Phishing Statistics 2026: Email, SMS & Social Attacks

Last updated: April 12, 2026

Phishing is the most reported cybercrime on earth — and it just broke a record. The FBI’s 2025 Internet Crime Complaint Center Annual Report, published on April 6, 2026, recorded phishing and spoofing as the top crime by complaint volume, with 191,561 reports and total US cybercrime losses crossing $20 billion for the first time. Globally, the Anti-Phishing Working Group (APWG) tracked 3.8 million phishing attacks in 2025.

The numbers above are the floor, not the ceiling. They reflect only reported incidents. Most phishing victims never file a complaint.

This page aggregates the most authoritative phishing statistics available for 2026 planning — organized by attack type, cost, industry, and defense effectiveness. Every figure is attributed to its primary source.

Sources used: FBI IC3 2025 Annual Report, Verizon 2025 Data Breach Investigations Report (DBIR), IBM Cost of a Data Breach 2025, APWG Phishing Activity Trends Reports 2025, KnowBe4 Phishing Benchmarking Report 2025, CrowdStrike 2025 Global Threat Report, Hoxhunt Phishing Trends Report 2025-2026, Proofpoint State of the Phish 2025, Microsoft Digital Defense Report 2025.


Quick-Reference: Key Phishing Numbers for 2026

Metric                                        | Figure        | Source
----------------------------------------------|---------------|--------------------
Phishing complaints to FBI (2025)             | 191,561       | FBI IC3 2025
Total US cybercrime losses (2025)             | $20.877B      | FBI IC3 2025
Global phishing attacks tracked (2025)        | 3.8 million   | APWG 2025
Share of all data breaches involving phishing | 36%           | Verizon DBIR 2025
Average phishing breach cost                  | $4.88M        | IBM 2025
BEC losses (2025)                             | $3.046B       | FBI IC3 2025
AI-generated phishing emails share            | 82.6%         | KnowBe4 2025
Median time to first click on phishing link   | 21 seconds    | Industry benchmarks
Vishing growth, H1 to H2 2024                 | +442%         | CrowdStrike 2025
Smishing growth year-over-year                | +40%          | Keepnet 2025
Employee susceptibility at baseline           | 33.1%         | KnowBe4 2025
Susceptibility after 12 months of training    | ~4.6%         | KnowBe4 2025

Attack Volume: The Scale of the Problem in 2026

The FBI’s 2025 IC3 Annual Report crossed a landmark: more than one million cybercrime complaints for the first time in the agency’s history, averaging nearly 3,000 reports per day. Phishing and spoofing led all categories by complaint count, with 191,561 reports — roughly 525 per day, every day of the year. That figure captures only what US victims formally reported to the FBI. It excludes direct reports to local law enforcement, corporate incident response without public disclosure, and the vast majority of phishing attempts that never get reported at all.

APWG’s telemetry, which tracks phishing attack infrastructure globally, provides broader context. The group recorded 3.8 million unique phishing attacks in 2025 — slightly above the 3.76 million tracked in 2024. The quarterly breakdown shows seasonal volatility: Q1 2025 registered 1,003,924 attacks, Q2 peaked at 1,130,393, then Q3 and Q4 declined somewhat, with Q4 closing at 853,244. The Q2 spike aligns historically with spring tax phishing campaigns and end-of-quarter financial fraud windows.

Google blocks approximately 100 million phishing emails daily, and Microsoft screens roughly 5 billion emails per day for threats. Despite those filters, the average phishing-caused breach still costs $4.88 million (IBM 2025), because attackers don’t need to defeat the filter most of the time. They just need to get one email through to the right person.

Phishing appears in 36% of all data breaches (Verizon DBIR 2025), and Verizon links approximately 60% of all breaches to human actions. Phishing sits at the intersection of both — it’s a technical attack that exploits human behavior, which is why it remains so durable despite decades of defensive investment.

The Financial Damage: BEC, Losses & Costs

Phishing does direct damage through credential theft and malware delivery. Its most financially devastating form is Business Email Compromise (BEC) — social engineering that manipulates employees into wiring funds, changing payroll details, or sharing sensitive documents.

FBI IC3 2025 BEC figures:

  • BEC losses reached $3.046 billion in 2025, making it the second-costliest cybercrime category after investment fraud
  • That figure represents a 10% increase from the $2.77 billion in 2024 BEC losses
  • The FBI’s IC3 has tracked nearly $55.5 billion in cumulative BEC losses over the past decade
  • In 2025, businesses lost more than $30 million specifically to AI-related BEC scams — likely a significant undercount because most victims don’t identify AI involvement in their complaint

The average BEC wire transfer request was $24,586 at the start of 2025. But the tail is long: a single Oregon city government lost $6 million in a BEC incident in April 2025 — a case where the FBI’s Financial Fraud Kill Chain (FFKC) intervened and recovered the funds, but only because a prior FFKC freeze on the same recipient account flagged the transaction.

BEC is not purely a large-organization problem. The AFP’s 2025 Fraud and Control Survey found that 63% of organizations experienced BEC last year, across all size categories. Vendor Email Compromise (VEC) — a BEC variant where attackers compromise a supplier’s actual email account to insert fraudulent payment instructions — rose 66% in the first half of 2024 and has continued accelerating.

Beyond BEC, phishing-enabled data breaches carry their own cost. IBM’s 2025 Cost of a Data Breach Report puts the average phishing-caused breach at $4.88 million, with a detection and containment window averaging 254 days — nearly nine months during which attackers maintain access. A $1.2 million cost difference separates breaches identified before versus after 200 days, making speed of detection one of the most financially significant variables an organization can control.

AI Phishing: The 2025–2026 Inflection Point

The statistics in this section represent the most significant structural shift in phishing since the invention of spear phishing. Generative AI has fundamentally changed what an attacker without technical skills can produce.

KnowBe4’s 2025 Phishing Benchmarking Report found that 82.6% of phishing emails in 2025 contained AI-generated content. A 2025 academic study found that AI-crafted phishing emails achieved 54% click rates, compared to 12% for human-written ones — a 4.5x improvement in attack effectiveness from a single technological shift. Credential theft rates from AI-generated phishing were 33.6%, versus 7.5% for traditional attacks.

The Hoxhunt Phishing Trends Report provides perhaps the clearest picture of AI adoption’s pace. Across a 4 million-user detection network, AI-generated attacks made up under 5% of reported phishing attempts for most of 2025. Then, over the Christmas holiday period in December, AI-generated phishing surged 14x — rising from 4% to 56% of filter-bypassing attacks in weeks. That surge has held steady into 2026.

The FBI IC3 2025 report documented AI-related complaints for the first time: 22,364 reports with $893 million in losses. The agency specifically noted this is likely a significant undercount, because most complainants don’t realize AI was used against them. AI was documented in investment fraud ($632 million), BEC ($30+ million), and romance scams ($19 million) — but the real numbers across all categories are almost certainly higher.

What AI actually does in these attacks:

  • Generates grammatically perfect, contextually personalized emails using scraped data from LinkedIn, corporate websites, and breach databases
  • Creates convincing voice clones from 3 seconds of audio (McAfee 2024), enabling vishing attacks that impersonate a victim’s actual colleagues or executives
  • Produces deepfake video for high-stakes fraud — the largest documented case involved a $25 million wire transfer executed after a finance employee was deceived by a live deepfake video call impersonating their CFO
  • Scales spear phishing — previously a labor-intensive, targeted technique — to mass campaign volumes

Traditional phishing awareness training that teaches employees to “look for bad grammar” or “check for unusual language” is increasingly inadequate. The grammatical markers that made phishing detectable have largely been eliminated.

Phishing by Channel: Email, SMS & Voice

Email remains the dominant vector, but the attack surface has expanded materially. Forty percent of phishing campaigns now extend beyond email to SMS, voice calls, social media, and collaboration tools (Slack, Microsoft Teams). Organizations running email-only defenses are missing significant portions of the active attack surface.

Email Phishing

Email phishing generates approximately 3.4 billion phishing messages daily. In 2025, URLs were used four times more often than malicious attachments in email-based attacks (Proofpoint), a reversal that reflects how much better endpoint security has become at blocking malicious files. Attackers adapted by linking to cloud-hosted credential-harvesting pages instead.

A notable technical trend: the average HTML file size in phishing emails grew from 20.6 KB in 2021 to 735.4 KB in 2025. Larger files take longer to scan, and gateways that must hand off mail within a fixed processing window can end up delivering a message before inspection finishes, which delays security analysis. In 2024, there was a 47% increase in phishing emails successfully evading Microsoft’s native security and secure email gateways.

Adversary-in-the-middle (AiTM) phishing — where attackers proxy sessions to steal authentication cookies and bypass MFA — surged 146% in 2024. The technique bypasses multi-factor authentication entirely without ever obtaining the user’s password, which is one reason MFA alone is no longer sufficient as a credential protection strategy.

Tycoon 2FA, a phishing-as-a-service platform, generated roughly 62% of Microsoft-blocked phishing traffic in mid-2025, producing over 30 million malicious emails in a single month.

The top three words in phishing email subject lines remain “Urgent,” “Review,” and “Sign” — reflecting a consistent social engineering playbook that exploits deadline pressure and authority.

Smishing (SMS Phishing)

Smishing now accounts for 35% of all phishing attacks (SentinelOne 2026) and grew 40% year-over-year (Keepnet 2025). APWG recorded 30–40% quarter-over-quarter growth in SMS-based fraud detections in Q4 2025. At least 55% of suspected smishing messages contain malicious URLs (Proofpoint).

SMS is an effective delivery mechanism for several structural reasons: users are conditioned to receive legitimate alerts, promotions, and delivery notifications by text; SMS lacks the equivalent of enterprise email security gateways; and personal mobile devices typically have weaker security controls than corporate endpoints. Verizon’s 2025 DBIR found that 19% of all breaches originate from smishing or vishing.

The most common smishing lures impersonate package delivery notifications (UPS, FedEx), toll payment systems, banking alerts, and government communications. The FTC has published consumer guidance on identifying and reporting smishing attempts through ReportFraud.ftc.gov.

Vishing (Voice Phishing)

Vishing surged 442% from H1 to H2 2024 (CrowdStrike 2025), making it the fastest-growing phishing vector by a wide margin. Callback phishing — a variant where the email contains a phone number rather than a link, directing victims to call an attacker-controlled line — increased 500% in Q4 2025 alone (VIPRE Security Group). Forty-three percent of BEC attacks now contain a callback phishing element (LevelBlue).

The mechanism is simple: phone numbers don’t trigger email security filters. The attack reaches inboxes because there’s nothing technically malicious in the message. The social engineering happens by voice, where AI voice cloning makes the impersonation of known individuals straightforward and convincing.

The most commonly impersonated themes in callback phishing campaigns (Hoxhunt data, Oct 2025–Jan 2026): financial service impersonation (PayPal, Venmo, Bank of America) with fake charge threats, and invoice fraud impersonating vendors and suppliers.
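The three email-side signals described in this section (urgency words in the subject line, oversized HTML attachments, and callback lures that carry a phone number but no link) lend themselves to a simple mail-triage heuristic on the defender's side. The following is an added example, not code from the original page or from any vendor named here; the scoring weights, the 500 KB attachment threshold, the phone-number pattern and the sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical triage heuristics built from the trends described above:
# urgency wording in the subject line, oversized HTML attachments, and
# callback lures that carry a phone number but no link at all.
URGENCY_WORDS = {"urgent", "review", "sign"}
HTML_SIZE_ALERT_BYTES = 500_000   # assumption: far above the ~20 KB typical in 2021
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Message:
    subject: str
    body: str
    attachments: dict  # filename -> size in bytes


@dataclass
class Triage:
    score: int = 0
    reasons: list = field(default_factory=list)


def triage(msg: Message) -> Triage:
    """Score one message; higher means more worth an analyst's attention."""
    result = Triage()

    subject_words = set(re.findall(r"[a-z]+", msg.subject.lower()))
    hits = sorted(subject_words & URGENCY_WORDS)
    if hits:
        result.score += 1
        result.reasons.append("urgency-subject:" + ",".join(hits))

    for name, size in msg.attachments.items():
        if name.lower().endswith((".html", ".htm")) and size >= HTML_SIZE_ALERT_BYTES:
            result.score += 2
            result.reasons.append(f"oversized-html:{name}:{size}")

    # Callback phishing: the message carries nothing a URL filter would catch,
    # only a phone number, so the absence of a link is itself the signal.
    if PHONE_RE.search(msg.body) and not URL_RE.search(msg.body):
        result.score += 2
        result.reasons.append("callback-lure:phone-without-link")

    return result


# Constructed sample messages, not real captured mail.
SAMPLE_MESSAGES = [
    Message(
        subject="Urgent: Review your invoice",
        body="A charge of $499.00 was applied to your account. Call 1-800-555-0199 within 24 hours to cancel.",
        attachments={},
    ),
    Message(
        subject="Lunch Thursday?",
        body="Menu is at https://example.com/menu - let me know. Desk: 555-0100",
        attachments={},
    ),
    Message(
        subject="Document shared with you",
        body="Open the attached file to view the shared document.",
        attachments={"Invoice.html": 735_400},
    ),
]


def triage_all(messages):
    """Return (subject, Triage) pairs, highest score first."""
    scored = [(m.subject, triage(m)) for m in messages]
    return sorted(scored, key=lambda item: item[1].score, reverse=True)


if __name__ == "__main__":
    for subject, result in triage_all(SAMPLE_MESSAGES):
        print(f"{result.score}  {subject!r}  {result.reasons}")
```

The point of the last check is the one the section makes: a callback lure contains nothing a URL or attachment filter can act on, so the detector has to treat "phone number present, no link at all" as the anomaly rather than looking for something malicious in the message.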

Social Media & Collaboration Platform Phishing

APWG’s Q4 2025 data identified social media as one of the two most-targeted sectors at 20.3% of attacks (tied with SaaS/Webmail). Social media phishing uses platform DMs, friend request spoofing, and fake support account impersonation to steal credentials or redirect users to fraudulent forms.

Collaboration platforms — Slack, Microsoft Teams, and similar tools — have become an increasingly productive phishing surface as organizations have moved more business communication there. Phishing via Teams messages impersonating IT support or Microsoft itself has become a documented, active attack pattern.

Which Industries Are Most Targeted

Phishing is industry-agnostic in delivery but target-specific in value. KnowBe4’s 2025 Phishing Benchmarking data gives the clearest picture of susceptibility by sector:

Healthcare & Pharmaceuticals: The highest baseline Phish-prone Percentage (PPP) at 41.9% — meaning roughly 4 in 10 employees would click a simulated phishing link without training. Healthcare organizations also pay the highest breach cost of any industry, averaging $7.42 million per incident (IBM 2025).

Insurance: 39.2% baseline PPP — the second most susceptible sector.

Retail: 36.5% baseline PPP.

Financial institutions remain among the most targeted in raw volume terms, accounting for 9.3% of APWG-tracked attacks in Q4 2025, and represent high-value credential targets given direct financial system access. SaaS and webmail platforms were tied with social media at 20.3% — a reflection of how valuable cloud service credentials are to attackers, since a single Google or Microsoft 365 compromise unlocks email, documents, and cloud infrastructure simultaneously.

Government: A growing target. Government impersonation complaints to IC3 nearly doubled between 2023 and 2025, rising from 14,190 to 32,424 reports. The FBI explicitly linked AI to the increasing believability of these impersonation attacks.

The geographic concentration is significant: the United States accounted for 66% of top regional phishing targets in Q2 2025 (Rapid7), reflecting both the density of valuable targets and the reporting infrastructure that makes US data more visible.

Human Behavior: The Numbers That Define the Real Risk

The most dangerous phishing statistic is the 21-second median time to first click on a phishing link. That’s how long it takes the average employee to act on a convincing phishing email — faster than most people can read and consciously evaluate what they’ve received. This is reflexive behavior: an email appearing to come from Microsoft about a password expiration, or from a known vendor with an invoice, gets clicked before critical thinking engages.

At baseline, 33.1% of employees are susceptible to phishing (KnowBe4 2025). That number changes dramatically with training:

  • Ongoing security awareness training reduces click rates by more than 40% in the first 90 days
  • After 12 months of consistent training, susceptibility drops to approximately 4.6%
  • Organizations with regular training see phishing reporting rates jump from around 5% to 21%

The relationship between detection speed and cost is direct: IBM found a $1.2 million cost difference between breaches identified and contained before versus after 200 days. Getting employees to report suspicious emails immediately — rather than quietly closing them — is one of the highest-leverage behavioral changes available.

81.9% of phishing victims had their email addresses leaked in previous data breaches (Zensec analysis). Attackers don’t need to guess who to target. They buy email lists from data brokers and breach marketplaces on the dark web, pre-filtered by employer, industry, and seniority. The infrastructure for mass-targeted phishing is cheap and industrialized.

Defense: What the Data Says Actually Works

The phishing statistics are not just a threat inventory — they point directly to specific defensive priorities.

MFA remains important but is no longer sufficient alone. AiTM phishing bypasses standard MFA by stealing session cookies after authentication. Phishing-resistant MFA (FIDO2/passkeys) is the current gold standard because it binds authentication cryptographically to the legitimate domain, making session theft and replay attacks structurally impossible. The FIDO Alliance’s FIDO2 standards provide the technical foundation for organizations migrating away from OTP-based MFA.
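To make the "binds authentication cryptographically to the legitimate domain" claim concrete, here is an added example (not code from the original page, nor from the FIDO Alliance) modelling the relying-party checks in a WebAuthn assertion that an adversary-in-the-middle proxy cannot satisfy. The rpId `login.example.com`, the origin, the lookalike domain `login.example-verify.net` and the challenge bytes are all constructed for the example. It models the origin, rpIdHash and challenge checks only; the signature over `authenticatorData || SHA-256(clientDataJSON)`, which is what prevents a proxy from editing those fields, is not implemented here.

```python
import base64
import hashlib
import json

# Assumptions for this example: the relying party (RP) registered this rpId and
# accepts assertions only from this one origin.
EXPECTED_RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_client_data(origin: str, challenge: bytes) -> bytes:
    """Model of the clientDataJSON the browser assembles. The browser, not the
    page it is rendering, fills in the origin field."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()


def authenticator_data(rp_id: str) -> bytes:
    """Model of authenticatorData: SHA-256(rpId) || flags || signCount.
    A page can only ask for an rpId that is a registrable suffix of its own
    domain, so a lookalike site cannot obtain a hash of the real rpId."""
    flags = b"\x01"  # user present
    sign_count = (1).to_bytes(4, "big")
    return hashlib.sha256(rp_id.encode()).digest() + flags + sign_count


def check_assertion_binding(client_data_json: bytes, auth_data: bytes, issued_challenge: bytes):
    """RP-side checks that tie an assertion to the legitimate site.
    Signature verification is deliberately out of scope for this model."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != issued_challenge:
        return False, "challenge mismatch: replayed or cross-session assertion"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to another domain"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "assertion bound to the legitimate origin and rpId"


def simulate_login(origin_seen_by_browser: str, rp_id_requested: str,
                   challenge: bytes, issued_challenge: bytes):
    """Build what the browser and authenticator would return under the given
    conditions and run the RP checks on it."""
    client_data = browser_client_data(origin_seen_by_browser, challenge)
    auth_data = authenticator_data(rp_id_requested)
    return check_assertion_binding(client_data, auth_data, issued_challenge)


if __name__ == "__main__":
    ch = hashlib.sha256(b"constructed challenge").digest()
    # Genuine login on the real origin.
    print(simulate_login(EXPECTED_ORIGIN, EXPECTED_RP_ID, ch, ch))
    # Victim signs in through a proxy on a constructed lookalike domain: the proxy
    # can relay the RP's real challenge, but the browser stamps the lookalike origin
    # and the authenticator hashes the lookalike rpId.
    print(simulate_login("https://login.example-verify.net", "login.example-verify.net", ch, ch))
    # Stale assertion replayed against a new session.
    print(simulate_login(EXPECTED_ORIGIN, EXPECTED_RP_ID, ch, hashlib.sha256(b"new session").digest()))
```

Contrast this with an OTP: the one-time code carries no information about which site the user typed it into, so a proxy that relays it to the real site gets a valid session. Here the proxied assertion fails on the origin check before the RP ever reaches the signature.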

DMARC, DKIM, and SPF are table stakes. Email authentication protocols don’t stop all phishing, but they eliminate the easiest class of domain spoofing. DMARC adoption has increased, but a significant percentage of organizations still lack enforcement-level DMARC policy (p=reject or p=quarantine) that actually blocks spoofed mail rather than just monitoring it.
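The difference between a monitoring-only and an enforcement-level DMARC policy is easy to check mechanically from the `_dmarc` TXT record. The following is an added example (not code from the original page) that parses a record and classifies the domain's posture; the domain names and records are constructed placeholders, not real lookups, and a real deployment would fetch the record with a DNS resolver instead of reading it from a dictionary.

```python
# Constructed DMARC TXT records (what a resolver would return for _dmarc.<domain>);
# the domains are placeholders, not real measurements.
SAMPLE_DMARC_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@partial.example",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@enforced.example",
    "sub-gap.example": "v=DMARC1; p=reject; sp=none",
    "missing.example": None,
    "broken.example": "p=reject",  # no leading v=DMARC1 tag, so receivers discard it
}

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record):
    """Return the tag dictionary, or None if the record is absent or invalid.
    Per RFC 7489 the v=DMARC1 tag must come first and the p tag is required."""
    if not record:
        return None
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").upper() != "V=DMARC1":
        return None
    tags = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if "p" in tags else None


def assess_dmarc(domain, record):
    """Classify a domain's DMARC posture as none, monitoring, partial or enforcing."""
    tags = parse_dmarc(record)
    if tags is None:
        return {"domain": domain, "level": "none",
                "findings": ["no valid DMARC record published"]}

    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100     # pct defaults to 100
    findings = []

    if policy not in ENFORCING:
        findings.append(f"p={policy}: monitoring only, spoofed mail is still delivered")
    if policy in ENFORCING and pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if policy in ENFORCING and subdomain_policy not in ENFORCING:
        findings.append("sp=none: subdomains remain spoofable")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not being collected")

    if policy not in ENFORCING:
        level = "monitoring"
    elif pct < 100 or subdomain_policy not in ENFORCING:
        level = "partial"
    else:
        level = "enforcing"
    return {"domain": domain, "level": level, "findings": findings}


def assess_all(records):
    return {domain: assess_dmarc(domain, record) for domain, record in records.items()}


if __name__ == "__main__":
    for domain, result in assess_all(SAMPLE_DMARC_RECORDS).items():
        print(f"{domain:22} {result['level']:10} {'; '.join(result['findings']) or 'ok'}")
```

Two of the constructed records show why "has a DMARC record" is not the same as "blocks spoofed mail": `pct=20` leaves four out of five failing messages untouched, and `sp=none` leaves every subdomain open even though the apex is at `p=reject`.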

Training works — but timing matters. The 21-second click window means post-breach awareness campaigns are far less effective than proactive simulation programs. Organizations running quarterly or monthly simulated phishing campaigns with immediate feedback show the largest reductions in susceptibility. Security awareness training is one of the few investments where the ROI is directly measurable via click rate and reporting rate benchmarks.

Out-of-band verification for financial transactions is non-negotiable. The primary defense against BEC wire fraud is a verification call to a known, pre-established phone number — not a number in the email — before executing any wire transfer or payroll change. This single procedural control eliminates the vast majority of successful BEC attacks.

Report suspicious activity to authorities. For businesses and individuals: phishing attempts should be reported to the FTC via ReportFraud.ftc.gov, and phishing emails can be forwarded to phishing@reportphishing.antiphishing.org. If a financial transfer has been made, the FBI recommends contacting your financial institution immediately and then filing a complaint at IC3.gov.

For tools that address the technical side of the credential theft and account takeover pipeline that phishing enables, see our assessments of best antivirus software, best password managers, and best VPN services — three layers of protection that directly reduce phishing-enabled attack surface. Understanding what attackers do with stolen credentials is also covered in our identity theft protection guide.


Frequently Asked Questions

How many phishing attacks happen per day in 2026?

APWG tracked 3.8 million phishing attacks globally in 2025, equivalent to roughly 10,400 per day in tracked attack infrastructure. Phishing emails are sent at a much higher volume — approximately 3.4 billion phishing and spam emails per day — though the majority are blocked before reaching inboxes. The FBI IC3 received an average of 525 phishing complaints per day from US victims in 2025.

What is the average cost of a phishing attack in 2026?

IBM’s 2025 Cost of a Data Breach Report puts the average phishing-caused breach at $4.88 million. Business Email Compromise — the financially devastating social engineering form of phishing — resulted in $3.046 billion in losses in 2025 (FBI IC3), with individual incidents often reaching hundreds of thousands to millions of dollars.

What percentage of cyberattacks start with phishing?

Phishing was the initial access vector in 16% of all data breaches in 2025 (IBM). Verizon DBIR 2025 links 36% of breaches directly to phishing. CISA cites the figure that over 90% of cyberattacks begin with some form of phishing — a broader definition that includes credential phishing, spear phishing, vishing, and smishing.

What is AI phishing and how dangerous is it?

AI phishing refers to attacks where generative AI tools write, personalize, or refine the phishing message. KnowBe4 reports 82.6% of 2025 phishing emails contained AI-generated content. Academic testing found AI-crafted phishing emails achieve 54% click rates versus 12% for human-written ones. AI voice cloning — which can replicate someone’s voice from 3 seconds of audio — enables phone-based impersonation attacks that are extremely convincing.

What is smishing?

Smishing is SMS-based phishing — fraudulent text messages designed to steal credentials, redirect victims to fake websites, or initiate phone calls with attackers. Smishing accounts for 35% of all phishing attacks and grew 40% year-over-year through 2025. Common lures include fake package delivery notices, toll payment scams, and bank alert impersonation.

What is vishing?

Vishing is voice phishing — phone calls used to impersonate trusted entities (banks, executives, government agencies) to extract sensitive information or authorize fraudulent transactions. Vishing surged 442% from H1 to H2 2024. Callback phishing emails, which contain a phone number rather than a link, grew 500% in Q4 2025.

What is Business Email Compromise (BEC)?

BEC is a targeted form of phishing where attackers impersonate executives, vendors, or colleagues to trick employees into wiring money or sharing sensitive credentials. BEC accounted for $3.046 billion in US losses in 2025, making it the second-costliest cybercrime category. BEC does not require technical sophistication — it exploits trust and process gaps rather than software vulnerabilities.

Which industries are most vulnerable to phishing?

Healthcare and pharmaceuticals have the highest employee susceptibility rate, with 41.9% of employees likely to click a phishing link at baseline (KnowBe4). Insurance (39.2%) and retail (36.5%) follow. Financial institutions, SaaS platforms, and government are the most heavily targeted by attack volume due to the high value of their credentials.

How effective is phishing training?

Security awareness training is one of the most evidence-backed phishing defenses available. KnowBe4 data shows baseline susceptibility of 33.1% drops to approximately 4.6% after 12 months of consistent training. Organizations with ongoing training programs also see phishing reporting rates increase from around 5% to 21%, accelerating detection and response.

What should I do if I receive a phishing email?

Do not click any links or download attachments. Report the email using your organization’s reporting button if available, or forward it to your IT security team. Report phishing to the FTC at ReportFraud.ftc.gov and forward suspicious emails to phishing@reportphishing.antiphishing.org. If you clicked a link and entered credentials, change your password immediately, enable MFA if not already active, and notify your IT team.
