Phishing Facts & Statistics
Current phishing statistics, business impact, and prevention guidance for teams that need to reduce human risk without drowning people in scare tactics.
phishing/spoofing complaints reported to FBI IC3 in 2025.
total reported IC3 losses across cyber-enabled crime in 2025.
phishing attacks observed by APWG in Q2 2025.
of Microsoft-observed breaches began through phishing or social engineering.
Each stat includes context so it is not just a number on a page. Use the filters to compare email phishing, mobile phishing, human behavior, and financial impact.
| Statistic | Category | Year | Source | Why it matters | |
|---|---|---|---|---|---|
| 191,561 Phishing/spoofing was the most reported IC3 crime type in 2025. | Email Phishing Stats | 2025 | FBI IC3 2025 Internet Crime Report | This volume shows how often phishing and spoofing reach real victims. For businesses, it reinforces that email and impersonation defenses need constant testing, not one-time reminders. | |
| $215.8M Reported phishing/spoofing losses reached $215.8 million in 2025. | Financial Impact Stats | 2025 | FBI IC3 2025 Internet Crime Report | Losses tied directly to phishing and spoofing are only the reported portion. The operational damage, downtime, and follow-on fraud can be much larger for affected teams. | |
| 24,768 Business Email Compromise generated 24,768 IC3 complaints in 2025. | Financial Impact Stats | 2025 | FBI IC3 2025 Internet Crime Report | BEC attacks often start with trust: a vendor, executive, or internal finance request. Training should help employees pause, verify, and report suspicious payment workflows. | |
| $3.05B Business Email Compromise losses exceeded $3.0 billion in 2025. | Financial Impact Stats | 2025 | FBI IC3 2025 Internet Crime Report | BEC is financially severe because attackers target payment authority and timing. Finance, payroll, and executive assistants should be priority audiences for scenario-based phishing tests. | |
| 22,364 IC3 recorded 22,364 AI-related complaint descriptors in 2025. | Human Risk / User Behavior Stats | 2025 | FBI IC3 2025 Internet Crime Report | AI makes scams faster to create and easier to personalize. Employees need examples of AI-assisted phishing, voice impersonation, and fake login workflows before they see them in the wild. | |
| $893.3M AI-related IC3 complaint descriptors represented $893.3 million in reported losses. | Financial Impact Stats | 2025 | FBI IC3 2025 Internet Crime Report | AI is not just a novelty in security awareness. It is already connected to measurable financial harm, which means prevention programs should address deepfakes, synthetic messages, and automated lures. | |
| 1,130,393 APWG observed 1,130,393 phishing attacks in Q2 2025. | Email Phishing Stats | 2025 | APWG Phishing Activity Trends Report Q2 2025 | A quarterly total over one million shows phishing is not seasonal noise. Teams should plan recurring simulations and refreshed content because attacker volume remains high. | |
| 853,244 APWG observed 853,244 phishing attacks in Q4 2025. | Email Phishing Stats | 2025 | APWG Phishing Activity Trends Report Q4 2025 | Even after a quarter-over-quarter dip, APWG still recorded hundreds of thousands of attacks. Defense programs should look at long-term exposure rather than one quiet month. | |
| 1,642 APWG reported that 1,642 brands were targeted by QR-code phishing in Q2 2025. | Smishing / Mobile Phishing Stats | 2025 | APWG Phishing Activity Trends Report Q2 2025 | QR phishing moves the attack from a monitored workstation to a personal mobile device. Employees should be trained to inspect the destination before scanning or entering credentials. | |
| $83,099 The average requested wire transfer in Q2 2025 BEC attacks was $83,099. | Financial Impact Stats | 2025 | APWG Phishing Activity Trends Report Q2 2025 | BEC attackers aim for high-value transfers. A single missed verification step can create a loss large enough to justify ongoing training, reporting, and payment approval controls. | |
| 28% Microsoft reported that 28% of breaches began through phishing or social engineering. | Human Risk / User Behavior Stats | 2025 | Microsoft Digital Defense Report 2025 | This keeps people at the center of breach prevention. Technical controls matter, but users still need simple ways to recognize, report, and recover from social engineering. | |
| 3x Microsoft reported AI-driven phishing is three times more effective than traditional campaigns. | Human Risk / User Behavior Stats | 2025 | Microsoft Digital Defense Report 2025 | AI removes many of the old clues employees learned to spot, such as awkward grammar. Training should focus more on context, verification, and reporting behavior. | |
