
50 Phishing Statistics for 2026: Attack Costs, Trends & Prevention

Sreenivasa Reddy G
Founder & CEO
Mar 14, 2026 · 14 min read

Phishing remains the most common and most costly initial attack vector in cybersecurity. In 2025, 3.8 million phishing attacks were recorded globally, the average phishing-caused breach cost $4.88 million, and business email compromise (BEC) losses exceeded $2.77 billion in the US alone. AI-generated phishing content has made attacks harder to detect — 82.6% of phishing emails now contain AI-generated text. This page compiles 50 verified phishing statistics for 2026, covering attack volumes, financial impact, BEC trends, AI-driven threats, and the human factors that keep phishing effective.

Phishing Attack Volume and Frequency

| Metric | Value | Source |
|---|---|---|
| Global phishing attacks (2025) | 3.8 million | APWG |
| Phishing as initial attack vector (% of breaches) | 36% | Verizon DBIR 2025 |
| Increase in phishing URLs detected (2024 vs 2023) | 28% | Bolster Research |
| Phishing emails sent daily (estimated) | 3.4 billion | Barracuda Networks |
| Increase in BEC emails (2025 vs 2024) | 15% | Abnormal Security |
| % of all cyber incidents that are BEC attacks | 73% | Arctic Wolf |
| Spear phishing attacks per organization per month | 14.2 (avg) | Barracuda |
| Phishing attacks targeting mobile devices | Up 42% YoY | Lookout |

The 73% figure from Arctic Wolf is striking: nearly three-quarters of all cyber incidents investigated by their SOC involved some form of business email compromise. This isn't just credential phishing; it includes vendor impersonation, invoice fraud, payroll diversion, and executive impersonation attacks. For a deeper look at the inbox threat landscape, see our 52 email security statistics for 2026.

Financial Impact of Phishing

Phishing is cheap to execute and enormously expensive for victims. The economics heavily favor attackers — as the broader cybersecurity statistics confirm, phishing remains the most common initial attack vector across all industries.

| Financial Metric | Value | Source |
|---|---|---|
| Average cost of a phishing breach | $4.88 million | IBM Cost of a Data Breach 2025 |
| Phishing insider incident cost (per incident) | $804,997 | Ponemon Institute 2025 |
| Phishing insider incident cost increase vs 2023 | +14% | Ponemon Institute |
| BEC losses reported to FBI (2024) | $2.77 billion | FBI IC3 2024 |
| Total cybercrime losses reported to FBI (2024) | $16.6 billion | FBI IC3 2024 |
| Average BEC attack cost per incident | $125,000+ | FBI IC3 |
| Median wire transfer loss in BEC (2024) | $50,000 | FBI IC3 |
| Cost per phishing email (to attacker) | $0.01–$0.05 | Agari |
| ROI for attackers on phishing campaigns | 4,000%+ | Proofpoint |

The attacker economics are brutal: a phishing kit costs $50-$200 on dark web marketplaces, bulk email sending costs fractions of a penny per message, and a single successful BEC attack can net $125,000+. Phishing is also the primary entry point for ransomware attacks, which add an average of $5.13 million to the damage. That's why phishing volume keeps climbing despite billions spent on defenses — the ROI for attackers is simply too high.

AI-Generated Phishing and Deepfake Threats

AI has fundamentally changed the phishing landscape. Grammar mistakes and awkward phrasing — the traditional red flags — have been eliminated by large language models.

| AI Phishing Metric | Value |
|---|---|
| Phishing emails containing AI-generated content | 82.6% |
| Increase in AI-crafted phishing since ChatGPT launch | 1,265% |
| Click rate on AI-generated phishing vs human-written | 54% higher |
| Organizations that have experienced deepfake-assisted BEC | 25% |
| Voice phishing (vishing) attacks using AI voice cloning | Up 340% since 2023 |
| Time to create a convincing phishing page with AI tools | Under 5 minutes |


The 82.6% figure means the vast majority of phishing emails in circulation right now were written or refined by AI. These messages are grammatically perfect, contextually relevant, and increasingly personalized using data scraped from LinkedIn, company websites, and previous breaches. Traditional email security that relies on known bad signatures and URL reputation struggles against AI-generated content that's unique every time.

Human Error and Click Rates

Technology alone cannot solve phishing because the attack targets human psychology, not software vulnerabilities.

| Human Factor | Value |
|---|---|
| Data breaches involving human error | 88% |
| Employees who clicked phishing links in simulations | 17.8% |
| Employees who then entered credentials | 10.4% |
| Time for first click on phishing email (median) | 21 seconds |
| Time from click to credential submission (median) | 28 seconds |
| Employees who reported the phishing email | 11.5% |
| Cloud breaches from lack of MFA | 17% |
| Most impersonated brand in phishing (2025) | Microsoft (32%) |
| Second most impersonated brand | Google (17%) |
| Phishing emails with urgency language ("account suspended," "action required") | 68% |

The 21-second median time to first click is the most alarming number on this page. It means employees are clicking phishing links faster than it takes to read and evaluate the email. This is reflexive behavior — see an email from "Microsoft" about a password expiration, click the link, enter credentials. The entire compromise takes under a minute.

Phishing by Industry

Certain industries are targeted disproportionately based on the value of the data they hold and their typical security posture.

| Industry | % of Phishing Attacks | Average Breach Cost |
|---|---|---|
| Financial Services | 23.2% | $6.08M |
| Healthcare | 14.7% | $9.77M |
| Technology | 12.8% | $5.45M |
| Government | 10.1% | $4.33M |
| Education | 8.4% | $3.65M |
| Manufacturing | 7.6% | $5.56M |

Phishing Prevention Effectiveness

Not all defenses are equally effective. The data is clear on what works and what doesn't.

| Defense Measure | Effectiveness / Impact |
|---|---|
| MFA enforcement | Blocks 99.9% of automated credential attacks |
| Security awareness training (ongoing) | Reduces click rates by 60% over 12 months |
| DMARC enforcement (p=reject) | Prevents 95% of domain spoofing |
| AI-based email security (behavioral analysis) | Catches 92% of novel phishing vs 68% for signature-based |
| URL sandboxing and real-time link scanning | Blocks 85% of malicious URLs at click time |
| Organizations with all three (MFA + training + advanced email security) | 80% fewer successful phishing incidents |

The combination that actually works is MFA + security awareness training + advanced email security. Any one of these alone is insufficient. MFA blocks credential reuse but doesn't stop MFA fatigue attacks or adversary-in-the-middle (AiTM) phishing. Training reduces click rates but can't reach zero. Email security catches most attacks but not all. Together, they create defense in depth.
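The table above credits DMARC enforcement specifically at p=reject, and whether a published record actually meets that bar can be checked mechanically. The following is an added example, not part of the original article: the function names and the sample records (on reserved example domains) are constructed, and it parses record text only, with no DNS lookup.

```python
def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    tags = {}
    for i, part in enumerate(s.strip() for s in txt.split(";")):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            return None
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (name, value) != ("v", "DMARC1"):
            return None  # RFC 7489: v=DMARC1 must come first
        tags.setdefault(name, value)
    return tags if tags.get("v") == "DMARC1" else None

def assess(txt):
    """Return (verdict, findings) measured against the p=reject bar."""
    tags = parse_dmarc(txt)
    if tags is None or "p" not in tags:
        return "invalid", ["no usable DMARC policy is published"]
    policy = tags["p"].lower()
    sub = tags.get("sp", policy).lower()  # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # assumption: treat a malformed pct as the default
    findings = []
    if policy != "reject":
        findings.append(f"p={policy}: failing mail is not rejected")
    if "sp" in tags and sub != "reject":
        findings.append(f"sp={sub}: subdomains are weaker than p=reject")
    if pct < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports to confirm enforcement")
    if policy == "none":
        return "monitor-only", findings
    enforced = policy == "reject" and sub == "reject" and pct == 100
    return ("enforced" if enforced else "partial"), findings

# Constructed sample records on reserved example domains.
SAMPLES = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    "example.org": "v=DMARC1; p=reject; sp=none; pct=50",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(domain, *assess(record), sep=" | ")
```

A record can say p=reject and still fall short: the third sample leaves subdomains at sp=none and applies the policy to only half of failing mail, so it is reported as partial.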

For organizations that need help implementing these controls, our security and compliance services include DMARC configuration, MFA enforcement across Microsoft 365 and Google Workspace, and email security gateway deployment. Our SOC services provide 24/7 monitoring for phishing-related indicators of compromise, including credential theft detection and unauthorized mailbox rule creation.

Key Takeaways

  • 3.8 million phishing attacks were recorded globally in 2025, with 3.4 billion phishing emails sent daily.
  • $4.88 million is the average cost of a phishing-caused breach — making it the most expensive initial attack vector after insider threats.
  • BEC losses reached $2.77 billion in reported FBI complaints, and the actual number is likely 3-5x higher due to underreporting.
  • 82.6% of phishing emails now contain AI-generated content, making traditional detection methods less effective.
  • 88% of breaches involve human error — technology alone cannot solve phishing. Layer MFA, training, and advanced email security together.
  • 21 seconds — that's how fast the median employee clicks a phishing link. Speed kills when it comes to social engineering.

Sources: APWG Phishing Activity Trends Report 2025, Verizon Data Breach Investigations Report 2025, IBM Cost of a Data Breach Report 2025, FBI Internet Crime Complaint Center (IC3) 2024 Annual Report, Ponemon Institute Cost of Insider Threats 2025, Abnormal Security BEC Trends Report 2025, Arctic Wolf Security Operations Report 2025, Barracuda Email Threat Landscape 2025, Lookout Mobile Threat Report 2025, KnowBe4 Phishing Benchmarking Report 2025, Proofpoint State of the Phish 2025.
