Phishing Statistics 2026: Verified Benchmarks, Trends & Costs
Verified 2026 phishing statistics: 62% human element (DBIR), ~3.8M APWG attacks (latest APWG full-year), multi-channel reference data, US/UK losses, and what security leaders should measure beyond training completion.
Ozan Ucar, Founder and CEO of Keepnet
Executive summary: phishing statistics 2026
Phishing statistics in 2026: the human element remains central, attack volume stays high, and channels beyond email are where many programs still under-measure risk.
- 62% of breaches involve the human element (Verizon DBIR 2026, p. 12).
- ~3.8 million phishing attacks observed globally in calendar 2025 (APWG Q4 2025, p. 3–4).
- Email sim median click ~1.4% vs phone-centric ~2% (~40% gap, DBIR 2026, p. 50), from Keepnet-contributed voice/SMS simulation data.
- FBI IC3: $3.05 billion BEC losses in 2025 (FBI IC3 2025).
- 35% of organizations affected by deepfake incidents (Gartner 2025, n=302).
Keepnet contributed anonymized voice and SMS phishing simulation data to the 2026 Verizon DBIR. When we contributed voice and SMS simulation data to this year's DBIR, the pattern that stood out was simple: phone-centric scenarios failed about 40% more often than email in median click rates.
Keepnet's Extended Human Risk Management Platform (xHRM) is built around that multi-channel gap. Gartner's March 2026 market label is Secure Behavior Management (SBM) (G00853891). We pair xHRM with SBM outcomes: simulations and reporting across email, SMS, voice, and QR, not completion exports alone.
Source: Gartner, "6 Ways to Transform Your Cybersecurity Awareness Program" (G00840741, March 2026), based on the 2025 Secure Behavior Strategies Survey (n=65).
Phishing emails remain a major initial-access path, but 2026 reference data show the story is broader than inbox volume.
This guide curates verified phishing statistics from DBIR 2026, APWG 2025, FBI IC3 2025, UK DCBS 2025/26, and labeled Microsoft telemetry, plus Keepnet simulation research where labeled. Each section pairs stats with operator implications, not copy-paste vendor tables.
| Metric | 2026 DBIR / APWG | Gartner 2025 | Use in copy |
|---|---|---|---|
| Human element in breaches | 62% | n/a | Lead with DBIR 2026 |
| Phishing attacks observed (latest APWG full-year) | ~3.8M | n/a | APWG full-year |
| Phishing as initial access | 16% | n/a | DBIR breach sample |
| Leaders prioritize phishing reporting | n/a | 73% (n=65) | Program design |
| Training completion as top metric | n/a | 84% (n=65) | Metric gap vs outcomes |
| Email vs phone sim median click | ~1.4% / ~2% | n/a | Multi-channel SAT |
Phishing reference stats by source year (headline numbers)
What this means for security leaders
Stat pages fail when every percentage looks equally current. Lead board decks with DBIR 2026 and APWG 2025 rows; label IC3 as FBI IC3 2025 for US loss and complaint baselines. Pair volume statistics with reporting rate and time-to-report from your own simulations.
2026 threat operations (CrowdStrike Global Threat Report)
The Verizon DBIR measures breach patterns; CrowdStrike Counter Adversary Operations telemetry measures how fast interactive and AI-assisted intrusions move in the 2026 GTR reporting period. Use both: DBIR for board breach mix, CrowdStrike for response-window and lure-trend context.
| Metric | Value | Context | GTR page |
|---|---|---|---|
| Average eCrime breakout time | 29 minutes | 2025 | p. 11 |
| Detections malware-free | 82% | Up from 51% in 2020 | p. 11 |
| Fake CAPTCHA lure incidents (YoY) | 563% increase | vs 2024 | p. 12 |
| Attacks by AI-enabled adversaries (YoY) | 89% increase | 2025 | p. 15 |
| Valid account abuse (cloud incidents) | 35% | 2025 | p. 3 |
| Technology sector share of interactive intrusions | 23% | Jan–Dec 2025 | p. 10 |
CrowdStrike 2026 GTR: operations stats for program owners
The honest read
Credential abuse and living-off-the-land activity do not always show up as a phishing click. When 82% of detections are malware-free, report-rate and identity anomalies matter as much as simulated link clicks.
Deepfake statistics sync (Gartner G00847786, May 2026)
Use separate survey labels when you cite deepfake rates. G00847786 (2026 CISO role-based survey, n=297) reports 41% audio-call and 35% video-call deepfake plus social-engineering incidents. Gartner's public 2025 AI Risk survey (n=302) reported 62% of organizations with any deepfake incident in 12 months. Do not merge those into one headline number.
| Metric | Value | Survey |
|---|---|---|
| Audio call deepfake + social engineering | 41% | G00847786 / CISO survey n=297 |
| Video call deepfake + social engineering | 35% | G00847786 / CISO survey n=297 |
| Any deepfake incident | 62% | 2025 AI Risk Management Survey n=302 |
| Leaders prioritize deepfake recognition | 10% | G00840741 n=65 (program gap) |
Deepfake stats by Gartner survey (for copywriters)
Deepfake hub: deepfake statistics and trends.
Sources
- CrowdStrike, 2026 Global Threat Report (Year of the Evasive Adversary), pages cited in body.
- Gartner G00847786: Cybersecurity Threat: Deepfake Identity Impersonation (Akif Khan, 28 May 2026).
Phishing statistics at a glance (2026)
Use this table for board-ready headline numbers. Each row maps to a primary source in the Sources section at the end of this page.
| Metric | Value | Primary source |
|---|---|---|
| Human element in breaches | 62% | Verizon DBIR 2026 |
| Phishing as initial access | 16% | Verizon DBIR 2026 |
| Pretexting as initial access | 6% | Verizon DBIR 2026 |
| Phishing attacks observed (latest APWG full-year) | ~3.8 million | APWG Q4 2025 |
| Email sim median click rate | ~1.4% | Verizon DBIR 2026 |
| Phone sim median click rate | ~2% | Verizon DBIR 2026 |
| US cybercrime losses (latest IC3 annual) | $20.9 billion | FBI IC3 2025 |
| BEC reported losses (latest IC3 annual) | $3.05 billion | FBI IC3 2025 |
| UK businesses hit by phishing (12 mo) | 38% | UK DCBS 2025/26 |
Phishing statistics at a glance (2026)
The honest read
Most SERP pages list percentages without saying which year or dataset they come from. Security leaders lose credibility when 2024 vendor stats sit beside 2026 DBIR figures without labels.
What I'd do this quarter
Standardize on DBIR 2026 and APWG 2025 full-year volume for headline decks. Label IC3 and UK DCBS as latest published annual surveys. See our 2026 Verizon DBIR summary for breach-pattern context.
Phishing breach statistics
The Verizon 2026 DBIR attributes 62% of breaches to the human element, up from 60% in the 2025 edition. Phishing accounts for 16% of initial access in the breach sample; pretexting (voice, chat, callback) adds another 6%. Social engineering as a breach pattern appears in 16% of cases. Ransomware appears somewhere in 48% of breach chains (DBIR 2026).
Read identity-related initial access as a family: phishing (16%) + stolen credentials (13%) + pretexting (6%) totals 35%, comparable to vulnerability exploitation at 31%. Do not cite phishing alone as the top vector without noting that unpatched vulnerabilities lead initial access in the same dataset.
What this means for security leaders
Boards still ask whether phishing is the number-one entry point. The honest answer from DBIR 2026 is that exploitation and identity attacks both matter; programs that fund only email gateways miss pretexting and credential abuse.
Where teams get this wrong
Report breach statistics by initial-access type, not a single phishing percentage. Pair DBIR figures with your own simulation medians and incident tickets tagged by vector.
Phishing attack volume and trends (2026)
The Anti-Phishing Working Group recorded approximately 3.8 million phishing attacks in APWG's latest full-year dataset, up about 1% from 3.76 million in 2024 (APWG Q4 2025, p. 3–4). Quarterly counts were: Q1 1,003,924; Q2 1,130,393 (+13% vs Q1); Q3 892,494; Q4 853,244. Q2 2025 was the largest quarter since Q2 2023.
Do not merge APWG unique-site counts with vendor email-block totals. Microsoft Defender detected roughly 8.3 billion email phishing threats in Q1 2026 alone. That is blocked email volume, not comparable to APWG's ~3.8 million unique phishing sites in the latest full-year count.
Microsoft also reported QR-code phishing detections rising from 7.6 million in January 2026 to 18.7 million in March 2026 (+146%), and roughly 10.7 million BEC attacks in Q1 2026 (Microsoft Email Threat Landscape Q1 2026).
Why programs stall
Volume headlines create panic; trend lines create budget. A flat +1% APWG year alongside rising QR and smishing signals means channel mix shifted, not that email disappeared.
What to fix this quarter
Track volume by channel in your own telemetry. Cite APWG for global site trends and Microsoft only with the Defender telemetry label. Review quarterly APWG releases at apwg.org/trendreports.
Phishing is no longer just email
Email remains the default training image, but DBIR 2026 simulation medians show phone-centric scenarios fail more often: ~2% median click on phone vectors versus ~1.4% on email, about 40% higher. Pretexting accounts for 6% of initial access. Smishing volumes grew an estimated 30–40% quarter-over-quarter (APWG Q4 2025, Crane Authentication contributor).
Keepnet simulation evidence in the 2026 DBIR
Keepnet contributed anonymized voice and SMS phishing simulation campaign data to the 2026 Verizon DBIR (October 2024–October 2025 sample; contributors list, p. 118). The published medians (email ~1.4% vs phone-centric ~2%) are independent Tier A reference numbers any program can cite. Read the full breakdown on our 2026 Verizon DBIR summary (written by Ozan Ucar, Founder and CEO of Keepnet).
If you only simulate email, you grade the easier test. Completion rate is a comforting metric; it is not a security outcome.
| Type | Volume / growth signal | Sim or success signal | Business impact signal |
|---|---|---|---|
| Email | APWG ~3.8M sites (+1% YoY, latest full-year) | DBIR email sim ~1.4% median click | DBIR phishing 16% initial access |
| Vishing / callback | DBIR pretexting 6% initial access | DBIR phone sim ~2% median click | Help-desk and MFA-reset incidents (e.g., MGM class) |
| Smishing | APWG smishing +30–40% QoQ (latest APWG data) | DBIR phone channel sim data | Gap when SAT is email-only |
| QR / quishing | MSFT Q1 2026 +146% QR detections | Scanner bypass in mobile workflows | APWG QR brand targeting (e.g., Walmart 61% Q4 2025) |
| Deepfake | 41% audio / 35% video deepfake+SE (G00847786, CISO n=297); 62% any incident (Gartner AI Risk n=302) | Arup ~$25.6M loss (HK Police briefing, Jan 2024) | Only 10% leaders prioritize deepfake training (Gartner 2025 Secure Behavior Strategies Survey, G00840741, n=65) |
| BEC | APWG wire BEC attacks +136% QoQ (Q4 2025) | Gift card 59% of BEC cash-out mix | IC3 $3.05B BEC losses (latest IC3 annual) |
Phishing statistics by attack type (evidence summary)
Email phishing statistics
Phishing as asynchronous messaging accounts for 16% of initial access (DBIR 2026). Median successful click in email simulations: ~1.4%. For pattern examples, see common phishing email examples.
Vishing statistics
Pretexting (synchronous voice, chat, or callback) is 6% of initial access in DBIR 2026. Phone-centric simulation medians are near ~2% click. Learn attack mechanics in what is vishing and run vishing simulations alongside email.
Keepnet proprietary context (label: 2024 report): the 2024 Voice Phishing Response Report found 70% of organizations exposed to simulated vishing and 6.5% of employees disclosed sensitive information in voice simulations. Use alongside DBIR medians, not as a substitute for breach-rate statistics. Deeper voice statistics: vishing statistics 2026.
Smishing statistics
APWG Q4 2025 cites smishing volume growth of 30–40% quarter-over-quarter (Matthew Harris, Crane Authentication). Pair with DBIR phone sim medians when comparing SMS lure failure rates. Use a smishing simulator if your program still tests email only.
See also smishing statistics 2026.
QR code phishing (quishing) statistics
Microsoft Defender QR detections rose 146% from January to March 2026 (7.6M → 18.7M). APWG Q4 2025 noted QR phishing volume −9% QoQ but Walmart represented 61% of targeted QR brands in that quarter.
Business Email Compromise (BEC) statistics
FBI IC3 reported $3.05 billion in BEC losses from 24,768 complaints (FBI IC3 2025). APWG Q4 2025 observed wire-transfer BEC attacks up 136% quarter-over-quarter; gift cards represented 59% of BEC cash-out methods in that quarter.
Deepfake phishing statistics
Gartner's 2025 AI Risk Management Survey (n=302) found 35% of organizations experienced a deepfake incident, while only 10% of security leaders prioritize deepfake recognition training (G00840741, n=65). See deepfake statistics and trends for a dedicated stat pack.
The uncomfortable truth
Gartner reports 73% of security leaders prioritize phishing reporting metrics (n=65), yet phone and deepfake channels outperform email in both DBIR sim medians and incident narratives. Email-only programs optimize the wrong channel.
Practical next step
Expand simulations to vishing, smishing, QR, and executive verification workflows. Align metrics to the channel mix APWG and Microsoft telemetry show rising, not only inbox click rate.
AI and deepfake phishing statistics
Microsoft's Digital Defense Report 2025 (Incident Response / Defender Experts dataset) found AI-automated phishing attempts achieved a 54% click-through rate versus 12% for standard attempts, a 4.5× multiplier. Label this as Microsoft IR telemetry, not a global census.
Gartner's 2025 survey (n=302) reports 84% of security leaders observe more advanced phishing attacks, and 35% of organizations were affected by deepfake incidents. DBIR 2026 also notes 67% of organizations had non-corporate GenAI tools on corporate devices (shadow AI signal).
ENISA Threat Landscape 2025 (EU, Jul 2024–Jun 2025) attributes roughly 60% of initial access to phishing including vishing and malspam, and states AI-supported phishing accounted for more than 80% of social-engineering activity in the ENISA reporting window (report narrative).
The honest read
GenAI lowered the cost of credible lures. Programs still scoring spelling errors miss AI-drafted executive urgency and synthetic voice on callback flows.
What I'd do this quarter
Add GenAI-aware templates to phishing simulations. Require out-of-band verification for any payment or credential change triggered by voice or video, especially after deepfake cases like Arup (~$25.6M, HK Police briefing 2024).
Phishing statistics in the United States
The FBI Internet Crime Complaint Center (IC3) 2025 annual report recorded $20.9 billion in total reported losses, 1,008,597 complaints, and an average loss of $20,699 per complaint (26% higher losses than 2024). Phishing and spoofing was the most reported crime type with 191,561 complaints and $215.8 million in reported losses (IC3 2025).
Business Email Compromise losses reached $3.05 billion (24,768 complaints). Cyber-enabled fraud accounted for roughly 85% of total losses. IC3's Recovery Asset Team froze $955,060 in one 2024 real-estate BEC case when reporting was fast enough.
What this means for security leaders
US buyers search for IC3 and BEC numbers separately from global APWG volume. Label IC3 rows with the source report (FBI IC3 2025) and do not mix US complaint counts with APWG global site volume.
Where teams get this wrong
Use IC3 for US loss and complaint baselines; use APWG for global attack-site volume. Train finance and AP teams on wire-fraud playbooks; cite IC3 recovery cases to justify reporting-speed KPIs.
Phishing statistics in the United Kingdom
UK Department for Science, Innovation and Technology Cyber Security Breaches Survey 2025/26 found 43% of businesses experienced a breach or attack in the last 12 months. Phishing was the attack type for 38% of businesses; among those affected, 69% said phishing was their most disruptive attack. Phishing-only attacks (no other type) hit 51% of affected businesses, up from 45% in the prior wave.
NCSC Annual Review 2025 reports the takedown service removed 1.2 million+ phishing campaigns, disrupted 26,000+ HMG-targeted campaigns, and resolved 79% of HMG phishing within 24 hours.
Why programs stall
UK boards respond to DCBS and NCSC, not FBI IC3. Mixing US complaint counts into a UK section erodes trust with EU buyers.
What to fix this quarter
Lead UK executive summaries with DCBS 38% phishing prevalence and 69% disruption stat. Reference NCSC takedown scale for national context; pair with ICO misdirected-email incident trends for human-error programs.
Phishing statistics by industry
APWG sector shares shift by quarter. Always cite the quarter. Q2 2025 (OpSec/Crane): financial institutions 18.3%, SaaS/webmail 18.2%, eCommerce/retail 14.8%, payment 12.1%, social media 11.3%.
Q4 2025 (Crane Authentication): social media 20.3%, SaaS/webmail 20.3%, telecom 18.7%, financial institutions 9.3%, eCommerce/retail 8.7%. Do not invent banking- or healthcare-specific percentages without a primary sector table.
The uncomfortable truth
Industry sections in competitor pages often paste stale 2023 APWG shares. Sector rotation between Q2 and Q4 APWG 2025 quarters shows social and telecom spikes that finance-only playbooks miss.
Practical next step
Run role-based simulations for finance/AP (BEC), SaaS admins (credential harvest), and telecom help desks (callback). Refresh sector tables each APWG quarter.
Real-world phishing cases (2024–2026)
Arup deepfake CFO (Hong Kong, January 2024): HK$200M (~$25.6M USD) lost via multi-person video conference with AI deepfake executives after a spear-phishing email. HK Police briefing (Feb 2024); Financial Times identified the firm May 2024. Lesson: executive verification and second-channel approval before wires.
MGM Resorts help-desk social engineering (September 2023): ~$100M impact estimate per SEC Form 8-K; industry reporting describes vishing to IT help desk for MFA reset. Lesson: help-desk callback policy and vishing simulations for privileged roles.
IC3 real-estate BEC recovery (2024): $956,342 wire attempted; FBI Recovery Asset Team froze $955,060. Lesson: reporting speed and out-of-band verification on property transactions.
APWG Scripted Sparrow BEC wave (2024–2025): Up to 6 million targeted emails per month; Q4 2025 wire BEC attacks +136% QoQ (APWG Q4 2025, Fortra contributor). Lesson: AP and finance role-based invoice-fraud templates.
The honest read
Case studies without program lessons become clickbait. Each incident above maps to a control gap DBIR and APWG statistics already quantify.
What I'd do this quarter
After board reviews, assign one case per quarter to a simulation theme (deepfake exec, help-desk vishing, BEC wire). Link outcomes to reporting rate, not completion percentage.
What security leaders should measure instead of training completion
Gartner's 2025 Secure Behavior Strategies Survey (n=65) found 84% of organizations use training completion as a top metric, while 73% prioritize phishing reporting, yet Gartner MSE outcomes show phishing in fewer than 10% of measured breaches. Completion is easy to export; it does not prove breach reduction.
Cohort segmentation matters. Keepnet's New Hires Phishing Susceptibility Report (proprietary, 2026) found new hires 44% more likely to fall for phishing in their first 90 days, with 71% at risk in that onboarding window. Track new-hire cohorts separately from company-wide DBIR medians.
| Weak metric (common) | Better metric (evidence-aligned) | Why |
|---|---|---|
| Training completion rate | Phishing reporting rate | 84% track completion vs 73% prioritize reporting (Gartner G00840741, n=65) |
| Courses assigned | Repeat offender rate / cohort trend | DBIR sim medians show channel-specific failure |
| Awareness quiz score | Time-to-report | DBIR reporting baselines; IC3 recovery cases reward speed |
| Click rate only | Behavior change by channel | DBIR ~1.4% email vs ~2% phone. Measure both |
| Generic awareness score | Human risk score by role | Gartner MSE outcomes (G00811878); role-based BEC and help-desk risk |
Weak metrics vs better metrics for phishing programs
Build these metrics inside a Security Behavior and Culture Program (SBCP). See cybersecurity awareness training for employees for program design basics.
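An added example, not Keepnet's code or data: one way to compute the per-channel failure rate, reporting rate, time-to-report and repeat-offender metrics from the table above out of raw simulation results. The record layout, campaign ids, user names and values are all constructed for illustration.

```python
"""Per-channel phishing-simulation metrics (added example, constructed data)."""
from collections import defaultdict
from statistics import median

# Constructed sample results: one row per (campaign, recipient).
# Fields: campaign id, channel, user, failed? (clicked or disclosed),
# minutes until the user reported the lure (None = never reported).
# All identifiers are hypothetical.
RESULTS = [
    ("c1", "email", "ana",   False, 4),
    ("c1", "email", "ben",   True,  None),
    ("c1", "email", "chloe", False, 12),
    ("c1", "email", "dev",   False, None),
    ("c2", "voice", "ana",   True,  None),
    ("c2", "voice", "ben",   True,  30),
    ("c2", "voice", "chloe", False, 6),
    ("c2", "voice", "dev",   False, None),
    ("c3", "sms",   "ana",   False, 2),
    ("c3", "sms",   "ben",   True,  None),
    ("c3", "sms",   "chloe", False, None),
    ("c3", "sms",   "dev",   False, 20),
]


def channel_metrics(results):
    """Return {channel: failure_rate, report_rate, median_minutes_to_report}."""
    by_channel = defaultdict(list)
    for _campaign, channel, _user, failed, report_min in results:
        by_channel[channel].append((failed, report_min))
    out = {}
    for channel, rows in by_channel.items():
        report_times = [m for _f, m in rows if m is not None]
        out[channel] = {
            "failure_rate": sum(f for f, _m in rows) / len(rows),
            "report_rate": len(report_times) / len(rows),
            # Undefined when nobody reported; keep that visible as None
            # instead of reporting a misleading zero.
            "median_minutes_to_report": (
                median(report_times) if report_times else None
            ),
        }
    return out


def repeat_offenders(results, threshold=2):
    """Users who failed in >= threshold distinct campaigns, with channels."""
    failed_in = defaultdict(set)
    for campaign, channel, user, failed, _m in results:
        if failed:
            failed_in[user].add((campaign, channel))
    return {
        user: sorted({ch for _c, ch in hits})
        for user, hits in failed_in.items()
        if len({c for c, _ch in hits}) >= threshold
    }


if __name__ == "__main__":
    for channel, m in sorted(channel_metrics(RESULTS).items()):
        print(channel, m)
    print("repeat offenders:", repeat_offenders(RESULTS))
```

In this constructed data an email-only program would see a 25% failure rate and miss both the 50% voice failure rate and the one user who fails on every channel.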
What this means for security leaders
This is the SERP gap competitors rarely close in table form: they list stats, not decision metrics. Keepnet buyers need reporting rate and repeat-failure cohorts to justify budget.
Where teams get this wrong
Deprioritize completion-only dashboards in QBRs. Add phone and smishing sim baselines alongside email; track policy exception volume (only 6% of orgs do per Gartner G00840741, n=65).
2026 and beyond: phishing trends to watch
DBIR 2026: vulnerability exploitation leads initial access at 31%; combined phishing + pretexting initial access is 22%. Patch and people programs both need funding.
Microsoft MDDR 2025: ClickFix appeared in 47% of Defender Experts initial-access notifications. QR and smishing growth continues per APWG and Microsoft Q1 2026 telemetry.
Gartner planning assumptions (label as forecast): ≥50% of large enterprises will include cyber KPIs in senior employment contracts by 2026 (G00811878); 70% of enterprise meeting platforms will include deepfake detection by 2028 (G00846628).
For awareness-program direction, see top trends in cybersecurity awareness training.
Statistics show where attacks move; your platform must measure the same channels. Tiered legacy SAT contracts often gate non-email sims behind higher tiers. See KnowBe4 alternatives (2026) for modular packages, voice/SMS metrics, and pilot questions.
What this means for security leaders
Three decisions close the gap between phishing statistics and program outcomes:
1. Measure by channel. Email sim medians (~1.4%) understate phone risk (~2%). If your SAT stack is inbox-only, your metrics lie quietly.
2. Report rate over completion. 84% of orgs celebrate LMS exports; 62% of breaches still involve people. Measure reporting and repeat failures.
3. Executive verification before money moves. Deepfake and BEC losses (IC3 $3.05B; Arup ~$25.6M) outpace generic awareness modules.
Run multi-channel simulations with Keepnet Phishing Simulator, vishing, and smishing modules. Use the reference numbers from this page in executive readouts, with source year labels every time.
Sources
- Verizon 2026 Data Breach Investigations Report (Keepnet summary)
- APWG Phishing Activity Trends Report Q4 2025 (PDF)
- APWG Phishing Activity Trends Reports (index)
- FBI IC3 Internet Crime Report 2025 (PDF)
- UK Cyber Security Breaches Survey 2025/26
- NCSC Annual Review 2025 (PDF)
- Microsoft Digital Defense Report 2025 (PDF)
- Microsoft Email Threat Landscape Q1 2026
- ENISA Threat Landscape 2025
- CISA Phishing Guidance (Oct 2023)
- Keepnet 2024 Voice Phishing Response Report
- Keepnet New Hires Phishing Susceptibility Report (2026)
- Gartner G00840741, G00840742, G00840678, G00811878 (2025–2026 publications; n labeled in body).
Related reading
- 2026 Verizon DBIR summary
- Common phishing email examples
- Vishing statistics 2026
- Smishing statistics 2026
- KnowBe4 alternatives (2026)
- Deepfake statistics and trends
- Phishing Simulator