| 44% Ransomware was present in 44% of breaches in the 2025 DBIR. | Financial Impact Stats | 2025 | Verizon 2025 Data Breach Investigations Report | Ransomware is often the visible business disruption after earlier access succeeds. Phishing prevention reduces one common path that leads to extortion and operational downtime. | |
| 22% Credential abuse accounted for 22% of leading initial attack vectors in the 2025 DBIR. | Human Risk / User Behavior Stats | 2025 | Verizon 2025 Data Breach Investigations Report | Phishing often becomes credential theft before it becomes a breach. Password managers, phishing-resistant MFA, and login-page awareness help limit the blast radius. | |
| 30% Third-party involvement doubled to 30% of breaches in the 2025 DBIR. | Financial Impact Stats | 2025 | Verizon 2025 Data Breach Investigations Report | Vendor and partner compromise can make phishing look familiar. Employees should verify unexpected requests even when the sender appears connected to a real business relationship. | |
| <60 sec Verizon reported the median time for users to fall for phishing emails was less than 60 seconds. | Human Risk / User Behavior Stats | 2024 | Verizon 2024 Data Breach Investigations Report | Speed is the attacker advantage. Training should make reporting quick and obvious so users do not have to slow down a busy workday to do the right thing. | |
| 68% The 2024 DBIR reported that 68% of breaches involved a human element. | Human Risk / User Behavior Stats | 2024 | Verizon 2024 Data Breach Investigations Report | Human involvement does not mean blame. It means security teams need measurable behavior, useful coaching, and clear reporting channels. | |
| 3 Phishing was the 3rd most common initial access vector, involved in 17% of data breaches | Email Phishing Stats | 2025 | Verizon Data Breach Report (DBIR) 2025 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 35% Phishing emails reportedly succeeded in 35% of attempted attacks | Human Risk / User Behavior Stats | 2025 | Verizon Data Breach Report (DBIR) 2025 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 44% Ransomware, often delivered via phishing, was present in 44% of data breaches | Email Phishing Stats | 2025 | Verizon Data Breach Report (DBIR) 2025 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 27% Email was the attack vector in 27% of reported breaches | Human Risk / User Behavior Stats | 2025 | Verizon Data Breach Report (DBIR) 2025 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| more than 30% Phishing accounted for more than 30% of social engineering action varieties while pretexting held steady at 40% | Smishing / Mobile Phishing Stats | 2024 | Verizon Data Breach Report (DBIR) 2024 | This legacy statistic shows how phishing can move beyond traditional email. It helps teams discuss mobile, voice, and non-email attack paths in training. | |
| 100% Email comprised nearly 100% of the top action vectors within social engineering breaches | Human Risk / User Behavior Stats | 2024 | Verizon Data Breach Report (DBIR) 2024 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 65% External actors account for 65% of breaches while internal actors account for 35% of breaches (up from 20% last year, but 73% of internally caused breaches were mistaken error) | Email Phishing Stats | 2024 | Verizon Data Breach Report (DBIR) 2024 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 68% 68% of breaches involved mistaken human element errors | Human Risk / User Behavior Stats | 2024 | Verizon Data Breach Report (DBIR) 2024 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| less than 60 seconds The median time for users to fall for a phishing email is less than 60 seconds | Human Risk / User Behavior Stats | 2024 | Verizon Data Breach Report (DBIR) 2024 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 20% 20% of users reported phishing in simulation engagements, and 11% of the users who clicked the email also reported | Human Risk / User Behavior Stats | 2024 | Verizon Data Breach Report (DBIR) 2024 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 98% Carelessness appeared in 98% of breaches, making it the most common error vector | Human Risk / User Behavior Stats | 2023 | Verizon Data Breach Report (DBIR) 2023 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 43% Misdelivery (sending something to the wrong recipient) accounted