Phishing Statistics 2026: 17 Key Numbers
On-device OCR. Secure, built for iOS.
Phishing Statistics 2026: 17 Key Numbers
Phishing was the most-reported cybercrime in the FBI's 2024 IC3 report, with 193,407 complaints filed - more than double the next most-reported category. The Anti-Phishing Working Group tracked 3.8 million attacks across 2025. Verizon's 2025 Data Breach Investigations Report found phishing was the initial access vector in 16% of confirmed breaches, while IBM's 2025 Cost of a Data Breach report pegged phishing-initiated breaches at an average cost of $4.8 million each. Together, these numbers show phishing as the most common entry point for credential theft, ransomware, and document fraud - with no sign of slowing down.
Attackers have refined phishing into a production operation. AI now cuts lure-crafting time from 16 hours to five minutes, BEC losses hit $2.77 billion in 2024 alone, and infostealer malware recaptured 53.3 billion identity records in a single year. The threat runs wider than spam filters and security awareness training can contain. Our broader cybersecurity statistics overview shows phishing as the most common first step across nearly every major breach pattern.
This post covers attack volume, financial losses, credential theft, ransomware links, AI-driven escalation, and what the data means for protecting sensitive documents. Below are the 17 statistics that define the phishing landscape in 2026.
1. Phishing topped 193,407 FBI complaints in 2024 - more than double the next category
Phishing and spoofing generated 193,407 complaints in 2024, making it the single most-reported crime category in the FBI Internet Crime Complaint Center's annual report. The volume was more than double the second-most-reported category, extortion. Total losses from those phishing reports exceeded $70 million. Across all cybercrime categories combined, the 2024 IC3 report recorded 859,532 complaints with losses exceeding $16 billion - a 33% jump from 2023. The phishing complaint count is likely a significant undercount because most victims never file a report. For organizations, the raw volume signals that phishing attempts are near-constant events, not periodic incidents. The per-minute math works out to roughly 530 phishing complaints filed every day.
Source: FBI Internet Crime Complaint Center - 2024 IC3 Annual Report
2. FBI 2025 IC3 report records $20.9 billion in cybercrime losses
The FBI's 2025 IC3 Annual Report documented 1,008,597 complaints with $20.877 billion in total losses - the first time reported cybercrime losses have crossed the $20 billion threshold, and a 26% increase from 2024. Phishing and spoofing again led all complaint categories, with 191,561 reports. Losses from phishing alone jumped from $70 million in 2024 to $215.8 million in 2025. Across the three crime categories that exploit email trust - BEC, phishing, and government impersonation - combined losses exceeded $4 billion, up 46% year-over-year. The scale confirms that phishing is not a niche threat. It is the dominant entry point that enables downstream fraud, ransomware, and credential theft that collectively cost organizations and individuals billions annually.
Source: FBI Internet Crime Complaint Center - 2025 IC3 Annual Report
3. APWG tracked 3.8 million phishing attacks across 2025
The Anti-Phishing Working Group observed 3.8 million phishing attacks throughout 2025, a slight increase from 3.76 million in 2024. The quarterly breakdown shows both the scale and the volatility: Q1 reached 1,003,924 attacks - the largest quarterly count since Q4 2023 - while Q2 climbed further to 1,130,393, a 13% jump quarter-over-quarter. Attacks against online payment and financial sectors together accounted for 30.9% of all attempts in Q1. APWG also reported that wire-transfer BEC attacks increased 33% in Q1 compared to the previous quarter. The 3.8 million annual figure translates to more than 10,000 distinct phishing attacks every day, representing a constant operational threat rather than targeted campaigns.
Source: APWG Phishing Activity Trends Report - Full Year 2025
4. Verizon DBIR: credentials drove 22% of breaches, phishing drove 16%
The 2025 Verizon Data Breach Investigations Report analyzed 22,052 security incidents and 12,195 confirmed breaches spanning 139 countries - the highest confirmed-breach count in the report's history. Stolen or compromised credentials were the leading initial access vector, present in 22% of breaches. Phishing followed at 16%, with vulnerability exploitation at 20%. Human actions - clicks on malicious links, socially engineered calls, or misdelivered data - contributed to approximately 60% of all confirmed breaches. The credential figure and phishing figure are connected: phishing is the primary method attackers use to harvest credentials at scale. Once stolen, those credentials enable intrusions that rarely look like "hacking" at all.
