April 29, 2025

Phishing Statistics 2025: Attacks, Costs, AI Scams & Trends

Global phishing volume, breach impact, AI-driven scams, and industry insights

Mohammed Khalil

Phishing has evolved in 2025 from a scattershot nuisance into a sophisticated, industrialized cyber threat. In simple terms, phishing is the practice of sending fraudulent communications (often emails, but also texts, calls, and more) that impersonate trustworthy entities to trick individuals into revealing sensitive information or installing malware. It’s an old tactic, but one now turbocharged by automation and emerging tech. This year’s statistics reveal that phishing is bigger, faster, and stealthier than ever. Attack volumes remain near all-time highs, and attackers have innovated beyond the inbox, using AI-crafted lures, deepfake voices, and omnichannel scams to ensnare even savvy users.

Why do these phishing statistics matter in 2025? Because they quantify the risk and provide insight into attacker strategies. For instance, knowing that the APWG recorded over 1 million phishing attacks in Q1 2025 (the highest volume since late 2023) signals that organizations cannot let their guard down: phishing is not fading away. Similarly, understanding that the average phishing-originated breach costs $4.88M versus $4.44M overall highlights phishing as disproportionately costly and deserving of extra attention. The statistics also expose shifting tactics: the surge in QR code abuse and voice phishing tells us where defenses might be lagging. In summary, the numbers paint a clear picture: phishing in 2025 is the #1 initial attack vector for cybercrime and a linchpin for attacks ranging from ransomware to business fraud. Organizations that grasp these trends can better prioritize their security efforts, from enhancing email filters and continuous penetration testing to doubling down on user training, to blunt the impact of phishing campaigns.

What Are Phishing Statistics?

Educational infographic defining phishing statistics as quantitative measures of attack volume, success, and impact. It includes examples such as email volume, click-through rates, breach initiation, and financial loss. The image compares phishing statistics to “vital signs” of cybersecurity health and explains why they matter for risk prioritization and investment decisions.

Phishing statistics refer to quantitative measures of phishing attacks and their outcomes. These can include the volume of phishing emails or sites detected, the success rates (e.g. how often people fall for them), the financial impact of phishing-driven breaches, and the prevalence of phishing relative to other attack methods. In essence, phishing stats tell us how often these scams occur, how effective they are, and what damage they cause.

In summary, phishing statistics encapsulate the who/what/when/how of phishing attacks in numerical terms. They transform anecdotal fear (“phishing is bad”) into concrete data (“phishing caused X% of breaches, costing $Y million”), which is crucial for informed decision making in cybersecurity.

Global Overview of Phishing Trends 2024–2025

To understand phishing’s trajectory, we can compare key metrics between 2024 and 2025. Globally, phishing activity continued to rise in frequency and impact:

Metric | 2024 | 2025 | Trend
--- | --- | --- | ---
Reported phishing attacks (annual) | ~3.8 million (est.) | ~4.2 million (est.) | Increase; new record highs each quarter.
Phishing attacks (Q2 only) | 932,923 (Q2 2024) | 1,130,393 (Q2 2025) | +21% YoY; significant jump in volume.
Share of breaches starting with phishing | 14% (2024, approx.) | 16% (2025) | Slight increase; phishing now the top initial vector.
Global avg. data breach cost | $4.74M (2024) | $4.44M (2025) | -6%; overall breach costs dipped as AI defenses improved.
Avg. breach cost (phishing origin) | ~$4.5M (2024, est.) | $4.88M (2025) | Increased; phishing breaches cost more than average.
U.S. breach cost (all vectors) | $9.48M (2024) | $10.22M (2025) | +8%; highest ever, U.S. costs keep rising.
Global BEC losses (annual) | ~$2.7B (2024) | ~$2.8B+ (2025, proj.) | Rising; BEC remains a multi-billion dollar problem.
Ransomware in breaches | ~32% of breaches (2024) | 44% of breaches (2025) | Increase; ransomware more common, often phishing-enabled.

The total number of phishing attacks in 2025 is on pace to exceed 4 million globally, based on APWG’s quarterly reports (Q1–Q3 combined). Phishing’s role as an initial access vector ticked up to 16%, reclaiming the top spot it held some years ago. Interestingly, IBM’s data shows the overall average cost of a breach actually declined slightly to $4.44M (attributed to faster response times with AI), but phishing-related breaches bucked that trend, with costs pushing almost $4.9M on average. This indicates phishing incidents tend to be harder to contain, leading to more expensive fallout. Meanwhile, the U.S. saw breach costs cross the eight-figure mark ($10M+), reflecting strict regulations and legal costs. Finally, the integration of phishing with other crimes is evident: business email compromise and ransomware losses are climbing, fed in many cases by access obtained through phishing.

Overall, the global trend from 2024 to 2025 is clear: phishing volume and its consequences are escalating. Attackers sent more phishing lures than ever, and those lures more frequently led to major incidents. While some defensive gains (like wider AI usage) helped trim average breach costs slightly, the costs associated with phishing in particular rose, highlighting that phishing remains an acute risk that outpaces many other threats.

Cost and Impact Breakdown

Phishing attacks carry a steep price tag for organizations, not just in money stolen directly but in the broader costs of breaches, business disruption, and recovery efforts. Here we break down some key financial and operational impact metrics for phishing-related incidents:

Indicator | 2025 Value | Trend / Context | Source / Notes
--- | --- | --- | ---
Avg. cost of a phishing-driven data breach | $4.88 million | Highest among common breach vectors; above the $4.44M global average. Phishing breaches tend to linger ~254 days before containment, increasing cost. | IBM 2025 report (comprehensive study of breach costs).
Avg. cost of a data breach (global) | $4.44 million | Slight decrease from 2024 ($4.74M). Use of AI/automation saved ~$0.3M–$0.5M per incident on average. | IBM 2025 (all industries, all vectors).
Avg. cost of a data breach (U.S.) | $10.22 million | All-time high; U.S. breaches cost >2× the global average. Strict regulations (e.g. notification laws, fines) drive costs up. | IBM 2025 (U.S. regional average).
Business Email Compromise losses (U.S.) | $2.8 billion (2024 annual) | Rising trend; BEC is the costliest cybercrime type after investment fraud. Cumulative $8.5B lost 2022–2024. | FBI IC3 2024 report (reported BEC fraud losses).
Average loss per BEC incident (U.S.) | $137,000 | Up 83% since 2019 (was ~$75k). Attackers extract more money per scam now, even if the volume of BEC incidents is steady. | FBI IC3 data via Chargebacks911 analysis (2025).
Median ransomware payment (global) | $115,000 | Decreasing; down from ~$150k the prior year. More victims refuse to pay (64% didn’t pay in 2024). | Verizon DBIR 2025 (median of paid ransoms).
% of victims paying ransom | ~36% pay (64% refuse) | Victim resolve hardening; non-payment up from ~50% refusing in 2022. This pressures attackers to steal data to leverage double extortion. | Verizon DBIR 2025.
Cost of ransomware breach (incl. response) | ~$5.08 million | High impact; when attackers publicly leak or extort, breach costs jump (lost business, legal, etc.) vs ~$4.18M if contained internally. | IBM 2025 (cost when the attacker announces a breach).
Incident lifecycle (phishing vs others) | 254 days (phishing) vs 204 days (overall) | Phishing-related breaches take the longest to detect and contain, often because stolen credentials give stealthy access; ~50 days slower than the average breach. | IBM 2025 analysis.

Phishing has an outsized financial impact. A single successful phish can lead to a multi-million dollar breach. Notably, phishing often compromises valid user credentials, which attackers then use to quietly navigate systems for months, hence the ~254-day incident lifecycle. The longer a breach goes undetected, the more costly it becomes: breaches contained in under 200 days cost ~$3.87M, whereas those taking more than 200 days cost ~$5.01M. Unfortunately, phishing breaches skew toward the latter category.

Business Email Compromise deserves special mention: unlike malware-centric phishing, BEC is all about social engineering and fraudulent payments. The stats show that fewer BEC attempts are being reported and the number of FBI complaints is relatively flat, but the amount lost per scam has skyrocketed. This implies that BEC actors are focusing on bigger scores, for example tricking a company into wiring six or seven figures in one go. A single BEC incident can easily cost an SMB or even a mid-size enterprise hundreds of thousands of dollars in direct loss, which can be existential.

Ransomware, often enabled by phishing, imposes both direct costs (ransom or data-leak payments) and indirect costs (forensic investigation, system rebuilds, and downtime). Even though more victims are wisely choosing not to pay ransoms (nearly two thirds now refuse), the overall cost of ransomware incidents remains extremely high. Whether or not a ransom is paid, companies face major recovery expenses that often exceed the ransom demand itself.

In summary, the cost breakdown reinforces that phishing isn’t just an IT annoyance; it’s a multi-million dollar risk. From the boardroom perspective, investing in prevention (email security, training, backups, penetration testing engagements, etc.) is justified by the potential to avoid those $4–5 million cleanup bills and fraud losses.

Attack Vector & Delivery Method Distribution

While email remains the primary avenue for phishing, 2025’s threat landscape saw phishing attacks diversifying across multiple vectors. Here’s a breakdown of how phishing lures are delivered:

Vector / Method: Email Phishing (classic)
Prevalence: Dominant (≈70–80% of phishing campaigns)
Impact Level: High (still the #1 vector)
Notes: Most phishing attacks still arrive via email in some form. Secure Email Gateways block billions of these, yet APWG recorded ~1M+ phishing emails per quarter reaching users. Generative AI has supercharged email phishing, enabling highly convincing, personalized scam emails at scale. Almost all major breaches start with a malicious email attachment or link.

Vector / Method: SMS Phishing (Smishing)
Prevalence: Significant (~10–15% est. and growing)
Impact Level: Medium–High
Notes: Phishing via text message surged in 2025. Smishing grew ~19% globally, and in certain quarters (e.g. Q3) SMS-based fraud jumped ~35%. Attackers target the ubiquity of smartphones and the fact that users tend to trust text notifications. Smishing often impersonates banks (“verify your account”) or package delivery notices. It’s effective because mobile devices may lack the robust filtering of corporate email, and users are more likely to click links on the go.

Vector / Method: Voice Phishing (Vishing)
Prevalence: Rapidly rising, but still <5% of total phishing attempts by volume
Impact Level: High (high success rate when employed)
Notes: Vishing exploded in frequency: various reports show +260% to +449% YoY increases in voice-based phishing calls in 2025. Attackers are leveraging cheap AI voice cloning to leave voicemails or call in real time, impersonating executives or IT support. While still less common than email, vishing can be devastating: victims are often caught off guard on a phone call. One infamous case involved criminals deepfaking a CFO’s voice on a Zoom call to authorize a $25M transfer. Vishing is frequently combined with email (e.g. an email says to call this number to resolve an issue), a so-called TOAD attack. Because it bypasses technical controls (there is no malicious link to scan), vishing success rates are alarmingly high once a conversation starts.

Vector / Method: QR Code Phishing (Quishing)
Prevalence: Emerging (<5%, but spiking in use)
Impact Level: Medium (rising)
Notes: Quishing involves emailing a QR code image, or placing it on physical media, that when scanned directs users to a malicious site. This tactic skyrocketed in late 2024/2025. Over a 6-month period, security researchers saw 1.7+ million unique malicious QR codes and about 2.7 million QR code phishing emails sent daily. By hiding the URL in an image (the QR code), attackers evade text-based filters. The method also pushes users to switch devices (e.g. scan with a phone), sidestepping protections on their work PC. Quishing commonly impersonates things like MFA authenticator setup QR codes, parcel pickup codes, or parking meter receipts to trick users.

Vector / Method: Social Media & IM Phishing
Prevalence: Expanding (estimated ~5–10% of phishing attempts, often overlapping with email campaigns)
Impact Level: Medium
Notes: Phishers increasingly exploit social media, messaging apps, and collaboration platforms. Approximately 40% of phishing campaigns now extend beyond email to platforms like WhatsApp, Slack, Teams, or LinkedIn. For example, an attacker might send an initial email, then follow up with a direct message on LinkedIn to build credibility (“Hi, I emailed you the document, please review ASAP”). 90% of messaging app phishing occurs on WhatsApp due to its global user base and trust in end-to-end encryption. Social media phishing often takes the form of cloned login pages via DMs or posts (“You won a prize, log in here”). While not as automated as email, these channels bypass some corporate protections and prey on personal trust.

The lines between these vectors are blurring. Modern phishing campaigns are often multi-stage and multi-channel. For instance, an attacker might send an email with no link to avoid filters, but instruct the target to call a number (vishing) or open an attached image of a QR code (quishing). This trend of omnichannel phishing is one of the standout developments in 2025. The goal is to surround the target with the scam on whatever medium they use, increasing the chances someone will slip up.

Email is still king in sheer volume: it's trivial for attackers to blast out millions of emails, and despite improvements, a small percentage will always get through filters or be clicked by users. However, as companies hardened email gateways, attackers responded by shifting to softer targets: personal phones, SMS, voice, and trusted cloud services. Notably, 43% of phishing campaigns in 2025 hid their malicious content on legitimate cloud platforms (Google Drive, Dropbox, SharePoint, etc.) to piggyback on those domains’ good reputation and evade URL blacklists. This means an email might contain a seemingly benign Google Drive link which then leads to a phishing page, a tricky evasion that requires advanced detection.

In summary, organizations need to defend a broad attack surface when it comes to phishing: not just the corporate inbox, but SMS, voice calls, cloud apps, and even physical-world vectors (a malicious QR code on a posted flyer). A layered security approach is needed, combining technical controls with user awareness across all these communication methods.

Industry Impact Analysis

Sector-by-sector infographic showing how phishing affected manufacturing, financial services, SaaS, healthcare, retail, and technology. It highlights ransomware risk in manufacturing, fraud in finance, credential compromise in SaaS, high damage in healthcare, consumer trust erosion in retail, and platform-scale risk in tech. Concludes that phishing is universal but impact is industry-specific.

Phishing is a universal threat, but some industries are targeted more aggressively, often because of the data or money they hold or their propensity to pay ransoms. Below we analyze how different sectors fared in 2025:

In summary, every industry is a target, but the tactics and stakes differ. Financial orgs worry about direct theft and wire fraud, manufacturing about ransomware downtime, healthcare about life-and-death service impact, and tech about platform abuse. Phishers often customize lures per industry: e.g., a phishing email to a finance firm might impersonate the SEC or a big client, whereas one to a manufacturer might impersonate a parts supplier or even the CEO with an urgent request. Understanding these nuances helps companies tailor their defenses. All sectors, however, share one reality: the human element is common across them, meaning a well-crafted phishing email can slip past technology and fool an employee anywhere, from a bank teller to an IT administrator. Hence, across industries, the focus is increasingly on reinforcing that human layer of defense.

Regional Breakdown

World-region infographic showing how phishing tactics differ globally. North America and Europe are dominated by email and business email compromise, APAC by SMS and mobile app phishing, LATAM by WhatsApp and rapid attack growth, and MEA by government- and finance-themed phishing. The graphic notes that phishing is global but tactics are regionally adapted.

Phishing is a global problem, but its prevalence and characteristics vary by region. Here’s a snapshot of regional phishing trends and notable points in 2025:

In summary, phishing respects no borders, but regional differences in language, culture, and technology adoption create unique challenges. A tactic that succeeds in one region (e.g., heavy SMS use in APAC, WhatsApp in LATAM, email in NA/Europe) will be replicated by attackers there. It’s crucial for global organizations to tailor anti-phishing training and controls to local contexts. What tricks a user in one country may not fool another, and vice versa. Collaboration between international CERTs and law enforcement is also key, as many phishing rings operate across continents (for example, Eastern European criminals phishing North American targets, or West African BEC groups targeting Europe). The stats clearly show every region is under phishing assault, just via different flavors.

Major Incidents and Phishing Campaigns of 2025

Infographic summarizing notable phishing campaigns in 2025, including an AI deepfake business email compromise scam, large-scale domain farming, phone-based phishing attacks, phishing-enabled ransomware, MFA bypass kits, and supply-chain phishing. Key takeaway: phishing is multi-channel, trust-based, and often the starting point for larger attacks.

In 2025, rather than a single mega breach defining the year, it was a series of persistent campaigns and novel tactics that characterized the phishing threat landscape. Here we highlight some notable patterns and incidents:

In essence, 2025’s major phishing incidents were less about singular headline breaches and more about the evolution of techniques and the accumulation of many medium-sized breaches that were incredibly costly. The through-line is phishing as the common denominator: whether it’s ransomware, financial fraud, or espionage, phishing often sets the stage. The year taught us that phishing is no longer just a Nigerian prince asking for help; it could be an AI-crafted CEO’s voice on the phone, a QR code on a parking ticket, or a seemingly benign email from a colleague’s real account. The incidents and campaigns this year hammered home the need for holistic vigilance.

Emerging Trends in Phishing

Trend analysis infographic showing generative AI as a force multiplier, omnichannel phishing campaigns, phishing-as-a-service automation, credential and session theft, and highly targeted spear-phishing. It emphasizes that phishing is shifting from malware delivery to identity compromise and strategic social engineering.

As we look to the future, several emerging trends from 2025 indicate where phishing is headed in 2026 and beyond:

In summary, we can expect phishing to become more believable, more pervasive, and more adaptive. The lines between phishing and other forms of cyberattack will blur further. Is it phishing or fraud? Phishing or hacking? It often starts with phishing and turns into all of the above. Organizations will need to invest in smarter defenses (like behavioral AI that notices anomalies in user actions) and stronger user training to keep up with these trends. The stats and developments from 2025 are a clear forewarning of the shape of phishing in the near future.

What These Statistics Mean

Infographic titled “Phishing as a Strategic Business Risk (2025): Executive Insights.” It presents phishing as the primary catalyst for breaches and ransomware, driven by human error and attacker industrialization. Key points include attackers scaling operations like businesses, traditional defenses being bypassed, rising financial costs of inaction, and brand impersonation targeting user trust. The graphic emphasizes phishing as an enterprise-wide business risk requiring integrated technology, training, identity controls, and verification culture.

Digesting all these statistics, one might ask: so what? What do these numbers tell us beyond “phishing is bad”? Here’s the deeper meaning and strategic insight behind the stats:

  1. Phishing is the Primary Catalyst of Cyberattacks: The fact that phishing is the leading initial attack vector (16% of breaches) and is involved in the majority of major incidents means that if you stop phishing, you stop a huge chunk of cyber threats before they start. In practical terms, phishing is the trigger for ransomware, BEC, data breaches, etc. The stats link phishing to 54% of ransomware cases and a large share of BEC scams. This means organizations should prioritize anti-phishing measures as a form of preventative medicine against multiple categories of attacks. It’s the highest-leverage defense. If you can shrink that 16% of breaches to, say, 5%, you knock out a lot of downstream incidents.
  2. The Human Firewall is Under Siege: With 68% of breaches involving human error or social engineering, the human element is clearly still a major vulnerability. The average employee’s likelihood to click a phishing link (often ~30% in tests), combined with click times measured in seconds, shows that technical controls alone aren’t enough, and humans, unlike software, can’t be patched easily. However, the flip side of the stats is hopeful: organizations that invested in training saw up to an 86% reduction in phishing risk over a year and much higher report rates. In essence, people can be transformed from liabilities into assets with proper awareness and practice. The meaning here is that security strategies must devote serious effort to user education and engagement, not just fancy AI filters. Every employee should be considered part of the security team once properly trained.
  3. Attackers are Investing in Scale and Sophistication: The numbers around malicious domains (1.5 million+ domains used for phishing, a 38% rise), bulk registrations (37% via bulk services), and the explosion of new vectors (QR, voice, etc.) all paint a picture of adversaries who are innovating and scaling up like a business would. They have more infrastructure, more automation (PhaaS, AI), and more techniques to evade detection. This indicates that phishing is not the work of isolated amateurs; it’s often organized cybercrime and even nation-state backed operations. For defenders, this means we’re up against agile, well-resourced opponents. We need to respond with equal agility: sharing threat intel, deploying modern defense tools, and thinking like attackers to anticipate their moves, for example by conducting regular web application security testing to see how a phish could pivot within your environment. The statistics basically validate that phishing is a professional enterprise now, so treat it as such in risk assessments.
  4. Traditional Defenses Are Being Challenged: If 9% of AI-generated phishing emails still bypass filters, or if many users are scanning QR codes that email scanners can’t analyze, it shows the limits of our existing security stack. Organizations that relied on email gateways and antivirus alone are missing whole swathes of the attack surface (texts, social media, personal email, etc.). The rise in multi-channel attacks means security can’t operate in silos: e.g., the team that handles email security must coordinate with the team handling mobile device management and the one handling voice/VoIP systems. The stats about MFA bypass also suggest that even our advanced protections like 2FA are being worked around. This doesn’t mean those defenses are useless; it means layers and context are critical. We should not throw out MFA because phishers bypass some of it; instead, we must augment it with phishing-resistant methods and user training about not approving unexpected prompts. The broad implication is a need for a more holistic, integrated security posture, one that monitors and protects identities, devices, and communications comprehensively (often referred to as a unified threat management approach or XDR).
  5. The Cost of Inaction is Climbing: With breach costs reaching record highs and BEC losses in the billions, the statistics essentially make a business case: security investments now are cheaper than breach losses later. For example, compare the $4.88M average breach cost to the cost of implementing a top-notch security awareness program and phishing-resistant MFA; the latter is a fraction of that amount. Similarly, losing $2.8B to BEC in a year vs. investing perhaps a few million across industries in better email validation (like DMARC enforcement) and transaction verification controls: the ROI is clear. The upward trend in ransom demands that were attempted at $83k to $ variant growth suggests attackers will keep trying to increase their payouts. Organizations that don’t improve their defenses will be seen as soft targets and could be hit repeatedly; indeed, some companies suffer multiple phishing breaches. The meaning behind the money is simple: security is no longer just an IT issue, it’s a business continuity and financial risk issue. Boards and executives should take these stats as evidence to support funding and strategic shifts (like moving to a Zero Trust model, segmenting networks to mitigate phishing impact, etc.).
  6. User Trust is Being Exploited in New Ways: The trends around brand impersonation (Microsoft, DHL, etc.) and new channels tell us that attackers continuously pinpoint where users’ implicit trust lies. Users trust their company’s voicemail? Attackers clone a voice. Users trust a brand’s logo and look? Attackers copy it to a tee in a phishing site. Trust in QR codes or MFA apps? Attackers abuse that. Essentially, phishing stats highlight trust and human nature at the core. Knowing this, organizations should foster a culture of healthy skepticism. The old advice of checking for spelling errors is outdated; now it’s to verify requests through a second factor or channel. The human psychology aspect is key: stats on rapid click times (seconds to click vs. minutes to report) show people act on impulse, so training needs to instill that pause-and-think reflex. Also, given how convincingly phishers can impersonate internal communications, companies might need to implement more technical validation (like code words for high-level requests, or signed emails for critical communications) so employees can distinguish real from fake. The meaning here is that building resilience against deception is an organizational priority, not just a technical tweak.

In sum, these statistics underscore that phishing is not a static or solved problem; it’s evolving and expanding, touching all areas of an organization. They emphasize the need for a multi-faceted defense strategy: technological (better filtering, authentication, network segmentation), human (training, simulations, hiring skilled responders), and procedural (policies for verification, incident response drills). The numbers also validate many best practices: those who did X (like using AI or training) fared better than those who didn’t. So we should heed those lessons. Big picture: phishing stats are a barometer of cyber risk; right now the pressure is high and rising, indicating storms ahead if we don’t reinforce our defenses.

Best Practices Informed by the Data

Infographic outlining seven best practices for reducing phishing risk in 2025, including advanced email security, phishing-resistant MFA, continuous security awareness training, stricter verification for high-risk transactions, phishing incident response readiness, attack surface visibility, and user-focused anti-phishing tools. Emphasizes layered defenses combining technology, identity controls, and human awareness.

Given what the 2025 phishing statistics are telling us, organizations should adapt their security controls and practices accordingly. Here are some data-driven best practices to mitigate phishing risk:

  1. Implement Advanced Email Security & Filtering: Basic spam filters are not enough when facing millions of phishing emails, many crafted by AI. Consider next-gen Secure Email Gateways (SEGs) or cloud email security add-ons that use machine learning to analyze not just known-bad links, but email content and context. Many solutions now do natural language processing to detect phishing intent (e.g., an email asking for a payment or credentials when it usually wouldn’t). The goal is to catch more of those 9% of sneaky emails that currently slip past filters. Additionally, use DMARC, DKIM, and SPF email authentication to reduce spoofed emails using your domain; this helps prevent attackers from impersonating your organization in phishing attempts. Regularly tune and update filter policies based on what’s trending: for example, if QR code phishing is rising, enable any filter features that can detect images of QR codes or use computer vision to analyze them.
  2. Adopt Phishing-Resistant Multi-Factor Authentication: Given the prevalence of credential phishing and the fact that many kits bypass basic MFA, move toward phishing-resistant MFA methods. This includes using FIDO2 security keys or hardware tokens that cannot be phished via a fake site (they are bound to the real domain). If hardware keys for all employees aren’t feasible, at least enforce app-based authenticators over SMS codes (SMS being easier to phish or intercept). Educate users: if they get an unexpected MFA prompt on their phone, do not accept it; it could be an attacker trying your password. Some organizations implement number matching (the user types a number shown on the login device into their phone), which can thwart automated prompt bombing. Stats show 15% of phishing attacks tried some form of MFA bypass; to counter that, Zero Trust principles should be applied: don’t assume a logged-in session is legitimate just because MFA was passed, monitor sessions for anomalies and re-challenge if needed.
  3. Continuous Security Awareness Training & Phishing Simulations: The data on training efficacy is compelling (up to 86% risk reduction in a year with proper programs). Therefore, invest in a robust Security Awareness Training (SAT) program that is ongoing, not just an annual video. Use simulated phishing exercises frequently (at least monthly) to test and reinforce behavior. Make the simulations varied: include emails, SMS, and voice if possible to cover multiple vectors. Track metrics like click rates and report rates, and provide positive reinforcement to those who report phish. Remember the stat: trained users are 4x more likely to report phishing attempts than untrained ones. Build that reporting culture and it serves as an early warning system. Also, tailor training to new threats; e.g., after news of the deepfake CFO scam, run a workshop on verifying identities over video calls. Gamify the training if possible (departments earn points for reporting phish, etc.) to encourage engagement. The goal is to change that median click time from 21 seconds to never, and the report time from 28 minutes to a few minutes.
  4. Tighten Verification Procedures for High-Risk Transactions: Business Email Compromise thrives because companies lack out-of-band verification for things like wire transfers, vendor bank detail changes, and large payments. Implement strict procedures: if any employee receives an email, Teams message, or phone call requesting a financial transaction or sensitive data, they must verify through a second, independent channel. For example, if the CEO emails Finance to wire money, require a phone call to the CEO’s known number for confirmation, and vice versa: if someone calls, require an email or internal portal confirmation. The staggering average BEC loss of $137k could be chopped down if every attempted scam were caught by a verification step. Similarly, train staff to never accept account changes (like changing a vendor’s bank account) without verification. Many companies now use code phrases or shared secrets with vendors for confirming changes. Essentially, don’t rely on email alone for authorization of important actions. This mitigates both BEC and phishing-induced fraud.
  5. Incident Response: Prepare for Phishing Breaches: Given the long dwell times and high costs, it’s critical to have an efficient plan for detecting and responding to phishing incidents early. This includes deploying endpoint detection and response (EDR) tools that can quickly catch malware from a clicked phishing link, as well as network monitoring for unusual logins (e.g., an employee logging in from an IP in another country after a potential phish could indicate compromised credentials). Regularly run drills: simulate a phishing breach scenario (an employee fell for a phish; now what steps do the IT and security teams take?). Have playbooks for containing account takeovers (e.g., how to rapidly revoke OAuth tokens, reset accounts, etc.), since many breaches involve stolen credentials. Also, ensure you have backups and recovery plans that specifically consider ransomware scenarios, since phishing so often leads there. The stat that breaches past 200 days cost $5M vs $3.8M if caught earlier is a $1.2M incentive to improve your detection speed. Use the fact that median report time is 28 minutes: encourage immediate reporting and have your security operations center treat every phishing report with urgency; it could be the tip of an iceberg. Over time, measure and aim to reduce your phishing dwell time (between a phish click and remediation).
  6. Broader Attack Surface Visibility and Testing: With phishing expanding to cloud apps, personal devices, etc., it’s important to have visibility into your attack surface. This means knowing which SaaS apps your users are using (shadow IT can be an entry point) and monitoring for data leaks or stolen credentials (services that scan the dark web for your users’ emails in combo lists, for instance). Conduct penetration testing or red team exercises that specifically include phishing scenarios; this will highlight where you might lack controls (e.g., testers might find they can get in via a helpdesk phishing call, revealing a process gap). Consider engaging continuous penetration testing services that regularly probe your systems and employees for susceptibility, rather than a one-off test. Additionally, ensure that you’ve segmented networks and enforced least-privilege access internally so that if a phish does succeed, the damage is contained. For example, an employee in Finance getting phished shouldn’t be an instant domain admin takeover; segment and limit access to reduce the blast radius.
  7. Implement User Focused Tools: Deploy some tools that empower users in the fight. One example is an email client plugin or one click button for Report Phish that forwards the email to security for analysis making it easier to report than to ignore. Another is using browser plugins that can detect fake URLs or known phishing sites and warn users some companies enforce safe browsing extensions. You could also utilize password managers to enter credentials only for the legitimate site. If a user clicks a phishing link, the password manager won’t autofill because the domain won’t match, which can prompt the user to realize something’s off. Some organizations have had success with external email banners to remind users an email came from outside the company. This doesn’t stop phishing, but it gives a visual cue that, say, an email that claims to be from the CEO but has the external banner is suspicious. Finally, consider anti phishing training for customers if relevant e.g., banks training their customers on scams because your security is also as strong as your user base in many cases.
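Two of the points above lend themselves to code: the "unusual login after a potential phish" monitoring in item 5, and the domain matching rule that makes a password manager refuse to autofill on a lookalike site in item 7. The block below is an added example, not code from the article or from any vendor product. It works on constructed sign-in events and constructed URLs, uses a five-entry stand-in for the Public Suffix List (the real list has thousands of entries), and the two-hour "impossible travel" and 24-hour "near a phishing report" windows are assumed thresholds you would tune for your environment.

```python
"""Added example: (a) flag suspicious sign-ins and escalate those near a phishing
report; (b) the registrable-domain check behind password-manager autofill.
All data here is constructed; this is not code from the original article."""
import json
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# --- (a) sign-in anomaly detection -------------------------------------------

# Constructed authentication events (JSON lines), one per sign-in attempt.
SAMPLE_AUTH_LOG = """\
{"ts": "2025-04-28T08:02:11Z", "user": "alice", "ip": "203.0.113.10", "country": "US", "result": "success"}
{"ts": "2025-04-28T08:40:00Z", "user": "bob",   "ip": "203.0.113.22", "country": "US", "result": "success"}
{"ts": "2025-04-28T09:15:43Z", "user": "alice", "ip": "198.51.100.77", "country": "NL", "result": "success"}
{"ts": "2025-04-28T09:20:05Z", "user": "bob",   "ip": "203.0.113.22", "country": "US", "result": "success"}
{"ts": "2025-04-28T11:02:30Z", "user": "carol", "ip": "192.0.2.9",    "country": "DE", "result": "failure"}
{"ts": "2025-04-28T11:03:10Z", "user": "carol", "ip": "192.0.2.9",    "country": "DE", "result": "success"}
"""
# Constructed: users who pressed "Report Phish" and when.
SAMPLE_PHISH_REPORTS = {"alice": "2025-04-28T08:50:00Z"}
# Constructed: countries each user normally signs in from (e.g. last 30 days).
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"DE"}}

IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)   # assumed threshold
PHISH_REPORT_WINDOW = timedelta(hours=24)       # assumed threshold, before or after the report


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_auth_log(text):
    """Parse JSON-lines sign-in events and sort them chronologically."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = parse_ts(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect_suspicious_logins(events, baseline, phish_reports):
    """Alert on successful sign-ins from a new country or with impossible travel;
    escalate to high severity when the user reported a phish within the window
    (credential theft often precedes the report, so the window is two-sided)."""
    alerts, last_success = [], {}
    for e in events:
        if e["result"] != "success":
            continue
        user, country, ts = e["user"], e["country"], e["ts"]
        reasons = []
        if country not in baseline.get(user, set()):
            reasons.append(f"new country {country}")
        prev = last_success.get(user)
        if prev and prev["country"] != country and ts - prev["ts"] < IMPOSSIBLE_TRAVEL_WINDOW:
            reasons.append(f"impossible travel {prev['country']}->{country} in {ts - prev['ts']}")
        if reasons:
            severity = "medium"
            reported = phish_reports.get(user)
            if reported and abs(ts - parse_ts(reported)) <= PHISH_REPORT_WINDOW:
                severity = "high"
                reasons.append("user reported a phish within 24h")
            alerts.append({"user": user, "ts": ts.isoformat(), "ip": e["ip"],
                           "severity": severity, "reasons": reasons})
        last_success[user] = e
    return alerts


# --- (b) password-manager style origin matching --------------------------------

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}  # constructed stand-in for the PSL


def registrable_domain(host):
    """eTLD+1 of host (login.microsoft.com -> microsoft.com), or None if unknown."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest public suffix wins: co.uk before uk
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None  # IP literal or unknown suffix: never guess a match


def autofill_decision(url, vault):
    """vault maps registrable domain -> saved username. Returns (allowed, reason)."""
    parts = urlsplit(url)
    host = parts.hostname  # drops userinfo/port and lowercases: "a.com@evil.net" -> evil.net
    if host is None:
        return False, "no host in URL"
    if parts.scheme != "https":
        return False, "not https; credentials would travel in the clear"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"internationalized host {host}: verify the site manually"
    site = registrable_domain(host)
    if site is None:
        return False, f"no known public suffix for {host}"
    if site not in vault:
        return False, f"no credentials saved for {site}"
    return True, f"fill {vault[site]} for {site}"


VAULT = {"microsoft.com": "alice@example.com"}  # constructed vault entry

if __name__ == "__main__":
    for a in detect_suspicious_logins(parse_auth_log(SAMPLE_AUTH_LOG), BASELINE_COUNTRIES, SAMPLE_PHISH_REPORTS):
        print(a["severity"].upper(), a["user"], a["ip"], "; ".join(a["reasons"]))
    for u in ("https://login.microsoft.com/common/oauth2/authorize",
              "https://microsoft.com.account-verify.com/login",
              "https://login.microsoft.com@203.0.113.5/"):
        print(u, "->", autofill_decision(u, VAULT))
```

On the constructed data only alice's 09:15 sign-in from NL fires (new country, impossible travel from her 08:02 US session, and a phishing report 25 minutes earlier), which is exactly the event a SOC should pull forward in the queue. The autofill check shows why a manager keyed on the registrable domain stays silent on `microsoft.com.account-verify.com` and on a URL whose userinfo part merely looks like the brand.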

By aligning security practices with the hard data, an organization builds a defense strategy that’s based not on hypothetical threats but on the attacks that are actually happening every day. The statistics from 2025 essentially highlight where to focus: improve human vigilance, block the common paths (email, SMS), have a plan for when prevention fails, and keep adapting. Phishing may never be fully eradicated, but its success can be drastically limited by layered, informed defenses that address both the human and technical facets of the problem.

FAQs

Various reports show that phishing is the single most common entry point for cyber attacks. In the 2025 Verizon Data Breach Investigations Report, phishing was the initial attack vector in about 16% of data breaches, more than any other vector. Additionally, IBM noted that if you include related human errors and stolen credentials (often obtained via phishing), the human element is involved in 68% of breaches. In practice, this means a significant portion of cyber attacks (some analysts say over half) have phishing as a component, especially for major incidents like ransomware or BEC.

It’s difficult to get an exact count of all phishing emails globally, but we have some indicators. The Anti Phishing Working Group (APWG) tracks unique phishing sites rather than every email. They observed over 1 million phishing attacks in each of Q1 and Q2 2025, which suggests an annualized rate of ~4 million distinct phishing campaigns. As for daily email volume: Google has reported blocking 100 million phishing emails per day on Gmail in the past. One specific stat from late 2024/early 2025: security filters saw an average of 2.7 million phishing emails with QR codes sent per day (just those containing QR codes!). These numbers indicate that tens of millions of phishing emails are likely sent globally each day, if not more, when you include all platforms.

The success rate can be measured in different ways: the percentage of people who click, or the percentage of campaigns that lead to a breach. In internal phishing simulations, a common metric is the Phish Prone Percentage (PPP). Across industries, the baseline untrained PPP is often around 30%, meaning roughly 3 in 10 employees might click a well crafted phishing link or open a malicious attachment. With training, this can drop to under 5% in the best cases. In real world attacks, Verizon’s data suggests that about 4% of people will click on any given phishing campaign on average, but certain targeted campaigns have much higher success (e.g., a very convincing spear phishing email could trick 50% of recipients). In terms of breaches, if phishing causes 16% of breaches, that implies that out of all phishing campaigns launched, only a small fraction succeed in causing a reportable breach, because there are millions of attacks. However, phishers play a volume game: even a 1% success rate on a million emails yields 10,000 victims. Specific scams like BEC have lower open rates but higher impact per success. For example, in 2024 there were ~21,000 reported BEC incidents out of presumably hundreds of thousands of BEC phishing attempts, indicating maybe <10% success in getting someone to engage, but that’s enough to steal $2.8B. In short, general phishing often has a single digit percentage success rate per email sent, whereas highly targeted phishing can succeed with just one hit out of a hundred attempts if it lands on the right person.

Phishing has become more effective and harder to detect with AI’s help. Generative AI models allow attackers to produce flawless, customized phishing messages in seconds, where it used to take significant time, and non native English often gave them away. AI can generate convincing dialogue for impersonating tech support chats, create fake but realistic images (like a deepfake invoice or a synthetic ID), and even clone voices for vishing. Statistics show over 80% adoption of AI in phishing content creation, and a massive increase (1000%+ in some measurements) in phishing volume since tools like ChatGPT became available. On the flip side, defenders are also using AI to better detect phishing, for example machine learning systems that identify phishing websites by their characteristics, or AI that scans email context. One outcome noted is that AI driven phishing emails have fewer of the old telltale signs (typos, odd phrasing), so users must rely more on context (e.g., am I expecting this email?) and technical checks. AI has also enabled more personalized phishing at scale: attackers can feed personal info into an AI to draft a tailored lure for each target, something only nation states used to do manually. So the rise of AI has raised the stakes: phishing emails in 2025 look much more legitimate, and even security pros sometimes double take. We expect AI will continue to both help and hurt. Perhaps AI could one day warn users that “this email seems AI generated/phishy” as a built-in email client feature.

Phishers love to impersonate well known brands that people trust and are likely to interact with. According to multiple threat reports in 2025, Microsoft is consistently the #1 impersonated brand in phishing globally. This includes Microsoft 365 login pages, OneDrive share links, etc., because compromising a Microsoft account is extremely valuable. Other top brands often include: DHL and shipping firms (especially during holiday seasons, with “track your package” scams), Amazon (order and delivery scams), PayPal and other payment services, bank brands depending on region (e.g., Chase or Bank of America in the US), and social media platforms like Facebook and LinkedIn for credential harvesting. In one quarter of 2025, DHL was actually neck and neck with Microsoft as the most phished brand, likely due to a surge in QR code delivery scams. Mastercard and Visa are common for financial phishing, and Google gets impersonated a lot as well (Google Docs shares, Google Drive links asking for login). Essentially, any brand with a login portal that millions use is a target for impersonation. Phishers also tailor brand bait by region: in the UK, Royal Mail and HMRC (tax) are frequent phishing themes; in Australia, Telstra (telco) phishing is common; in Latin America, WhatsApp and MercadoLibre (e-commerce) are used. Always be cautious and go directly to the official site instead of clicking a link in an unsolicited message, no matter the brand logo or name on it.

When done right, security awareness training is quite effective in reducing phishing risk, though it’s not a silver bullet. The numbers are telling: organizations that run regular training and phishing simulations have seen the average click rate on phishing tests drop from ~30% to under 5% over time. One industry study in 2025 found up to an 86% reduction in click rates after 1 year of continuous training, meaning that if 100 people would have clicked before, now only 14 do, a huge improvement. Trained users also become far more likely to report phishing attempts: roughly 21% of trained users report phish vs only 5% of untrained. That said, training isn’t one size fits all. Some programs are just annual PowerPoints and have limited impact; the best programs are ongoing, varied, and engaging, with leadership support. There is also the issue of repeat clickers, typically a small percentage of employees who, despite training, keep clicking. Those may need additional one on one coaching or other measures (some orgs limit their access or put them on stricter email filtering). Also, training effectiveness can decay over time if not reinforced, hence continuous testing is key. Importantly, training educates users on new scams like QR phishing or deepfakes, which technology might not fully handle yet. In summary, good security awareness training significantly lowers an organization’s likelihood of a successful phish, but it works best in tandem with technical controls. Think of it as immunization: it raises resilience but isn’t 100% immunity. You still need herd immunity from multiple layers of defense.
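Both the training recommendation in the list above (track click rates, report rates, and the median click and report times) and this answer (watch for repeat clickers, check that the click rate actually falls over time) come down to scoring simulation results. The block below is an added example of that scoring, not code from the article or from any simulation platform; the three months of results are constructed, and the threshold of two clicks for a "repeat clicker" is an assumption.

```python
"""Added example: scoring phishing-simulation results. Constructed data; not code
from the original article or from any awareness-training product."""
from collections import defaultdict
from statistics import median

# Constructed results of three monthly simulations. Each row is
# (campaign, user, seconds from open to click or None, minutes from delivery to report or None).
SIMULATION_RESULTS = [
    ("2025-01", "alice", 21, None), ("2025-01", "bob", None, 30), ("2025-01", "carol", 40, 5),
    ("2025-01", "dave", None, None), ("2025-01", "erin", None, None),
    ("2025-02", "alice", 15, None), ("2025-02", "bob", None, 12), ("2025-02", "carol", None, 8),
    ("2025-02", "dave", None, 25), ("2025-02", "erin", None, None),
    ("2025-03", "alice", 30, 10), ("2025-03", "bob", None, 4), ("2025-03", "carol", None, 3),
    ("2025-03", "dave", None, 6), ("2025-03", "erin", None, 9),
]


def campaign_metrics(results):
    """Per-campaign click rate, report rate and median click/report times."""
    by_campaign = defaultdict(list)
    for campaign, _user, click_s, report_min in results:
        by_campaign[campaign].append((click_s, report_min))
    metrics = {}
    for campaign, rows in sorted(by_campaign.items()):
        clicks = [c for c, _ in rows if c is not None]
        reports = [r for _, r in rows if r is not None]
        metrics[campaign] = {
            "recipients": len(rows),
            "click_rate": len(clicks) / len(rows),
            "report_rate": len(reports) / len(rows),
            "median_click_seconds": median(clicks) if clicks else None,
            "median_report_minutes": median(reports) if reports else None,
        }
    return metrics


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns (assumed threshold);
    these are the candidates for one-on-one coaching or tighter filtering."""
    counts = defaultdict(int)
    for _campaign, user, click_s, _report in results:
        if click_s is not None:
            counts[user] += 1
    return {u: n for u, n in counts.items() if n >= min_clicks}


def click_rate_reduction(metrics):
    """Relative drop in click rate from the first to the latest campaign, 0..1."""
    ordered = [metrics[c]["click_rate"] for c in sorted(metrics)]
    first, last = ordered[0], ordered[-1]
    return (first - last) / first if first else 0.0


if __name__ == "__main__":
    m = campaign_metrics(SIMULATION_RESULTS)
    for campaign, stats in m.items():
        print(campaign, stats)
    print("repeat clickers:", repeat_clickers(SIMULATION_RESULTS))
    print(f"click rate reduction: {click_rate_reduction(m):.0%}")
```

On the constructed data the click rate halves (40% to 20%) while the report rate climbs from 40% to 100% and the median report time falls from 17.5 to 6 minutes, the direction the article argues for; alice clicks in every campaign and is the one user the program should follow up with individually.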

The cost can vary widely depending on what the phish leads to. If we’re talking about a full data breach initiated by phishing, the average cost is about $4.88 million in 2025. This includes investigation, remediation, downtime, lost business, regulatory fines, etc. That is higher than the average cost of breaches not involving phishing. If the phishing attack only results in some fraudulent wire transfers (a BEC scam) and not a broader breach, the costs are the actual funds lost plus perhaps recovery efforts. The FBI says the average financial loss per BEC incident is around $137,000. There have been extreme cases like a single BEC theft of $25M (as in the deepfake case), but those are outliers. For ransomware triggered by phishing, costs include the ransom (if paid) plus recovery; the median ransom payment was $115k, but total incident costs average ~$5M when you factor in all consequences. Some research attempts to quantify the cost per phishing email or per employee click; for instance, one study by Ponemon years ago said an average phishing email that successfully tricks a user can cost a large company around $15-20 per email in incident handling, adding up to millions yearly for big firms. But that’s a very rough estimate. In essence: a run of the mill phishing infection might cost tens of thousands (IT cleanup, minor disruption), a successful BEC might cost hundreds of thousands, and a full breach or ransomware event can cost millions. Hence the oft quoted figure: the average cost of a phishing data breach is ~$4.9M, which is a useful planning number for the worst case scenario.

Infographic titled “The Phishing Landscape of 2025: From Email Scams to AI-Driven Deception.” It explains that phishing is the leading cause of security breaches and a gateway to ransomware and business email compromise. The graphic shows phishing evolving into AI-driven, multi-channel attacks using email, SMS, collaboration tools, and voice (vishing). It highlights defensive improvements but shrinking margins for error, frames phishing as a business risk rather than just an IT issue, and outlines future threats such as deepfakes and highly targeted scams. The key takeaway emphasizes layered defenses, verification culture, and phishing-resistant authentication.

The phishing landscape of 2025 reveals a threat that is escalating in both volume and sophistication. What was once a scattershot email scam has morphed into a polymorphic, multi channel assault on organizations’ trust and defenses. The statistics we’ve examined tell a clear story: phishing is the leading cause of breaches, the launchpad for costly attacks like ransomware and BEC, and a constantly evolving menace driven now by AI and criminal collaboration.

On the defensive side, there is progress. Companies are fighting back with better training (cutting phishing success rates dramatically) and new technologies (AI driven filters, etc.). Yet the margin for error is shrinking. The average time to identify a phishing breach is 254 days, and the soaring costs associated with such incidents ($4.88M on average) underscore that every phishing email that slips through can be a powder keg.

Moving forward, organizations must treat phishing as the pervasive business risk it is. This means baking anti phishing into the culture and the architecture: from the CEO who practices phishing drills along with employees, to the IT admin who implements phishing resistant authentication and zero trust network segments, to the finance clerk who now double verifies any fund transfer requests. The future likely holds even more convincing scams, think AI avatars and real time social engineering. But the core principles of defense remain: vigilance, verification, and layered security.

2025’s data ultimately reinforces a hopeful point: phishing may be growing, but it is a threat we understand well, and many of the solutions are within reach. With the right mix of human awareness and technical safeguards, organizations can substantially tilt the odds in their favor, turning what could have been a multimillion dollar breach into a mere blip on the radar. The battle against phishing is an ongoing campaign of adaptation and resilience, and armed with the insights from these statistics, we are better prepared to meet it.

About the Author

Mohammed Khalil is a Cybersecurity Architect at DeepStrike. Specializing in advanced penetration testing and offensive security operations, he holds certifications including CISSP, OSCP, and OSWE. Mohammed has led numerous red team engagements for Fortune 500 companies, focusing on cloud security, application vulnerabilities, and adversary emulation. His work involves dissecting complex attack chains and developing resilient defense strategies for clients in the finance, healthcare, and technology sectors.