for 43% of breach-related errors | Human Risk / User Behavior Stats | 2023 | Verizon Data Breach Report (DBIR) 2023 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 86% 86% of breaches involved the use of stolen credentials | Human Risk / User Behavior Stats | 2023 | Verizon Data Breach Report (DBIR) 2023 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 17% Social engineering accounted for 17% of breaches and 10% of incidents | Human Risk / User Behavior Stats | 2023 | Verizon Data Breach Report (DBIR) 2023 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 7% 7% of data breaches resulted in a median loss of $26,000 (more than double the FBI's previous reported figure of $11,500 from 2021) | Financial Impact Stats | 2023 | Verizon Data Breach Report (DBIR) 2023 | This legacy statistic shows the financial side of phishing and social engineering. It helps teams connect prevention work to losses, fraud exposure, and executive risk conversations. | |
| 24% 24% of breaches had a ransomware component | Email Phishing Stats | 2023 | Verizon Data Breach Report (DBIR) 2023 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 95% 95% of data breaches were financially driven | Financial Impact Stats | 2023 | Verizon Data Breach Report (DBIR) 2023 | This legacy statistic shows the financial side of phishing and social engineering. It helps teams connect prevention work to losses, fraud exposure, and executive risk conversations. | |
| 74% 74% of breaches involved the human element | Human Risk / User Behavior Stats | 2023 | Verizon Data Breach Report (DBIR) 2023 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 82% 82% of breaches involved the human element | Human Risk / User Behavior Stats | 2022 | Verizon Data Breach Report (DBIR) 2022 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 35% 35% of ransomware attacks are delivered via email | Email Phishing Stats | 2022 | Verizon Data Breach Report (DBIR) 2022 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| more than 60% Phishing remains one of the four main entry points to an organization, accounting for more than 60% of all social engineering attacks | Human Risk / User Behavior Stats | 2022 | Verizon Data Breach Report (DBIR) 2022 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 14% 14% of business email compromises in the United States recovered none of their financial losses | Financial Impact Stats | 2022 | Verizon Data Breach Report (DBIR) 2022 | This legacy statistic shows the financial side of phishing and social engineering. It helps teams connect prevention work to losses, fraud exposure, and executive risk conversations. | |
| 95% 95% of Business Email Compromise losses were between $250 and $984,855 | Financial Impact Stats | 2021 | Verizon Data Breach Report (DBIR) 2021 | This legacy statistic shows the financial side of phishing and social engineering. It helps teams connect prevention work to losses, fraud exposure, and executive risk conversations. | |
| 85% 85% of breaches involved the human element | Human Risk / User Behavior Stats | 2021 | Verizon Data Breach Report (DBIR) 2021 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 35% 35% of breaches in North America involved social engineering | Human Risk / User Behavior Stats | 2021 | Verizon Data Breach Report (DBIR) 2021 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 70% 70% of breaches in Asia Pacific involved social engineering | Human Risk / User Behavior Stats | 2021 | Verizon Data Breach Report (DBIR) 2021 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| over 69% Social Engineering was responsible for over 69% of breaches within the Public Administration sector | Human Risk / User Behavior Stats | 2021 | Verizon Data Breach Report (DBIR) 2021 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| Almost 100% Almost 100% of social attacks in the Public Administration sector involved phishing | Human Risk / User Behavior Stats | 2021 | Verizon Data Breach Report (DBIR) 2021 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 86% Social Engineering accounts for 86% of the breaches within the Mining, Quarrying, Oil & Gas Extraction, and Utilities industries | Human Risk / User Behavior Stats | 2021 | Verizon Data Breach Report (DBIR) 2021 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| over 75% Within the manufacturing industry, over 75% of social engineering attacks involved phishing | Human Risk / User Behavior Stats | 2021 | Verizon Data Breach Report (DBIR) 2021 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 