
60+ Phishing Attack Statistics: The Facts You Need To Know for 2026
Anna Fitzgerald
Senior Content Marketing Manager
Emily Bonnie
Senior Content Marketing Manager
Phishing continues to be one of the most pervasive and costly cyber threats facing organizations worldwide.
Despite advancements in detection tools, employee training, and security controls, attackers are constantly refining their methods—most recently, using AI, voice-based scams, and targeted brand impersonation to trick victims and bypass defenses.
To help organizations better understand the scale and evolving nature of this threat, we’ve compiled more than 60 statistics from leading cybersecurity reports and threat intelligence sources. These insights reveal how phishing is impacting industries, regions, and organizations, and how emerging technologies are shaping the future of these attacks.
Keep reading to discover the latest insights and trends in phishing, key takeaways for 2026 and beyond, and actionable tips for how to defend against phishing attacks.
Key findings
Here are some of the most significant phishing attack statistics pulled from the list below:
- Nearly 1 million phishing attacks were recorded worldwide in Q4 2024—an increase of more than 100,000 from the previous quarter.
- Phishing was the most common initial vector in data breaches from March 2024 to February 2025, accounting for 16% of incidents.
- Phishing attacks cost organizations an average of $4.8 million per breach, making it the third costliest initial threat vector.
- AI-generated phishing emails had a 54% click-through rate compared to just 12% for human-written messages in a recent academic study.
- 73.8% of phishing emails analyzed in 2024 used some form of AI, rising to over 90% for those with polymorphic elements.
- Voice phishing (vishing) attacks surged 442% between the first and second halves of 2024.
- Microsoft was impersonated in over half (51.7%) of all phishing scams in 2024.
Phishing attack trends and impact statistics
Phishing remains a dominant threat vector across industries, with attackers constantly evolving their strategies to increase success rates. This section examines global attack volumes, shifting tactics, and the financial toll phishing continues to take on organizations.

1. There were nearly one million (989,123) phishing attacks worldwide in Q4 2024. (Statista)
2. While global phishing attacks have been decreasing since a peak of 1.62 million in Q1 2023, the last quarter of 2024 showed an increase of over 100,000 attacks from the previous quarter. (Statista)
3. Global phishing volume dropped 20% in 2024, but attackers are shifting strategies, focusing on high-impact campaigns aimed at high-value targets in HR, finance, and payroll to maximize their success rates. (Zscaler)
4. Phishing attacks had an estimated financial impact of US$3.5 billion in 2024. (Microsoft)
5. Phishing and spoofing remained the top-reported cybercrime type in 2024, with over 193,000 complaints. (FBI Internet Crime Report)
6. In a study of 600 organizations impacted by data breaches between March 2024 and February 2025, phishing was the most common initial vector attackers used to gain access to systems at 16%. (IBM)
7. Phishing was among the top attack vectors for the third year in a row in IBM’s annual Cost of a Data Breach Report. (IBM)
8. On average, phishing attacks take 254 days to detect and contain. This is the third longest of all attack vectors, behind only supply chain attacks and malicious insiders. (IBM)
9. Phishing is the third costliest initial threat vector, averaging USD 4.8 million per breach. (IBM)
10. Ransomware payloads in phishing attacks have surged, with a 22.6% increase from September 15, 2024, to February 15, 2025, compared to the previous six months. This trend is accelerating, with a 57.5% spike between November 1, 2024, and February 15, 2025, versus the prior three months. (IBM)
11. In September 2024, 322 brands worldwide were targeted by phishing attacks, the highest peak of the year. (Statista)
12. The number of brands that cyber criminals targeted with phishing attacks decreased in 2024, with an average of 312 per month compared to 506 per month in 2023. (Statista)
13. The top 20 brands most frequently imitated in phishing scams in 2024 were:
- Microsoft
- Telegram
- Netflix
- OneDrive
- Steam
- DHL
- Adobe
- Amazon
- Zimbra
- ING Group
- HSBC
- Allegro
- Sparkasse
- FedEx
- Postbank
- SharePoint (Zscaler)
14. Microsoft is the most commonly imitated brand for phishing campaigns, impersonated in more than half (51.7%) of phishing scams in 2024. (Zscaler)
15. The top three most exploited social media platforms to orchestrate phishing attacks are:
- Telegram (1.1M attacks)
- Facebook (692K attacks)
- Steam (507K attacks) (Zscaler)
16. In Verizon’s latest DBIR report, breaches involving humans remain responsible for the majority of the cases we reviewed. Of the nearly 11,000 human element breaches reviewed, 32% stemmed from credential abuse and 23% from social actions. There is a non-trivial overlap between social actions (where phishing or pretexting might steal a credential) and the subsequent credential abuse. (Verizon)
17. Phishing was the known initial access vector in 16% of the 2025 dataset of nearly 10,000 non-Error, non-Misuse breaches analyzed. (Verizon)
18. Phishing was the fifth most common action—i.e., a technique that threat actors are using—in data breaches (14%). (Verizon)

19. 42% of ransomware attacks that result in data breaches involve compromised credentials, an exploited vulnerability or the use of phishing. (Verizon)
20. Phishing remains the top technique leveraged in social engineering attacks, accounting for 57% of the more than 3,000 incidents analyzed. (Verizon)
21. Voice phishing (vishing) attacks, where adversaries call victims to amplify their activities with persuasive social engineering techniques, saw explosive growth, up 442% between the first and second half of 2024. (CrowdStrike)
22. Vishing attacks peaked in December 2024, with CrowdStrike detecting 93 vishing intrusions. For comparison’s sake, CrowdStrike detected 9 vishing intrusions in June, the last month of H1 2024. (CrowdStrike)
23. One of the most prevalent initial access techniques for ransomware attacks continues to be social engineering—specifically email phishing, SMS phishing, and voice phishing. (Microsoft)
24. In 2024, the top five phishing-as-a-service (PhaaS) platforms were:
- Caffeine
- Tycoon
- Greatness
- NakedPages, and
- Dadsec. (Microsoft)
25. In 2024, there was a 146% rise in adversary-in-the-middle (AiTM) phishing attacks, which occur when attackers trick users into clicking a link and completing MFA on the attacker’s behalf. (Microsoft)
26. A 2025 report reveals that an extensive criminal ecosystem may have compromised between 12.7 million and 115 million payment cards in the United States alone between July 2023 and October 2024 using advanced SMS, RCS, and iMessage-based social engineering with sophisticated phishing infrastructure and real-time multi-factor authentication bypass techniques. The estimated financial losses reach into the billions of dollars. (SecAlliance)
Phishing attack statistics by industry, company size, and region
Phishing campaigns are rarely one-size-fits-all. Different sectors, regions, and organization sizes experience unique attack patterns based on perceived value and security posture. This section breaks down how attackers are targeting victims and where the risks are most concentrated.
27. During the fourth quarter of 2024, over 23% of phishing attacks worldwide targeted SaaS or webmail, making it the most targeted online industry. (Statista)
28. The top five industries worldwide most targeted by phishing attacks in Q4 2024 were:
- SaaS/webmail (23.3%)
- Social media (22.5%)
- Financial institutions (11.9%)
- E-commerce/retail (10.9%)
- Payment (7%) (Statista)
29. Social Engineering accounts for 16% of Educational Services breaches. 77% of those social engineering breaches were due to phishing. (Verizon)
30. Phishing was the fifth most common action in data breaches in the manufacturing industry, accounting for nearly one-fifth of breaches (19%). (Verizon)
31. Phishing was one of the top actions in social data breaches in the public sector, accounting for nearly half of breaches (43%). Phishing is tied with Prompt bombing, a technique of sending a high number of authentication requests to users in the hopes they will comply to make them go away. (Verizon)
32. Social attacks—which are almost exclusively of the phishing variety—account for roughly similar percentages for SMBs (18%) and large organizations (13%). (Verizon)
33. Social actions account for one quarter of breaches in the Asia and the Pacific (APAC) region. Of those breaches:
- 40% involved Pretexting
- 34% involved Prompt bombing
- 26% involved Phishing. (Verizon)
34. Similar to the APAC region, Social actions account for one quarter of breaches in the Europe, Middle East and Africa (EMEA) region. Phishing accounts for a smaller percentage of these EMEA breaches, at 19%. (Verizon)

35. Phishing in the US dropped 31.8%, but the US remains the #1 target. (Zscaler)
36. The top 10 countries targeted by phishing attacks are:
- United States
- India
- Germany
- Canada
- United Kingdom
