Phishing remains the most pervasive initial attack vector in cybercrime, consistently appearing as a top entry point for data breaches, ransomware, and financial fraud. The introduction of AI-generated phishing — using large language models to craft hyper-personalized, grammatically flawless deceptive messages at scale — has substantially reduced the effectiveness of traditional phishing defenses. This page aggregates the most authoritative published statistics on phishing attack volume, success rates, financial impact, and the AI-driven transformation of the threat landscape. All data is sourced from primary publications. This reference is intended for security researchers, enterprise risk professionals, journalists, and policy makers.
3.4 Billion
Phishing emails sent globally every day — making email-based phishing the single highest-volume attack vector in cybersecurity.
— Proofpoint, "State of the Phish," 2024
Attack Volume & Scale
4.7M
Unique phishing sites tracked by APWG in 2023 — a record annual total
— APWG Phishing Activity Trends Report, 2023
1M+
Unique phishing attacks recorded by APWG in Q1 2023 alone — a record quarterly high
— APWG, Q1 2023
The Anti-Phishing Working Group (APWG) tracked a total of 4.7 million unique phishing sites in 2023, a 40% increase from the 3.4 million tracked in 2022, driven in part by AI-assisted site generation and bulk domain acquisition.
— APWG Phishing Activity Trends Report, Annual 2023
Proofpoint's 2024 State of the Phish report found that 94% of organizations worldwide experienced email-based phishing attacks in 2023 — effectively a universal threat for enterprises of any size.
— Proofpoint, "State of the Phish," 2024
Microsoft's Digital Defense Report 2024 noted that Microsoft blocks over 600 million cyberattacks per day across its ecosystem, with phishing and credential theft comprising the largest share of blocked attempts.
— Microsoft Digital Defense Report, 2024
Google's Safe Browsing API identifies and blocks approximately 10 million potentially unsafe URLs per day, a significant portion of which are active phishing pages targeting Google account credentials.
— Google Safe Browsing Transparency Report, 2024
The FBI IC3 received 298,878 phishing and spoofing complaints in 2023 — making it the highest-volume individual cybercrime type by complaint count, even as its dollar losses rank below investment and BEC fraud.
— FBI IC3 Internet Crime Report, 2023
Phishing in Data Breaches
Verizon's 2024 Data Breach Investigations Report (DBIR), analyzing 30,458 security incidents and 10,626 confirmed data breaches, found phishing was involved in 36% of all data breaches — the single most common initial attack vector.
— Verizon 2024 Data Breach Investigations Report
The Verizon DBIR also found the human element was involved in 68% of breaches in 2024 — and that phishing and social engineering represent the primary mechanism by which the human element is exploited.
— Verizon 2024 Data Breach Investigations Report
IBM's 2024 Cost of a Data Breach Report, based on 604 organizations that experienced breaches between March 2023 and February 2024, identified phishing as the leading initial attack vector in 16% of breaches — and phishing-initiated breaches averaged $4.88 million in total breach costs.
— IBM Security, Cost of a Data Breach Report, 2024
Credential-based attacks enabled by phishing are responsible for 86% of web application breaches, according to Verizon DBIR analysis — as phished credentials are subsequently used to access corporate systems, cloud accounts, and email.
— Verizon 2024 Data Breach Investigations Report
Ransomware attacks, which reached a record in 2023, primarily enter corporate networks through phishing. The Verizon DBIR found ransomware was a component in 23% of all breaches analyzed, with phishing as the dominant precursor attack.
— Verizon 2024 Data Breach Investigations Report
Financial Impact of Phishing
$4.88M
Average cost of a data breach when phishing was the initial attack vector (2024)
— IBM Security, 2024
$2.9B
Business Email Compromise losses reported to FBI IC3 in 2023, predominantly enabled by phishing
— FBI IC3, 2023
The Ponemon Institute's 2023 Cost of Phishing Study found that the average annual cost of phishing attacks to a large U.S. company is $14.8 million, including lost productivity, technical remediation, and credential-theft consequences.
— Ponemon Institute, "The Cost of Phishing," 2023
Spear phishing — targeted attacks using personalized information about the recipient — has an average success rate of 47% vs. 3% for generic mass phishing, making it the preferred approach for high-value corporate targets.
— Proofpoint, "State of the Phish," 2024
APWG found that financial institutions remain the most impersonated sector in phishing campaigns, accounting for 27.8% of all phishing attacks in 2023. PayPal, Bank of America, and Wells Fargo were among the most commonly spoofed brands.
— APWG Phishing Activity Trends Report, 2023
AI-Powered Phishing
AI-generated phishing emails are now indistinguishable from legitimate email in 65% of cases tested by enterprise security teams, compared to 30% for human-written phishing in 2021 — reflecting the dramatic quality improvement from LLM-generated content.
— Microsoft Digital Defense Report, 2024
Researchers at IBM X-Force demonstrated in 2023 that AI-generated phishing emails achieved a click-through rate of 11% compared to 14% for human-crafted spear phishing — closing the gap dramatically and enabling attacks at 50× the scale in the same time.
— IBM X-Force, "Cybersecurity in the Era of AI," 2023
The use of LLMs to generate polymorphic phishing — where each email variant is slightly different to evade signature-based detection — increased by an estimated 4,151% between Q4 2022 and Q4 2023, according to Darktrace's threat intelligence platform.