67% 67% of breaches can be attributed to human risk: credential theft, errors, and social attacks | Human Risk / User Behavior Stats | 2020 | Verizon Data Breach Report (DBIR) 2020 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 46% 46% of organizations received malware via email | Email Phishing Stats | 2020 | Verizon Data Breach Report (DBIR) 2020 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 96% 96% of social attacks arrive via email | Human Risk / User Behavior Stats | 2020 | Verizon Data Breach Report (DBIR) 2020 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 86% 86% of breaches were financially motivated | Financial Impact Stats | 2020 | Verizon Data Breach Report (DBIR) 2020 | This legacy statistic shows the financial side of phishing and social engineering. It helps teams connect prevention work to losses, fraud exposure, and executive risk conversations. | |
| 28% 28% of breaches involved small businesses | Email Phishing Stats | 2020 | Verizon Data Breach Report (DBIR) 2020 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 27% 27% of malware incidents involved ransomware | Email Phishing Stats | 2021 | Verizon Data Breach Report (DBIR) 2021 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 22% 22% of breaches involve social attacks | Human Risk / User Behavior Stats | 2020 | Verizon Data Breach Report (DBIR) 2020 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| $1.8 billion Business E-mail Compromise (BEC) schemes resulted in an annual loss of approximately $1.8 billion for U.S. consumers and businesses | Financial Impact Stats | 2020 | 2020 FBI IC3 Report | This legacy statistic shows the financial side of phishing and social engineering. It helps teams connect prevention work to losses, fraud exposure, and executive risk conversations. | |
| over $54 million Phishing scams resulted in an annual loss of over $54 million for U.S. consumers and businesses | Financial Impact Stats | 2020 | 2020 FBI IC3 Report | This legacy statistic shows the financial side of phishing and social engineering. It helps teams connect prevention work to losses, fraud exposure, and executive risk conversations. | |
| 33% 33% of breaches included social attacks | Human Risk / User Behavior Stats | 2019 | Verizon Data Breach Investigations Report (DBIR) 2019 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 65% 65% of attacker groups used spear phishing as the primary infection vector | Email Phishing Stats | 2019 | Symantec Internet Security Threat Report (ISTR) 2019 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 29% 29% of breaches involved use of stolen credentials | Human Risk / User Behavior Stats | 2019 | Verizon Data Breach Investigations Report (DBIR) 2019 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 48% 48% of malicious email attachments are Office files | Email Phishing Stats | 2019 | Symantec Internet Security Threat Report (ISTR) 2019 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 94% 94% of malware was delivered via email | Email Phishing Stats | 2019 | Verizon Data Breach Investigations Report (DBIR) 2019 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 32% 32% of breaches involve phishing | Email Phishing Stats | 2019 | Verizon Data Breach Investigations Report (DBIR) 2019 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 64% 64% of organizations have experienced a phishing attack in the past year | Email Phishing Stats | 2018 | Check Point Research Security Report 2018 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 22% 22% of organizations see phishing as their greatest security threat | Email Phishing Stats | 2018 | EY Global Information Security Survey 2018 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 77% 77% of IT professionals feel their security teams are unprepared for today’s cybersecurity challenges | Human Risk / User Behavior Stats | 2018 | Check Point Research Security Report 2018 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 34% 34% of organizations see careless or unaware employees as a vulnerability | Human Risk / User Behavior Stats | 2018 | EY Global Information Security Survey 2018 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 59% 59% of phishing attacks in the Americas relate to finance | Financial Impact Stats | 2018 | Check Point Research Security Report 2018 | This legacy statistic shows the financial side of phishing and social engineering. It helps teams connect prevention work to losses, fraud exposure, and executive risk conversations. | |