- Spain
- France
- Australia
- South Africa
- Brazil (Zscaler)
37. The top 10 countries of origin for phishing attacks are:
- United States
- Germany
- United Kingdom
- Netherlands
- Hong Kong
- Russia
- China
- Singapore
- India
- Australia (Zscaler)
38. Both the Netherlands and Hong Kong experienced an unprecedented surge of originating phishing attacks in 2024, increasing by 4,000% and 2,000% respectively. (Zscaler)
39. The top 5 industries targeted for phishing scams are:
- Manufacturing
- Services
- Education
- Technology & Communication
- Retail & Wholesale (Zscaler)
40. Here’s a breakdown of the industries targeted by phishing scams in 2024:
- Manufacturing (21.8%)
- Services (20.7%)
- Education (17.9%)
- Technology & Communication (9.2%)
- Retail & Wholesale (8.6%)
- Finance & Insurance (7.5%)
- Government (5.8%)
- Healthcare (4%)
- Others (4.6%) (Zscaler)
41. Manufacturing remains the most targeted industry by phishing attacks—although phishing attempts dropped 16.8% in 2024. (Zscaler)
42. Phishing campaigns targeting the Education sector exploded in 2024, with a staggering 224% increase in attacks. (Zscaler)
43. Finance and Insurance institutions saw a 78.2% reduction in phishing in 2024. (Zscaler)
44. Technology and Communication saw a 32.8% decrease in phishing attempts in 2024. (Zscaler)
45. 54% of phishing campaigns targeting consumers impersonated online software and service brands. (Microsoft)
46. The top five sectors impersonated in phishing campaigns targeting consumers are:
- Software and services (54%)
- Financial (15%)
- Retail (12%)
- Media and Entertainment (11%)
- Freight and Logistics (5%). (Microsoft)
Phishing email statistics
Email remains the most common delivery method for phishing, but tactics are diversifying. From malicious attachments to QR code phishing, this section analyzes how phishing emails are constructed, which brands and platforms are most often impersonated, and how training impacts employee detection rates.

47. Between September 15, 2024 and February 14, 2025, there was a 17.3% increase in phishing emails compared to the previous six-month period. (KnowBe4)
48. According to data from KnowBe4 Defend, 57.9% of phishing emails were sent from compromised accounts and 11.4% of those from compromised accounts were sent from within the organization's supply chain. (KnowBe4)
49. Of the phishing emails in KnowBe4’s six-month study:
- 25.9% contained an attachment
- 20% relied solely on social engineering techniques
- 54.9% contained a phishing hyperlink payload. (KnowBe4)
50. Cybercriminals either use attachments to deliver their payload or direct their victims to phishing websites. The most common attachment types were:
- 47% PDFs
- 11% ZIP
- 11% DOCX and DOCM
- 14% ODT
- 5% SVG attachments. (KnowBe4)
51. The most common type of payload is links to phishing websites, with an average of 3.9 hyperlinks per email. (KnowBe4)
52. According to an analysis of Microsoft Defender Threat Experts notifications, the top email phishing types are:
- Phishing URL/link (56%)
- QR code phishing (25%)
- Phishing attachment (19%). (Microsoft)
53. Cybercriminals use these five legitimate platforms most often to send phishing emails:
- Docusign
- Paypal
- Microsoft
- Google Drive
- Salesforce (KnowBe4)
54. The most impersonated brands in phishing emails are:
- Microsoft
- Docusign
- Adobe
- Paypal
- LinkedIn (KnowBe4)
55. In 2024, the majority of detected phishing e-mails (65%) targeted organizational assets. 35% were directed toward personal assets. (Statista)
56. In a survey of 7,500 end users and 1,050 IT security professionals across 15 countries worldwide, 34% of respondents reported having taken part in simulated phishing attacks. (Statista)
57. Among companies that run regular security awareness training in conjunction with phishing simulation campaigns, a median of 1.5% of employees still click on links in simulated phishing attacks. (Verizon)
58. For companies that provided recent training (within 30 days), employees reported the simulated phishing emails at a significantly higher rate (21%) than employees at companies that had not provided recent training (5%). This is a fourfold relative increase. (Verizon)
59. The impact of recent training in phishing simulation campaign click rate was much less prominent than report rate, with only 5% relative impact on each training. (Verizon)
AI phishing attack statistics
The rise of generative AI and automation is accelerating phishing’s evolution. This section explores how AI is being used to craft more convincing messages, scale polymorphic campaigns, and bypass detection systems—raising the stakes for defenders.

