AntiPhishers Phishing Attack Statistics 2026: Volume by Industry
Phishing Attack Statistics 2026: Volume by Industry
Security Education: This article describes cyber threats for defensive awareness and education purposes only. Understanding how attacks work helps organizations and individuals protect themselves. Never use this information for unauthorized access or malicious purposes.
Phishing attacks continue to rise in volume, sophistication, and financial impact. The data from 2025, reported by APWG, Keepnet, and industry researchers through early 2026, provides the clearest picture of where attacks are concentrated, what methods attackers prefer, and how much damage they cause across industries.
This article presents the numbers without editorializing — the data speaks clearly enough on its own.
Attack Volume
Global Phishing Volume (APWG Data)
| Quarter | Attacks Recorded |
|---|---|
| Q1 2025 | 1,003,924 |
| Q2 2025 | 1,130,393 |
| Q3 2025 | ~890,000 |
| Q4 2025 | 853,244 |
| 2025 Total | ~3.8 million |
The 2025 total of approximately 3.8 million phishing attacks represents a slight increase over 2024. Q1 and Q2 saw the highest volumes, with Q3 and Q4 declining modestly — potentially influenced by a 43-day US government shutdown that disrupted some reporting mechanisms.
Year-Over-Year Trend
| Year | APWG Reported Attacks (Approx.) |
|---|---|
| 2020 | 0.6M |
| 2021 | 0.9M |
| 2022 | 1.3M |
| 2023 | 2.5M |
| 2024 | 3.5M |
| 2025 | 3.8M |
The trajectory shows a sixfold increase in five years. While the rate of growth slowed between 2024 and 2025, the absolute volume remains at historical highs.
Industry Targeting
Q4 2025 Sector Breakdown (APWG)
| Sector | Share of Attacks | Trend vs Q3 |
|---|---|---|
| Social Media | 20.3% | Stable |
| SaaS/Webmail | 20.3% | Stable |
| Telecom | 18.7% | Increasing |
| Financial Institutions | 9.3% | Decreasing |
| E-commerce | 8.1% | Stable |
| Logistics/Shipping | 5.2% | Seasonal |
| Healthcare | 4.1% | Increasing |
| Government | 3.8% | Stable |
| Cryptocurrency | 2.9% | Decreasing |
| Other | 7.3% | — |
Full-Year 2024-2025 Sector Analysis
| Sector | Attack Share | Why Targeted |
|---|---|---|
| Financial Services | 23.5% | Stolen credentials have immediate monetary value |
| SaaS/Webmail | 19.4% | Access to email enables account recovery attacks on other services |
| E-commerce | 14.2% | Payment data theft; fake delivery notices spike during sales |
| Social Media | 12.8% | Account takeover for spam and scam distribution |
| Logistics/Shipping | 8.1% | Fake tracking notifications, highly effective vector |
| Healthcare | 5.3% | High-value data (medical records, insurance, SSN) |
| Government | 4.2% | Credential harvesting for further access |
| Education | 3.1% | Large user populations, often under-protected |
| Other | 9.4% | Various |
Financial services and SaaS/webmail combined account for over 40% of all phishing attacks, consistent with previous years. The value-density of stolen credentials from these sectors drives the concentration.
For defense strategies tailored to these sectors, see our Phishing Protection Guide 2026.
Financial Impact
Breach Costs
| Metric | 2025 Value |
|---|---|
| Average cost of phishing-related data breach | $4.88 million |
| Year-over-year change | +10% |
| Average healthcare breach cost | $7.42 million |
| Healthcare sector rank in breach costs | 1st (14th consecutive year) |
| Average cost per stolen record | $169 |
Individual Impact
| Metric | Value |
|---|---|
| Average identity theft loss per victim | $1,343 |
| Total consumer losses to identity fraud (2024) | $27.2 billion |
| FTC identity theft reports (2024) | 1+ million |
Business Email Compromise
| Metric | Value |
|---|---|
| FBI-reported BEC losses (2023) | $2.7 billion |
| Average BEC incident cost | $125,000–$175,000 |
| BEC as percentage of cyber insurance claims | Increasing year-over-year |
Attack Methods
Channel Distribution (2025)
| Channel | Prevalence | Trend |
|---|---|---|
| 75–80% | Still dominant, but decreasing share | |
| SMS (Smishing) | 10–12% | Increasing rapidly |
| Voice (Vishing) | 5–7% | Increasing, AI-driven |
| Social Media | 4–5% | Stable |
| Collaboration Tools (Slack, Teams) | 2–3% | New and growing |
| QR Code (Quishing) | 1–2% | Emerging |
Email remains the primary channel, but its share is declining as attackers diversify into SMS, voice, and collaboration platforms. The multi-channel trend makes defense more complex because each channel requires different detection tools and user awareness.
