few highlights and discuss ways to avoid falling victim to these and other phishing attacks.

All Types of Phishing on the Rise

Upward trends continued for all different types of phishing, including:

  • bulk phishing
  • spear phishing – phishing that targets specific users
  • whaling – targeting “big game” such as C-suite execs
  • smishing – phishing via SMS
  • vishing – phishing using phone calls or voice messages

All types of phishing showed increases. Bulk phishing was up 12%, spear and whale phishing increased 20%, and smishing, vishing, and social media attacks were all up over 20%. Business email compromise was up 18%.

TOAD attacks (telephone-oriented attack delivery) were also up. TOAD attacks often begin with an email claiming to represent some organization such as an online retailer, COVID relief fund or computer security service. The emails contain a phone number to call. Because many people are not aware that cybercriminals have call centers, they assume that the organization is above board and legit. As a result, when an email recipient calls, they may give away sensitive information or even allow the attacker to connect to their computer for “support.” Tens of thousands of TOAD attacks have been logged every day.

Another phishing variant that’s on the rise is the USB drop. In a USB drop, the attacker either sends someone a USB drive in the mail or leaves one sitting around where a victim is likely to find it. People who find a thumb drive may plug it in, either in hopes of finding the owner and returning it or to use it for themselves – without considering that it may be malicious. Thumb drives sent in the email are usually accompanied by some cover story or incentive to encourage people to open the drive. Once the drive is inserted, it may install malicious code, allow hackers to take control of the computer, or direct the user to a phishing site where they are tricked into entering login credentials. USB drops were up 15% last year.

85% of companies surveyed experienced bulk phishing attacks, and spear phishing, BEC, and email-based ransomware attacks were each experienced by about 78% of respondents.

Success Rates for Phishing Attacks

Among the most alarming information reported was the dramatic increase in attack success rates. 80% of organizations fell victim to at least one successful email-based phishing attack, dramatically up from 46% in 2020.

68% of successfully attacked companies surveyed were infected with ransomware, and 58% of them paid up to get access to their data. That means nearly 40% of companies surveyed had paid a ransom at some point during the year. A smaller percentage of companies, 14% of those that paid a ransom, did not get access to their data despite paying the cybercriminals.

The alarmingly high percentage of companies that paid a ransom contributes to the ongoing ransomware problem. Payments reward attackers, which, of course, encourages repeat behavior.

Two primary reasons are suggested for the increase in phishing success rates.

  1. “Pandemic fatigue.” Many people felt burnt out due to pandemic-induced changes in how they work and in life/work balance. They simply may not be paying as much attention as they should.
  2. Attackers are getting more sophisticated. They make greater – and more convincing — use of trending topics, such as current COVID news. Use of COVID news declined after an initial wave, but when the Delta variant was in the headlines, use of COVID climbed right back up. Attackers are also increasingly exploiting legitimate cloud services – many users are not aware that cloud services such as Google Drive can be used to store malware.

One small bright spot is that damages per attack fell to some extent in 2021. Damage from credential compromise dropped by 8%, direct financial loss decreased by 6%, and email-driven ransomware infections were 2% lower versus the previous year. It is small consolation, however, in the face of dramatically higher success rates of attacks.

The most common results of successful phishing attacks were compromise of customer or client data (54%), followed by credential or account compromise (48%), with ransomware (46%) in a close third place.

How Knowledgeable Are Your Users?

Many companies consider “trained users” to be the first line of defense against phishing. Sadly, the survey conclusively demonstrates that it is folly to rely on users to recognize phishing and steer clear.

Only half of users were able to correctly say what “phishing” is. Just a little over one third could do the same for “ransomware.”

Almost one third of working adults – 30% – are under the impression that emails with familiar logos are safe. They do not understand (and phishing training has not made it sufficiently clear) that cybercriminals can simply copy a Google or Microsoft logo and easily misrepresent malicious emails as legitimate communications.

Over a third of respondents (35%) believe that all files stored on a cloud service such as Google Drive or Amazon Web Services are safe. This goes a long way toward explaining why attacks using legitimate services have such a high success rate.

70% of users are not aware that their organization’s security tools might let through some dangerous email. Only 36% are aware of the fact that even internal emails can be dangerous.

The lack of knowledge among users is reflected in their failure to follow good personal cybersecurity practices. Even with the great shift to work from home, most have not taken basic steps to secure their home networks, including changing default names and passwords. 70% of users reuse passwords, so that if one password is compromised, their identities may be compromised on multiple services and sites.


Phishing was a major threat in 2020, and it grew substantially worse in 2021, increasing in both the number of attacks and their rate of success.

Data confirms what we have long claimed: Users are an unreliable line of defense against phishing attacks. 42% of users said that they had taken a dangerous action in the last year, such as clicking on a malicious link, downloading malware, or exposing their personal data.

Instead of trusting users to do the right thing, it’s better to take a Zero Trust defensive approach, which assumes that every user, email and website poses a threat, unless proven safe.

Remote Browser Isolation (RBI) is one of the most important tools for Zero Trust protection against phishing. Even if a user clicks on a malicious link in a phishing email, no malware can be installed on the user device or the network. Ericom Software’s RBI includes content disarm and reconstruct (CDR) which sanitizes email attachments and downloads from websites of malicious content before they reach the user device. It also opens suspected phishing sites in read-only mode, preventing users from sharing credentials.

RBI by itself does not protect against all phishing and malware threats. That’s why Ericom Software developed ZTEdge, a comprehensive state-of-the-art Zero Trust cybersecurity platform that integrates RBI with essential security tools such as Zero Trust Network Access and Ransomware Prevention. ZTEdge was specifically designed to meet the needs of enterprises of all sizes, and is available for delivery as a service through leading managed security service providers (MSSPs).

As the new phishing data amply proves, the threat is not disappearing any time soon but is, in fact, spawning new variants that continue to draw in even sophisticated users. Its time to stop relying on user training and to opt for the Zero Trust phishing protection that the ZTEdge platform provides. Contact us now to learn more!

Share this on:

Author Avatar

About Gerry Grealish

Gerry Grealish, ZTEdge CMO, is a security industry veteran, bringing over 20 years of marketing and product experience in cybersecurity, cloud, analytics, and related technologies. Responsible for marketing and business development, Gerry previously was at Symantec, where he led the product marketing and go-to-market activities for the company’s broad Network Security portfolio. Prior to Symantec, Gerry was at Blue Coat, which he joined as part of Blue Coat’s acquisition of venture-backed Cloud Access Security Broker (CASB) innovator, Perspecsys, where he was Chief Marketing Officer.

Recent Posts

Air Gapping Your Way to Cyber Safety

Physically air gapping enterprise networks from the web is a great way to protect operations, keep data safe … and squelch productivity. Virtual air gapping is a better approach.

Motion Picture Association Updates Cybersecurity Best Practices

The MPA recently revised its content security best practices to address, among other challenges, the issue of data protection in the cloud computing age.

FTC Issues Cybersecurity Warning for QR Codes

QR codes on ads are a simple way to grab potential customers before they move on. No wonder cybercriminals are using QR codes, too.