Phishing statistics 2025 – 2026: The numbers you need to know

Zensec SOC employees

Phishing attacks continue to dominate the cyber threat landscape, with phishing scams now responsible for the vast majority of cyber security breaches worldwide. For UK businesses, the risks are growing as phishing remains the entry point for data breaches, financial fraud and reputational damage.

This is a complete list of up-to-date phishing statistics for 2026.

If you are reading this because you have just experienced a ransomware incident and are unsure how to deal with ransomware data recovery, stop now and contact Zensec immediately.

On this page you’ll find hand-picked stats about phishing attack volumes, the cost and impact of phishing, AI-powered phishing, business email compromise, ransomware delivered via phishing, QR code phishing, the most targeted industries and brands, and what’s working in defence.

Every stat has been sourced from 2024 to 2025 data from leading cybersecurity research and government reporting. Let’s get into it.

Key phishing stats

These headline numbers set the scene. Phishing is not slowing down. If anything, the sheer volume of attacks and the financial losses they cause continue to climb year on year.

  1. Over 90% of cyberattacks begin with phishing, making it the leading method used by threat actors to breach networks and steal data (CISA).

  2. 3.4 billion phishing emails are sent globally every single day.

  3. In Q1 2025, over 1 million phishing attacks were observed, the largest quarterly total since late 2023.

  4. Phishing attack volumes rose steadily across 2024 and into 2025: from 877,536 in Q2 2024, to 932,923 in Q3, to 989,123 in Q4, and then over 1 million in Q1 2025.

  5. Approximately 3.8 million phishing attacks were recorded across the whole of 2025, slightly above 2024’s total.

  6. Phishing and spoofing were the most reported cybercrime category in the United States in 2024, with 193,407 complaints filed (FBI IC3 2024 Annual Report).

  7. Financial losses from phishing nearly quadrupled year on year: from $18.7 million in reported losses in 2023 to $70 million in 2024 (FBI IC3 2024 Annual Report).

  8. The average cost of a phishing-related data breach reached $4.88 million in 2025, up nearly 10% from the previous year.

  9. 75% of organisations worldwide experienced some form of phishing attack in 2020; by 2024, over 90% of businesses globally had experienced a phishing attack.

  10. It takes an average of 254 days to identify and contain a breach that begins with phishing.

How much does phishing cost businesses?

The financial damage from phishing extends well beyond the immediate losses. When you factor in breach containment, legal costs, regulatory fines, reputational damage, and operational downtime, the true cost balloons quickly. The $4.88 million average breach cost is a global figure across industries. Breaches identified after the 200-day mark cost an average of $1.2 million more than those caught earlier, which is why early detection matters so much.

For context, total reported cybercrime losses in the US reached $16.6 billion in 2024, a 33% increase from 2023 (FBI IC3 2024 Annual Report). Phishing serves as the gateway for the most expensive attack types, including business email compromise and ransomware.

Business email compromise (BEC) statistics

Business email compromise remains one of the most financially devastating outcomes of phishing. BEC doesn’t rely on malware or technical exploits. It relies on impersonation, urgency, and trust to trick employees into transferring money or sharing sensitive information.

  1. BEC was responsible for $2.77 billion in reported losses in the US in 2024, across 21,442 complaints (FBI IC3 2024 Annual Report).

  2. Since its initial inclusion in the 2015 IC3 report, total BEC losses have exceeded $17.1 billion over the past decade, an increase of over 1,025% (FBI IC3).

  3. Nearly $8.5 billion in BEC losses were reported to IC3 between 2022 and 2024 alone (FBI IC3).

  4. The average amount requested in wire transfer BEC attacks in Q4 2024 was $128,980, nearly double the Q3 average of $67,145.

  5. In Q1 2025, the average BEC wire transfer request dropped to $42,236, a 67% decrease from Q4 2024, but the total number of wire transfer BEC attacks increased by 33% compared to the previous quarter.

  6. Gift card scams were the most common BEC cash-out method in both Q4 2024 and Q1 2025, making up roughly half of all scam attempts.

  7. Google’s Gmail was the most popular free webmail provider used by BEC scammers: 81% in Q4 2024 and 73.5% in Q1 2025.

  8. Cloudflare became the most popular domain registrar used by BEC scammers in Q1 2025 at 28.6%, up from third place the previous quarter.

  9. 63% of organisations experienced BEC in 2024.

Why is BEC so expensive?

The average per-incident loss for BEC dwarfs most other cybercrime categories because the scam targets high-value financial transactions directly. A single spoofed email pretending to come from a CEO or supplier can redirect hundreds of thousands in wire transfers. Attackers don’t need sophisticated tools; they just need a convincing email and good timing.

AI-powered phishing statistics

Artificial intelligence has fundamentally changed the phishing landscape. Attackers use AI to craft more convincing messages, automate attacks at scale, and evade traditional detection systems. This is no longer an emerging trend; it is the current reality.

  1. 82.6% of phishing emails detected between September 2024 and February 2025 utilised AI, a 53.5% year-on-year increase.

  2. AI-based phishing tools now cost threat actors as little as $75 to execute.

  3. AI-generated phishing emails have a 60% higher click rate than traditionally crafted phishing emails.

  4. One study reported a 400% rise in successful phishing scams attributed to AI tools in 2025.

  5. 92% of polymorphic phishing attacks utilise AI to achieve unprecedented scale.

  6. In 2024, at least one polymorphic feature was present in 76.4% of all phishing attacks; in December 2024 alone, the monthly figure was 74.3% of emails.

  7. AI-generated content was used to obfuscate ransomware payloads by filling scripts with benign randomly generated text to confuse security scanners.

  8. AI-designed audiovisual deepfakes are being deployed to impersonate senior executives and authorise fraudulent transactions, though these remain rare for now.

What makes AI phishing different?

Traditional phishing relied on volume: send millions of poorly written emails and hope a few people clicked. AI changes this equation entirely. Attackers can now produce grammatically flawless, personalised, and context-aware messages in seconds. Large language models have reduced the time needed to create a convincing phishing campaign from 16 hours to roughly five minutes. The old rule of thumb that bad grammar and spelling errors give phishing away no longer holds.

Ransomware and phishing statistics

Phishing and ransomware remain deeply intertwined. Phishing emails are the primary delivery mechanism for ransomware, and the tactics used to disguise these payloads are growing more sophisticated.

  1. There was a 22.6% increase in ransomware payloads delivered via phishing emails between September 2024 and February 2025, compared to the previous six months.

  2. Between November 2024 and February 2025 specifically, ransomware delivery via phishing surged by 57.5% compared to the preceding three months.

  3. HTML smuggling, the most popular technique for hiding malicious payloads from antivirus scanning, increased by 85.6% in the same period.

  4. 45% of all ransomware attacks are delivered via phishing emails.

  5. Only 28% to 32% of ransomware victims paid ransoms in 2025, down from 37% in 2024.

  6. When ransoms were paid, the average amount ranged from US$1.2 million to $1.8 million, a 10% decrease from the prior year.

  7. Ransomware complaints to the FBI increased 9% year on year in 2024, with 3,156 complaints filed (FBI IC3 2024 Annual Report).

  8. The average HTML file size in phishing emails has grown from 20.6 KB in 2021 to 735.4 KB in 2025, as attackers use larger files to trigger email latency service-level agreements and delay detection.

The shift from encryption to exfiltration

Ransomware tactics have evolved significantly. Threat actors have moved away from simply encrypting stolen data and towards exfiltrating it and threatening to publish it. A third approach, sometimes called “triple extortion,” combines data theft with DDoS attacks and direct contact with customers or regulators to increase pressure on victims. The declining ransom payment rate is positive news, but it hasn’t slowed attacks because the cost of launching them continues to drop.

QR code phishing (quishing) statistics

QR code phishing, sometimes called “quishing,” has exploded as a delivery method. Attackers embed malicious QR codes in emails, and because the malicious URL is encoded in an image rather than appearing as text, traditional email filters often miss it.

  1. Between October 2024 and March 2025, more than 1.7 million unique malicious QR codes were detected in email attachments.

  2. An average of 2.7 million emails containing QR codes were found daily during this same period.

  3. QR code phishing attacks increased by 400% between 2023 and 2025.

  4. Mastercard was the brand most targeted by QR code phishing, with 14,233 malicious QR codes, followed by Microsoft at 11,796.

  5. Chinese phishers have been sending floods of SMS phishing messages using .TOP domain names and upgraded phishing kits, impersonating US toll road operators like EZPass.

  6. When inserted into email bodies, 67.6% of malicious QR codes are delivered as images and 32.4% are built using Unicode characters.

How to spot QR code scams

The real toll operators, banks, and government agencies almost never ask you to scan a QR code in an email or text message to make a payment. If a message pushes you to scan a code urgently, that should raise an immediate red flag. Legitimate organisations will direct you to their official website or app.

Most targeted industries and brands

Attackers focus their efforts on industries and brands where a single set of stolen credentials can unlock the most value. SaaS platforms, financial services, and payment providers consistently top the list.

  1. In Q4 2024, SaaS/Webmail was the most targeted sector at 23.3% of all phishing attacks, followed by social media at 22.5% and financial services at 11.9%.

  2. By Q1 2025, the picture shifted: SaaS/Webmail dropped to 17.6%, while payment (16.3%) and financial/banking (14.6%) sectors grew, together totalling 30.9% of all attacks.

  3. Microsoft was the most impersonated brand in Q2 2025 at 25% of all brand phishing attacks, followed by Google at 11% and Apple at 9%.

  4. The most impersonated brands in phishing emails overall include Microsoft, DocuSign, Adobe, PayPal, and LinkedIn.

  5. A 30% increase in the number of unique brands targeted was observed from Q3 to Q4 2024, suggesting scammers are expanding their target scope.

  6. Scammers are increasingly branching out to impersonate public utilities, car parking meter systems, bridge toll collection systems, and financial institutions.

Why these industries?

Financial services and SaaS platforms are targeted so heavily because the credentials they protect have outsized value. A single compromised Microsoft 365 or Google Workspace account can give an attacker access to email, cloud storage, collaboration tools, and connected third-party apps. Payment platform credentials can be monetised almost immediately. The shift towards financial and payment sector targeting in early 2025 signals that attackers are prioritising credentials they can convert directly into cash.

Phishing delivered via compromised accounts and supply chains

One of the most dangerous developments in phishing is the use of compromised legitimate accounts to send attacks. When a phishing email comes from a trusted colleague or supplier, it bypasses both technical filters and human suspicion.

  1. 57.9% of phishing emails detected between September 2024 and February 2025 were sent from compromised accounts.

  2. 11.4% of all phishing attacks in the same period came from within the target organisation’s supply chain.

  3. There was a 49.9% increase in phishing emails sent from compromised accounts, and a 67.4% increase from compromised accounts on third-party platforms, compared to the previous six months.

  4. The average domain age for phishing attacks that successfully bypassed Microsoft’s native security and secure email gateways was 3,829 days (over 10 years), meaning attackers are using long-established, trusted domains.

  5. The top legitimate platforms hijacked for phishing delivery include google.com, sharepoint.com, dropbox.com, youtube.com, docusign.com, tiktok.com, and kahoot.com.

  6. Cyber incidents involving key supply chain players continued throughout 2025, with attacks targeting SaaS providers, cloud platforms, and code repositories.

Email security and detection statistics

Despite growing investment in email security, a significant and growing number of phishing attacks are getting through traditional defences. Signature-based and reputation-based detection alone is no longer enough.

  1. In 2024, there was a 47% increase in phishing emails evading detection by Microsoft’s native security and secure email gateways.

  2. 96% of phishing attacks still arrive by email.

  3. Google blocks approximately 100 million phishing emails daily, yet many still reach inboxes.

  4. The top three words used in phishing email subject lines are “Urgent,” “Review,” and “Sign.”

  5. On average, phishing emails contained 1,058 characters (roughly 188 words) between September 2024 and February 2025.

  6. 81.9% of phishing victims had their email addresses leaked in previous data breaches.

  7. New employees typically received their first phishing email after just three weeks on the job.

  8. 36.9% of polymorphic phishing attacks use invisible characters to disrupt natural language processing detection systems.

What percentage of phishing gets through?

The exact bypass rate depends heavily on the organisation’s security stack. But the trend is clear: attackers are investing heavily in evasion techniques. Polymorphic campaigns, compromised sending accounts, legitimate platform abuse, and obfuscation methods like HTML smuggling and invisible Unicode characters all work together to defeat traditional filters. Layered security, combining technical controls with employee training, remains the most effective approach.
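The invisible-character trick mentioned above (stat 8 in the list) can be caught by comparing keyword hits before and after stripping zero-width characters. The following is an added example, not Zensec’s code or any product’s detection logic; the subject lines are constructed samples and SUSPICIOUS_WORDS are the three subject-line words cited earlier on this page.

```python
"""Detect invisible Unicode characters inserted to evade keyword and NLP filters.

Added example, not Zensec's code. The subject lines are constructed samples;
SUSPICIOUS_WORDS are the three subject-line words the statistics above cite.
"""
import unicodedata

# Zero-width and format characters commonly slipped between letters.
INVISIBLE = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
    "\u00ad": "SOFT HYPHEN",
}
SUSPICIOUS_WORDS = ("urgent", "review", "sign")

def is_invisible(ch):
    """True for the listed chars and any other format/control char that is not whitespace."""
    return ch in INVISIBLE or (unicodedata.category(ch) in ("Cf", "Cc") and not ch.isspace())

def find_invisible(text):
    """List (index, codepoint, name) for each invisible character in text."""
    return [(i, f"U+{ord(ch):04X}", INVISIBLE.get(ch) or unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(text) if is_invisible(ch)]

def normalise(text):
    """Strip invisible characters so downstream rules see the real words."""
    return "".join(ch for ch in text if not is_invisible(ch))

def triage(subject):
    """Compare keyword hits before and after normalisation; a difference means evasion."""
    hits = find_invisible(subject)
    raw = [w for w in SUSPICIOUS_WORDS if w in subject.lower()]
    clean = [w for w in SUSPICIOUS_WORDS if w in normalise(subject).lower()]
    return {"invisible_chars": len(hits), "keywords_raw": raw, "keywords_clean": clean,
            "evasion": bool(hits) and clean != raw}

# Constructed sample: "Urgent" and "Review" are broken up by zero-width characters.
SAMPLE_SUBJECT = "Ur\u200bgent: Re\u200dview and sign your invoice"

if __name__ == "__main__":
    print(find_invisible(SAMPLE_SUBJECT))
    print(triage(SAMPLE_SUBJECT))
```

Run the normalised text, not the raw subject, through any keyword or NLP classifier, and treat a non-zero invisible-character count in a subject line as a signal in its own right.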

DMARC and email authentication statistics

DMARC (Domain-based Message Authentication, Reporting and Conformance) is one of the most effective tools for preventing email spoofing, but adoption and enforcement remain inconsistent worldwide.

  1. Google and Yahoo now require DMARC for bulk email senders, contributing to a 65% reduction in unauthenticated email reaching Gmail inboxes.

  2. Banking shows relatively strong DMARC adoption globally, but insurance and legal services hover around only 52%.

  3. In Germany, 32.3% of domains still lack DMARC entirely, and 42% of government domains have no DMARC in place.

  4. In the Netherlands, government DMARC adoption is strong (only about 1% without DMARC), but transport and telecom sectors remain exposed with roughly 65% lacking DMARC.

  5. Domains that leave DMARC in monitoring-only mode (“p=none”) continue to experience brand abuse despite having SPF and DKIM in place.
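The difference between a monitoring-only record and an enforced one (stat 5 above) is visible in the DMARC TXT record itself. The following added example, which is not Zensec’s code, classifies records by enforcement level; the domains and records are constructed samples, and a live audit would fetch the TXT record at _dmarc.<domain> instead of reading the dict.

```python
"""Classify DMARC TXT records by enforcement level.

Added example, not Zensec's code. The records are constructed samples for
hypothetical .test domains; a live audit would look up the TXT record at
_dmarc.<domain> instead of reading this dict.
"""

# Constructed sample records (hypothetical domains, not real DNS data).
SAMPLE_RECORDS = {
    "none.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@none.example.test",
    "partial.example.test": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example.test",
    "reject.example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example.test",
    "broken.example.test": "v=DMARC1; rua=mailto:dmarc@broken.example.test",  # no p= tag
    "missing.example.test": None,  # no _dmarc TXT record published at all
}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; None if it is not a DMARC record."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return (status, reason); status is missing, invalid, monitoring, partial or enforced."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing", "no DMARC record: receivers apply no spoofing policy"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", "p= tag missing or malformed: receivers fall back to p=none at best"
    if policy == "none":
        return "monitoring", "p=none reports spoofing but does not block it"
    try:
        pct = int(tags.get("pct", "100"))  # share of failing mail the policy applies to
    except ValueError:
        pct = 100  # treat a malformed pct as the default
    subdomain_policy = tags.get("sp", policy).lower()  # subdomains inherit p unless sp is set
    if pct < 100 or subdomain_policy == "none":
        return "partial", f"p={policy} but pct={pct}, sp={subdomain_policy}: gaps remain"
    return "enforced", f"p={policy} on 100% of mail, subdomains {subdomain_policy}"

def audit(records):
    """Map each domain to its status so the p=none laggards stand out."""
    return {domain: assess_dmarc(record)[0] for domain, record in records.items()}

if __name__ == "__main__":
    for domain, status in audit(SAMPLE_RECORDS).items():
        print(f"{domain:24} {status:11} {assess_dmarc(SAMPLE_RECORDS[domain])[1]}")
```

Only the "enforced" outcome stops a spoofed message at the receiver; "monitoring" and "partial" domains still need SPF and DKIM aligned before the policy can safely be tightened to p=reject.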

Phishing trends to watch in 2026

These are the developments that will shape the phishing threat landscape over the coming year. Whether you’re running a security team, managing risk for a business, or advising clients, these are the trends worth tracking.

  1. Phishing volumes are expected to remain at or above 2025 levels, with projections suggesting over 5 million attacks annually.

  2. The global number of phishing sites reached 1,050,031 in 2025, up from 932,923 in 2024.

  3. Vishing (voice phishing), spear phishing attacks, and smishing (SMS phishing) are growing rapidly, with increased volumes reported in Q4 2024 and Q1 2025.

  4. Adversary-in-the-middle (AiTM) attacks, which bypass multi-factor authentication by intercepting session cookies in real time, surged 146% in 2024.

  5. Threat researchers predict that traditional approaches to grouping phishing emails into campaigns for detection will become impossible by 2027, due to AI-powered polymorphic behaviour.

  6. The cyber insurance market is projected to grow from $16–20 billion in 2025 to $30–50 billion by 2030, driven in part by AI risks, quantum computing threats, and supply chain vulnerabilities.

  7. The global cost of cybercrime is projected to reach $10.29 trillion in 2025 and $15.63 trillion by 2029.

  8. 33.1% of employees are susceptible to phishing and cyber attacks at baseline, but organisations that implement security awareness training see a reduction of over 40% in just 90 days and up to 86% within a year.

The bottom line for 2026

Phishing is not a problem that technology alone can solve. It targets people, not systems, and it scales effortlessly through automation and AI. The organisations that fare best combine layered technical defences (email authentication, advanced threat detection, endpoint protection) with ongoing employee training and a culture of reporting suspicious activity. The data is clear: when people are trained and empowered to spot phishing, click rates plummet and reporting rates surge. That combination of human awareness and technical controls is the most reliable defence available.