Statistics
This page shows some statistics on I Got Phished. For confidentiality reasons, I Got Phished does not reveal all information. Special thanks to @malwrhunterteam for inspiring me!
Victims
The chart below shows the coverage of I Got Phishing: number of organisations who got notified by IGP about phishing victims within their constituency V.s organisations who got phished but not notified because they did not subscribe to notifications from I Got Phished (yet).
Coverage
This table shows the organisations with the highest amount of phished users (phishing victims). For confidentiality reasons, the organisations will not be named here but you get an idea about the potential impact.
# of Victims (email addresses) | Organisation (domain name) | Notified? |
---|---|---|
233 | Not disclosed | yes |
153 | Not disclosed | no |
95 | Not disclosed | no |
64 | Not disclosed | no |
49 | Not disclosed | yes |
48 | Not disclosed | no |
48 | Not disclosed | no |
37 | Not disclosed | no |
35 | Not disclosed | no |
34 | Not disclosed | yes |
33 | Not disclosed | no |
33 | Not disclosed | yes |
32 | Not disclosed | no |
29 | Not disclosed | no |
26 | Not disclosed | no |
Following two tables shows the top TLDs associated with the most of phished organisations (domain names) and phished victims (email addresses).
Top TLDs (by organisations)
Percentage | Victim Organisations | TLD |
---|---|---|
com | 9'303 | 65% |
org | 1'121 | 8% |
net | 391 | 3% |
co.uk | 378 | 3% |
com.au | 267 | 2% |
ca | 258 | 2% |
edu | 244 | 2% |
co.za | 132 | 1% |
nl | 95 | 1% |
de | 93 | 1% |
ie | 88 | 1% |
gov | 86 | 1% |
ch | 64 | <1% |
org.uk | 63 | <1% |
co.nz | 61 | <1% |
Top TLDs (by victim addresses)
Percentage | Victims (email addresses) | TLD |
---|---|---|
com | 14'137 | 67% |
org | 1'618 | 8% |
net | 547 | 3% |
edu | 515 | 2% |
co.uk | 441 | 2% |
ca | 360 | 2% |
com.au | 311 | 1% |
gov | 230 | 1% |
co.za | 210 | 1% |
nl | 145 | 1% |
ie | 122 | 1% |
de | 119 | 1% |
org.uk | 104 | <1% |
us | 82 | <1% |
it | 76 | <1% |
Passwords
This chart gives you an idea on the passwords choosen by internet users that got phished. Please keep in mind that I Got Phished does only store the password length but not the password iteself. Hence IGP can't make any statements about the complexity of passwords choosen by users.
Password Length
Comparing the password length, we can make some statements about the amount of "good" (strong) passwords and such that are weak and e.g. do not meet requirements of common best-practices.
Percentage | # of Passwords | Length | Comment |
---|---|---|---|
7% | 1'476 | <8 | Weak |
93% | 19'763 | >8 | NIST standard |
11% | 2'284 | 14-19 | Strong |
2% | 353 | >=20 | Very strong |