60. Generative AI reduces the time needed to craft a convincing phishing email from 16 hours down to only five minutes. (IBM X-Force)
61. On average, 16% of data breaches involved attackers using AI. Most of these breaches focused on human manipulation through phishing (37%). (IBM)
62. Polymorphic phishing campaigns consist of a series of almost identical emails which only differ by a small detail. 92% of polymorphic attacks utilize AI to achieve unprecedented scale. (KnowBe4)
63. In 2024, 73.8% of all phishing emails we analyzed exhibited some use of AI; that increased to 90.9% when we inspected emails that also showed polymorphic elements. (KnowBe4)
64. In 2024, at least one polymorphic feature was present in 76.4% of all phishing attacks and in 57.49% of commodity attacks (white noise phishing). Polymorphic phishing attacks are being deployed at an unprecedented scale as AI has enabled cybercriminals to execute these campaigns more efficiently. (KnowBe4)
65. According to a study of nearly 400,000 phishing emails in 2024, the majority (95%) were created by humans. A newly emerged trend of crafting phishing e-mails using AI technology was shown in only a smaller number of detected phishing e-mails, 2,785 or approximately 5%. (Statista)
66. According to a 2024 academic study of phishing email click-through rates, LLM-generated phishing messages had a significantly higher click-through rate (54%) than likely human-written phishing messages (12%). (Harvard)
67. Another 2024 academic study found detection rates for LLM-generated phishing pages were comparable to those for human-created phishing pages. This indicates that the LLM-generated phishing attacks were just as, or almost as, resilient as human-created phishing attacks with respect to anti-phishing detection. (University of Texas)
Top takeaways for organizations for 2026
The data from 2024–2025 underscores five key realities for organizations heading into 2026:
1. Phishing is diversifying, not declining
While overall phishing volumes dipped globally, it remained one of the most common and costly attack vectors. This indicates that attackers are shifting toward more targeted, high-impact campaigns, particularly against HR, finance, and payroll. The rise in vishing, QR code phishing, and other techniques also shows that adversaries are adapting to common defenses and moving beyond email alone.
2. AI is a force multiplier for phishing attacks
Generative AI is enabling threat actors to create more convincing, personalized phishing messages in minutes, automate large-scale polymorphic campaigns, and improve their odds of bypassing detection. The click-through rate for AI-crafted phishing emails is alarmingly high—more than four times that of human-written emails—indicating a need for defenses to keep pace with AI-powered attacks.
3. Training helps combat phishing attacks, but it’s not enough on its own
Regular training and phishing simulations improve reporting rates, but click rates remain stubbornly persistent. Organizations must combine awareness efforts with technical controls, incident response readiness, and automated detection and remediation to stay ahead.
4. Certain industries remain high-value targets for phishing attacks
Industries like manufacturing and education remain prime targets due to their high-value data, critical need for availability, and often weaker defenses. Even sectors that saw attack declines, like manufacturing and finance, can’t afford to be complacent or reactive—especially as attackers shift to exploiting the broader supply chain.
