
Quick Summary: Is phishing a big security challenge? Does phishing cause most data breaches? This article answers these questions with a collection of phishing statistics and facts. Use them to understand the current state of phishing and to make informed decisions about securing your digital landscape.
Phishing attacks have become a serious security challenge for individuals and organizations alike. They are deceptive by design, so victims fall prey to them easily, and they pose a major risk to both security and privacy.
Understanding the scope and impact of this attack vector is essential to preventing financial losses and implementing effective security measures. Hence, in this article, we have collected facts and figures about phishing that give useful insight into this threat vector.
Table of Contents
- What Exactly is a Phishing Attack?
- What is the Current State of Phishing Attacks in 2026?
- Top Phishing Attack Statistics
- Phishing Attack Stats and Facts with Notable Incidents
- Industry Sectors Most Impacted by Phishing Attacks
- Tips to Prevent Phishing Attacks
- To Wrap Up
What Exactly is a Phishing Attack?
Phishing is a kind of social engineering attack in which an attacker tricks a victim into performing a specific action for the attacker's benefit. The attack aims to elicit sensitive information from the victim by making them believe they are entering data on a legitimate platform.
Let’s understand this with an example. Suppose a user receives an email that looks like it comes from a legitimate company and carries an action-oriented subject line. The user opens the email and clicks the link provided in it. The user then enters the information requested on the linked page.
The result is compromised information: the email was a scam, and the user unknowingly handed their data to a bad actor. This is how a phishing attack happens.
What is the Current State of Phishing Attacks in 2026?
More than 3.4 billion phishing emails are sent every single day, roughly 39,000 every second, making phishing the most pervasive form of cybercrime. This shows that phishing has reached the level of a critical menace today. In fact, phishing causes more data breaches than any other type of social engineering attack, accounting for 57% of data breaches as per Verizon’s Data Breach Investigation Report 2025.
Phishing remains the single most common social engineering action behind breaches. According to the Verizon 2026 Data Breach Investigations Report, the human element was involved in 62% of all breaches, and phishing was the initial access vector in 16% of breaches. IBM likewise names phishing the #1 initial attack vector, responsible for 16% of all data breaches studied.
It becomes an even more dangerous threat vector as attackers impersonate reputed brands to dupe victims into opening such emails and clicking their links. Microsoft was the most impersonated brand across 2024, appearing in a large share of brand-spoofing phishing campaigns. Through 2025 the rankings shifted quarter to quarter: Walmart became the most impersonated brand in Q3 2025, supplanting delivery giant DHL, while Microsoft, Google, Adobe, and DHL remained perennial favorites.
Associating the name of a reputed brand with a malicious email increases the likelihood of opening the mail as victims believe it is from a trusted source. As victims open the email, they fall prey to a scam, resulting in compromised data, malware installation, or other security risks.
Phishing is among the top initial attack vectors for most data breaches as shown in the following image from IBM’s Cost of Data Breach report.

Top Phishing Attack Statistics
- Almost 57% of organizations worldwide face phishing attacks every week.
- The global average cost of a data breach fell to $4.44 million in 2025, the first decline in five years, while the U.S. average climbed to a record $10.22 million.
- APWG recorded 3.8 million phishing attacks across 2025 (up slightly from 3.76 million in 2024), including more than 1 million in Q1 and a peak of 1.13 million in Q2, the largest quarter since 2023.
- Nearly 3.4 billion phishing emails are shared daily, which is 1.2% of all emails.
- 55% of phishing websites impersonate a brand to steal sensitive information.
- Phishing remains the top-reported cybercrime to the FBI, with 193,407 phishing/spoofing complaints filed in 2024, more than double the next most-reported crime.
- 96% of organizations that were victims of phishing attacks were negatively impacted.
- Phishing-related breaches cost organizations an average of $4.8 million, roughly on par with the overall global average, proof that "simple" phishing is just as damaging as more sophisticated attacks.
- In the US, phishing attacks were behind 36% of all data breaches.
- Nearly 83% of organizations face phishing attacks every year.
- Mobile-centric phishing (smishing and vishing) now succeeds about 40% more often than email phishing in simulation data, as attackers move from the inbox to the pocket.
- The average cost of a phishing attack is around $4.91 million for organizations.
- 44% of people consider an email safe if it includes familiar branding.
- Phishing is the delivery method for malware in 45% of cases.
- Ransomware now appears somewhere in 48% of breaches, and phishing is one of its most common delivery mechanisms.
- 1 in 6 (16%) breaches now involve attackers using AI, most often to generate phishing lures (37%) and deepfake impersonations (35%).
Phishing Attack Stats and Facts with Notable Incidents
Phishing attacks exploit human errors to cause data breaches. There are a lot of incidents that happened in recent history where phishing was used as an attack method.
2025 Scattered Spider Retail Attacks
In April–May 2025, the threat group Scattered Spider targeted major UK retailers including Marks & Spencer, Co-op, and Harrods. M&S was hit hardest: attackers used a phishing/social-engineering ploy to trick IT staff into resetting admin-level credentials at a third-party vendor, then deployed ransomware that disrupted e-commerce across more than 1,400 stores. It stands as one of the clearest recent examples of phishing as the opening move in a costly ransomware chain.
Russia/Ukraine War
Phishing has been used heavily in the Russia-Ukraine war. While Russia pursued cyberattacks to steal data, release malware, and cause blackouts, Ukraine has been leveraging cyberattacks to cause massive data breaches. Many fundraising scams also robbed individuals of money and sensitive data.
- Since the start of the war, Slavic-language phishing emails have increased sevenfold.
- Attackers impersonated legitimate domains with barely noticeable differences to carry out phishing attempts.
- Hacking groups tried to compromise the email accounts of military personnel, which could give access to valuable data.
Lapsus$ Extortion
The Lapsus$ group leveraged phishing to hack systems and steal sensitive information or valuable data from companies like Microsoft, Samsung, Nvidia, and Ubisoft.
2014 Sony Pictures Attack
Sony suffered both financial and reputational damage when attackers exfiltrated up to 100 terabytes of data in a breach that began with phishing emails sent to executives. The incident cost the company $100 million.
Industry Sectors Most Impacted by Phishing Attacks
Attackers are not limited to a specific industry when it comes to phishing scams. In fact, phishing statistics show that every industry is impacted by this attack vector. As dependence on digital technologies increases across industries, they have become more susceptible to cyberattacks like phishing.
As threat vectors become more sophisticated, organizations need stronger defensive mechanisms to protect their web applications, APIs, and other digital assets. Organizations must invest in regular web application security testing and employee training on cybersecurity best practices to ensure a stronger security posture.
These measures can protect organizations from cybersecurity risks, including phishing, regardless of the industry they operate in. Today, phishing has emerged as the most critical security risk across industries. The following image shows the industries most targeted by phishing.

Healthcare Sector
Healthcare has emerged as one of the prime targets of phishing scams as the field becomes increasingly digitized. Patient information and healthcare records are among the most valuable assets attackers can steal to commit fraud and identity theft.
Attackers can lure employees in the healthcare sector with phishing emails and gain unauthorized access to data or compromise the security of a healthcare application.
- Healthcare has been the most expensive industry for data breaches for 14 consecutive years, with an average breach cost of $7.42 million in 2025, far above the $4.44 million global average.
- Healthcare and pharmaceuticals is the highest-risk sector for phishing susceptibility, with a baseline phish-prone rate of 41.9% among untrained employees.
- Healthcare also takes the longest to detect and contain a breach, around 279 days on average, over a month longer than the global mean.
- There is a 75% increase in different types of cyberattacks, including phishing.
Retail/eCommerce
The online retail or e-commerce sector is a lucrative target for attackers as it offers high-value data. Attackers can use malicious emails or messages to deceive users by tricking them into revealing their sensitive information such as passwords, credit card numbers, addresses, and more. Phishing attacks can cause data breaches and financial losses to businesses.
- Phishing attacks have been experienced by 38% of retailers.
- 58% of retailers report an increase in phishing attacks.
- 15% of all attacks by cybercriminals target the retail sector.
Finance Sector
Finance is among the top three industries most targeted by phishing. Since attackers mostly seek financial gain, the finance sector is a primary choice for fulfilling that motive. Attackers dupe victims with scam emails to obtain credentials or sensitive information and commit fraud.
Social engineering tactics like phishing are increasing in popularity among attackers to target financial businesses. In fact, social engineering, system intrusion, and miscellaneous errors account for 78% of data breaches in the financial industry.
Finance Phishing Statistics:
- 9.8% of phishing attacks targeted financial institutions in Q3 of the previous year, as per Statista.
- In the case of the finance sector, social engineering, like phishing, is the major cause of data breaches, with 78% of the incidents.
- Crelan Bank’s phishing attack was the largest phishing heist against a financial institution, standing at $75.8 million.
- The financial services industry has the second-highest average breach cost of any sector at $5.56 million.
- Business Email Compromise (BEC), a targeted phishing variant, drove around $2.77 billion in reported U.S. losses in 2024, making it one of the costliest cybercrimes by dollar loss.
Education Sector
The next key target of phishing attacks is the education sector. Mostly, attackers attempt to gain access to high-value data such as addresses, identification documents, passwords, and more. The rising adoption of digital technologies has led to a sharp increase in cyberattacks in the education sector.
Attackers can leverage phishing scams to steal sensitive information and commit identity theft. They can also access intellectual properties that universities may have in addition to personal data.
Phishing Statistics for Education:
- In terms of protecting against phishing attacks, the education sector ranks last.
- 30% of users in the education sector fall for a phishing attack.
- For K-12 schools, phishing was the most common source of threats, accounting for 30% of cases in the previous year, according to a Forbes article.
Tips to Prevent Phishing Attacks
Email scams are widespread today, and they target both companies and individuals. Phishing email statistics show that they cause more data breaches than any other social engineering tactic.
Phishing is a potentially dangerous attack vector that can result in significant business losses. Hence, you need to take the right steps to protect against this malicious threat. The following are some prevention tips that can help you mitigate the risks of phishing attacks.
Multi-Factor Authentication
Using multi-factor authentication can help minimize the risk of phishing by adding another layer of protection to an account. Multi-factor authentication requires an extra authentication step before access is granted. So, even if a username and password are captured, the login will only succeed once the additional authentication is completed. Multi-factor authentication can help prevent 99.9% of automated attacks.
Email Security
A spam filter or secure email gateway is the first line of defense against phishing attacks. It evaluates inbound and outbound emails to detect junk mail, spam, and malicious attachments. These solutions protect effectively against a wide range of email-borne threats.
They include anti-malware engines that detect malicious code, and they identify and block novel malware through behavior analysis. They also inspect email content to detect spam and block known malicious IPs.
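The article notes that attackers impersonate brands such as Microsoft, Google, Adobe, DHL and Walmart and register domains with barely noticeable differences. The following is an added example, not code from the article or from ZeroThreat, of the kind of look-alike sender check a mail filter can run on the From: header; the brand domains, the confusable-character table and the sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Brands the article lists as the most impersonated; the domains are assumed for illustration
BRAND_DOMAINS = ("microsoft.com", "google.com", "adobe.com", "dhl.com", "walmart.com")

# Substitutions that make a spoofed label look almost right to the eye (constructed table)
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(label):
    """Undo visual look-alike substitutions so 'rnicrosoft' compares as 'microsoft'."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats such as 'adobee'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Extract the domain from a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header):
    """Return 'legitimate', 'lookalike:<brand>' or 'unknown' for a From: header."""
    domain = sender_domain(from_header)
    if any(domain == b or domain.endswith("." + b) for b in BRAND_DOMAINS):
        return "legitimate"
    # Every label except the TLD is checked, so 'microsoft.com.evil-host.net' is caught too
    tokens = [t for t in domain.replace("-", ".").split(".")[:-1] if t]
    for token in tokens:
        for brand in BRAND_DOMAINS:
            brand_label = brand.split(".")[0]
            if normalize(token) == brand_label:
                return f"lookalike:{brand}"
            # Distance check only for longer names; the 3-letter 'dhl' would match too loosely
            if len(brand_label) >= 4 and levenshtein(token, brand_label) <= 1:
                return f"lookalike:{brand}"
    return "unknown"
```

A "lookalike" verdict is a signal for quarantine or review alongside the gateway's other checks, not a standalone block decision, since legitimate third-party senders can also resemble a brand name.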
Employee Training
Regular employee training can help reduce the chances of falling victim to a phishing scam. Train employees in secure data-handling practices and in recognizing phishing emails to close the gaps that human error creates. Make your employees aware of the different forms phishing can take.
To Wrap Up
As the cybersecurity landscape is changing constantly, you must be prepared to tackle the looming threats. While you can adopt robust cybersecurity measures to protect against potential threats, being aware of the dynamics of cybersecurity risks is also essential to building stronger defensive mechanisms.
The statistics on phishing attacks mentioned in this article help you understand the dynamics of this threat vector, enabling you to build a better defense strategy. Apart from strengthening your defense layers, you should also focus on threat monitoring to identify potential security loopholes.
With a vulnerability scanner like ZeroThreat, you can thoroughly analyze your web apps and APIs to discover hidden security flaws and protect your digital landscape from various attack vectors.
Frequently Asked Questions
Is it true that 91% of cyberattacks start with a phishing email?
Yes, as per Deloitte’s press release, a phishing email is the stepping stone for cyberattacks in 91% of cases, and CISA similarly estimates that more than 90% of cyberattacks begin with phishing. Phishing tricks victims into clicking a link or entering information on a webpage that looks legitimate but is in fact a malicious scheme designed by an attacker to make them divulge passwords or other sensitive information.
What are the trends in phishing in 2026?
What are the most common phishing types?