Source: Verizon 2025 Data Breach Investigations Report
5. IBM: phishing-initiated breaches cost an average of $4.8 million each
IBM's 2025 Cost of a Data Breach report found that phishing overtook stolen credentials as the most common initial attack vector, responsible for 16% of breaches at an average cost of $4.8 million per incident. The global average breach cost fell slightly to $4.44 million in 2025, but the US average hit $10.22 million. Breaches identified and contained within 200 days cost roughly $1.1 million less than those that lingered longer. IBM also found that phishing-initiated breaches took an average of 254 days to identify and contain - nearly nine months of exposure. For context, our data breach statistics roundup shows phishing as the costliest and slowest-to-detect breach category across multiple years of IBM reporting.
Source: IBM Cost of a Data Breach Report 2025
6. BEC attacks alone cost $2.77 billion in 2024
Business email compromise, a sophisticated form of phishing that impersonates executives or vendors to redirect payments, generated $2.77 billion in reported losses from 21,442 complaints in 2024, according to the FBI IC3 report. That averages out to roughly $129,000 per complaint. The average BEC attack costs $4.67 million when factoring in investigation and recovery, making it one of the most financially damaging phishing variants. BEC accounts for 58% of financially motivated phishing breaches. The FBI separately noted that almost $8.5 billion was lost to BEC across a recent three-year period. These attacks succeed precisely because they exploit trust in legitimate email identities rather than technical vulnerabilities, making them hard to block with standard filters.
Source: FBI Internet Crime Complaint Center - 2024 IC3 Annual Report
7. Phishing costs $17,700 per minute globally
Global financial losses from phishing attacks reached an estimated $17.4 billion in 2024, a 45% increase from the prior year, according to compiled industry research. That figure translates to approximately $17,700 lost every minute, or roughly $1.06 million per hour, due to phishing activity worldwide. The 45% year-over-year growth rate is striking because it significantly outpaces growth in attack volume, meaning attackers are becoming more effective per attempt. AI-generated lures, improved targeting, and the rapid monetization of stolen credentials through infostealer networks all contribute to the efficiency gain. For small businesses and freelancers handling invoices, contracts, or client documents, the financial stakes of a single successful phishing click are substantial.
Source: Phishing Statistics 2026 - StationX
8. 3.4 billion phishing emails are sent every day
More than 3.4 billion phishing emails flood inboxes daily, making phishing email the single largest category of malicious traffic on the internet. At a 2.7% click rate against that volume, approximately 92 million successful clicks occur every day. Proofpoint's 2024 State of the Phish report was built on telemetry from more than 2.8 trillion scanned emails across 230,000 organizations, alongside findings from 183 million simulated phishing attacks. Even with aggressive filtering and employee training, the sheer throughput ensures some messages get through. The median phishing simulation click-through rate across Verizon's 2025 DBIR data sits at about 1.5%, reflecting a behavioral floor that training alone cannot push below zero.
Source: Proofpoint 2024 State of the Phish Report
9. Employees click phishing links in 21 seconds but take 28 minutes to report them
Research into employee phishing behavior finds that the median time from receiving a phishing email to clicking a malicious link is just 21 seconds. Yet reporting that same message to security teams takes an average of nearly 28 minutes. That 27-minute gap between click and report is the window in which credential harvesting, session hijacking, or malware installation takes place. Enterprise users were three times more likely in 2024 to land on phishing pages compared to the year before, according to security researchers, despite increased training investment. The implication is that even motivated, aware employees act faster than they think - and attackers design lures specifically to exploit urgency and familiarity.
Source: Phishing Statistics - 60+ Attack Statistics (Hunto AI)
10. AI-generated phishing achieves a 54% click-through rate
Phishing lures crafted by generative AI achieve a click-through rate of approximately 54%, compared to 12% for conventionally written phishing messages. IBM's 2025 breach report found that generative AI has reduced the time required to craft a convincing phishing email from 16 hours to just five minutes, enabling attackers to scale personalized campaigns at a fraction of the previous cost. Among 2025's AI-related crime patterns tracked by the FBI, AI was most commonly used for phishing (37% of AI-assisted fraud) and deepfake impersonation (35%). APWG also documented that during December 2025, AI-generated phishing surged from 4% to 56% of filter-bypassing attacks in a matter of weeks, a 14-fold increase that shocked security teams.
Source: IBM Cost of a Data Breach Report 2025
11. Infostealer malware recaptured 53.3 billion identity records in 2024
SpyCloud's 2025 Annual Identity Exposure Report found that researchers recaptured 53.3 billion distinct identity records stolen in 2024 - a 22% increase from 2023. Infostealer malware, which silently harvests credentials, browser cookies, session tokens, and files from infected devices, was the primary collection mechanism. Roughly 1 in 2 corporate users were exposed through infostealer infections in the past year. Each infection yielded an average of 44 exposed credentials. SpyCloud also recaptured 17 billion stolen browser cookies, enabling attackers to bypass multi-factor authentication by replaying active session tokens. The credential and document theft pipeline that phishing initiates feeds directly into these infostealer networks, turning a single click into months of unauthorized access.