| 70% 70% of breaches associated with a nation-state or state-affiliated actors involved phishing | Email Phishing Stats | 2018 | Verizon Data Breach Investigations Report (DBIR) 2018 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 71.4% 71.4% of targeted attacks involved the use of spear-phishing emails | Email Phishing Stats | 2018 | Symantec Internet Security Threat Report 2018 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 66% 66% of malware is installed via malicious email attachments | Email Phishing Stats | 2017 | Verizon Data Breach Investigations Report (DBIR) 2017 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 49% 49% of non-point-of-sale malware was installed via malicious email | Email Phishing Stats | 2018 | Verizon Data Breach Investigations Report (DBIR) 2018 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 43% 43% of all breaches included social tactics | Human Risk / User Behavior Stats | 2017 | Verizon Data Breach Investigations Report (DBIR) 2017 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 93% 93% of social attacks were phishing related | Human Risk / User Behavior Stats | 2017 | Verizon Data Breach Investigations Report (DBIR) 2017 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 28% 28% of phishing attacks are targeted | Email Phishing Stats | 2017 | Verizon Data Breach Investigations Report (DBIR) 2017 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 21% 21% of ransomware involved social actions, such as phishing | Human Risk / User Behavior Stats | 2017 | Verizon Data Breach Investigations Report (DBIR) 2017 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 59% Finance faced 59% of phishing attacks in the Americas | Financial Impact Stats | 2018 | NTT Security - Global Threat Intelligence Report 2018 | This legacy statistic shows the financial side of phishing and social engineering. It helps teams connect prevention work to losses, fraud exposure, and executive risk conversations. | |
| 74% 74% of cyber-espionage actions within the public sector involved phishing | Email Phishing Stats | 2018 | Verizon Data Breach Investigations Report (DBIR) 2018 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 82% 82% of manufacturers have experienced a phishing attack in the past year | Email Phishing Stats | 2018 | Check Point Research Security Report 2018 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 17% 17% of breaches were social attacks | Human Risk / User Behavior Stats | 2018 | Verizon Data Breach Investigations Report (DBIR) 2018 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 90% 90% of incidents and breaches included a phishing element | Email Phishing Stats | 2017 | Verizon Data Breach Investigations Report (DBIR) 2017 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 89% In 2016, 89% of all attacks involved financial or espionage motivations. | Financial Impact Stats | 2016 | Verizon Data Breach Investigations Report (DBIR) 2016 | This legacy statistic shows the financial side of phishing and social engineering. It helps teams connect prevention work to losses, fraud exposure, and executive risk conversations. | |
| 30% 30% of phishing messages were opened in 2016 – up from 23% in 2015. | Human Risk / User Behavior Stats | 2016 | Verizon Data Breach Investigations Report (DBIR) 2016 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 95% 95% of breaches and 86% of security incidents fall into nine patterns. | Email Phishing Stats | 2016 | Verizon Data Breach Investigations Report (DBIR) 2016 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 70% 70% of cyber attacks use a combination of phishing and hacking. | Email Phishing Stats | 2016 | Verizon Data Breach Investigations Report (DBIR) 2016 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| 63% 63% of confirmed data breaches involved weak, default, or stolen passwords. | Human Risk / User Behavior Stats | 2016 | Verizon Data Breach Investigations Report (DBIR) 2016 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 3 The top 3 industries affected by security incidents are public, information, and financial services. | Financial Impact Stats | 2015 | Verizon Data Breach Investigations Report 2015 | This legacy statistic shows the financial side of phishing and social engineering. It helps teams connect prevention work to losses, fraud exposure, and executive risk conversations. | |
