Phishing is the front door to nearly every major cyberattack. It is the #1 most-reported cybercrime in America, the leading initial access vector for ransomware, and the engine behind $2.77 billion in Business Email Compromise losses in a single year. Despite decades of awareness campaigns, one in three untrained employees will still click a simulated phishing link today. What has changed dramatically is the attack itself — AI-generated phishing emails now achieve click rates four times higher than traditional ones, deepfake voice calls have stolen $25 million in a single incident, and 82.6% of phishing emails now contain some form of AI-generated content. This article compiles the most current phishing statistics from Tier 1 primary sources — FBI IC3, Verizon DBIR, IBM, APWG, KnowBe4, Proofpoint, and CrowdStrike — to give organizations the full picture heading into 2026.

To understand why phishing remains the dominant cybersecurity threat despite decades of defenses, start with the volume. The numbers are industrial in scale — and the filters that block most attacks don’t change the fact that attackers only need one to succeed.
Phishing/spoofing was the most reported type of crime to the FBI’s IC3 in 2024, with 193,407 complaints — more than double the second-place category (extortion at 86,415) and nearly triple personal data breaches (64,882). The financial impact of these phishing complaints jumped to $70 million in 2024, a 274% increase from $18.7 million in 2023, according to Proofpoint’s analysis of the IC3 data. That said, phishing’s greatest financial damage doesn’t show up in its own loss column — it shows up in what it enables downstream: Business Email Compromise ($2.77 billion), ransomware ($12 million+ in direct reported losses), and data breaches ($1.45 billion).
The APWG’s quarterly tracking data provides the broadest measurement of unique phishing attack campaigns. The group recorded 3.8 million unique phishing attacks in 2025 — slightly above the 3.76 million tracked in 2024 — with Q2 2025 peaking at over 1.13 million attacks in a single quarter. These numbers reflect only detected and reported incidents; the APWG estimates actual volume is two to three times higher than captured data.
[IMAGE: Chart of Top FBI IC3 Cybercrime Categories by Complaint Volume (2024)]
Google blocks approximately 100 million phishing emails daily. Microsoft screens roughly 5 billion emails per day across its platforms for threats. Despite those filters, phishing still causes an average of $4.88 million in breach costs per incident (IBM 2025) — because the attacker doesn’t need to defeat the filter most of the time. They need to get one email through to the right person, at the right moment.
The FBI IC3 recorded $70 million in losses directly attributed to phishing complaints in 2024, from 193,407 complaints. That works out to approximately $362 in reported loss per phishing complaint — a seemingly modest figure that masks the real damage. Phishing complaints at IC3 capture only direct loss at the point of the attack. The downstream losses — the ransomware attack that started with a phishing email, the BEC fraud that followed credential theft, the data breach enabled by stolen credentials — are counted under separate crime categories. When you add phishing-enabled BEC losses ($2.77B), data breach losses ($1.45B), and ransomware losses, phishing’s true loss enablement in 2024 exceeds $4.3 billion — making it the most financially consequential attack vector by far, despite its relatively low “direct” loss figure.
CNiC-derived calculation: $70M direct phishing losses + $2.77B BEC + partial attribution of $1.45B data breach losses and ransomware losses where phishing is the initial vector. Sources: FBI IC3 2024 Annual Report. Interpretation and aggregation original to CNiC Solutions.
Source: FBI IC3 2024 Annual Report | Proofpoint Analysis of 2024 IC3 Report
The reason phishing persists despite technological defenses is fundamentally human. Security systems can filter billions of emails, but the inbox that reaches a real employee is a direct line to organizational trust, credentials, and financial systems. The data on human susceptibility is sobering — and also hopeful, because it’s highly trainable.
KnowBe4’s 2025 Phishing by Industry Benchmarking Report — the largest dataset of its kind, measuring simulated phishing results across thousands of organizations — found that the global average Phish-prone Percentage (PPP) sits at 33.1%. That means roughly one in three untrained employees will interact with a phishing simulation before any security awareness training. In North America specifically, the baseline PPP is 37.1% — meaning over one in three American employees are at risk without training intervention.
| Industry | Baseline PPP (Untrained) | PPP After 12 Months Training | Improvement |
|---|---|---|---|
| Healthcare & Pharmaceuticals | 41.9% (highest) | ~4.2% | 91% reduction |
| Insurance | 39.2% | ~3.9% | ~90% reduction |
| Retail & Wholesale | 36.5% | ~4.0% | ~89% reduction |
| Financial Services & Banking | Elevated | ~3.5% | 91% reduction |
| Consulting & Manufacturing | Elevated | ~3.2% | 92% reduction |
| Legal | Elevated | 3.1% (lowest post-training) | 91% reduction |
| Global Average (all industries) | 33.1% | 4.1% | 86% reduction |
The time dimension of human susceptibility is equally alarming. Verizon’s DBIR data shows the median time between a phishing email being opened and the user clicking the malicious link is just 21 seconds. If the attack requires credential entry — a login page, for example — the entire compromise takes a median of 49 seconds from open to credential theft. Security teams have less than one minute to intercept the attack once it reaches an employee’s inbox.
The human element remains involved in approximately 60% of all breaches (Verizon DBIR 2025). This figure encompasses phishing, credential misuse, social engineering, and insider actions — confirming that technology alone cannot solve the phishing problem. The attack surface is human, and the most effective countermeasure is also human: trained employees who can recognize and report suspicious contact.
Source: KnowBe4 2025 Phishing by Industry Benchmarking Report | Verizon 2025 DBIR
Business Email Compromise deserves its own section because it is where phishing converts most reliably into catastrophic financial loss. BEC doesn’t require malware, exploits, or technical skill — it exploits organizational trust and payment workflows using impersonation, and it works with devastating consistency.
BEC was the 7th most-reported crime to the FBI IC3 by complaint count in 2024, with 21,442 complaints — but it ranked 2nd by total dollar loss at nearly $2.77 billion. The contrast is stark: phishing generated over 193,000 complaints for $70 million in direct losses, while BEC generated 21,000 complaints for $2.77 billion. On a per-complaint basis, the average BEC loss is approximately $129,000 — orders of magnitude higher than a typical phishing incident’s direct loss.
BEC accounts for 58% of all financially motivated phishing breaches (Verizon DBIR 2025) and was identified as a factor in 27% of all investigated incidents (Arctic Wolf 2025). The Association for Financial Professionals found that 63% of organizations experienced a BEC attempt in 2024. BEC volume surged 54% in the first half of 2025 compared to 2023 (Abnormal Security).
[IMAGE: Chart of BEC Annual Losses Reported to FBI IC3]
Pretexting — where attackers construct a fabricated scenario to manipulate victims — now accounts for over 50% of all social engineering incidents (Verizon DBIR 2025), and it is the primary mechanism behind BEC. The most common scenarios include CEO impersonation requesting urgent wire transfers, vendor impersonation updating payment instructions, payroll diversion attacks, and real estate closing fraud. The FBI’s IC3 Recovery Asset Team achieved a 66% success rate in freezing fraudulent BEC transfers in 2024 — recovering hundreds of millions of dollars for victims who reported quickly.
Source: FBI IC3 2024 Annual Report | Nacha BEC Analysis, April 2025

The arrival of generative AI in the phishing toolkit marks a qualitative shift in the threat — not just a quantitative one. Phishing has always been a human problem; AI makes the human problem exponentially harder to solve by removing the linguistic signals that trained employees once used to identify attacks.
[IMAGE: Split-panel infographic contrasting “Traditional Phishing” vs “AI-Powered Phishing.” Left panel: generic email with obvious grammar errors, 12% click rate, hours to create. Right panel: hyper-personalized email with correct grammar and contextual details, 54% click rate, 5 minutes to create. Dark teal and charcoal palette with orange accent highlights for the AI panel. Professional data-journalism style. CNiC Solutions watermark bottom right.]
AI-Generated Email Phishing. IBM researchers demonstrated in 2024 that an AI system could construct a complete, convincing phishing campaign in 5 minutes using just 5 prompts — a task that took human security experts 16 hours. KnowBe4’s data shows that in 2024, at least one AI-polymorphic feature was present in 76.4% of all phishing attacks, making them more resistant to blocklists, secure email gateways, and native security tools. Between September 2024 and February 2025, phishing emails increased 17.3% compared to the prior six-month period, with 57.9% sent from compromised legitimate accounts — making sender-reputation-based filters ineffective.
Vishing (Voice Phishing). Vishing surged 442% from H1 to H2 2024 — the fastest growth of any phishing vector tracked by CrowdStrike. AI voice cloning can replicate a person’s voice from as little as 3 seconds of audio (McAfee 2024). The most high-profile documented case: a finance employee at engineering firm Arup transferred $25 million to fraudsters after attending a deepfake video conference call impersonating the company’s CFO and senior leadership — every face and voice was AI-generated. Callback phishing — emails directing victims to call an attacker-controlled phone number instead of clicking a link — grew 500% in Q4 2025 (VIPRE Security Group), bypassing email URL scanning entirely.
Smishing (SMS Phishing). SMS-based phishing accounts for 35% of all phishing attacks (SentinelOne 2026) and surged 40% year-over-year (Keepnet 2025). Nineteen percent of all breaches now originate from smishing or vishing combined (Verizon DBIR 2025). 83% of phishing websites are specifically designed to target mobile devices (Zimperium 2024), reflecting the shift to mobile-first attack strategies. SMS lacks the equivalent of enterprise email security gateways, and personal mobile devices typically have weaker security controls than corporate endpoints.
QR Code Phishing (“Quishing”). QR code attacks increased 400% between 2023 and 2025 (Abnormal Security). Quishing is particularly effective because the malicious URL is encoded in an image, bypassing text-based URL scanning in most email security tools. The most affected sectors are energy, healthcare, and manufacturing. Attackers distribute QR codes via email, physical flyers, and even fake parking meters and public signage.
| Phishing Vector | Key Statistic | Trend | Source |
|---|---|---|---|
| Email phishing | 3.4 billion emails/day | Stable volume, rising sophistication | Industry consensus |
| AI-generated email | 82.6% of phishing emails | Rapidly increasing | KnowBe4 2025 |
| Vishing (voice) | +442% H1→H2 2024 | Fastest-growing vector | CrowdStrike 2025 |
| Smishing (SMS) | 35% of all phishing; +40% YoY | Increasing | SentinelOne / Keepnet 2025 |
| QR code (quishing) | +400% between 2023–2025 | Sharply increasing | Abnormal Security |
| AiTM (MFA bypass) | +146% in 2024 | Increasing | Security vendor telemetry |
| Callback phishing | +500% in Q4 2025 | Sharply increasing | VIPRE Security Group |
Source: KnowBe4 2025 Phishing Threat Trends Report | CrowdStrike 2025 Global Threat Report
Phishing is not just the most common attack type — it is among the most expensive. The financial damage flows through multiple channels: direct fraud losses, breach remediation costs, regulatory penalties, and the downstream costs of the ransomware or data theft that phishing enables.
IBM’s 2025 Cost of a Data Breach Report found that phishing-caused breaches average $4.88 million per incident, with a detection and containment timeline of 254 days — nearly nine months during which attackers maintain access. Every additional day of undetected attacker access adds cost: IBM’s data shows a $1.2 million cost difference between breaches identified before versus after the 200-day mark, making early detection one of the highest-ROI investments a security team can make.
The total 2024 FBI IC3 losses of $16.6 billion — a 33% increase over 2023 and the highest ever recorded — are predominantly enabled by phishing and social engineering as the initial attack vector. The breakdown of major loss categories in 2024:
| Crime Category | 2024 IC3 Losses | Phishing Role |
|---|---|---|
| Investment Fraud | $6.57 billion | Often initiated via phishing/social engineering |
| Business Email Compromise | $2.77 billion | Direct phishing variant |
| Tech Support Fraud | $1.46 billion | Social engineering dependent |
| Personal Data Breach | $1.45 billion | Frequently phishing-initiated |
| Ransomware (direct reported) | $12M+ (severely undercounted) | Phishing is initial vector in 54% of cases |
| Phishing/Spoofing (direct) | $70 million | N/A (direct category) |
The $70 million in direct phishing losses understates phishing’s true financial impact by orders of magnitude. When you account for BEC, tech support fraud, data breaches, and ransomware that originate with a phishing email, phishing’s total loss enablement in 2024 exceeds $4.3 billion conservatively — making it the highest-ROI initial attack investment in the criminal toolkit.
Source: FBI IC3 2024 Annual Report | IBM Cost of a Data Breach 2025
Phishing is universal in delivery but selective in targeting. Attackers prioritize industries where stolen credentials have the highest value, where time pressure creates decision errors, and where the workforce is least trained. The APWG’s sector targeting data and KnowBe4’s susceptibility benchmarks together show which industries face the greatest exposure.
[IMAGE: Chart of Industries Most Targeted by Phishing (APWG 2024–2025)]
Financial Services (23.5% of all phishing attacks). Banks, insurance companies, and fintech platforms are the single most targeted industry. Banking login pages remain phishing’s #1 impersonation target. Financial services organizations face a 65% ransomware attack rate (Sophos 2024) in addition to high phishing volume. Despite high attack exposure, financial services organizations typically have more mature security programs, and KnowBe4’s data shows they achieve strong post-training PPP reductions of 91%.
SaaS and Webmail (19.4%). Microsoft 365 and Google Workspace are primary targets because stolen credentials grant access to entire organizational ecosystems — email, files, calendars, cloud applications, and password reset pathways. A single compromised Microsoft 365 account provides an attacker with the credibility of a legitimate internal sender, making downstream BEC and lateral movement significantly easier. In 2024, phishing emails bypassing Microsoft’s native security and secure email gateways increased 47%.
Healthcare (Highest Susceptibility Rate). Healthcare and pharmaceuticals has the highest employee Phish-prone Percentage of any industry at 41.9% — meaning nearly 4 in 10 healthcare workers would click a simulated phishing link without training. The combination of high attack volume, high susceptibility, and high breach costs ($7.42 million average per IBM 2025) makes healthcare the most financially exposed sector to phishing.
KnowBe4 reports healthcare’s baseline PPP at 41.9%. IBM reports healthcare’s average breach cost at $7.42 million. Multiplying susceptibility rate against breach cost creates a useful risk-weighting metric: healthcare organizations carry approximately $3.11 million in expected breach cost per 100 employees before training (41.9% susceptibility × $7.42M average breach cost), compared to a cross-industry average of approximately $2.46 million per 100 employees (33.1% × $7.42M). After 12 months of training, healthcare’s PPP drops to approximately 4.2%, reducing that expected exposure to approximately $311,000 per 100 employees — a $2.8 million annual risk reduction per 100 employees from training alone.
CNiC-derived calculation: Baseline PPP × average breach cost, before and after training. Sources: KnowBe4 2025 Phishing by Industry Benchmarking Report; IBM Cost of a Data Breach 2025. Calculation and interpretation original to CNiC Solutions.
Source: KnowBe4 2025 Phishing by Industry Benchmarking Report | APWG Phishing Activity Trends Report 2024–2025
If susceptibility is the problem, training is the most proven solution. KnowBe4’s 2025 benchmark data provides the clearest empirical evidence yet that security awareness training works — rapidly, consistently, and across all industries and organization sizes.
The training ROI case is compelling at every scale. North American organizations start with a 37.1% baseline PPP. After 12 months of training, that drops to approximately 4.1% — an 89% reduction. Applied to IBM’s $4.88 million average phishing breach cost, an organization that reduces its susceptibility from 37% to 4% has dramatically reduced the probability of an incident that costs nearly $5 million. The training investment — typically measured in tens of thousands of dollars annually for mid-market organizations — represents extraordinary ROI against that exposure.
Beyond training, several technical controls have proven effective:
Multi-factor authentication (MFA) remains the single highest-impact technical control against credential phishing. However, adversary-in-the-middle (AiTM) attacks — which surged 146% in 2024 — can bypass standard MFA by proxying authentication sessions and stealing session cookies in real time. Phishing-resistant MFA (hardware keys, passkeys) is the next-generation requirement.
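As an added illustration (not code from the article or from any vendor it cites), the script below shows the mechanism behind that last sentence: a one-time code relayed through an AiTM proxy is accepted because nothing ties it to where the user typed it, while a WebAuthn-style assertion fails because the browser signs the origin it actually loaded and the relying party compares that against its own. The domains are constructed placeholders, and the signature is simulated with HMAC so the script runs on the standard library alone.

```python
"""Why phishing-resistant MFA survives an adversary-in-the-middle proxy.

Toy relying party (RP) that accepts two second factors. The HMAC "signature"
stands in for a per-credential private key; a real passkey or hardware key
signs with asymmetric crypto, but the origin check works the same way.
"""
import hashlib
import hmac
import json
import os

RP_ORIGIN = "https://login.example.com"      # constructed: the real login page
RP_ID = "login.example.com"
PHISH_ORIGIN = "https://login-example.com"   # constructed: the proxy's lookalike


class Authenticator:
    """Stands in for a passkey / hardware key bound to one credential."""

    def __init__(self):
        self._key = os.urandom(32)       # simulates the credential private key
        self.public_handle = self._key   # HMAC stand-in for the public key

    def get_assertion(self, challenge: bytes, origin: str) -> dict:
        # The browser, not the user, fills in `origin`: it is the page that
        # called navigator.credentials.get(). A proxy forwards the challenge,
        # but it cannot change which origin the victim's browser is on.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
            sort_keys=True,
        ).encode()
        auth_data = hashlib.sha256(RP_ID.encode()).digest()  # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self._key, signed, hashlib.sha256).digest()
        return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def verify_assertion(public_handle: bytes, challenge: bytes, assertion: dict) -> bool:
    """RP-side checks, in the order WebAuthn specifies them."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != RP_ORIGIN:           # the check AiTM cannot satisfy
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(public_handle, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])   # origin is under the signature


def verify_otp(expected_code: str, submitted_code: str) -> bool:
    """Standard one-time code: valid wherever it was typed, so a relay wins."""
    return hmac.compare_digest(expected_code, submitted_code)


def login_through_proxy(browser_origin: str, auth: Authenticator, public_handle: bytes) -> bool:
    """RP issues a challenge; the proxy forwards it unchanged; the browser
    signs it for whatever origin it is actually on. (Real browsers refuse
    even earlier, because RP_ID is not a suffix of the phishing domain.)"""
    challenge = os.urandom(32)
    return verify_assertion(public_handle, challenge, auth.get_assertion(challenge, browser_origin))


if __name__ == "__main__":
    auth = Authenticator()
    print("relayed OTP accepted:", verify_otp("482913", "482913"))
    print("passkey on real site:", login_through_proxy(RP_ORIGIN, auth, auth.public_handle))
    print("passkey via proxy:  ", login_through_proxy(PHISH_ORIGIN, auth, auth.public_handle))
```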
Email security layering. URLs were used four times more often than malicious attachments in 2025 email attacks (Proofpoint) — a reversal from historical patterns, driven by improved endpoint security blocking malicious files. Modern email security needs to inspect links dynamically at click time, not just at delivery. In 2024, phishing emails bypassing Microsoft’s native security increased 47%.
Reporting culture. Verizon’s DBIR data shows 20% of employees who receive a phishing simulation report it as suspicious — but of those who clicked first, 11% still reported afterward. Building a culture where employees report suspicious contacts without fear enables security teams to identify active campaigns before they cause widespread damage.
| Defense Layer | Effectiveness | Key Limitation |
|---|---|---|
| Security Awareness Training | 86% reduction in click rates (12 months) | Requires ongoing reinforcement; one-time training decays |
| Standard MFA | Blocks most credential theft | Bypassed by AiTM attacks (+146% in 2024) |
| Phishing-Resistant MFA | Blocks AiTM attacks | Deployment complexity; hardware cost |
| Email Security Gateway | Filters majority of bulk phishing | 47% increase in bypass rate in 2024; AI phishing evades signature detection |
| DNS/URL Filtering | Blocks known malicious domains | Attackers use legitimate cloud platforms (Google, Dropbox, SharePoint) |
| Incident Reporting Culture | Early campaign detection | Requires psychological safety and clear reporting process |
Source: KnowBe4 2025 Phishing Benchmarking Analysis
| Statistic | Data Point | Source | Year |
|---|---|---|---|
| Daily phishing emails sent globally | 3.4 billion | Industry consensus | 2024–2025 |
| FBI IC3 phishing complaints | 193,407 (#1 most-reported crime) | FBI IC3 2024 Annual Report | 2024 |
| Unique phishing attacks (APWG) | 4.8 million (2024); 3.8M (2025) | APWG | 2024–2025 |
| Direct phishing losses (IC3) | $70 million (+274% from 2023) | FBI IC3 2024 / Proofpoint | 2024 |
| BEC losses (IC3) | $2.77 billion | FBI IC3 2024 Annual Report | 2024 |
| BEC losses (10-year total) | $17.1 billion since 2015 (+1,025%) | FBI IC3 via Abnormal Security | 2015–2024 |
| Average phishing breach cost | $4.88 million | IBM Cost of a Data Breach 2025 | 2025 |
| Average BEC breach cost | $4.67 million | IBM 2025 | 2025 |
| Phishing detection time (average) | 254 days | IBM 2025 | 2025 |
| Time to click (median) | 21 seconds after opening | Verizon DBIR | 2025 |
| Time to credential entry (median) | 49 seconds total | Verizon DBIR | 2025 |
| Phishing in all data breaches | 36% | Verizon DBIR 2025 | 2025 |
| Phishing as initial breach vector | 16% of breaches | IBM 2025 | 2025 |
| Human element in breaches | 60% | Verizon DBIR 2025 | 2025 |
| Global average PPP (untrained) | 33.1% | KnowBe4 2025 Benchmark Report | 2025 |
| North American baseline PPP | 37.1% | KnowBe4 2025 Benchmark Report | 2025 |
| Highest-risk industry (PPP) | Healthcare & Pharma: 41.9% | KnowBe4 2025 Benchmark Report | 2025 |
| PPP reduction after 12-month training | 86% reduction; 33.1% → 4.1% | KnowBe4 2025 Benchmark Report | 2025 |
| AI content in phishing emails | 82.6% | KnowBe4 2025 Phishing Threat Trends | 2024–2025 |
| AI phishing click rate | 54% vs 12% (traditional) | Academic research | 2024 |
| Vishing growth rate | +442% (H1 to H2 2024) | CrowdStrike 2025 | 2024 |
| Smishing share of all phishing | 35%; +40% YoY | SentinelOne 2026 / Keepnet 2025 | 2025 |
| QR phishing growth | +400% between 2023–2025 | Abnormal Security | 2025 |
| AiTM phishing growth | +146% in 2024 | Security vendor telemetry | 2024 |
| Financial services: phishing share | 23.5% of all attacks | APWG 2024–2025 | 2024–2025 |
| SaaS/webmail: phishing share | 19.4% of attacks | APWG 2024–2025 | 2024–2025 |
| Largest single vishing incident | $25 million deepfake CFO call (Arup) | CrowdStrike / Brightside | 2024 |
| BEC share of financially motivated breaches | 58% | Verizon DBIR 2025 | 2025 |
All statistics in this article are sourced directly from Tier 1 primary sources: government agencies, peer-reviewed researchers, and organizations that collect raw incident or simulation data. No blog-to-blog citations were used as primary references. Where CNiC-derived calculations appear (labeled clearly in the article), the formula and contributing sources are stated explicitly.
Primary Sources Referenced:
This article was researched and published by CNiC Solutions, a Houston-based managed IT and cybersecurity provider. Content is updated as new primary source data becomes available. Last updated: May 2026.