Source: SpyCloud 2025 Annual Identity Exposure Report
12. Credential theft surged 160% in 2025
The volume of compromised credentials exposed in data breaches surged 160% in 2025 compared to the prior year, according to security researchers tracking dark web markets and breach dumps. In a single month, 14,000 cases of employee credential exposure were reported from data breaches alone. Verizon's DBIR found that 88% of basic web application attacks involved stolen credentials, confirming that credential theft is the downstream outcome of a large share of successful phishing campaigns. The identity-theft pipeline runs from phishing lure to credential capture to account takeover, often within hours. As our identity theft statistics overview documents, stolen credentials from phishing are the most common entry point for financial fraud, tax fraud, and account hijacking.
Source: Credential Theft Surged 160% in 2025 - IT Pro
13. Smishing click rates reach 19-36%, far above email phishing's 2-4%
SMS-based phishing (smishing) now accounts for roughly 35% of all phishing attacks and shows click-through rates between 19% and 36% - many times the 2-4% rate typical for email phishing. The FTC reported $470 million in consumer losses from text message scams in 2024, a figure five times higher than 2020's total even though the number of reports declined. Vishing (voice phishing) surged 442% from H1 to H2 2024, making it the fastest-growing phishing vector. APWG's Q3 2025 report noted SMS-based fraud increased nearly 35% quarter-over-quarter. Mobile devices are a particularly high-risk channel because employees often check personal and work messages on the same phone, and mobile browsers make it harder to inspect URLs before clicking.
Source: APWG Phishing Activity Trends Report Q3 2025
14. Phishing initiates 45% of ransomware attacks
Forty-five percent of all ransomware attacks are delivered through phishing emails, making phishing the dominant initial access method for ransomware deployments. Between November 2024 and February 2025, ransomware delivery via phishing surged 57.5% compared to the preceding three months. Verizon's 2025 DBIR found ransomware present in 44% of all confirmed breaches, up from 32% the previous year. SpyCloud separately found that nearly one-third of companies hit by ransomware had experienced a prior infostealer infection - meaning the credential theft from one phishing campaign enabled the ransomware attack that followed months later. The phishing-to-ransomware pipeline is the most costly sequence in modern cybercrime, often triggering both recovery costs and regulatory penalties simultaneously.
Source: Phishing Statistics 2025-2026 - Zensec
15. 68% of employees knowingly take risky security actions
Proofpoint's 2024 State of the Phish report, covering telemetry from 230,000 organizations and 183 million simulated phishing attacks, found that 68% of employees knowingly engage in risky behaviors such as reusing passwords, sharing credentials, or clicking links from unknown senders. Only 71% of organizations experienced at least one successful phishing attack in 2023 - down from 84% in 2022 - but the negative consequences for those hit increased sharply: a 144% increase in reported financial penalties and a 50% jump in reputational damage. The human element remains the dominant failure point not because people are careless, but because attackers design pressure, urgency, and familiarity into every lure to override deliberate decision-making.
Source: Proofpoint 2024 State of the Phish Report
16. ENISA identified phishing and BEC as top threats across 11,000+ analyzed incidents
The European Union Agency for Cybersecurity (ENISA) Threat Landscape 2024 report analyzed more than 11,000 cybersecurity incidents across its reporting period. ENISA identified phishing and business email compromise as leading social engineering threats, noting a sharp rise in BEC incidents. The report highlighted that criminals are using generative AI tools, including FraudGPT and mainstream large language models, to craft phishing emails and malicious scripts at scale, with state-sponsored groups from Russia, North Korea, Iran, and China all documented using AI to enhance phishing operations. ENISA's finding that phishing is accelerating in sophistication across both criminal and nation-state actors underlines that no sector - public or private - is outside the target set.
Source: ENISA Threat Landscape 2024
17. QR code phishing surged with 716,306 unique malicious codes in Q3 2025
QR code phishing (quishing) emerged as a fast-scaling attack vector in 2025. APWG reported that Mimecast detected 716,306 unique malicious QR codes in Q3 2025 alone, a 13% increase from 635,672 in Q2. Attackers send emails containing QR codes that direct victims to phishing pages, bypassing traditional URL-filtering tools because the malicious link is embedded in an image rather than text. APWG noted criminals are sending millions of QR-code-bearing emails daily. QR codes are particularly effective in document contexts - attackers embed them in fake invoices, delivery notices, and scanned contract pages, betting that recipients will scan the code on their phones without the same scrutiny they would apply to a suspicious link. A document scanner app that processes files on-device keeps scanned content out of third-party servers where it could be intercepted or exposed.
