Jump to Content
Identity and Security

New research reveals who’s targeted by email attacks

February 9, 2021
Neil Kumaran

Group Product Manager, Gmail Security & Trust

Kurt Thomas

Research Scientist, Security & Anti-Abuse Research

Our new study examines over a billion phishing and malware emails and their anonymized targets to better understand what factors influence risk of these attacks.

Contact Google Workspace Sales Team

Learn more about how Google Workspace can give your teams a better way to connect, create, and collaborate.


Every day, we stop more than 100 million harmful emails from reaching Gmail users. Last year, during the peak of the pandemic crisis we saw 18 million daily malware and phishing emails related to COVID-19. This is in addition to more than 240 million COVID-related daily spam messages. Our ML models evolve to understand and filter new threats, and we continue to block more than 99.9% of spam, phishing, and malware from reaching our users.

We wanted to explore what factors influence being targeted by email phishing and malware and whether higher-risk users are adopting the strongest protections we have to offer. To do this, we teamed up with researchers at Stanford University to study over a billion phishing and malware emails and their anonymized targets. We recently presented our study at the Internet Measurement Conference (IMC), and it’s now available here.

We found that multiple factors correlate with higher risk: where you live, what devices you use, and whether your information appeared in previous third-party data breaches. 

Phishing and malware evolves faster than you think

We aggregated and analyzed all of the phishing and malware campaigns that Gmail automatically blocked over a five-month period to identify patterns. 

  • We found that users in the United States were the most popular targets (42% of attacks), followed by the United Kingdom (10% of attacks), and Japan (5% of attacks). 

  • Most attackers don’t localize their efforts, using the same English email template for users in multiple countries. 

  • There is, however, some evidence of regional attackers: 78% of the attacks targeting users in Japan occured in Japanese, while 66% of attacks targeting Brazilian users occured in Portuguese.

We also noticed some patterns among attackers and botnets that distribute phishing and malware emails:

  • They rely on fast-churning campaigns. A similar email based on a template is sent to 100–1,000 targets on average. 

  • The campaigns are brief and bursty, lasting just one to three days on average.

  • In a single week, these small-scale campaigns accounted for over 100 million phishing and malware emails in aggregate, targeting Gmail users around the globe.

While the users that attackers target change from week to week, in aggregate these patterns remain largely stable over time.

Factors that correlate with heightened risk

Beyond how attackers operate phishing and malware campaigns, we also analyzed what factors put a user at higher risk of attack. In order to avoid singling out any individual user or their personal data, we used an anonymization technique called “k-anonymity” to ensure any risk trends that we identified applied to a broad group of similar users. We modeled the likelihood of receiving any phishing or malware emails in a given week as a function of geographic location, demographics, security posture, device access, and prior security incidents (such as having personal data revealed by a third-party data breach).

Here is what our model found:

  • Having your email or other personal details exposed in a third-party data breach increased the odds of being targeted by phishing or malware by 5X. 

  • Where you live also affects risk. In Australia, users faced 2X the odds of attack compared to the United States, despite the United States being the most popular target by volume (not per capita). 

  • With respect to demographics, the odds of experiencing an attack was 1.64X higher for 55- to 64-year-olds, compared to 18- to 24-year-olds.

  • Mobile-only users experienced lower odds of attack: 0.80X compared to multi-device users. This may stem from socioeconomic factors related to device ownership and attackers targeting wealthier groups.

These correlations help us understand that risk is not evenly spread across geographic and demographic boundaries. 

How to stay safer

Gmail’s phishing and malware protections are automatically turned on by default. Here’s our top recommendations for what you can do today to stay safer.

For individual users:

  • Complete a Security Checkup for personalized and actionable security advice.
  • If appropriate, consider enrolling in Google's Advanced Protection program, which provides Google's strongest security to users at increased risk of targeted online attacks. 
  • Enable Enhanced Safe Browsing Protection in Google Chrome to substantially increase your defenses against dangerous websites and downloads on the web.
  • Browse these additional tips to manage your online security and choose the right level of protection for yourself.

For Workspace admins:

  • Take a look at our advanced phishing and malware protection.These are turned on by default across all Google Workspace licenses, and you can further customize them according to the unique needs of your organization.

At Google we are committed to keeping you safe and investing in protections that help keep our digital world secure. Get the latest insights by joining us for Google Cloud Security Talks on March 3rd.

Posted in