
Phishing Statistics 2026: Attack Volume, Financial Losses, AI Threats & Full Data


Last updated: June 11, 2026 | Next scheduled update: Q3 2026 (September)

Authors: Axis Intelligence Research + Marcus Chen

Phishing remains the #1 cybercrime by complaint volume in the United States: the FBI’s Internet Crime Complaint Center logged 191,561 phishing and spoofing complaints in 2025 — more than any other crime category — while phishing losses exploded 208% year-over-year from $70 million to $215.8 million. Globally, the Anti-Phishing Working Group tracked 971,181 phishing attacks in Q1 2026 alone, a 13.8% jump from Q4 2025, with the telecom sector emerging as the new primary target after rising from 5.9% to 33% of all attacks in a single quarter.


Key Findings

  • Phishing losses surged 208% in 2025, from $70 million (2024) to $215.8 million — an 11x increase from just two years prior ($18.7 million in 2023) — per direct extraction from the FBI IC3 2025 Annual Report. Complaint volume held near flat (193,407 in 2024 → 191,561 in 2025), confirming that each individual phishing attack is causing dramatically more financial damage.
  • 971,181 phishing attacks were observed in Q1 2026 by the Anti-Phishing Working Group — a 13.8% rise from Q4 2025 (853,244) — with telecom brands becoming the dominant target at 33% of all attacks, up from 5.9% just two quarters earlier, per APWG Q1 2026 Phishing Activity Trends Report.
  • Phishing initiated 16% of all data breaches per the Verizon 2026 DBIR, making it the #2 initial access vector by share (behind vulnerability exploitation at 31%), with an average breach cost of $4.8 million per phishing-initiated incident (IBM Cost of Data Breach Report 2025).
  • Business Email Compromise (BEC), a direct phishing derivative, generated $3.046 billion in losses from just 24,768 IC3 complaints in 2025 — an average of $122,999 per complaint — making it the second-costliest cybercrime category per the FBI IC3. Wire transfers and ACH accounted for 86% of BEC fund movement.
  • AI is now weaponized in phishing at scale: 803 IC3 phishing complaints referenced AI in 2025 with $10.3 million in AI-attributed phishing losses, the FBI’s first year formally tracking this category. Generative AI has reduced phishing email creation from 16 hours to approximately 5 minutes, enabling attackers to operate at unprecedented volume per IBM X-Force 2026.

The Axis Phishing Loss Acceleration Index (PLAI) — Q2 2026

Original metric published by Axis Intelligence Research. Methodology disclosed below.

No existing source captures the rate at which phishing financial damage is accelerating relative to volume. The FBI IC3 publishes both complaint counts and dollar losses annually, but never calculates the loss-per-complaint trajectory or the year-over-year loss multiplication factor. Axis fills that gap with the PLAI.

PLAI Formula: Year-over-year change in phishing losses ÷ Year-over-year change in phishing complaints = Loss Acceleration Multiplier

Q2 2026 PLAI Calculation (2023–2025 FBI IC3 data, extracted directly from primary source):

| Year | Phishing Complaints (IC3) | Phishing Losses (IC3) | Loss per Complaint | YoY Complaint Change | YoY Loss Change |
|---|---|---|---|---|---|
| 2023 | 298,878 | $18,728,550 | $62.66 | | |
| 2024 | 193,407 | $70,013,036 | $362.00 | -35.3% | +274% |
| 2025 | 191,561 | $215,843,126 | $1,126.90 | -0.96% | +208% |

PLAI 2024: $70M in losses on 35% fewer complaints = each 2024 complaint worth 6x a 2023 complaint.

PLAI 2025: $215.8M in losses on flat complaints = each 2025 complaint worth 18x a 2023 complaint.

PLAI Loss Acceleration Score Q2 2026: 18.0

Meaning: The financial damage generated by each phishing complaint reported to the FBI has multiplied 18-fold in two years, entirely disconnected from complaint volume trends. This decoupling — flat volume, explosive losses — is the defining structural shift in phishing economics in 2025–2026.

Methodology: PLAI is calculated from FBI IC3 Annual Report data (three-year comparison table, crime type losses and counts). All source figures are extracted directly from the primary PDF. The loss-per-complaint metric (dividing aggregate losses by complaint count) is not published by the FBI; Axis calculates it. The PLAI multiplier compares loss-per-complaint across years. Updated annually when FBI IC3 Annual Report is published (typically April).

Released CC BY 4.0. Cite as: Axis Intelligence Research (2026). Phishing Loss Acceleration Index Q2 2026. axis-intelligence.com.



Phishing Attack Volume — Global and U.S.

FBI IC3 — The U.S. Government Benchmark

The FBI Internet Crime Complaint Center 2025 Annual Report, obtained directly from the primary source and read in full for this research, shows 191,561 phishing and spoofing complaints filed in 2025 — making phishing the most-reported cybercrime category in the United States for the third consecutive year, ahead of extortion (89,129), investment fraud (72,984), and personal data breach (67,456).

IC3 defines “Phishing/Spoofing” as the use of unsolicited email, text messages, and telephone calls purportedly from a legitimate company requesting personal, financial, or login credentials. This is a narrower definition than many industry reports use: it excludes Business Email Compromise (tracked separately), vishing when categorized as government impersonation, and smishing that generates extortion complaints.

Three-year FBI IC3 phishing data (extracted directly from PDF, pages 25–26):

| Year | Phishing Complaints | Phishing Losses | Loss per Complaint |
|---|---|---|---|
| 2023 | 298,878 | $18,728,550 | $62.66 |
| 2024 | 193,407 | $70,013,036 | $362.00 |
| 2025 | 191,561 | $215,843,126 | $1,126.90 |

Source: FBI IC3 2025 Annual Report, pp. 25–26.

The $1,126.90 average loss per phishing complaint in 2025 is 18x the 2023 figure — the PLAI score of 18.0 quantifies this acceleration. Volume declined 35% from 2023 to 2024 (reflecting improved filtering and reporting changes) then held flat. Losses meanwhile grew 11-fold over the same two years.

APWG — The Global Phishing Volume Benchmark

The Anti-Phishing Working Group, which aggregates phishing reports from member organizations including financial institutions, cybersecurity firms, and law enforcement agencies, provides the most granular quarterly phishing volume data available from any primary source.

The APWG Q1 2026 Phishing Activity Trends Report, published May 27, 2026, recorded 971,181 phishing attacks in Q1 2026 — a 13.8% increase from Q4 2025 (853,244). For full-year 2025, APWG tracked approximately 3.8 million phishing attacks, up approximately 1% from 3.76 million in 2024.

APWG quarterly phishing volume — Q3 2024 through Q1 2026:

| Quarter | Phishing Attacks Observed | QoQ Change |
|---|---|---|
| Q3 2024 | 932,923 | |
| Q4 2024 | 989,123 | +6.0% |
| Q1 2025 | 1,003,924 | +1.5% |
| Q2 2025 | 1,130,393 | +12.6% |
| Q3 2025 | 892,494 | -21.0% |
| Q4 2025 | 853,244 | -4.4% |
| Q1 2026 | 971,181 | +13.8% |

Source: APWG Phishing Activity Trends Reports, quarterly editions. Q1 2026 report published May 27, 2026.

Q2 2025 was the largest single quarter since Q2 2023 (1.28 million attacks). The Q3–Q4 2025 dip followed by a Q1 2026 rebound is consistent with seasonal patterns observed in prior years. The annual total of ~3.8 million represents the APWG’s unique phishing sites count — not email volumes, which are orders of magnitude higher.

Phishing Financial Losses — BEC, IC3, and Sector Costs

BEC: The Costliest Phishing Derivative

Business Email Compromise begins with phishing. Attackers compromise or spoof executive email accounts and redirect wire transfers. The FBI IC3 2025 Annual Report documents $3,046,598,558 in BEC losses from 24,768 complaints — an average of $122,999 per BEC incident. Wire transfer and ACH accounted for 86% of BEC funds movement (IC3 PDF, page 10 transaction chart).

The three-year BEC trend shows resilience despite law enforcement pressure:

| Year | BEC Complaints | BEC Losses | Avg. Loss per Complaint |
|---|---|---|---|
| 2023 | 21,489 | $2,946,830,270 | $137,131 |
| 2024 | 21,442 | $2,770,151,146 | $129,186 |
| 2025 | 24,768 | $3,046,598,558 | $122,999 |

Source: FBI IC3 2025 Annual Report, three-year comparison table, pp. 25–26.

The APWG Q4 2025 report, via Fortra, documented a 136% increase in BEC wire transfer attempts in Q4 2025 compared to Q3, with the average wire transfer request rising to $50,297. BEC group “Scripted Sparrow” — the most prolific BEC actor identified globally — was sending up to 6 million targeted emails per month.

Phishing as Data Breach Initial Vector — IBM 2025

The IBM 2025 Cost of a Data Breach Report found phishing was the most common initial attack vector in data breaches, responsible for 16% of all studied incidents. The average cost of a phishing-initiated breach reached $4.80 million — above the global average of $4.44 million.

A phishing-initiated breach takes an average of 254 days to identify and contain — 13 days above the global average of 241 days — reflecting the difficulty of detecting credential misuse after a successful phishing compromise.

| Phishing Metric | Value | Source |
|---|---|---|
| Share of breaches initiated by phishing | 16% | IBM Cost of Data Breach 2025 |
| Average breach cost — phishing-initiated | $4.80 million | IBM Cost of Data Breach 2025 |
| Average breach lifecycle — phishing-initiated | 254 days | IBM / industry estimates |
| BEC losses (IC3 2025) | $3.046 billion | FBI IC3 2025 Annual Report |
| Average BEC loss per complaint | $122,999 | FBI IC3 2025 Annual Report |
| IC3 phishing losses (2025) | $215.8 million | FBI IC3 2025 Annual Report |
| IC3 phishing loss growth YoY | +208% | FBI IC3 2025 Annual Report |

AI-Driven Phishing Losses — First Official FBI Tracking

The FBI IC3 2025 report dedicated its first-ever AI-specific section (pages 39–43) to document 22,364 AI-related complaints with $893 million in AI-associated losses across all crime types. For phishing specifically, the IC3 recorded 803 phishing complaints with a reported AI nexus, with $10,283,732 in AI-attributed phishing losses.

IBM X-Force 2026 independently confirms the AI acceleration: generative AI has reduced the time to craft a convincing phishing email from 16 hours to approximately 5 minutes, enabling attackers to operate at roughly 200x prior productivity. This explains the PLAI loss acceleration — volume didn’t need to increase because each attack became more targeted, more convincing, and more financially damaging per incident.

Phishing by Sector — APWG Quarterly Breakdown

The Telecom Surge: From 5.9% to 33% in Two Quarters

The APWG Q1 2026 Report, published May 27, 2026, documents one of the most striking sector shifts in APWG’s tracking history. The telecom sector rose from 5.9% of all phishing attacks in Q3 2025 to 33% in Q1 2026 — an increase of more than 27 percentage points in two quarters.

Crane Authentication’s Matthew Harris (APWG contributing member) attributed the surge to telecom carriers’ bundling of consumer ISP services with email hosting, creating “multiple pivots” for attackers who successfully compromise accounts. URL phishing frequency in the telecom sector rose 75% between Q4 2025 and Q1 2026. The APWG describes this as “never-before-phished organizations” now being targeted — indicating that established telecom brands previously considered low-priority attack targets are being systematically exploited for the first time.

APWG Sector Rotation — Full Quarterly Picture

The APWG sector data shows significant rotation across quarters — a pattern that matters for defenders setting training priorities. Industry analyses that use a single annual sector figure miss this dynamic entirely:

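| Sector | Q1 2025 | Q2 2025 | Q3 2025 | Q4 2025 | Q1 2026 |
|---|---|---|---|---|---|
| Telecom | Low | Low | 5.9% | Low | 33.0% |
| Financial Institutions | 17.6% | 18.3% | Low (#3) | 9.3% | N/A |
| SaaS / Webmail | 17.6% (tied) | 18.2% | 21.2% (#1) | 20.3% | Targeted |
| Social Media | Moderate | Low | 14.6% (#2) | 20.3% | Elevated |
| eCommerce / Retail | Low | 14.8% | Low | 8.7% | Low |
| Payment Services | Low | 12.1% | Low | Low | Low |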

Sources: APWG Phishing Activity Trends Reports, Q1 2025 through Q1 2026. Full report series at apwg.org/trendreports.

Critical observation: Financial institutions led phishing targeting for most of 2024 and into 2025, but by Q4 2025, their share had fallen to 9.3% as social media and SaaS/webmail rose to 20.3% each. The Q1 2026 telecom spike to 33% represents the largest single-sector concentration in this data since Q4 2023. Defenders who anchor training on prior-year sector data will be systematically miscalibrated.

Vishing, Smishing, and Multi-Channel Phishing

Mobile Is Now the Highest-Risk Channel

The Verizon 2026 Data Breach Investigations Report documents that mobile-centric phishing (voice and SMS) produces click rates 40% higher than traditional email phishing. The DBIR 2026 tracks pretexting (synchronous voice and chat phishing) as a newly separated category, accounting for 6% of all initial breach access vectors — separate from email phishing’s 16%.

Combined, identity-based social engineering (phishing 16% + pretexting 6% + credential abuse 13%) accounts for 35% of all breach initial access — effectively matching vulnerability exploitation (31%) when measured as a category family rather than individual vectors.

The APWG Q3 2025 report notes SMS-based fraud detections increased nearly 35% in that quarter relative to Q2. The APWG Q4 2025 annual review found “vishing/smishing volumes continued to rise” even as some email phishing metrics dipped.

QR Code Phishing — Scale Confirmed by Primary Data

The APWG Q3 2025 report includes data from Mimecast tracking QR code-based phishing: 716,306 unique malicious QR codes detected in Q3 2025 alone, up 13% from 635,672 in Q2 2025. Over the 12-month period from Q2 2024 through Q3 2025, Mimecast detected more than 3 million unique malicious QR codes.

QR code phishing bypasses traditional email filtering because the QR code itself does not contain a malicious URL readable by email scanners — only when decoded does it resolve to a phishing page. The FBI IC3 issued a Public Service Announcement in July 2025: “Unsolicited Packages Containing QR Codes Used to Initiate Fraud Schemes,” documenting physical mail campaigns containing QR codes that route recipients to phishing pages.

Microsoft Defender telemetry (cited by APWG contributors) shows QR phishing detections rising from 7.6 million in January 2026 to 18.7 million in March 2026 — a 146% increase in a single quarter.

Phishing by Demographic — Age Group Data from FBI IC3

The FBI IC3 2025 Annual Report provides complete age-group phishing data (pages 32–33 and the Elder Fraud section, pages 44–50), giving Axis the ability to publish a demographic breakdown no competitor article uses from primary data.

Phishing Complaints and Losses by Age Group (FBI IC3 2025)

| Age Group | Phishing Complaints | Phishing Losses | Loss per Complaint |
|---|---|---|---|
| Under 20 | 2,380 | $360,429 | $151 |
| 20–29 | 19,765 | $7,954,797 | $402 |
| 30–39 | 27,433 | $32,669,619 | $1,190 |
| 40–49 | 27,800 | $33,063,856 | $1,189 |
| 50–59 | 26,782 | $30,918,367 | $1,154 |
| 60+ | 48,064 | $77,020,936 | $1,602 |

Source: FBI IC3 2025 Annual Report, pp. 32–33 and p. 46 (60+ crime types).

Americans aged 60 and older filed 48,064 phishing complaints — the most of any age group — and suffered $77 million in phishing losses at an average of $1,602 per complaint, the highest of any age group. This is consistent with the broader IC3 elder fraud finding that Americans 60+ reported $7.748 billion in total cybercrime losses in 2025.

Adults aged 30–49 show the second-highest per-complaint loss ($1,189–$1,190) at near-parity — suggesting AI-assisted phishing is effectively calibrating its financial extraction across working-age adults while being slightly more effective against older demographics.

AI-Linked Phishing — IC3 2025 First-Year Data

The FBI IC3 2025 AI section (page 41) documents 803 phishing complaints where AI involvement was reported, generating $10,283,732 in AI-attributed losses. This represents a loss-per-complaint of $12,807 for AI-assisted phishing — 11x the average for all phishing complaints ($1,127). The higher per-complaint value confirms that AI-assisted phishing selects for higher-value targets and sustains engagement longer before detection.

Government Impersonation Phishing — Fastest-Growing Category

Government impersonation is a phishing variant where attackers spoof government agency identities (IRS, SSA, Medicare, CISA) to extract money or credentials. The FBI IC3 2025 data shows this category nearly doubled in volume and cost year-over-year:

| Year | Govt. Impersonation Complaints | Losses | Avg. Loss per Complaint |
|---|---|---|---|
| 2023 | 14,190 | $394,050,518 | $27,769 |
| 2024 | 17,367 | $405,624,084 | $23,356 |
| 2025 | 32,424 | $797,943,193 | $24,610 |

Source: FBI IC3 2025 Annual Report, three-year comparison table.

The near-doubling of government impersonation complaints (17,367 → 32,424) and near-doubling of losses ($406M → $798M) is directly attributable to AI voice cloning enabling attackers to create convincing audio impersonations of government officials. The FBI issued a May 2025 Public Service Announcement: “Senior US Officials Impersonated in Malicious Messaging Campaign” and a follow-up in December 2025.

Americans aged 60+ bore the heaviest share of government impersonation losses: $413 million of the $798 million total (51.8%), per IC3 elder fraud data.

Phishing Infrastructure — Domains, Platforms, and PhaaS

BEC Domain Infrastructure (APWG Primary Data)

The APWG Q1 2025 report documents Gmail as the preferred free webmail provider for BEC scammers, accounting for 73.5% of free webmail accounts set up for BEC operations. Microsoft webmail properties were a distant second at 13.8%. NameSilo and NameCheap continued to be the domain registrars most frequently used by BEC scammers through Q1 2026, per APWG.

The IC3 2025 report separately documents LabHost, a Phishing-as-a-Service (PhaaS) platform, whose domains were published in an April 2025 joint advisory: “Phishing Domains Associated with LabHost PhaaS Platform Users” — a joint FBI/CISA alert listing hundreds of domains used for credential harvesting.

Social Media Phishing Infrastructure

The APWG Q1 2026 report, via ZeroFox data, found that on social media, 43.8% of phishing threats took the form of impersonation (falsely claiming to be a real person, brand, or organization) and 27.1% were scams (deceptive tactics to defraud users of money). Finance, retail, and federal government program brands were most heavily spoofed on social media platforms.

What Works Against Phishing — Evidence-Based Controls

The FBI IC3, IBM, and Verizon DBIR converge on a consistent set of evidence-based controls that reduce phishing exposure and damage:

DMARC enforcement directly counters the domain spoofing that enables phishing at scale. The FBI IC3’s Recovery Asset Team froze $679 million of $1.164 billion in fraudulent transactions in 2025 (58% success rate), but this depends entirely on victims filing IC3 complaints immediately. The FBI’s most effective countermeasure is timing, not technology.
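
One way to check whether a domain's DMARC policy is actually enforced rather than merely published, as an added example that is not part of the original report. The grading labels (missing, invalid, monitor-only, partial, enforced) and the sample domains and TXT records are constructed assumptions.

```python
"""Grade DMARC TXT records by enforcement level (added example, constructed data)."""
from dataclasses import dataclass, field

ENFORCING = {"quarantine", "reject"}
POLICIES = ENFORCING | {"none"}


@dataclass
class Verdict:
    domain: str
    status: str  # missing | invalid | monitor-only | partial | enforced
    findings: list = field(default_factory=list)


def parse_tags(txt):
    """Return the record's tag=value pairs in order, whitespace trimmed."""
    pairs = []
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(domain, txt_records):
    """Grade the TXT strings published at _dmarc.<domain>."""
    # A TXT string is a DMARC record only if its first tag is exactly v=DMARC1.
    parsed = [parse_tags(t) for t in txt_records]
    dmarc = [p for p in parsed if p and p[0] == ("v", "DMARC1")]
    if not dmarc:
        return Verdict(domain, "missing", ["no DMARC record published"])
    if len(dmarc) > 1:
        # With more than one record, RFC 7489 policy discovery applies none.
        return Verdict(domain, "invalid", ["multiple DMARC records"])

    tags = dict(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        return Verdict(domain, "invalid",
                       [f"p={policy or '(absent)'} is not a valid policy"])
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        return Verdict(domain, "invalid", ["pct is not an integer 0-100"])
    if policy == "none":
        return Verdict(domain, "monitor-only",
                       ["p=none: receivers are asked to take no action on failing mail"])

    weak = []
    if pct < 100:
        weak.append(f"pct={pct}: policy applies to only part of failing mail")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if sub_policy not in ENFORCING:
        weak.append(f"sp={sub_policy}: subdomains are not protected")
    notes = list(weak)
    if "rua" not in tags:
        notes.append("no rua tag: no aggregate reports are requested")
    return Verdict(domain, "partial" if weak else "enforced", notes)


# Constructed sample: TXT strings as they might be returned for _dmarc.<domain>.
SAMPLE = {
    "example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "example.net": ["v=DMARC1; p=none; rua=mailto:dmarc@example.net"],
    "example.org": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.org"],
    "shop.example": ["v=DMARC1; p=reject; sp=none"],
    "mail.example": ["v=spf1 -all"],
    "dup.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "typo.example": ["v=DMARC1; p=rejct"],
}


def audit_all(records):
    """Audit every domain in a {domain: [txt, ...]} mapping."""
    return {d: audit(d, txts) for d, txts in records.items()}


if __name__ == "__main__":
    for v in audit_all(SAMPLE).values():
        print(f"{v.domain:14} {v.status:13} {'; '.join(v.findings)}")
```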

Multi-factor authentication (MFA) is the FBI’s primary recommended mitigation. The IC3 2025 report explicitly lists enabling MFA “for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems” as its top ransomware and phishing mitigation. Hardware-key-based MFA (FIDO2) resists credential phishing that SMS-based MFA does not.

Verizon DBIR 2026 simulation data shows employees who received phishing awareness training within the past 30 days were 4x more likely to report phishing attempts. Email simulation median failure rate: ~1.4%. Phone-centric (vishing) simulation median failure rate: ~2.0% — a 40% relative gap that organizations running email-only training leave unaddressed.

Methodology

Data collection: This report draws exclusively on primary source data. FBI IC3 statistics were extracted directly from the PDF of the 2025 IC3 Annual Report, which was fetched and read in full. APWG statistics come from the quarterly Phishing Activity Trends Report series, with Q1 2026 data from the May 27, 2026 publication. IBM phishing cost statistics derive from the IBM 2025 Cost of a Data Breach Report. Verizon 2026 DBIR phishing vector data comes from the primary report.

PLAI methodology: The Phishing Loss Acceleration Index is computed as loss-per-complaint in the measurement year divided by loss-per-complaint in the base year (2023). All inputs derive from the FBI IC3 three-year comparison table (primary PDF, pages 25–26). This calculation is not published by any competing source.

Limitations:

  • FBI IC3 data reflects only crimes reported through the IC3 portal — phishing is significantly underreported; the FBI estimates fewer than 15% of cybercrime victims file reports.
  • APWG figures count unique phishing sites reported to the APWG network, not total phishing emails sent. Microsoft Defender figures count email-level threats and are not comparable to APWG site-level counts.
  • The AI-linked phishing figures from IC3 ($10.3M) represent only complaints where victims or investigators explicitly identified AI involvement; the true AI-assisted phishing loss is substantially higher.
  • APWG sector distribution data comes from Crane Authentication’s subset of APWG data; full member-wide sector data may differ.

About This Dataset

License: CC BY 4.0 — Free to share and adapt with attribution.

Citation (APA): Axis Intelligence Research. (2026, June). Phishing statistics 2026: Attack volume, financial losses, AI threats & full data. Axis Intelligence. https://www.axis-intelligence.com/phishing-statistics/

Citation (MLA): Axis Intelligence Research. “Phishing Statistics 2026: Attack Volume, Financial Losses, AI Threats & Full Data.” Axis Intelligence, 11 June 2026, www.axis-intelligence.com/phishing-statistics/.

Citation (Chicago): Axis Intelligence Research. “Phishing Statistics 2026: Attack Volume, Financial Losses, AI Threats & Full Data.” Axis Intelligence, June 11, 2026. https://www.axis-intelligence.com/phishing-statistics/.

Download the dataset: [CSV download — phishing-statistics-2026.csv] (CC BY 4.0)


FAQ

How many phishing attacks happen per day in 2026?

Based on APWG’s Q1 2026 data (971,181 attacks in 90 days), approximately 10,791 unique phishing sites are created daily. FBI IC3 data shows phishing generates approximately 524 U.S. complaints per day in 2025 (191,561 ÷ 365). These figures measure different things: APWG counts unique phishing sites globally; IC3 counts U.S. citizen complaints. Total phishing emails sent daily are estimated at 3.4 billion globally (various vendor estimates), but this figure is not sourced from a primary government or named-organization report and should be used with caution.

What are the financial losses from phishing in 2025?

The FBI IC3 2025 Annual Report documented $215,843,126 in reported phishing losses from 191,561 complaints — an average of $1,127 per complaint and a 208% increase from 2024 ($70 million). Business Email Compromise, which begins with phishing, generated an additional $3.046 billion in losses. Combined, phishing-origin fraud (direct phishing + BEC) accounted for over $3.26 billion in FBI-documented losses in 2025.

What industry is most targeted by phishing in 2026?

As of Q1 2026, telecom has emerged as the most targeted sector per APWG data, reaching 33% of all phishing attacks — up from 5.9% just two quarters prior. Before this surge, SaaS/webmail and financial institutions each held approximately 18–21% of phishing targeting. Sector distribution rotates significantly quarter-to-quarter; the Q1 2026 telecom dominance represents a structural shift, not a one-quarter anomaly.

What is the Axis PLAI and what does it measure?

The Phishing Loss Acceleration Index (PLAI) is an original metric by Axis Intelligence Research that measures the rate at which phishing financial damage is escalating relative to complaint volume. The Q2 2026 PLAI score of 18.0 means each phishing complaint in 2025 generates 18 times the financial damage of a 2023 complaint, based on FBI IC3 primary data. The metric captures the structural shift from high-volume, low-damage phishing to lower-volume, high-damage AI-targeted attacks. Full methodology at axis-intelligence.com/phishing-statistics/.

How has AI changed phishing?

AI has fundamentally changed phishing economics by reducing the cost of producing convincing, personalized attacks. IBM X-Force 2026 documents that AI has reduced phishing email creation from 16 hours to approximately 5 minutes — a 200x productivity increase for attackers. The FBI IC3 2025 report documented 803 AI-referenced phishing complaints with $10.3 million in losses, at an average of $12,807 per complaint — 11x the average for all phishing. AI voice cloning enabled government impersonation complaints to nearly double in 2025, from 17,367 to 32,424.

What is vishing and how common is it in 2026?

Vishing (voice phishing) uses phone calls — increasingly AI-synthesized — to impersonate executives, government officials, IT support, or financial institutions. The Verizon 2026 DBIR tracks “pretexting” (synchronous voice, chat, or callback phishing) as a separate initial access vector at 6% of all breaches. Mobile-centric phishing (voice + SMS) produces click rates 40% higher than email phishing per the Verizon 2026 DBIR — a finding that makes vishing the highest-yield per-attempt vector available to attackers.

What are the most common phishing email domains and platforms used?

APWG data shows that BEC scammers rely on Gmail for 73.5% of free webmail accounts used in attacks. NameSilo and NameCheap are the most frequently used domain registrars for phishing infrastructure. Phishing-as-a-Service (PhaaS) platforms like LabHost (subject of a 2025 FBI/CISA advisory) lower the technical barrier by providing ready-made phishing kits, credential capture pages, and automation. QR code phishing — bypassing email URL filters — has scaled rapidly with Mimecast detecting 716,306 unique malicious QR codes in Q3 2025 alone.

How does phishing relate to ransomware?

Phishing is the primary delivery mechanism for ransomware. The Verizon 2026 DBIR finds ransomware present in 48% of all breach chains, with social engineering (including phishing) being a key initial access enabler. The FBI IC3 separately shows government impersonation (a phishing variant) nearly doubled in 2025. IBM X-Force 2026 found that 44% of AI-assisted initial access in 2025 was phishing-related, directly enabling the ransomware ecosystem documented by the DBIR.

What demographics are most affected by phishing?

Americans aged 60 and older filed the most phishing complaints to the FBI IC3 in 2025 (48,064) and suffered the highest per-complaint losses ($1,602 average) and aggregate losses ($77 million). This is consistent with elder fraud patterns where government impersonation phishing — pretending to be IRS, SSA, or Medicare — disproportionately targets older adults. Adults aged 30–49 showed the second-highest per-complaint losses ($1,189–$1,190), suggesting AI-targeted phishing is effective across working-age demographics.

How can organizations protect against phishing in 2026?

The FBI IC3 2025 report’s primary recommendation is enabling MFA for all services, particularly webmail, VPN, and critical system accounts. DMARC enforcement prevents domain spoofing that underpins most phishing. The Verizon DBIR 2026 shows that phishing training conducted within the past 30 days makes employees 4x more likely to report suspicious emails. Critically, organizations should extend training beyond email to vishing (voice) and smishing (SMS) — the 40% higher click rate on mobile-centric phishing per the DBIR 2026 reflects a systematic gap in email-focused training programs.


Cite This Research

<blockquote style="border-left:4px solid #1a1a2e;padding:12px 20px;margin:0;font-family:sans-serif;">
  <p style="font-size:1.1em;font-weight:bold;margin:0 0 8px;">
    "Phishing losses grew 208% in 2025 to $215.8M while complaints held flat — each phishing complaint now causes 18x the financial damage of 2023. (Axis PLAI Score: 18.0)"
  </p>
  <footer style="font-size:0.85em;color:#555;">
    — <a href="https://www.axis-intelligence.com/phishing-statistics/" style="color:#1a1a2e;text-decoration:underline;">
      Axis Intelligence Research: Phishing Statistics 2026
    </a> (CC BY 4.0)
  </footer>
</blockquote>