Source: APWG Phishing Activity Trends Report Q3 2025
What These Numbers Reveal About Phishing in 2026
The statistics paint a consistent picture: phishing has industrialized. A 3.8-million attack annual count from APWG, 3.4 billion daily phishing emails, and AI reducing lure-creation time to five minutes describe a threat operating at machine scale against human reflexes. The 21-second click window and 54% AI click rate confirm that even alert, trained employees face a structural disadvantage. Organizations spending heavily on awareness training are running faster on a treadmill that attackers accelerate with better tooling each quarter.
The downstream costs land hardest on credentials and documents. The 53.3 billion stolen identity records and the 160% surge in credential theft in 2025 trace back overwhelmingly to phishing as the initial collection mechanism. Stolen credentials then enable BEC, account takeover, and ransomware - the three highest-cost breach categories. The $2.77 billion in BEC losses in 2024 and the 45% of ransomware attacks that start with phishing emails show how one click in an inbox multiplies into sustained, expensive intrusions. Sensitive documents are both the lure and the target: attackers use fake invoices, contracts, and scanned forms to trick recipients, then harvest the credentials needed to access real files.
The escalation trajectory runs directly through AI. Phishing surging from 4% to 56% of filter-bypassing attacks in a single month at the end of 2025 signals that AI-assisted attacks are not a gradual shift but a step change. Nation-state actors documented by ENISA, criminal networks using FraudGPT, and opportunistic attackers with five-minute lure generation are all converging on the same target. The organizations and individuals who will fare better are those who reduce the value of what can be stolen - keeping sensitive files local, limiting cloud exposure, and treating credential protection as the primary control rather than the last resort.
Phishing remains the most common, most costly, and fastest-escalating initial access method in the threat landscape - and the documents attackers want most are the ones stored where third parties can reach them.
Secure Documents Stay Local
Phishing's ultimate goal is access - to credentials, to accounts, and to the sensitive documents those accounts protect. Contracts, IDs, financial records, and signed agreements are exactly the files attackers pursue once they have a foothold. Every document stored in a cloud service connected to an email account is one successful phishing click away from exposure.
Filewise keeps that equation different. It scans, processes, and stores documents entirely on your iPhone with on-device OCR. Nothing is routed through a third-party server to be indexed or accessed remotely. There is no cloud account to phish, no login to compromise, and no external storage to breach. Face ID locks sensitive files locally. For anyone handling contracts, client IDs, or financial paperwork, processing documents on-device removes a critical attack surface that cloud-connected scanners leave open.
Join the Filewise waitlist and keep your scanned documents on your device, not on a server that phishing can reach.
Filewise is launching soon - the private, on-device PDF scanner for iPhone with no ads and no subscription traps.
Join the Filewise Waitlist
Private, on-device scanning · No account required · Launching soon on iOS
Frequently Asked Questions
How many phishing attacks happen each year?
The Anti-Phishing Working Group tracked 3.8 million phishing attacks in 2025, up slightly from 3.76 million in 2024. The FBI IC3 received 193,407 phishing-related complaints in 2024 alone, making it the most-reported cybercrime category for the year. Beyond reported incidents, researchers estimate more than 3.4 billion phishing emails are sent every day.
What does a phishing attack cost a business?
IBM's 2025 Cost of a Data Breach report found that phishing-initiated breaches cost an average of $4.8 million per incident - above the global breach average of $4.44 million. Business email compromise attacks, a targeted phishing variant, averaged $4.67 million per incident and generated $2.77 billion in losses reported to the FBI in 2024 alone. Recovery timelines average 254 days from breach to containment.
What percentage of breaches start with phishing?
The 2025 Verizon DBIR found phishing was the initial access vector in 16% of confirmed data breaches, while stolen credentials - often harvested via phishing - drove 22%. Approximately 60% of all breaches involved a human action such as a malicious click or social engineering response. Phishing also initiates an estimated 45% of ransomware attacks.
Why are documents a target in phishing attacks?
Sensitive documents - contracts, IDs, tax records, financial statements - are high-value targets because they contain credentials, account numbers, and personal data useful for fraud or identity theft. Attackers also use fake document formats (invoices, delivery notices, scanned PDFs) as lures to make phishing emails look legitimate. QR codes embedded in fake scanned documents were among the fastest-growing attack vectors in 2025, with 716,306 unique malicious codes detected in Q3 alone.
🔒 Secure & on-device | 📱 Built for iOS