— Darktrace, "Email Security Trends Report," 2024
Proofpoint found that 84% of organizations experienced phishing attacks in 2023, and that AI-assisted attacks were more effective at credential harvesting than traditional phishing — resulting in 2.3× more successful account compromises per campaign.
— Proofpoint, "State of the Phish," 2024
Nation-state-affiliated actors, including groups attributed to Russia, China, and North Korea, have been observed using AI-generated phishing content in targeted campaigns against government, defense, and critical infrastructure organizations, according to Microsoft's Digital Defense Report.
— Microsoft Digital Defense Report, 2024
AI-powered phishing-as-a-service (PhaaS) platforms — which provide campaign management, template generation, and real-time site cloning — were identified by APWG in 19% of analyzed phishing campaigns in 2023, enabling non-technical criminals to run sophisticated attacks.
— APWG Phishing Activity Trends Report, 2023
Industry Targeting
Financial services face the highest phishing attack volume of any industry sector. APWG found financial institutions were the most impersonated brand category, accounting for 27.8% of all phishing campaigns in 2023.
— APWG Phishing Activity Trends Report, 2023
Healthcare organizations experience a disproportionately severe impact from phishing breaches: IBM found that healthcare data breaches have the highest average cost of any industry at $9.77 million per breach in 2024, with phishing as a primary entry point.
— IBM Security, Cost of a Data Breach Report, 2024
Government and public sector entities are targeted in approximately 16% of nation-state phishing campaigns. Microsoft's Digital Defense Report identified government as the top-targeted sector by state-sponsored threat actors using AI-enhanced spear phishing.
— Microsoft Digital Defense Report, 2024
Smishing & Vishing Trends
Smishing (SMS phishing) grew by 50% in complaint volume reported to the FTC between 2022 and 2023, driven by package delivery impersonation scams, fake bank alerts, and toll payment demands.
— FTC Consumer Sentinel Network Data Book, 2023
Proofpoint found that 76% of organizations experienced smishing attacks in 2023, up from 61% in 2022. Mobile devices are increasingly targeted because corporate security controls are typically weaker on personal phones than managed desktops.
— Proofpoint, "State of the Phish," 2024
Vishing (voice phishing) attacks increased 260% in 2023 according to Agari, increasingly combining AI voice synthesis to impersonate IT helpdesks and financial institutions in real-time calls designed to harvest multi-factor authentication tokens.
— Agari / HelpSystems, "Vishing and Hybrid Attack Trends," 2023
Defensive Effectiveness
Multi-factor authentication (MFA) prevents 99.9% of automated credential-stuffing attacks and significantly reduces the impact of phished credentials, according to Microsoft's analysis across its authentication infrastructure.
— Microsoft Security Research, 2023
However, adversary-in-the-middle (AiTM) phishing kits — which intercept MFA tokens in real time — bypassed standard MFA in 60% of targeted enterprise attacks where AiTM techniques were used, according to Microsoft's Digital Defense Report.
— Microsoft Digital Defense Report, 2024
Security awareness training reduces successful phishing click rates from approximately 30% for untrained users to 5% for well-trained employees, according to KnowBe4's global benchmark study of 12.5 million simulated phishing tests.
— KnowBe4 Phishing by Industry Benchmarking Report, 2024
Despite training, 85% of organizations that had conducted phishing simulation programs still experienced successful real phishing attacks in 2023 — demonstrating that training alone is insufficient without technical controls.
— Proofpoint, "State of the Phish," 2024
Cite This Page:
AIScamRecovery.com. "Phishing Statistics 2026: Attack Volume, Success Rates & AI-Powered Trends." April 2026. https://aiscamrecovery.com/stats/phishing-statistics-2026
Frequently Asked Questions
How many phishing attacks occur each day?
Proofpoint estimates 3.4 billion phishing emails are sent globally every day. The Anti-Phishing Working Group tracked 4.7 million unique phishing sites in 2023 and recorded over 1 million unique phishing attacks in Q1 2023 alone. Microsoft blocks over 600 million cyberattacks daily across its ecosystem, with phishing comprising the largest category.
What percentage of breaches involve phishing?
Verizon's 2024 DBIR found phishing was involved in 36% of all data breaches analyzed — making it the leading initial attack vector. IBM's 2024 Cost of a Data Breach Report found phishing initiated 16% of breaches and resulted in an average breach cost of $4.88 million. The human element — primarily exploited through phishing — was present in 68% of all breaches.
How has AI changed phishing attacks?
AI enables hyper-personalized spear phishing at scale that previously required manual research per target. Microsoft found AI-generated phishing emails are indistinguishable from legitimate email in 65% of cases tested. IBM X-Force demonstrated AI phishing achieving click rates comparable to expert human-crafted spear phishing at 50× the speed and scale. LLMs also generate polymorphic variants that evade signature-based email filters.
What industries are most targeted by phishing?
Financial services face the highest attack volume — accounting for 27.8% of all phishing campaigns in APWG data. Healthcare experiences the most expensive breaches at $9.77 million average per incident when phishing is the entry point. Government and defense organizations are primary targets for nation-state spear phishing campaigns using AI-enhanced content.
How do I report a phishing attack?
Forward phishing emails to the Anti-Phishing Working Group at [email protected]. Report phishing to the FTC at reportfraud.ftc.gov. If you clicked a link and entered credentials, immediately change passwords on any affected accounts and enable MFA. For business phishing incidents involving credential compromise, notify your IT security team and file with FBI IC3 at ic3.gov. Report phishing text messages by forwarding to 7726 (SPAM).