AI-Generated Phishing
| Finding | Source |
|---|---|
| 54% click rate for AI-crafted phishing emails | 2025 academic study |
| 12% click rate for human-written phishing emails | Same study, control group |
| 400% rise in successful phishing scams attributed to AI | 2025 industry report |
| 14x surge in AI-generated phishing during year-end 2025 | APWG trend analysis |
AI-generated phishing represents the most significant shift in the threat landscape. The elimination of grammatical errors, spelling mistakes, and formatting problems — historically the most reliable detection signals — requires a fundamental update to human detection training. See How to Recognize a Phishing Email for updated detection guidance.
Emerging Attack Vectors (Late 2025 – 2026)
| Vector | Description |
|---|---|
| SVG file attachments | Embedded scripts bypass email scanners |
| Calendar invite exploits | .ics files with malicious links |
| QR code in PDF | Embedded QR codes bypass URL scanners |
| Callback phishing (BazarCall) | Email instructs victim to call a number |
| Recruitment scams | Fake job listings harvest personal data |
| OAuth consent phishing | Tricking users into granting app permissions |
Click and Susceptibility Rates
By Organization Size
| Organization Size | Average Phish-Prone Percentage |
|---|---|
| Small (1–249 employees) | 32.4% |
| Medium (250–999 employees) | 29.8% |
| Large (1,000+ employees) | 33.1% |
The similarity across organization sizes indicates that phishing vulnerability is not a function of company resources. All sizes remain susceptible without active training programs.
Impact of Training
Organizations implementing regular phishing simulations and security awareness training report significant reductions in click rates over time, with some achieving below 5% within 12 months of starting a program. The key factor is frequency — monthly simulations outperform quarterly, which outperform annual training.
What the Data Means for You
For individuals: The statistics confirm that phishing is not a niche or declining threat. It is growing. The defenses described in our Online Security Checklist — password managers, MFA, and phishing awareness — address the attack vectors responsible for the majority of the $27.2 billion in annual losses.
For organizations: The sector targeting data helps prioritize defense investments. Financial services and SaaS companies face concentrated risk and should invest in advanced email security and phishing-resistant MFA. All organizations benefit from regular phishing simulations. Comprehensive account security starts with the right tools, covered in our best password managers guide and antivirus comparison.
Key Takeaways
- Approximately 3.8 million phishing attacks were recorded in 2025, continuing a five-year upward trend
- Financial services and SaaS/webmail account for over 40% of all attacks
- AI-generated phishing achieves 54% click rates vs 12% for human-written, fundamentally changing the detection challenge
- The average phishing-related data breach costs $4.88 million, up 10% year-over-year
- Multi-channel phishing (SMS, voice, collaboration tools) is growing as email share decreases
Next Steps
- Implement defenses in Phishing Protection Guide 2026
- Update detection skills in How to Recognize a Phishing Email
- Protect credentials with Best Password Managers 2026
- Complete the Online Security Checklist
- Get answers to common questions in Cybersecurity FAQ
Statistics sourced from APWG, Keepnet Labs, Secureframe, and industry reports. 2025 data represents full-year figures where available and partial-year projections where noted. The phishing landscape evolves rapidly; numbers should be interpreted as indicative of trends rather than precise counts.
Sources
- 2025 Phishing Statistics — Keepnet Labs — accessed March 27, 2026
- 60+ Phishing Attack Statistics — Secureframe — accessed March 27, 2026
- Phishing Statistics 2025-2026 — Zensec — accessed March 27, 2026