5. Industries with stronger compliance requirements are seeing declines in phishing attacks
The manufacturing sector—long a favorite target for phishing—saw a 16.8% decline in attacks in 2024. This improvement is likely tied to the growing adoption of security frameworks like CMMC, NIST 800-171, NIS2, and TISAX, which mandate tighter controls and better incident response readiness. As more organizations across regulated industries meet these or other security requirements, phishing rates are expected to continue to drop.
How to protect against phishing attacks
Phishing is a uniquely challenging cyber threat because it targets people, not just systems. No single solution can eliminate the risk. It takes a layered defense strategy that combines user education, strong access controls, rapid incident response, and the strategic use of automation and AI.
The following approaches, especially when combined, can help organizations stay ahead of evolving phishing tactics.
1. Strengthen employee training programs
Organizations must make phishing awareness training a regular, ongoing initiative, not just a one-time exercise. Training should cover the latest phishing tactics used by attackers, including AI-generated emails, voice-based scams, and QR code phishing.
Simulated phishing campaigns can help employees practice spotting malicious content, and targeted training for high-risk roles like finance, HR, and executives can significantly reduce the risk of a successful attack.
2. Implement layered identity and access management
Strong identity and access management (IAM) practices reduce the likelihood of phishing attacks leading to a breach. Phishing-resistant multi-factor authentication (MFA), like passkeys, should be enforced across all accounts, particularly those with remote or external access.
Organizations should also adopt the principle of least privilege, regularly review user permissions, and promptly disable dormant accounts to minimize exploitable entry points.
3. Establish a rapid incident response process
Speed is critical when a phishing attempt is detected. Organizations should maintain clear reporting channels so employees can quickly flag suspicious messages.
Incident response teams need predefined playbooks for investigating, containing, and remediating threats along with up-to-date contact lists and escalation procedures to coordinate an effective response. All this information can be formalized in a cyber incident response plan.
4. Leverage automation and AI for detection and response
Given the rise of AI-driven phishing attacks, defenders must also embrace AI in cybersecurity to keep pace. For example, automated workflows can quarantine suspected phishing emails and block malicious URLs in real time. Automated continuous monitoring can also identify unusual account activity that may signal a successful compromise.
5. Align with a recognized cybersecurity framework
Cybersecurity frameworks such as the CIS Critical Security Controls®, NIST Cybersecurity Framework, and ISO/IEC 27001 offer comprehensive, measurable approaches to mitigating phishing risk, including all the best practices above. These frameworks outline controls for account management, access control, user awareness, incident handling, and much more.
Complying with any of these widely-recognized and trusted security frameworks can help your organization close gaps in your security posture and maintain consistent security practices over time. Compliance can also enable you to meet regulatory obligations and improve customer trust, among other benefits.
Cybersecurity checklist for 2026
A single phishing email can be the first step toward a multi-million-dollar breach. The best defense is a strong, well-rounded security program that addresses phishing alongside other cyber threats.
Our Cybersecurity Checklist for 2025 (still highly relevant for 2026 and beyond) gives you a structured way to:
- Assess your organization’s current security posture.
- Identify and close gaps in your defenses.
- Strengthen policies, processes, and technical controls to withstand phishing, ransomware, and other evolving threats.
It covers best practices across identity and access management, device security, network protections, incident response, and employee awareness to help you build resilience against today’s top attack vectors.

Protect against phishing attacks with security automation and AI
Defending against phishing requires more than just awareness. It demands a coordinated, automated, and framework-driven approach.
Secureframe’s platform helps organizations implement phishing defenses faster and more effectively by:
- Automating compliance with leading frameworks like NIST 800-53, ISO 27001, and CIS Controls.
- Continuously monitoring systems for vulnerabilities and misconfigurations that attackers could exploit.
- Using AI to streamline evidence collection, vendor assessments, and remediation, reducing the manual burden on security teams while improving overall security posture.
- Delivering built-in security awareness training to keep employees alert to evolving phishing tactics.
With Secureframe, you can close phishing-related security gaps, maintain continuous compliance, and strengthen your overall security posture—without slowing down your business.
To learn more about Secureframe’s capabilities, schedule a demo with a product expert.