TL;DR
- Phishing remains one of the most effective attack techniques in 2026 because it exploits your identity, trust, and standard business workflows.
- Global phishing-related losses are projected to exceed $25 billion annually in 2026.
- AI has transformed phishing from clumsy spam into hyper-personalized, grammatically perfect campaigns that bypass filters and boost click rates up to 54%.
- Phishing-as-a-Service (PhaaS) and kits now power >60–90% of credential thefts.
- Spear phishing dominates high-value hits (91% of successful breaches start here).
- Modern phishing has moved beyond traditional email deception, with credential harvesting, MFA fatigue, and QR-code phishing now accounting for the majority of successful incidents.
Phishing remains the most persistent headache for security teams, regardless of how many tools are deployed or how often staff are trained. Phishing email statistics suggest that nearly 1.2% of all emails sent are malicious, which in numbers translates to 3.4 billion phishing emails daily.
Behind virtually every major cyberattack that made headlines was a phishing email that someone, somewhere, clicked.

No defensive stack or tools can make an organization immune to phishing attacks or cyberattacks. All of it can be bypassed the moment phishing is weaponized and aimed at the right person at the right moment.
And with generative AI and an increasingly volatile geopolitical climate that is turning nation-states into aggressive cyber actors, the threat has never been more calculated or dangerous.
This article cuts through the noise and brings you the latest phishing attack statistics for 2026, covering frequency, financial impact, and what organizations should do to fight back.
Top Phishing Attacks Statistics 2026

The sheer volume of phishing makes it the dominant form of cybercrime on the planet. The economics and numbers are brutal. In 2026, a convincing phishing campaign that once took days of planning can be deployed within hours. Volume is the attacker’s fallback, and it continues to work for them.
Last year, APWG detected approximately 1,003,924 phishing attacks in Q1 and 1,130,393 in Q2 (a 13% jump quarter-over-quarter). Overall, 2025 saw 3.8 million phishing attacks recorded, up slightly from 3.76 million in 2024.
- Studies show that 2026 will see a 14x increase in AI-generated phishing attacks, including SVGs and Calendar invites.
- Phishing is projected to account for more than 42% of all global breaches in 2026.
- APWG and others forecast continued high volumes of phishing attacks in 2026 (potentially 5M+ attacks annually) with expansion across multiple channels (email, SMS, QR, voice, social media).
- Phishing kits will drive >60% of incidents by end-2026
- WEF reports 94% of cybersecurity professionals cite AI as the most significant driver of change in the threat landscape for 2026
- 77% of leaders reported an increase in cyber-enabled fraud/phishing; it is now CEOs’ #1 concern (ahead of ransomware).
- 81.9% of phishing victims had their email address exposed in a prior data breach
What are the Types of Phishing Attacks?

Phishing is no longer just dodgy emails. In 2026, attackers now blend AI, personalized lures, deepfakes, and multi-channel tactics to trick individuals and organizations into revealing sensitive information.
Understanding the different types of phishing attacks is the first step toward protecting your organization. Below are the most common attacks every organization should be aware of:
1. Spear Phishing
Spear phishing is a highly targeted form of cyberattack in which attackers send personalized messages to a specific individual or organization.
In simple terms, it’s sending a personal message instead of blasting thousands of generic emails. Before initiating a spear-phishing campaign, threat actors usually research the target’s LinkedIn profile, company org chart, and public communications. Unfortunately, this makes it very effective, and even a technically sound person could fall for it.
- In 2024, spear-phishing attacks increased by 25%, and they now account for the majority of high-value breaches.
- 65% of attackers choose spear phishing as their primary attack method
- 71% of all targeted cyberattacks are conducted through spear phishing
- 88% of organizations face spear-phishing and business email compromise attempts every year.
- 91% of successful data breaches started with a spear phishing attack.
2. Vishing (Voice Phishing)
The phone is the new phishing vector. Vishing attacks increased by 442% between early and late 2024. In many cases, attackers now use AI voice cloning to impersonate executives or government officials, which even trained professionals struggle to detect.
- 70% of working adults and IT professionals reported encountering vishing attacks.
- Vishing attacks on professionals rose 28% in 2024
3. Smishing (SMS Phishing)
With most people carrying smartphones, smishing has become a high-yield attack channel. In this attack, text messages are used to trick users into clicking on malicious links or revealing sensitive information. Attackers often impersonate banks, delivery services, or legitimate app notifications to increase the likelihood of success.
- Approximately 70% of all mobile phishing attacks occur through smishing.
- US smartphone users faced approximately 484,500 malicious smish attacks.
- Reported smishing attacks rose 18% in 2024.
4. QR Code Phishing (Quishing)
Quishing embeds a malicious URL in a QR code image. Because the link exists only in an image, it bypasses most traditional text-based email security filters.
It is now one of the fastest-growing attack techniques.
- QR code phishing attacks increased 400% between 2023 and 2025 (Abnormal Security).
- Most affected sectors: energy, healthcare, and manufacturing.
5. Tool-Based & Collaboration Phishing
Modern phishing has expanded to collaboration platforms: attackers use chat and collaboration applications such as Microsoft Teams or Slack to deliver malicious links and files that can bypass email filters and basic security firewalls.
Attackers increasingly embed phishing in tools with weaker security scanning, making corporate messaging a growing threat surface. In 2025, they significantly expanded this activity, sending malicious links or files directly via real-time chats to steal credentials.
The AI Revolution in Phishing
If traditional phishing was a fishing net cast wide across the ocean, AI-powered phishing is a precision harpoon guided by real-time data.
And it’s now a weapon that almost anyone can wield. For decades, the telltale signs of a phishing email were poor grammar, awkward phrasing, or a suspicious sender name.

Those days are over. Generative AI now allows threat actors to produce flawless, personalized, multilingual phishing messages at an industrial scale. The result is emails that read as if they came from a colleague, a bank, or a government agency. The impact is measurable: successful phishing scams attributed to AI tools rose 400% in 2025 alone.
AI-generated mail can increase the click rate of phishing emails by up to 54%, compared to 12% for traditionally written phishing emails.
When the email reads as if it came from a real colleague, the psychological triggers that usually cause skepticism simply do not fire. A 54% click rate means more than half of all recipients engage with the attack, making AI-assisted phishing one of the most effective social engineering tools ever deployed at scale. The scary part is that AI-generated phishing results in a 33.6% credential theft rate.
36.9% of polymorphic phishing attacks use invisible characters to disrupt natural language processing detection systems
Modern email security platforms increasingly use NLP to identify suspicious content, so attackers have started inserting invisible Unicode characters into their messages to break the way those models parse text, without any visible difference to the human reader.
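A defender-side sketch of the normalization step this implies, as an added example that is not from the original article or any vendor's product: it counts invisible code points, flags those wedged inside Latin-letter words, and reports which watch terms only match after stripping. The watch-term list, the extra code-point set and both sample strings are constructed assumptions.

```python
import unicodedata

# Invisible code points that are NOT in general category Cf (constructed,
# non-exhaustive list): combining grapheme joiner and Hangul fillers.
EXTRA_INVISIBLE = {0x034F, 0x115F, 0x1160, 0x3164, 0xFFA0}

# Hypothetical terms a content filter might match on.
WATCH_TERMS = ("password", "verify", "invoice", "account")

# Constructed samples: an evasive lure and a benign message with an emoji
# that legitimately uses a zero-width joiner.
SAMPLE_EVASIVE = "Please ver\u200bify your pass\u00adword to keep your acc\u2060ount."
SAMPLE_BENIGN = "Great work \U0001F469\u200d\U0001F4BB on the release"


def is_invisible(ch):
    cp = ord(ch)
    if cp in EXTRA_INVISIBLE or 0xFE00 <= cp <= 0xFE0F:  # variation selectors
        return True
    # Cf covers zero-width space/joiners, word joiner, BOM, soft hyphen,
    # bidi controls and the tag block.
    return unicodedata.category(ch) == "Cf"


def strip_invisible(text):
    return "".join(ch for ch in text if not is_invisible(ch))


def _latin_letter(ch):
    return ch.isalpha() and ord(ch) < 0x0250


def scan(text):
    """Summarize invisible characters and what they were hiding."""
    found, intra_word = [], 0
    prev_visible, pending = None, 0
    for ch in text:
        if is_invisible(ch):
            found.append(ch)
            pending += 1
            continue
        # Invisible run sandwiched between two Latin letters splits a word;
        # joiners inside emoji or non-Latin scripts are not counted here.
        if pending and prev_visible is not None \
                and _latin_letter(prev_visible) and _latin_letter(ch):
            intra_word += pending
        prev_visible, pending = ch, 0
    raw, cleaned = text.lower(), strip_invisible(text).lower()
    return {
        "invisible": len(found),
        "intra_word": intra_word,
        "code_points": sorted({f"U+{ord(c):04X}" for c in found}),
        "revealed_terms": [t for t in WATCH_TERMS if t in cleaned and t not in raw],
    }
```

Running content inspection on the output of `strip_invisible` and treating a non-zero `intra_word` count as a signal in its own right covers both halves of the problem.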
On average, it costs $31 to address a single phishing email.
That figure may sound small in isolation, but an organization receiving hundreds of suspicious emails per day accumulates thousands of dollars in response costs before a single breach even occurs.
Multiplied across an entire workforce and a full year, that cost puts an invisible dent in the security team’s velocity and budget.
AI cuts phishing email production time from 16 hours to 5 minutes
IBM’s research puts a precise number on the AI advantage. What once took a skilled human attacker approximately 16 hours to produce a convincing, contextually appropriate phishing email now takes an AI system roughly 5 minutes. That 192x speed improvement fundamentally changes the economics of targeted phishing.
Phishing volume has grown 1,265% since ChatGPT launched
The November 2022 public release of ChatGPT represents a clear before-and-after line in phishing volume data. In the roughly three years since that release, phishing email volume has grown 1,265%. This figure reflects how gen AI is used by threat actors and how phishing is democratized.
82.6% of phishing emails are created by AI
In November 2025, only 4% of phishing emails showed meaningful indicators of AI involvement. By December 2025, that figure had jumped to 56%. By early 2026, security researchers placed the AI-assisted share at 82.6%.
Some Recent Phishing Attack Statistics
Phishing nowadays has evolved from a generic email scam to a cyberattack that looks exactly like your workflow, like your Amazon homepage, your Google security alert, or any finance team’s invoice request. Attackers have now shifted from sending random spam to fully automated campaigns designed to steal credentials and protected data.
55% of the phishing sites mimic real brands to steal data
Reports suggest that 55% of phishing sites impersonate popular brands to harvest credentials and financial data. This remained consistent throughout 2024-2025, indicating that attackers don’t need new tricks but are perfecting existing ones in new ways.
68% of phishing emails are new scams
Out of 100 million phishing emails blocked by Google every day, 68% belonged to previously unseen campaigns that had never been catalogued in any threat intelligence database.
Phishing accounts for 16% of all breaches
Following a major breach in 2025, phishing was identified as a contributing factor in 16% of all breaches, with generative AI cited as a major driver of the rise. IBM places phishing among the top three initial attack vectors by both usage among threat actors and cost.
Phishing-initiated cyberattacks go undetected for 254 days
This extended dwell time is a direct result of how phishing works: stolen credentials give legitimate access, meaning there is no malware or activity to trigger an alert. Organizations without proper access control can be easily compromised by phishing attacks.
Global phishing-related losses are projected to exceed $25 billion annually
With BEC and credential theft scaling rapidly, phishing-driven financial losses are expected to surpass $25 billion per year in 2026.
60% of security breaches involve the human element
Verizon DBIR 2025 confirms that human-related errors or social engineering, including phishing, contribute to 60% of breaches.

What Percentage of Cyberattacks Involve Phishing?
Phishing does not sit alongside other cyberattack methods as a peer. It sits above them as an enabler. Over 90% of cyberattacks globally begin with phishing as an initial vector, according to CISA.
Amount of Money that Organisations have Lost due to Scams and Frauds
According to the IBM Security Cost of a Data Breach Report, phishing has been ranking among the most expensive breach entry points, accounting for roughly 15–17% of breach causes and averaging nearly $5 million per incident worldwide.
In 2024 alone, Business Email Compromise (BEC) attacks caused around $2.7-$2.9 billion in reported losses across more than 21,000 incidents, making BEC one of the most financially damaging cybercrime categories reported to the FBI’s IC3.
Trends in Phishing Scams 2025–2026
Phishing has evolved into a fully industrialized scam, now widely offered as Phishing-as-a-Service (PhaaS). This commoditization dramatically increases the danger by lowering the skill barrier, enabling even novice criminals to carry out advanced phishing attacks.
Over the past decade, phishing has seen numerous dangerous trends emerge, but here are some of the most threatening ones shaping 2025–2026:
1. Phishing as a commodity in Ransomware Groups
Perhaps the most significant structural development in the 2025 threat landscape was the full commoditization of phishing-based initial access. The rise of Initial Access Brokers (IABs), criminal specialists who compromise networks via phishing and then sell that access to ransomware groups, means that ransomware operators no longer need to conduct phishing themselves. They simply purchase a foothold.
Q1 2025 saw 2,314 ransomware victims listed on data leak sites (a 213% increase over Q1 2024).
- Phishing and social engineering accounted for 46–67% of ransomware initial access events in 2025
- Ransomware was present in 44% of all data breaches analyzed in Verizon’s 2025 DBIR
- Cl0p, RansomHub, and Akira were the three most active ransomware strains in 2025 by victim count, all of which used phishing as a primary initial access method.
- IABs increasingly advertise access obtained through phishing campaigns on dark web marketplaces, with prices ranging from hundreds to tens of thousands of dollars, depending on the target industry and privilege level.
2. Multi-Channel Attacks
Today, attackers coordinate campaigns across email, SMS, voice calls, WhatsApp, LinkedIn, and Microsoft Teams.

A victim might receive a phishing email followed by a spoofed phone call ‘confirming’ it. This multi-channel pressure is far more effective than any single-channel approach and far harder to defend against.
- Phishing features in 57% of all social engineering incidents (2025)
- LinkedIn phishing messages account for 47% of all social media phishing attempts
- Microsoft Teams was identified as a growing vector for credential harvesting in 2024–2025
3. AiTM (Adversary-in-the-Middle) Attacks Bypassing MFA
Multi-factor authentication was once considered the silver bullet against phishing-based credential theft. AiTM frameworks like Evilginx2 and Modlishka now automate real-time session hijacking and allow attackers to bypass MFA by intercepting authentication tokens as the victim logs in.
- Microsoft reported over 10,000 AiTM attacks per month targeting its users in 2024
- 89% of security professionals still believe MFA provides complete protection — a dangerous misconception
4. Supply Chain Phishing
Rather than attacking a well-defended organization directly, attackers now target its vendors, suppliers, and partners.
A 2025 KnowBe4 phishing trends report found that 11.4% of phishing incidents occur within the supply chain, compromising a trusted third party to gain backdoor access to a high-value primary target.
- 11.4% of phishing attacks occur through the supply chain (KnowBe4, 2025)
- 65% of large companies cite third-party and supply chain vulnerabilities as their top resilience challenge (WEF, 2026)
Industries Commonly Targeted and Their Impact
Phishing has targeted many industries over the past couple of years. Attackers focus on these sectors to steal credentials, which can later be sold on the dark web or elsewhere online for a good amount, or simply exploited.
1. Financial Services
No sector is more valuable to a phisher than the financial services sector. Banking login pages remain phishing’s number one target. Stolen financial credentials are immediately monetizable, and attackers know it.
- Financial services account for 23.5% of all phishing attacks worldwide (APWG, 2024–2025)
- BEC attacks targeting wire transfers and payroll diversion continue to rise.
- Financial services and SaaS platforms account for 60% of phishing attacks.
- Between October 2013 and December 2023, BEC attacks caused $55 billion in global losses.
2. Healthcare

Healthcare is one of the prime targets of phishing scams, and the threats it faces have significantly increased after the pandemic. A single electronic health record can contain enough personal information for identity theft, insurance fraud, prescription fraud, and more. Attackers know this, and they know healthcare organizations are often resource-constrained on cybersecurity.
- 90% of healthcare institutions have experienced at least one security breach in recent years
- Healthcare ranks among the top sectors targeted by QR code phishing attacks
- 30% of major data breaches in healthcare occur in large hospitals, exposing patient health information
- Phishing-related cyberattacks on healthcare increased 75% in 2021, and the trend has continued upward.
- The average healthcare data breach cost reached $7.42 million in 2025
- 88% of healthcare workers opened phishing emails in 2024
3. Technology
It’s a common assumption that tech companies surrounded by engineers and security professionals are well-protected.
In reality, resource allocation varies wildly, and employees in tech firms are often overloaded, making them more susceptible to urgent-seeming requests.
- SaaS and webmail platforms (Microsoft 365, Google Workspace) account for 19.4% of phishing targets (APWG)
- Microsoft alone reported over 10,000 adversary-in-the-middle (AiTM) attacks per month targeting its users in 2024
- The volume of phishing emails targeting Microsoft 365 device code authentication grew significantly through 2025
4. Small and Medium Enterprises (SMEs)
Rather than targeting big, well-established, and known companies likely to have high-end security facilities, scammers nowadays find small and medium-sized enterprises to be much easier targets.
This is mainly because such companies have comparatively fewer security measures in place to thwart such attacks effectively, which makes them appetizing targets. Such up-and-coming companies may not have their cybersecurity roles filled or might not have the resources to fully implement effective security measures.
- Only 14% of SMEs have a cybersecurity plan in place.
- Small businesses account for 43% of all cyberattacks annually.
- Global cybercrime costs are projected to reach $10.5 trillion annually by 2025
- The average SME loses $25,000 per successful cyberattack.
5. Education
Yet another hub of personal data storage, the educational sector is a prime target for phishing and scams. From addresses to passwords and identification documents, they are all stored by nearly every educational institution. Their open network cultures and underfunded IT departments make them persistently vulnerable.
- Educational institutions experienced a 75% increase in cyberattacks in recent years.
- In terms of cybersecurity readiness, educational institutions consistently rank last across major sectors
- Phishing and malware targeting education have accelerated as remote and hybrid learning expanded attack surfaces.
What’s the Cost of a Phishing Attack?
Phishing directly affects financial assets for any organisation, and in 2025, phishing-related Business Email Compromise (BEC) attacks continued to inflict severe financial damage worldwide. The IBM Cost of a Data Breach Report 2025 found that the average phishing-related breach now costs organizations $4.88 million (nearly a 10% increase over the previous year).
- The FBI Internet Crime Complaint Center (IC3) reported over $16.6 billion in cybercrime losses in 2024 reports, driven by phishing and BEC.
- $4.88 million: Average cost of a phishing-related data breach in 2025.
- $70 million: Total reported losses from phishing in the US in 2024 (nearly 4x the $18.7 million recorded in 2023) (FBI IC3)
- $55 billion: Total global losses from Business Email Compromise (BEC) between October 2013 and December 2023 (FBI IC3)
- Losses attributed to phishing attacks are projected to exceed $25 billion annually.
- Phishing is the third costliest initial attack vector, behind only supply chain attacks and malicious insiders.
- Financial services (23.5%) and SaaS/webmail platforms (19.4%) are the two most targeted sectors, accounting for over 40% of attacks (APWG)
How To Prevent Phishing Attacks in 2026?

The good news hidden inside all this alarming data is this: organizations that actively invest in defense see dramatic results. Organizations with security awareness training reduce susceptibility to phishing attacks by over 40% in just 90 days and up to 86% within a year.
The takeaway is that organizations should treat security as an ongoing practice, not a one-time project.
1. Implement MFA (But Don’t Stop There!)
MFA remains essential, but must be combined with phishing-resistant authentication methods such as hardware security keys (FIDO2/WebAuthn) and conditional access policies.
AiTM attacks have made traditional TOTP-based MFA insufficient against sophisticated adversaries.
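Why a relayed TOTP code verifies while a WebAuthn assertion made on a lookalike page does not, as an added example that is not from the original article: it contrasts RFC 6238 verification with the relying-party origin and rpIdHash checks, and also illustrates the AiTM section above. The RP ID, origins, secret and `browser_assertion` helper are constructed assumptions, and signature verification over the authenticator data and client data hash, which stops a proxy from rewriting these fields, is assumed to be handled by the WebAuthn library in use.

```python
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "login.example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed legitimate origin


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret, submitted, unix_time):
    # The code carries no record of which site the user typed it into, so a
    # code relayed by a proxy verifies exactly like one entered directly.
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_assertion(page_origin, page_rp_id, challenge):
    """Constructed stand-in for browser + authenticator output. The browser,
    not the page, writes the origin into clientDataJSON."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    flags = bytes([0x01])                      # UP (user present) bit set
    auth_data = hashlib.sha256(page_rp_id.encode()).digest() + flags + bytes(4)
    return client_data, auth_data


def binding_failures(client_data_json, auth_data, expected_challenge):
    """Relying-party checks that tie an assertion to the real site.
    Returns the names of failed checks; an empty list means all pass."""
    cd = json.loads(client_data_json)
    failures = []
    if cd.get("type") != "webauthn.get":
        failures.append("type")
    if cd.get("challenge") != b64url(expected_challenge):
        failures.append("challenge")
    if cd.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash")
    elif not auth_data[32] & 0x01:
        failures.append("userPresent")
    return failures


def demo():
    secret, now, challenge = b"constructed-shared-secret", 1_700_000_000, b"\x01" * 32
    relayed_code = totp(secret, now)           # typed into a lookalike page
    direct = browser_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    proxied = browser_assertion("https://login.example-sso.test",
                                "login.example-sso.test", challenge)
    return (verify_totp(secret, relayed_code, now),
            binding_failures(*direct, challenge),
            binding_failures(*proxied, challenge))
```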
2. Deploy Email Security Tools
Legacy Secure Email Gateways (SEGs) are increasingly ineffective against AI-generated phishing.
Modern email security platforms use behavioral analysis, large-language-model-based content inspection, and real-time threat intelligence to detect attacks that rule-based systems miss.
91% of security managers report concern about their SEG’s effectiveness.
3. Continuous Employee Training and Simulations
Research shows that organizations with ongoing, simulation-based training programs see click rates on phishing emails drop to as low as 4.1%, while the click rate is 33.1% for untrained employees.
Training should be regular, contextual, and reinforced immediately after simulated failures.
4. Build a Culture of Verification
The most powerful anti-phishing tool is a culture where employees feel empowered to question unusual requests.
For example, a finance manager who calls back a ‘CEO’ to verify a wire transfer is not being insubordinate.
Final Thoughts
“Only Paranoid Survives”, as the legendary fictional hacker Finch from Person of Interest told us, is highly relevant to phishing. Security teams should always be paranoid about their environment.
Phishing is now the primary gateway to virtually every category of major cybercrime, from ransomware to nation-state espionage, and it has created a threat environment that is more sophisticated and more dangerous than at any previous point.
Yet the data also offers a clear path forward. Organizations that invest in proper threat intelligence, regular penetration testing, layered defenses, and consistent security awareness training withstand even the most advanced phishing attacks.
The organizations that will survive and thrive in this environment are not necessarily the ones with the largest security budgets. They are the ones who take the threat seriously, act decisively, and never stop learning.
The phishers certainly haven’t stopped. Neither should defenders.
FAQ
What type of phishing attack targets specific users or groups?
Spear-phishing targets specific groups or users with content that is designed specifically to lure them in. 65% of attackers have opted for spear phishing as their method of choice.
What is the average cost of a phishing breach?
The average cost of a phishing-related data breach reached $4.88 million in 2025, up nearly 10% from the prior year, according to the IBM Cost of a Data Breach Report 2025.
How is AI changing phishing?
AI allows attackers to generate flawless, personalized phishing emails at scale, achieving up to 54% click rates compared to 12% for traditionally written emails. In December 2025, AI-generated phishing attacks surged 14x compared to earlier months, a trend continuing into 2026.













