Phishing Statistics 2026
Phishing losses reported to the FBI grew 208% in a single year. BEC crossed $3 billion. Every second, more than 39,000 phishing emails are sent. And the median employee who receives one clicks within 21 seconds — faster than any automated defense can respond.
This page aggregates the verified 2025–2026 data from primary sources: FBI IC3, APWG, Verizon DBIR, IBM, CrowdStrike, Zimperium, ENISA, Microsoft, and others. Every statistic is labeled with its source and report year. Where sources conflict, we note it. Where numbers are extrapolations or estimates rather than direct measurements, we flag it.
Key numbers at a glance
| Metric | Figure | Source |
|---|---|---|
| FBI-reported cybercrime losses (US, 2025) | $20.8 billion | FBI IC3 2025 |
| FBI complaints in 2025 | >1 million (first time ever) | FBI IC3 2025 |
| Email-origin fraud (BEC + phishing + impersonation) | >$4 billion | FBI IC3 2025 |
| BEC losses (US, 2025) | $3.04 billion | FBI IC3 2025 |
| Phishing/spoofing losses (US, 2025) | $215.8 million (+208% YoY) | FBI IC3 2025 |
| Phishing/spoofing complaints (US, 2024) | 193,407 | FBI IC3 2024 |
| Total APWG phishing attacks observed (2025) | 3.8 million | APWG 2025 |
| APWG phishing attacks, Q4 2025 | 853,244 | APWG Q4 2025 |
| Median time-to-click on a phishing email | 21 seconds | Verizon DBIR 2025 |
| Median time-to-report a phishing email | 28 minutes | Verizon DBIR 2025 |
| Average cost of a phishing-initiated breach | $4.8 million | IBM 2025 |
| Share of breaches involving phishing | 36% | Verizon DBIR 2025 |
| Vishing surge, H1 vs H2 2024 | +442% | CrowdStrike 2025 |
| Smishing share of all mobile phishing | 69.3% | Zimperium 2025 |
| AI-supported share of social engineering | >80% | ENISA 2025 |
| Phishing-as-a-Service monthly kit price | $120–$350 | Microsoft MDDR 2025 |
1. Email phishing: volume, losses, and click rates
Volume
The APWG Phishing Activity Trends Report tracked 3.8 million phishing attacks in 2025, up from 3.76 million in 2024 — steady growth, not an explosion. Within that annual total, the quarterly distribution shows significant spikes: Q1 2025 recorded 1,003,924 attacks (the largest quarter since late 2023), Q2 accelerated to 1,130,393 (a 13% quarter-over-quarter increase), then eased to 853,244 in Q4.
APWG counted 496 brands targeted in December 2025 alone — a record monthly figure. Attackers are spreading impersonation lures more broadly, reducing reliance on a small set of high-value brand names.
Financial losses
The FBI released the 2025 Internet Crime Report on April 6, 2026 — the first year the IC3 received more than one million complaints in a single year. Total losses reached $20.8 billion. Across the categories that exploit trust in email:
- BEC (Business Email Compromise): $3.04 billion in losses across 21,442 complaints
- Phishing and spoofing: $215.8 million — a 208% increase from $70 million in 2024
- Government impersonation: $797.9 million — nearly double 2024’s $405.6 million
- Combined email-origin fraud: over $4 billion, representing approximately 19% of all IC3-reported losses
The three-year BEC trend tells a clear story: $2.94B (2023), $2.77B (2024, a brief dip), $3.04B (2025). The 2024 decline was short-lived.
Original calculation: At $215.8 million in reported phishing losses across 2025 (8,760 hours), phishing attacks were generating approximately $24,600 in reported losses per hour in the United States alone — and IC3 data historically captures only a fraction of actual losses, as most cybercrimes go unreported.
Click rates and time-to-compromise
The Verizon 2025 Data Breach Investigations Report introduced the most alarming timing data in recent memory:
- Median time-to-click on a phishing email: 21 seconds. The victim doesn’t deliberate. The response is reflexive.
- Median time-to-report a phishing email: 28 minutes. The gap between the first click and the first alert is 27 minutes and 39 seconds.
- 1 in 3 users who click a phishing link type credentials into the attacker’s site. The click is not the only failure point.
IBM’s 2025 Cost of a Data Breach Report, independently conducted by the Ponemon Institute across 600 organizations in 17 industries, ranked phishing as the #1 initial access vector at 16% of breaches, with an average breach cost when phishing is the initial vector of $4.8 million — $360,000 above the global average across all breach types.
Most targeted sectors: email phishing
APWG Q4 2025 sector breakdown shows a notable shift. Social media and SaaS/webmail each accounted for 20.3% of phishing lures — a tie at the top. Telecom jumped from 5.9% in Q3 2025 to 18.7% in Q4, reflecting attackers pivoting toward phone-based account recovery and SMS-linked credential flows. Financial institutions fell to 9.3% — still high, but no longer the dominant target they once were.
2. Smishing: SMS and mobile phishing
Volume and growth
Zimperium’s 2025 Global Mobile Threat Report established smishing as the dominant mobile attack channel, accounting for 69.3% of all mobile-targeted phishing (a category Zimperium terms “mishing”). Smishing incidents rose 22% year-over-year in 2025.
Separate Barclays research documented a 40% surge in SMS-originated scam reports from 2024 to 2025, with SMS scams reaching 14% of all scam claims filed with the bank.
APWG reported 30–40% quarter-over-quarter growth in SMS-based fraud detections in Q4 2025.
Why smishing outperforms email phishing
The click-through rate differential is stark. Email phishing click rates average 2–4% in organizational settings. Smishing click-through rates range from 8.9% to 14.5% in enterprise data, and up to 36% in broader consumer studies (Zimperium/Keepnet 2025). SMS messages carry more implicit trust, arrive on personal devices with weaker enterprise security controls, and render on small screens where URL inspection is difficult.
Zimperium found that 83% of phishing websites are designed specifically for mobile screens — attackers have followed the channel shift. A malicious URL that looks suspicious on a desktop browser may be invisible as a truncated string on an iPhone lock screen.
The toll scam wave
A documented campaign that illustrates the scale: In 2024, the FTC reported Americans lost $470 million to text scams overall, and the FBI’s IC3 received 59,271 complaints tied specifically to smishing messages impersonating US toll collection agencies (E-ZPass, SunPass, and others). A November 2025 lawsuit by Google, described by Reuters, alleged a single text phishing operation created nearly 200,000 fraudulent websites in 20 days, impersonating major brands including Google, USPS, and toll operators.
Smishing note: awareness gap
Only 36% of Americans can accurately define smishing (Proofpoint 2024 State of the Phish). Two-thirds of the potential victim population doesn’t know the attack type exists by name. Security awareness programs that address only email phishing are leaving this gap open.
3. Vishing: voice phishing
CrowdStrike’s 2025 Global Threat Report documented a 442% increase in voice phishing (vishing) attacks between H1 and H2 2024. By mid-2025, vishing volume had already exceeded the full-year 2024 total.
The mechanism driving this surge is AI voice cloning. McAfee research established that just 3 seconds of audio — from a publicly available video, conference recording, or voicemail — is sufficient to generate a convincing voice clone. Coordinated campaigns now combine:
- A smishing text to establish initial contact and prime the target
- A voice call impersonating a known person (manager, bank representative, IT support) to deliver the actual request
The FBI’s 2025 IC3 report specifically noted AI voice generators and AI chat tools as techniques documented in complaints — AI was used to match CEO writing style in email, then voice cloning provided phone confirmation. When both vectors are consistent, human detection fails.
Verizon DBIR 2025 reports that 19% of breaches now originate from smishing or vishing combined — making the phone a breach vector comparable in scale to traditional email.
4. Social media and QR code phishing
Social media
In APWG’s Q4 2025 data, social media accounts for 20.3% of all phishing lures — tied with SaaS/webmail for the most targeted sector. Attackers use social platforms in two ways: creating fraudulent brand pages and login flows that harvest credentials, and using platform DMs as a delivery channel that bypasses corporate email gateways entirely.
The WEF Global Cybersecurity Outlook 2025 notes that 77% of cybersecurity leaders reported an increase in cyber-enabled fraud and phishing — phishing is now the top-ranked concern for CEOs, above ransomware.
QR code phishing (“quishing”)
QR code phishing grew 400% between 2023 and 2025 (Abnormal Security). The vector works because:
- QR codes bypass standard email link scanners — a scanner evaluates URLs, not images
- They redirect to mobile-rendered phishing pages, exploiting the same trust gap as smishing
- They appear in printed materials, email attachments, and increasingly in physical locations (fake parking meters, coffee shop table cards)
Mimecast detected over 1.7 million unique malicious QR codes in a six-month measurement window, with an average of 2.7 million emails containing QR codes processed daily in their network.
5. AI-powered phishing
This is the structural shift that makes the 2025–2026 data read differently from prior years. Phishing has always scaled. AI has made it both scale further and improve qualitatively.
Key figures:
- ENISA 2025 Threat Landscape: AI-supported phishing represents more than 80% of observed social engineering activity worldwide as of early 2025.
- Microsoft MDDR 2025: AI-crafted phishing lures show markedly higher user engagement in controlled testing. Microsoft screens approximately 5 billion emails per day for threats.
- IBM 2025: 1 in 6 breaches now involves attacker-used AI; of those AI-involved breaches, 37% are attributed to phishing lures and 35% to deepfake impersonation.
- Cofense 2025: AI-powered phishing achieves one malicious email past secure email gateways every 19 seconds. 18% of malicious email is now classified as conversational AI lures — messages that read like natural human correspondence.
- HBR 2024 study: AI-generated spear phishing achieves a 54% click-through rate, matching the performance of human-crafted expert campaigns but at roughly 95% lower cost per message.
The practical consequence of the cost reduction is industrialization. LLM tools have reduced the time to craft a convincing phishing campaign from 16 hours to approximately 5 minutes. The barrier to entry has collapsed.
Phishing-as-a-Service
Microsoft’s MDDR 2025 documented the commodification of adversary-in-the-middle (AiTM) phishing kits. Operations like Tycoon 2FA, Mamba 2FA, and Evilginx are available for subscription at $120–$350/month. These kits don’t just steal passwords — they steal authenticated session tokens, bypassing multi-factor authentication entirely. Microsoft attributes 80% of MFA-bypass breaches to session-token theft via these kits.
Tycoon 2FA alone, in one month of mid-2025 measurement, generated over 30 million phishing emails — representing approximately 62% of all phishing blocked by Microsoft’s systems in that period.
6. Business Email Compromise: the most expensive phishing variant
BEC is a phishing category that requires no malware and no technical exploit — only convincing impersonation. An attacker spoofs or compromises an executive’s email account and sends a payment authorization request to finance; the resulting wire transfer or ACH payment moves real money.
Key BEC statistics from primary sources:
- FBI IC3 2025: $3.04 billion in US BEC losses, 21,442 complaints. Average loss per complaint: $141,000.
- Three-year trend: $2.94B (2023) → $2.77B (2024) → $3.04B (2025). The 2024 dip was anomalous; 2025 set a new record.
- IBM 2025: Average total cost of a BEC attack: $4.67 million (including indirect costs, investigation, remediation).
- Verizon DBIR 2025: BEC accounts for 58% of financially motivated phishing breaches.
- Fortra/APWG Q4 2025: Wire-transfer BEC attempts surged 136% quarter-over-quarter in Q4 2025, with an average requested wire amount of $50,297. Gift cards remained the dominant cash-out method at 59% of BEC payment attempts.
The FBI’s Recovery Asset Team (RAT) froze $679 million across 3,900 BEC incidents in 2025, with a 58% success rate — but recovery requires rapid reporting. Most BEC funds move within hours and the window for clawback is narrow.
7. Defense effectiveness
The defense statistics matter as much as the attack data. They indicate what actually works.
| Defense | Measured Effect | Source |
|---|---|---|
| Security awareness training, 12 months | Phish-prone rate: 33.1% → 4.1% (86% reduction) | KnowBe4 2025 |
| DMARC enforcement (p=reject) | Blocks email spoofing at domain level | NIST, CISA guidance |
| Phishing-resistant MFA (passkeys, FIDO2) | Defeats AiTM session-token attacks | Microsoft MDDR 2025 |
| AI-powered anti-smishing tools | 96.2% detection rate | Keepnet 2026 |
| Traditional anti-smishing tools | 25–35% detection rate | Keepnet 2025 |
| Security AI deployment (org-wide) | 80 days faster breach detection, $1.9M average savings | IBM 2025 |
| Organizations with DMARC at p=reject (US) | Only 35–44% of large organizations | Red Sift 2026 analysis |
The KnowBe4 finding deserves attention: the baseline phish-prone percentage across organizations is 33.1% — one in three employees will click on a simulated phishing message without training. After 12 months of structured awareness programs, that drops to 4.1%. The training doesn’t need to be sophisticated; it needs to happen consistently.
The DMARC gap is equally striking. The FBI documents billions of dollars in losses tied to email spoofing. CISA’s email security guidance lists DMARC enforcement as a baseline control. Yet in a 2026 analysis of nearly 2,000 domains across US organizations, Red Sift found only 35% of Northeast organizations and 40–44% of Mid-Atlantic and Southwest organizations had reached full DMARC enforcement. The majority of large US organizations remain exposed to the exact attack type driving $4 billion in IC3 losses.
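The enforcement gap above is a question of what the `_dmarc` TXT record actually says. The following classifier is an added example (not code from any of the reports cited on this page); it parses the RFC 7489 tag=value syntax with the standard library only and distinguishes a monitoring-only record from a staged rollout, a subdomain gap, and full enforcement. All domain names and records in it are constructed for illustration.

```python
"""Classify a DMARC TXT record by enforcement level.

Added example: a stdlib-only parser for the tag=value syntax of RFC 7489.
The .test domains and their records below are constructed and do not
describe any real organization's DNS.
"""
from typing import Dict

# Constructed sample records (hypothetical .test domains).
SAMPLE_RECORDS: Dict[str, str] = {
    "monitor-only.test": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.test",
    "rollout.test": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@rollout.test",
    "subdomain-gap.test": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@subdomain-gap.test",
    "enforced.test": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@enforced.test",
    "no-record.test": "",
    "malformed.test": "p=reject; v=DMARC1",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict (keys lower-cased, values stripped)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def enforcement_level(record: str) -> str:
    """Return one of: missing, invalid, monitor, partial, subdomain-gap, enforced."""
    if not record.strip():
        return "missing"
    # RFC 7489 requires v=DMARC1 to be the first tag; receivers ignore the record otherwise.
    first = record.split(";", 1)[0].strip().lower().replace(" ", "")
    tags = parse_dmarc(record)
    if first != "v=dmarc1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor"          # reports only; spoofed mail is still delivered
    if policy not in ("quarantine", "reject"):
        return "invalid"
    # pct defaults to 100; anything lower means only a sample of failing mail is acted on.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if pct < 100:
        return "partial"
    # sp defaults to p; an explicit sp=none leaves every subdomain spoofable.
    if tags.get("sp", policy).lower() == "none":
        return "subdomain-gap"
    return "enforced"


def audit(records: Dict[str, str]) -> Dict[str, str]:
    """Classify a batch of domain -> record pairs."""
    return {domain: enforcement_level(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, level in audit(SAMPLE_RECORDS).items():
        print(f"{domain:22} {level}")
```

To run it against a real domain, fetch the record first (for example `dig +short TXT _dmarc.example.com`) and pass the returned string to `enforcement_level`. Note that `quarantine` and `reject` are both counted as enforced here; the page's table refers specifically to `p=reject`, which is the stricter of the two.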
8. Year-over-year trend table
| Year | APWG Phishing Volume | FBI IC3 Total Losses | FBI BEC Losses | Avg. Cost: Phishing Breach |
|---|---|---|---|---|
| 2021 | ~680,000 (Q1 peak) | $6.9 billion | $2.39 billion | ~$3.86M (IBM) |
| 2022 | ~1.35 million (Q1 peak) | $10.2 billion | $2.74 billion | $4.91M (IBM) |
| 2023 | ~3.76 million (full year) | $12.5 billion | $2.94 billion | $4.76M (IBM) |
| 2024 | ~3.76 million (full year) | $16.6 billion | $2.77 billion | $4.88M (IBM) |
| 2025 | ~3.8 million (full year) | $20.8 billion | $3.04 billion | $4.8M (IBM) |
Sources: APWG Phishing Activity Trends (quarterly reports); FBI IC3 Annual Reports 2021–2025; IBM Cost of a Data Breach Reports 2021–2025. Note: APWG data measures unique phishing attack instances in their detection network; FBI IC3 data reflects reported US complaints and losses only. Neither figure captures total global activity.
9. Where sources conflict — and why
Researchers and journalists regularly encounter contradictory phishing statistics. The most common conflicts, and their explanations:
“36% of breaches involve phishing” (Verizon) vs. “16% of breaches start with phishing” (IBM)
These measure different things. Verizon’s 36% counts phishing as a factor at any point in a breach chain. IBM’s 16% counts phishing as the confirmed initial access vector. Both numbers are correct; they answer different questions.
“$2.77B in BEC losses” (IC3 2024) vs. “$6.3B in BEC losses” (Verizon DBIR citing FBI data)
Different categorization methodology. The $2.77B figure reflects IC3’s narrow BEC definition. The $6.3B figure includes broader financial fraud categories that Verizon attributes to BEC in its DBIR analysis. IC3’s figure is the more conservative and directly auditable number.
“Phishing = #1 initial access vector” (IBM 2025) vs. “Vulnerability exploitation overtook phishing” (Verizon DBIR 2025)
In the 2025 Verizon DBIR, exploitation of vulnerabilities rose to 20% of breach initial vectors, while phishing stood at 15–16% — making exploitation the #1 category in Verizon’s measured population. IBM’s Ponemon study of 600 organizations ranked phishing first at 16%. The difference is population composition: Verizon’s dataset skews heavily toward external-facing attack patterns in its measured industries; IBM’s study is more cross-sector.
Phishing email volume figures (39,000/second vs. 3.4 billion/day)
These figures are not in conflict — they’re the same number expressed differently (3.4B ÷ 86,400 seconds ≈ 39,000/second). Both are industry estimates based on extrapolation from major gateway provider data, not direct global measurements.
Methodology and source notes
This page draws exclusively from primary sources. Secondary aggregator sites are not used as sources. The primary reports informing this page:
- FBI IC3 Annual Reports — US-only, complaint-based data. Significant undercount of actual losses since most cybercrime goes unreported. Released annually, typically April of the following year.
- APWG Phishing Activity Trends — measures unique phishing attack URLs and campaigns detected by APWG member organizations. Released quarterly, approximately 60 days after quarter-end.
- Verizon Data Breach Investigations Report — annual breach investigation dataset, typically 10,000–25,000+ incidents. Industry-specific breakdowns. Released annually, typically May.
- IBM Cost of a Data Breach — conducted by Ponemon Institute, ~600 organizations, 17 industries, 17 countries. Measures total breach costs including direct and indirect. Released annually, typically July.
- ENISA Threat Landscape — EU-focused annual threat report. Strong on European regulatory and incident data.
- Microsoft Digital Defense Report — telemetry from Microsoft’s global security infrastructure; extraordinary scale but Microsoft-ecosystem-skewed.
- CrowdStrike Global Threat Report — endpoint and cloud telemetry; strong on threat actor attribution.
- Zimperium Global Mobile Threat Report — mobile-specific data; independent of desktop email security vendors.
- KnowBe4 Phishing by Industry Benchmarking Report — simulation-based data; measures click rates within trained populations, not real-world attacks.
What this page does not include: Statistics from companies that do not publish methodology, figures that cannot be traced to a named primary report, and projections presented as current data. Predictions and forecasts are labeled as such.
Frequently asked questions
How many phishing attacks happen per day in 2026?
Based on APWG’s 2025 full-year total of 3.8 million observed phishing attacks, the daily average is approximately 10,400 unique phishing attacks per day in APWG’s detection network. This measures distinct attack instances (URLs/campaigns), not individual emails sent. Daily email phishing volume — including bulk spam campaigns — is estimated at 3.4 billion messages per day (Keepnet/VIPRE 2025), though this figure is an industry extrapolation from gateway data rather than a direct count.
What percentage of cyberattacks start with phishing?
The most-cited figure is 90%+, sourced from CISA guidance and widely repeated. The more precisely sourced figures are: phishing appears in 36% of all data breaches (Verizon DBIR 2025) and is the confirmed initial access vector in 16% of breaches (IBM 2025). The 90%+ figure refers to the broader category of social engineering as an element somewhere in the attack chain, not phishing as the sole initial vector.
What is the most targeted industry for phishing?
In APWG Q4 2025 data, social media and SaaS/webmail are tied at 20.3% of lures each, followed by telecom at 18.7% and financial institutions at 9.3%. Industry-level data from Verizon DBIR 2025 shows social engineering as a top breach pattern in finance, retail, and technology, accounting for 16–22% of initial access in those sectors.
How effective is anti-phishing training?
KnowBe4’s 2025 Phishing by Industry Benchmarking Report — the largest training-platform dataset available — measured a baseline phish-prone rate of 33.1% across untrained organizations, falling to 4.1% after 12 months of consistent training. That is an 86% reduction. The Verizon 2025 DBIR independently confirms that trained organizations have materially lower click rates on phishing simulations, though it notes a behavioral floor: the median trained employee still clicks at roughly 1.5%.
Does MFA stop phishing?
Standard MFA (TOTP codes, push notifications) does not stop modern AiTM phishing attacks. Microsoft’s 2025 Digital Defense Report attributes 80% of MFA-bypass breaches to session-token theft via adversary-in-the-middle kits like Tycoon 2FA — these kits intercept the authenticated session after the victim completes MFA, stealing the session cookie. Phishing-resistant MFA — FIDO2/passkeys, hardware security keys — does stop this attack type because the credential is cryptographically bound to the originating domain and cannot be replayed on an attacker’s site. CISA’s phishing-resistant MFA guidance details which MFA types qualify.
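The origin binding described above is what a relying party actually checks when it verifies a WebAuthn assertion. The script below is an added illustration, not a WebAuthn library and not code from Microsoft or CISA: it models the server side of the assertion check, where `clientDataJSON` carries the origin the browser really served, `authenticatorData` begins with SHA-256 of the relying-party ID, and the signature covers both. HMAC stands in for the authenticator's public-key signature so it runs with the standard library only; the domain names, key, and the AiTM proxy origin are constructed.

```python
"""Why phishing-resistant MFA defeats AiTM relay: the relying party's origin check.

Added illustration (simplified model, not a real WebAuthn implementation).
HMAC replaces the authenticator's ECDSA/EdDSA signature so this runs offline;
domains and the credential key are constructed.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

RP_ID = "bank.example"                       # hypothetical relying-party ID
EXPECTED_ORIGIN = "https://bank.example"     # the only origin the server accepts
AITM_ORIGIN = "https://bank-login.example"   # hypothetical proxy domain of an AiTM kit

# Stand-in for the credential's key pair (real authenticators use a public-key signature).
CREDENTIAL_KEY = b"constructed-demo-key"


def authenticator_assertion(origin: str, challenge: str) -> Dict[str, bytes]:
    """Model what browser + authenticator return from navigator.credentials.get().

    The browser, not the page, writes `origin` into clientDataJSON, so a page
    served from a proxy domain cannot claim to be the bank's origin.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes)
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def verify_assertion(assertion: Dict[str, bytes], expected_challenge: str) -> Tuple[bool, str]:
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(client.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def new_challenge() -> str:
    """Fresh per-ceremony challenge issued by the server."""
    return secrets.token_urlsafe(32)


def legitimate_login() -> Tuple[bool, str]:
    challenge = new_challenge()
    return verify_assertion(authenticator_assertion(EXPECTED_ORIGIN, challenge), challenge)


def aitm_relay() -> Tuple[bool, str]:
    """Proxy forwards the real challenge to a victim whose browser is on the proxy's origin.

    In practice the browser refuses the ceremony first, because RP_ID is not a
    suffix of the proxy's domain; this models the server-side check that would
    still reject the assertion if one were relayed.
    """
    challenge = new_challenge()
    return verify_assertion(authenticator_assertion(AITM_ORIGIN, challenge), challenge)


def replayed_assertion() -> Tuple[bool, str]:
    """An assertion captured earlier cannot be reused against a new challenge."""
    captured = authenticator_assertion(EXPECTED_ORIGIN, new_challenge())
    return verify_assertion(captured, new_challenge())


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("AiTM relay:", aitm_relay())
    print("replay:    ", replayed_assertion())
```

Contrast this with a TOTP code or push approval: neither carries the origin, so a proxy that forwards the victim's code to the real site gets a valid session, which is exactly the session-token theft the page attributes 80% of MFA-bypass breaches to.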
What should I do if I clicked a phishing link?
Immediately: disconnect from the network if possible, do not enter any credentials on the page you’re seeing, change passwords for any accounts that share credentials with what was targeted, alert your IT or security team if this is a work device, and file a report at ic3.gov (US) or reportfraud.ftc.gov. The FTC’s identity theft recovery guide at IdentityTheft.gov provides a step-by-step plan if personal information was exposed.