9 Shocking Phishing Statistics That Show Why Cyber Threats Are Getting Worse
Phishing attacks account for over 36% of all data breaches globally. In 2024, more than 3.4 billion phishing emails were sent daily. Organizations lose an average of $4.91 million per breach caused by phishing. Email remains the top attack vector, used in over 90% of all cyberattacks worldwide.
Phishing Statistics: What the Numbers Actually Tell You (and How to Stay Safe)
There is a moment most cybersecurity professionals quietly remember — the first time they realized a phishing email had actually fooled them. A few years ago, during a routine inbox check, an email arrived that looked exactly like a message from a cloud storage provider. The branding was flawless, the language was urgent but professional, and the link text appeared legitimate. What gave it away, almost too late, was a single extra character buried in the URL. That experience was a sobering reminder that phishing has evolved far beyond the clumsy, misspelled scam emails of the early internet era.
Today, phishing is one of the most sophisticated, scalable, and financially devastating forms of cybercrime on the planet. The statistics behind it are not just numbers — they are a window into how attackers think, who they target, and how alarmingly effective their methods have become. Whether you are an individual user, a small business owner, or a security professional at a Fortune 500 company, understanding current phishing statistics is one of the most important things you can do to protect yourself.
This guide breaks down the most important phishing data available today, explains what it means in practical terms, and gives you a clear roadmap for reducing your risk.
1. How Big Is the Phishing Problem? The Numbers at a Glance
To appreciate the scale of phishing, you first need to understand just how many attacks are happening at any given moment. According to recent data from Statista and the Anti-Phishing Working Group (APWG), over 3.4 billion phishing emails are sent every single day. That figure is staggering enough on its own, but it becomes even more alarming when you consider that this number has grown by more than 150% over the past three years alone.
The FBI’s Internet Crime Complaint Center (IC3) consistently ranks phishing as the number one cybercrime type by victim count in its annual reports. In 2023 alone, the IC3 received nearly 300,000 phishing-related complaints — more than any other cybercrime category. And that number represents only the attacks that were actually reported; the true volume is almost certainly several times higher, since most victims either do not realize they have been targeted or do not report the incident.
Google registers approximately 46,000 new phishing websites every single week. These are not static pages that sit on the internet for months — many of them are spun up, used for a targeted campaign, and taken down within 24 to 48 hours, making detection and takedown extremely difficult for security teams and browser-based filters.
Key takeaway: Phishing is not a niche threat or a problem that affects only large corporations. It is the single most common entry point for cybercriminals across virtually every industry and demographic.
2. Financial Cost of Phishing: What Businesses Are Losing
The financial consequences of phishing attacks are enormous and continue to escalate. IBM’s 2024 Cost of a Data Breach Report found that the average cost of a data breach globally reached $4.88 million — a figure that, for breaches initiated through phishing, can climb significantly higher once incident response, legal costs, regulatory fines, and reputational damage are factored in.
Phishing-based attacks are responsible for approximately 36% of all data breaches, according to the Verizon Data Breach Investigations Report (DBIR). When an attacker gains credentials through a phishing email, they typically have undetected access to corporate systems for an average of 197 days before discovery. Every day of that dwell time represents additional data theft, lateral movement, and potential ransomware deployment.
For small and medium-sized businesses, the situation is particularly dire. A Hiscox report found that 47% of small businesses experienced at least one cyberattack in the past year, with phishing being the most common method of entry. The average cost to a small business per phishing incident sits around $10,000 to $15,000 — enough to meaningfully disrupt or even bankrupt operations.
Business Email Compromise (BEC) — a highly evolved form of phishing in which attackers impersonate executives or trusted vendors — accounted for over $2.9 billion in reported losses in 2023 according to the FBI, making it the most financially destructive category of internet crime despite not being the most common in terms of volume.
The bottom line: Phishing is not just an IT inconvenience. It is a direct financial threat with measurable, often catastrophic costs for organizations of every size.
3. Types of Phishing Attacks: A Side-by-Side Comparison
Not all phishing attacks are created equal. Over time, cybercriminals have developed a range of specialized techniques that vary in their targeting, delivery method, and financial impact. Understanding the differences between these approaches helps both individuals and organizations calibrate the right defenses for their specific risk profile.
| Attack Type | Primary Target | Delivery Method | Success Rate | Avg. Financial Loss |
| --- | --- | --- | --- | --- |
| Email Phishing | General public / employees | Mass email campaigns | ~3.4% click rate | $136 per incident (avg) |
| Spear Phishing | Specific individuals / executives | Targeted personalized email | ~19% open rate | $1.6M per breach |
| Smishing (SMS) | Mobile users | Text message with link | Rapidly increasing | $500–$5,000 (consumer) |
| Vishing (Voice) | Elderly / corporate staff | Phone call impersonation | High (hard to detect) | $1,000–$50,000+ |
| Whaling | C-suite executives | Highly crafted email/call | Very targeted | $47,000+ per incident |
| Clone Phishing | Prior email recipients | Duplicated legitimate email | Moderate | Varies widely |
Email phishing remains the most common attack type by volume, but it is far from the most dangerous on a per-incident basis. Spear phishing — in which an attacker researches a specific individual or organization before crafting a highly personalized message — is alarmingly effective, with some studies suggesting that targeted spear phishing emails have open rates approaching 70% compared to under 5% for generic mass phishing campaigns.
Smishing (SMS phishing) and vishing (voice phishing) have both seen dramatic growth following the widespread adoption of smartphones. Many users who have developed a healthy skepticism toward suspicious emails remain surprisingly trusting of text messages or phone calls, giving attackers a potent alternative channel.
Whaling — targeting the most senior executives in an organization — represents a small fraction of total phishing volume but a disproportionately large share of financial losses, simply because the targets have greater financial authority and access to more sensitive systems.
4. Who Gets Targeted? Industry and Demographic Data
Phishing campaigns are not random. Attackers carefully select their targets based on the expected return on investment, the value of the data available, and the perceived vulnerability of the organization or individual. Looking at the statistics by industry reveals some striking patterns.
The financial services sector is consistently the most targeted industry, accounting for approximately 27% of all phishing attacks globally according to APWG data. This should surprise no one — banks, payment processors, and investment firms hold the credentials and account data that attackers can convert directly into cash. Healthcare is the second most targeted sector, driven by the extraordinary value of electronic health records on the dark web (a single health record can sell for 10 to 40 times the value of a credit card number).
The technology sector, retail, and government agencies round out the top five most targeted industries. Government-targeted phishing has grown particularly sharply in the post-pandemic era, as remote work expanded the attack surface for public-sector organizations that were not always well-equipped for the transition.
Demographically, the data shows that older adults are disproportionately victimized, with the FBI reporting that people over 60 lose more money to internet crime than any other age group. However, younger professionals — particularly those in their 20s and 30s who grew up online and may be overconfident about their ability to spot threats — are increasingly targeted by credential-harvesting campaigns aimed at their social media, cloud storage, and cryptocurrency accounts.
Employees in finance, HR, and executive assistant roles are prime targets within organizations because they have access to financial systems and sensitive personnel data. Security awareness training programs that specifically target these high-risk roles tend to show significantly better outcomes than generic company-wide programs.
5. Phishing and Ransomware: The Dangerous Connection
One of the most important trends in phishing statistics is the increasingly tight relationship between phishing attacks and ransomware deployments. Ransomware — malicious software that encrypts an organization’s data and demands payment for its release — has become one of the most destructive forms of cybercrime, and phishing is overwhelmingly the most common delivery mechanism.
According to Proofpoint’s State of the Phish report, approximately 83% of organizations experienced at least one phishing attack in the past year, and of those that were successfully compromised, a significant proportion subsequently experienced ransomware infections. The Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly identified phishing emails as the primary initial access vector in major ransomware incidents affecting critical infrastructure.
The average ransomware payment demanded from businesses in 2024 exceeded $850,000, with some high-profile attacks resulting in demands in the tens of millions of dollars. When you add in the cost of downtime, data recovery, and reputational damage, the total impact of a ransomware attack triggered by a single phishing email can easily exceed $5 million for a mid-sized company.
This connection means that investments in phishing prevention are not just about stopping credential theft — they are about preventing the cascading chain of events that can follow a single successful click. Stopping phishing is, in many cases, stopping ransomware before it ever gets a foothold.
6. How Effective Are Phishing Attacks? The Human Factor
Statistics on click rates and success rates in phishing simulations paint a sometimes uncomfortable picture of how vulnerable human judgment can be, even among people who understand the risks.
Proofpoint’s research shows that across millions of simulated phishing campaigns run by organizations globally, the average failure rate — meaning the percentage of employees who click a simulated phishing link — hovers between 12% and 18% before security awareness training, and drops to around 4% to 5% after consistent training programs. That post-training figure still means that in a company of 1,000 employees, roughly 40 to 50 people would click a realistic phishing email even after training.
Urgency and authority are the two most powerful psychological levers that phishing emails exploit. Messages that appear to come from a senior executive, a government agency, or a trusted financial institution — especially when they create a sense of time pressure — consistently produce the highest click rates. Attackers have become expert students of behavioral psychology, and the statistics show that their approach works.
Mobile devices add another layer of complexity. Phishing emails are opened roughly three times more often on smartphones than on desktops, and the smaller screen makes it harder to inspect URLs and sender addresses carefully. As mobile email usage continues to grow, so does this particular vulnerability.
7. Emerging Trends: AI-Powered Phishing and What Comes Next
Perhaps the most alarming development in the phishing landscape is the rapid adoption of artificial intelligence tools by cybercriminals. Generative AI has dramatically lowered the skill barrier required to craft convincing, grammatically flawless phishing emails, removing one of the most reliable indicators that security-conscious users historically used to identify suspicious messages.
Security researchers have documented AI-generated phishing emails that are nearly indistinguishable from legitimate corporate communications, including correctly formatted email chains, accurate references to real projects and personnel (scraped from public LinkedIn profiles and company websites), and personalized details that would previously have required hours of manual research per target.
Deepfake voice and video phishing — sometimes called vishing 2.0 — is an emerging frontier. Several high-profile incidents have already been documented in which attackers used AI-generated voice clones of executives to instruct finance employees to transfer funds. One such incident in Hong Kong in 2024 resulted in a loss of $25 million from a single call.
The volume of AI-assisted phishing attempts is expected to grow sharply over the coming years. Cybersecurity firm SlashNext reported a 1,265% increase in malicious phishing emails in the year following the widespread release of large language model tools in late 2022. Organizations and individuals who relied heavily on linguistic red flags to spot phishing will need to adapt their detection strategies accordingly.
8. How Organizations Are Responding: Prevention Statistics and Best Practices
The statistics around organizational preparedness for phishing are a mixed picture of progress and persistent gaps. On the positive side, security awareness training has become significantly more widespread. Proofpoint’s data indicates that organizations that run regular, simulation-based phishing training programs reduce successful phishing incidents by up to 86% over time compared to organizations with no training programs.
Multi-factor authentication (MFA) remains the single most effective technical control against phishing-based credential theft. Microsoft’s security team has reported that accounts with MFA enabled are 99.9% less likely to be compromised, even when credentials are successfully stolen via phishing. Yet adoption remains surprisingly incomplete — surveys suggest that fewer than 40% of small businesses consistently enforce MFA across all user accounts.
Email security gateways, DNS filtering, and endpoint detection tools have all improved significantly and now catch a large proportion of phishing attempts before they ever reach an inbox. However, attackers have responded by continuously refining their techniques to evade these tools, creating an ongoing arms race between defenders and attackers.
Zero-trust security architectures — which assume that no user or device is inherently trustworthy, even inside the corporate network — are gaining adoption as a structural response to the reality that some phishing attacks will always succeed. By limiting what a compromised account can access and requiring continuous verification, zero-trust frameworks significantly reduce the blast radius of a successful phishing attack.
The organizations that perform best against phishing threats tend to combine technical controls with human training and clear incident response procedures. Statistics consistently show that it is not any single measure but the layered combination of tools and culture that produces the most resilient defenses.
9. Phishing by the Numbers: Quick-Reference Statistics
The following data points represent some of the most widely cited and impactful statistics in the current phishing landscape:
- 3.4 billion phishing emails are sent globally every single day (Statista, 2024)
- 36% of all data breaches globally involve phishing as the initial attack vector (Verizon DBIR 2024)
- The average cost of a phishing-related data breach is $4.91 million (IBM Cost of Data Breach Report 2024)
- 83% of organizations reported experiencing a phishing attack in the previous 12 months (Proofpoint)
- Phishing attacks have increased by more than 150% over the past three years (APWG)
- 46,000 new phishing websites are created every week (Google Safe Browsing)
- Business Email Compromise caused $2.9 billion in reported losses in 2023 (FBI IC3)
- Organizations with regular phishing simulation training reduce click rates by up to 86% (Proofpoint)
- MFA blocks 99.9% of automated credential-based attacks (Microsoft)
- Financial services accounts for 27% of all phishing targets globally (APWG)
- Spear phishing emails have open rates up to 70% compared to under 5% for mass campaigns
- AI-powered phishing emails increased by 1,265% in the year following broad LLM availability (SlashNext)
- The average dwell time before a phishing breach is detected is 197 days (IBM)
- Employees open phishing emails on mobile devices 3x more often than on desktops
Frequently Asked Questions About Phishing Statistics
Q1: What percentage of cyberattacks start with phishing?
Multiple independent research sources consistently place the figure between 80% and 90%. The Verizon DBIR specifically attributes over 36% of confirmed data breaches to phishing, but when you include related social engineering tactics that fall under the phishing umbrella, the broader figure climbs significantly higher. Phishing is the dominant entry point for nearly every major category of cybercrime, from ransomware to corporate espionage.
Q2: How many phishing emails are sent per day?
Current estimates from Statista and other research firms place the daily volume of phishing emails at approximately 3.4 billion. This figure fluctuates with major geopolitical events, tax seasons, and major platform breaches, since attackers routinely scale their campaigns around news cycles that make certain lures more credible.
Q3: What industry is most targeted by phishing?
Financial services is consistently the top targeted sector, accounting for roughly 27% of global phishing attacks. This is followed by healthcare, technology, retail, and government. However, target distribution shifts over time as attackers follow the data. Healthcare saw a sharp increase in targeting during and after the COVID-19 pandemic, for example, and cryptocurrency-related phishing has grown dramatically alongside the industry itself.
Q4: How much does a phishing attack cost a business?
The cost varies dramatically based on the type and scale of the attack. IBM’s 2024 report puts the average cost of a phishing-related data breach at $4.91 million for large enterprises. For small businesses, the per-incident cost is lower in absolute terms but often more devastating in proportion to the company’s size — with estimates ranging from $10,000 to several hundred thousand dollars depending on what systems were compromised and how long the breach went undetected.
Q5: What are the most common signs of a phishing email?
Historically, the telltale signs included poor grammar, misspelled domain names, generic greetings, and unusual urgency. While these remain valid red flags for unsophisticated attacks, AI-generated phishing has largely eliminated the language quality issue. Today, the most reliable indicators are: mismatches between the sender’s display name and the actual email domain, unexpected requests for credentials or payment, links that redirect to unfamiliar domains (always hover before clicking), and communications that pressure you to act quickly before verifying through another channel.
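The indicators just listed can be checked mechanically. The script below is an added example, not code from this article: it parses a constructed sample message and reports a display name that invokes a brand the sender domain does not match, link text that names a different domain than its href, and an href domain one character away from a trusted one (the "single extra character" from the opening anecdote). The trusted-domain list and the sample message are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recipient organisation legitimately deals with (assumed list).
TRUSTED_DOMAINS = ("example-bank.com", "cloud-storage.example")

def _domain(value):
    """Lowercase host part of a URL, an e-mail address or a bare host name."""
    value = value.strip().lower()
    if "://" in value:
        return urlparse(value).hostname or ""
    if "@" in value:
        return value.rsplit("@", 1)[1]
    return value.split("/")[0]

def _edit_distance(a, b):
    """Levenshtein distance: one extra, missing or swapped character scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw_message):
    """Return one finding string per indicator present in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg["From"] or "")
    sender_domain = _domain(addr)
    # 1. Display name invokes a trusted brand, but the sender domain is not it.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in display.lower() and sender_domain != trusted:
            findings.append(f"display name '{display}' but sender domain {sender_domain}")
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        href_domain = _domain(href)
        text_domain = _domain(text) if "." in text and " " not in text else ""
        # 2. Visible link text names one domain while the href goes elsewhere.
        if text_domain and text_domain != href_domain:
            findings.append(f"link text {text_domain} but href {href_domain}")
        # 3. The href domain is one character away from a domain we trust.
        for trusted in TRUSTED_DOMAINS:
            if href_domain != trusted and _edit_distance(href_domain, trusted) == 1:
                findings.append(f"lookalike domain {href_domain} ~ {trusted}")
    return findings

# Constructed sample message exercising all three checks (not a real campaign).
SAMPLE = """From: Example Bank Security <alerts@mail-update.example>
Subject: Action required: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<p>Sign in at <a href="https://example-bannk.com/login">https://example-bank.com/login</a></p>
"""
```

Calling `phishing_indicators(SAMPLE)` returns three findings for the sample; a plain internal message with no links returns none.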
Q6: Does multi-factor authentication really stop phishing?
MFA is extraordinarily effective against traditional credential-harvesting phishing — Microsoft reports it blocks 99.9% of automated account compromise attempts. However, it is not a perfect defense. Attacker-in-the-middle (AiTM) phishing kits — which intercept MFA tokens in real time — are an increasingly common workaround. Phishing-resistant MFA methods such as FIDO2 hardware security keys are the gold standard, as they are immune to AiTM attacks and significantly harder for attackers to bypass.
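Why FIDO2 keys resist AiTM relaying, shown as an added example that is not from this article: a toy model of the WebAuthn assertion flow in which the browser, not the page, writes the loaded origin into clientDataJSON and derives the relying-party ID from it, so an assertion obtained through a lookalike domain never verifies at the real site. Signing is simplified to an HMAC with a per-credential secret (an assumption made to stay within the standard library); real authenticators use asymmetric keys and the relying party stores only the public key.

```python
import hashlib, hmac, json, os
from urllib.parse import urlparse

class Authenticator:
    """Toy security key: one credential per relying-party ID (rpId). An HMAC
    secret stands in for the per-credential private key (simplification)."""
    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        self._creds[rp_id] = os.urandom(32)
        return self._creds[rp_id]  # a real key would hand back a public key

    def sign(self, rp_id, client_data_json):
        if rp_id not in self._creds:
            return None  # no credential scoped to this rpId, so nothing is signed
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash field
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self._creds[rp_id], signed, "sha256").digest()

class Browser:
    """The browser, not the page, writes the loaded origin into clientDataJSON
    and derives rpId from it; page script cannot override either value."""
    @staticmethod
    def get_assertion(key, page_origin, challenge):
        rp_id = urlparse(page_origin).hostname
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": page_origin}, sort_keys=True).encode()
        result = key.sign(rp_id, client_data)
        if result is None:
            return None
        return {"clientDataJSON": client_data, "authenticatorData": result[0],
                "signature": result[1]}

class RelyingParty:
    def __init__(self, origin, credential_secret):
        self.origin, self.rp_id = origin, urlparse(origin).hostname
        self.secret, self.pending = credential_secret, set()

    def new_challenge(self):
        self.pending.add(challenge := os.urandom(16).hex())
        return challenge

    def verify(self, assertion):
        """Checks in the order a WebAuthn relying party performs them."""
        if assertion is None:
            return "no assertion"
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get":
            return "wrong type"
        if cd.get("challenge") not in self.pending:
            return "unknown challenge"
        if cd.get("origin") != self.origin:
            return "origin mismatch"  # the check that defeats a relaying proxy
        if assertion["authenticatorData"][:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rpIdHash mismatch"
        signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
        if not hmac.compare_digest(hmac.new(self.secret, signed, "sha256").digest(), assertion["signature"]):
            return "bad signature"
        self.pending.discard(cd["challenge"])  # challenges are single-use
        return "ok"

def run_scenario():
    """Returns (genuine login, relayed via lookalike page, lookalike's own credential)."""
    key = Authenticator()
    rp = RelyingParty("https://example-bank.com", key.register("example-bank.com"))
    genuine = rp.verify(Browser.get_assertion(key, "https://example-bank.com", rp.new_challenge()))
    # A proxy on a lookalike domain relays the real challenge, but the browser derives
    # rpId from the lookalike origin, so the key has no credential and signs nothing.
    relayed = rp.new_challenge()
    via_proxy = rp.verify(Browser.get_assertion(key, "https://example-bannk.com", relayed))
    # Even a credential registered under the lookalike rpId carries the wrong origin.
    key.register("example-bannk.com")
    forged = rp.verify(Browser.get_assertion(key, "https://example-bannk.com", relayed))
    return genuine, via_proxy, forged
```

`run_scenario()` returns `("ok", "no assertion", "origin mismatch")`: the genuine login passes, the relayed attempt yields nothing for the proxy to forward, and an assertion minted on the lookalike origin is rejected before its signature is even checked.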
Q7: Are individuals or businesses more at risk from phishing?
Both face significant risks, but the nature of those risks differs. Individuals are more often targeted by mass phishing campaigns aimed at stealing banking credentials, credit card numbers, or account access. Businesses face both mass campaigns and far more dangerous, highly targeted spear phishing, BEC, and whaling attacks. The financial consequences of business-targeted phishing are typically far larger in absolute dollar terms, but the personal financial and emotional impact on individual victims — particularly elderly victims — can be equally devastating on a personal scale.
Q8: What is the fastest growing type of phishing?
Smishing (SMS phishing) and AI-assisted email phishing are both seeing rapid growth. Smishing has expanded dramatically with the proliferation of smartphone use and the tendency for people to trust text messages more implicitly than emails. AI-assisted phishing is growing fastest in sophistication, with large language models being used to generate personalized, context-aware phishing content at scale — a capability that was essentially unavailable to the majority of cybercriminals just three years ago.
Q9: How long does it take to detect a phishing breach?
IBM’s research puts the average dwell time — the period between initial compromise and detection — at 197 days for phishing-related breaches. This means attackers often have access to systems for more than six months before anyone realizes something is wrong. Organizations with advanced security monitoring and threat detection tools, as well as regular security awareness training that encourages employees to report suspicious activity, tend to detect breaches significantly faster than this average.
Q10: Can phishing attacks be fully prevented?
No security control or combination of controls can guarantee 100% prevention of phishing attacks. The human element, by its nature, introduces irreducible risk. The goal of a robust phishing defense strategy is not elimination but risk reduction — making successful attacks substantially harder, detecting the ones that do succeed more quickly, and limiting the damage that results. Organizations that adopt layered defenses, including technical controls, ongoing employee training, and clear incident response procedures, are vastly better positioned than those relying on any single tool or approach.
Final Thoughts
The phishing statistics examined throughout this guide tell a clear and urgent story: this threat is growing in volume, sophistication, and financial impact, and it shows no signs of slowing down. The shift toward AI-assisted attacks represents a genuine inflection point that will require individuals and organizations to update not just their tools but their entire mental model of what a phishing attempt looks like.
At the same time, the data also carries real grounds for optimism. Security awareness training works. Multi-factor authentication works. Layered technical defenses work. The organizations and individuals that treat phishing prevention as an ongoing discipline rather than a one-time checkbox exercise are measurably, dramatically safer than those that do not.
Understanding these numbers is not an academic exercise. Every statistic in this article represents real people, real organizations, and real consequences. The best response to what the data shows is not anxiety but action — taking concrete, evidence-based steps to reduce your exposure and build the kind of resilient security culture that attackers find genuinely hard to crack.