| 50% 50% of recipients open emails and click on phishing links within the first hour of them being sent. | Human Risk / User Behavior Stats | 2015 | Verizon Data Breach Investigations Report 2015 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 2016 Almost half of all phishing attacks registered in 2016 were aimed at stealing a target's money. | Email Phishing Stats | 2016 | Kaspersky Lab Report 2016 | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. | |
| Fact Phishing emails include fake notifications from banks, e-payment systems, email providers, social networks, online games, etc. | Financial Impact Stats | 2016 | Kaspersky Lab Report 2016 | This legacy statistic shows the financial side of phishing and social engineering. It helps teams connect prevention work to losses, fraud exposure, and executive risk conversations. | |
| 34.9% 34.9% of all spear-phishing email was directed at an organization in the financial industry. | Financial Impact Stats | 2016 | Symantec Internet Security Threat Report 2016 | This legacy statistic shows the financial side of phishing and social engineering. It helps teams connect prevention work to losses, fraud exposure, and executive risk conversations. | |
| 55% The number of spear-phishing campaigns targeting employees increased by 55%. | Human Risk / User Behavior Stats | 2016 | Symantec Internet Security Threat Report 2016 | This legacy statistic highlights user behavior, credentials, or social engineering exposure. It supports awareness programs that measure and coach risky moments over time. | |
| 1 The APWG announced the number of observed phishing attacks in Q1 2016 was higher than any total since 2004. | Email Phishing Stats | 2016 | Anti-Phishing Working Group (APWG) | This legacy statistic adds historical context from the previous Phishing Facts page. Use it to compare older phishing trends with current attack data and keep business risk conversations grounded. |
Phishing turns trust into an attack path.
Phishing is a social engineering attack that tricks people into clicking a link, opening an attachment, scanning a QR code, approving a login, or sharing credentials. It often looks like normal work: a password reset, payment request, document share, delivery notice, or executive message.
The numbers on this page are useful because they connect phishing to the outcomes leadership cares about: credential abuse, financial fraud, ransomware, response time, and measurable human risk.
Attackers move faster now.
- AI helps attackers write cleaner messages, localize language, and personalize lures without much effort.
- Stolen credentials and compromised inboxes make fraudulent requests appear to come from trusted people.
- Smishing, vishing, and QR-code phishing move attacks outside the traditional email inbox.
- Security tools block a lot, but employees still need a quick way to recognize and report the messages that get through.
AI and mobile are changing phishing.
Modern phishing does not always look sloppy. Attackers can use AI to write believable messages, abuse legitimate services, hide links behind QR codes, and shift conversations to SMS or voice channels.
That means training needs to focus on behavior: checking context, verifying requests out of band, and reporting fast.
Costs go beyond the first click.
One phishing email can create credential theft, unauthorized payment activity, vendor compromise, ransomware exposure, and response costs. The stat table separates direct reported losses from breach and behavior indicators so teams can tell a clearer story.
Use this data when building awareness goals, executive reporting, and budget requests for prevention.
Useful next steps
- Measure user susceptibility with a free phishing test.
- Turn weak spots into coaching with cybersecurity training.
- Track behavior over time with human risk management.
- Clarify terms in the phishing glossary.
Layer defenses around people.
Phishing prevention works best when people, process, and technology reinforce each other. These controls keep the page practical instead of just alarming.
Use phishing-resistant MFA
Strong authentication reduces damage when credentials are stolen and makes fake login pages less effective.
Test with realistic simulations
Simulations help teams practice safely, measure risk, and find departments that need extra coaching.
Make reporting easy
A clear report button turns employees into sensors and gives security teams faster visibility.
Verify sensitive requests
Payment changes, password resets, and vendor requests should have out-of-band verification steps.
Common phishing statistics questions.
Short answers for leaders, security teams, and awareness program owners who need to explain why phishing remains a priority.