<p>Phishing remains the single most impactful attack vector in modern cybersecurity, and the 2024-2026 statistics demonstrate that defensive improvements have not kept pace with attacker capability. The volume of phishing emails sent globally exceeds three billion per day. AI-generated phishing surpassed human-crafted phishing by volume in late 2024. Adversary-in-the-middle (AiTM) phishing infrastructure now defeats the majority of push-notification and SMS-based MFA deployments. The median time from a user receiving a phishing email to the user clicking on it is 3.5 minutes — faster than any human-mediated response process can operate. The numbers below — drawn from Verizon's 2024 Data Breach Investigations Report, the FBI Internet Crime Complaint Center, IBM's Cost of a Data Breach Report, the Anti-Phishing Working Group, Microsoft's 2024 Digital Defense Report, and Proofpoint's State of the Phish — should change how every executive thinks about email security investment in 2026.</p>
<h2>Volume and Frequency</h2>
<h3>1. 1.2 million phishing sites detected per quarter</h3>
<p>The Anti-Phishing Working Group's most recent quarterly report tracked over 1.2 million unique phishing sites observed during Q4 2024 — the highest quarterly volume ever recorded and roughly 4x the volume observed in 2019. The growth curve has accelerated rather than plateaued.</p>
<h3>2. 71% of organizations experienced a successful phishing attack in the past year</h3>
<p>Proofpoint's State of the Phish 2024 report found that 71% of surveyed organizations confirmed at least one successful phishing attack — meaning credentials were compromised, malware was installed, or financial fraud was committed. The figure has remained above 65% every year since 2020, indicating that even substantial improvements in security awareness training have not closed the gap.</p>
<h3>3. 96% of organizations received phishing email attempts</h3>
<p>The same Proofpoint report identified 96% of organizations receiving phishing emails at some volume — meaning the threat is essentially universal. Organizations without measurable phishing volume are typically those whose email systems are not properly monitoring the threat.</p>
<h3>4. 156,000 daily BEC attempts blocked by Microsoft</h3>
<p>Microsoft's 2024 Digital Defense Report disclosed that Microsoft 365 services block approximately 156,000 business email compromise (BEC) attempts per day across the customer base. Microsoft Defender for Office 365 telemetry suggests BEC volume grew 38% year-over-year in 2024.</p>
<h3>5. 3.4 billion phishing emails sent daily globally</h3>
<p>The consensus of independent estimates from APWG, Proofpoint, and Mimecast puts daily global phishing email volume in the 3-4 billion range. Phishing is operationally cheaper to send than legitimate marketing email, faces no meaningful enforcement at international scale, and generates economic return whenever a small fraction of recipients engage.</p>
<h3>6. 30-day average dwell time for credential phishing kits</h3>
<p>Cloudflare's threat intelligence team tracks the median lifespan of credential phishing kits at approximately 30 days before takedown. The economic model of phishing-as-a-service assumes a known short operational lifespan and is engineered around the takedown cycle.</p>
<h3>7. 91% of cyberattacks begin with phishing</h3>
<p>The Deloitte annual cyber survey and the Verizon DBIR have both attributed 80-91% of cyber incidents to phishing as the initial access vector. The figure varies year over year but consistently identifies phishing as the dominant entry point across virtually every threat category — ransomware, nation-state operations, business email compromise, data theft.</p>
<p>AI-generated phishing surpassed human-crafted phishing in observed volume in late 2024. The marginal cost of producing a convincing phishing email dropped from minutes of human effort to fractions of a cent of AI inference. Defensive economics have inverted: the attacker side scales linearly with compute; the defender side scales with human review.</p>
<h2>Cost and Impact</h2>
<h3>8. $4.88M average data breach cost</h3>
<p>IBM's 2024 Cost of a Data Breach Report set the global average at $4.88M per incident — a record high and 10% higher than the prior year. Phishing-initiated breaches averaged $4.76M, slightly below the global mean but well within the high-cost tier of breach origins.</p>
<h3>9. $50B+ in BEC losses since 2013</h3>
<p>The FBI Internet Crime Complaint Center (IC3) tracks cumulative BEC losses since 2013 at over $50 billion globally. Annual BEC losses have consistently been in the $2-3B range in the US alone for the past five years, and the IC3 acknowledges substantial under-reporting.</p>
<h3>10. $137,132 median cost per BEC incident</h3>
<p>The IC3's 2024 report set the median per-incident BEC loss at $137,132 — a substantial increase from the $80K median five years prior. The shift reflects attacker focus on higher-value targets and more sophisticated social engineering against finance and HR functions.</p>
<h3>11. 67% of ransomware incidents begin with phishing</h3>
<p>Sophos' annual State of Ransomware report and the Coveware quarterly threat report both consistently identify phishing as the entry point for roughly 65-70% of ransomware incidents that ultimately produce ransom demands. The remaining incidents typically involve exploited public-facing vulnerabilities or compromised third-party access.</p>
<h3>12. 60% of breaches involve the human element</h3>
<p>Verizon DBIR 2024 attributed 60% of breaches to social engineering, phishing, errors, or misuse — the human element broadly defined. Pure-technical exploitation (zero-day vulnerabilities, network attacks against unpatched systems) accounts for a smaller share than the cybersecurity industry's marketing focus might suggest.</p>
<h3>13. $10.5T projected global cybercrime cost in 2025</h3>
<p>Cybersecurity Ventures projects global cybercrime costs reaching $10.5 trillion annually by 2025, more than double the 2021 figure. Phishing-driven losses — BEC, ransomware, credential theft for downstream fraud — account for the largest single category within that projection.</p>
<h2>The Modern Phishing Threat Surface</h2>
<h3>14. AI-generated phishing surpassed human-crafted phishing by volume in late 2024</h3>
<p>Microsoft's 2024 Digital Defense Report documented that AI-generated phishing content surpassed human-authored phishing in observed campaign volume during Q3-Q4 2024. The shift represents a structural change in phishing economics: AI tooling makes high-quality, personalized, multilingual phishing essentially free to produce, eliminating the labor cost that previously bounded campaign sophistication.</p>
<h3>15. 30-second human detection rate dropped to 16%</h3>
<p>IRONSCALES and Egress threat research consistently shows user detection rates for AI-generated phishing at roughly 16% — down from the 40-50% detection rates for legacy phishing five years ago. Users cannot be expected to identify modern phishing through inspection alone; the AI-generated content is too well-crafted.</p>
<h3>16. AiTM phishing kits bypass 95% of push-notification MFA</h3>
<p>Microsoft, Okta, and Cloudflare have all documented that adversary-in-the-middle (AiTM) phishing tooling — Evilginx, Modlishka, and the broader category — successfully captures session tokens after legitimate MFA approval in the substantial majority of attempts against push-notification, SMS-based, and TOTP-based MFA. Phishing-resistant FIDO2 hardware keys and platform passkeys remain effective against AiTM tooling.</p>
<h3>17. 90% of phishing pages now use HTTPS</h3>
<p>The Anti-Phishing Working Group reports that approximately 90% of observed phishing pages now operate over HTTPS with valid TLS certificates, frequently obtained from Let's Encrypt or other free CA services. The user education advice from a decade ago — "check for the padlock" — is now actively misleading. Modern phishing pages have valid TLS by default.</p>
<h3>18. 3.5-minute median time-to-click after receipt</h3>
<p>Verizon DBIR 2024 measured the median time from phishing email receipt to first user click at approximately 3.5 minutes, and the median time to data entry (credentials, payment info) at 5.5 minutes. User-centric defensive layers — awareness training, suspicious email reporting — cannot operationally respond at this speed. Technical defensive layers (URL detonation, AiTM detection, conditional access risk policies) must catch what users will not.</p>
<h3>19. 25% of phishing campaigns target executives specifically</h3>
<p>Mimecast and Proofpoint threat intelligence indicate that approximately one in four phishing campaigns explicitly targets executive or senior management roles — the elevated phishing category known as whaling or BEC. The high-value targeting is operationally efficient: a single successful whaling compromise typically produces 10-100x the financial yield of bulk consumer phishing.</p>
<h3>20. <$0.001 marginal cost per AI-generated phishing email</h3>
<p>The arithmetic that drove the AI phishing inflection point: at current LLM API pricing, producing a high-quality, personalized phishing email costs fractions of a cent in inference. Campaign scale is no longer limited by labor; it is limited only by the cost of acquiring target lists. The defensive economics have inverted compared to a decade ago, when phishing required meaningful human effort per email.</p>
<h2>What to Do About It</h2><p>The statistics above describe a threat surface that has structurally changed in the past 18 months. Three priorities follow from the data:</p><p><strong>Migrate to phishing-resistant MFA where it matters most.</strong> Push notifications and SMS-based MFA are operationally obsolete against AiTM phishing tooling. Hardware security keys (YubiKey, Google Titan, Feitian) and platform passkeys (Apple, Google, Microsoft) defeat the current generation of credential harvesting infrastructure. The migration is operationally non-trivial but the defensive return is substantial.</p><p><strong>Layer technical defense above user awareness.</strong> The 3.5-minute median time to click means the security team cannot rely on users to identify and report phishing in time. URL detonation, AiTM detection in conditional access policies, business email compromise indicators in email security platforms, and session-risk scoring all need to operate as the primary defensive layer, with user reporting as a secondary signal.</p><p><strong>Treat AI-generated phishing as the baseline threat model.</strong> Defenses calibrated against the phishing of 2019-2022 are operationally insufficient against current campaign sophistication. Email security platform configuration, user training content, and SOC playbooks need refreshing to reflect that the median phishing email a user receives in 2026 is well-crafted, personalized, and frequently multilingual.</p>
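<p>To show why FIDO2 keys and passkeys hold up against AiTM relays while push, SMS and TOTP codes do not (the point made in statistic 16 and in the first priority above), here is an added Python example that is not from the article or from Cloudskope: it simulates the origin and RP ID bindings a WebAuthn relying party checks, using constructed domain names, and leaves out the signature verification that production code must also perform.</p>

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed relying-party identity (assumed names, not from the article).
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
# Constructed lookalike domain standing in for an AiTM reverse-proxy page.
PROXY_ORIGIN = "https://login.example-com.net"


@dataclass
class Assertion:
    client_data_json: bytes  # browser-built JSON: type, challenge, origin
    rp_id_hash: bytes        # SHA-256 of the RP ID, from authenticatorData

def browser_assert(challenge: str, page_origin: str) -> Assertion:
    """Simulate browser + FIDO2 authenticator: the browser stamps the origin of the
    page it is actually on and hashes that domain as RP ID; page script cannot
    override either, which is what makes the credential phishing-resistant."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    rp_id = page_origin.split("://", 1)[1]
    return Assertion(json.dumps(client_data).encode(), hashlib.sha256(rp_id.encode()).digest())

def verify_assertion(a: Assertion, expected_challenge: str) -> bool:
    """RP-side binding checks (type, challenge, origin, rpIdHash). The signature
    over these bytes is omitted for brevity; production code must verify it too."""
    cd = json.loads(a.client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False
    if cd.get("origin") != RP_ORIGIN:
        return False  # produced on another site: reject even with a fresh challenge
    return hmac.compare_digest(a.rp_id_hash, hashlib.sha256(RP_ID.encode()).digest())

def direct_login(challenge: str = "nonce-from-rp") -> bool:
    """User signs in on the real origin: every binding matches."""
    return verify_assertion(browser_assert(challenge, RP_ORIGIN), challenge)

def proxied_login(challenge: str = "nonce-from-rp") -> bool:
    """The same RP challenge relayed through a lookalike page: the browser stamps
    the proxy's origin and RP ID hash, so the real RP rejects the assertion."""
    return verify_assertion(browser_assert(challenge, PROXY_ORIGIN), challenge)

def verify_otp_code(submitted: str, expected: str) -> bool:
    """Contrast: a push/SMS/TOTP code carries no origin, so this check cannot tell
    whether the user typed it on the real site or on a proxy page."""
    return hmac.compare_digest(submitted, expected)
```

The same relayed challenge passes the OTP-style check and fails the WebAuthn check, which is the whole difference between relayable and phishing-resistant factors.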
<p>Cloudskope's Identity and Access Risk Management practice evaluates phishing exposure across the full attack chain: email security platform configuration, MFA posture (specifically the migration to phishing-resistant FIDO2/passkeys), conditional access policies that surface session-token replay, and dark web monitoring for credentials that have already been harvested. For PE portfolio companies and mid-market organizations, our Cyber Risk Assessment includes specific gap analysis on AiTM phishing exposure — the single largest defensive gap in most current security stacks.</p>