Executive Risk & Board Advisory

Phishing Statistics 2026: 20 Numbers Every Executive Should Know

Dipan Mann
Founder, CEO & CTO
May 12, 2026
12 minute read

Phishing remains the single most impactful attack vector in modern cybersecurity, and the 2024-2026 data shows defensive improvements have not kept pace with attacker capability. Global phishing volume exceeds three billion emails a day, AI-generated phishing overtook human-crafted phishing in late 2024, and adversary-in-the-middle kits now defeat most push and SMS-based MFA. These 20 numbers, drawn from Verizon DBIR, the FBI IC3, IBM, the APWG, Microsoft, and Proofpoint, should change how every executive thinks about email security investment in 2026.

Volume and Frequency

1. 1.2 million phishing sites detected per quarter

The Anti-Phishing Working Group's most recent quarterly report tracked over 1.2 million unique phishing sites observed during Q4 2024 — the highest quarterly volume ever recorded and roughly 4x the volume observed in 2019. The growth curve has accelerated rather than plateaued.

2. 71% of organizations experienced a successful phishing attack in the past year

Proofpoint's State of the Phish 2024 report found that 71% of surveyed organizations confirmed at least one successful phishing attack — meaning credentials were compromised, malware was installed, or financial fraud was committed. The figure has remained above 65% every year since 2020, indicating that even substantial improvements in security awareness training have not closed the gap.

3. 96% of organizations received phishing email attempts

The same Proofpoint report found 96% of organizations receiving phishing email at some volume, meaning the threat is essentially universal. An organization that measures no phishing volume almost always has a visibility gap in its email telemetry, not a clean mail stream.

4. 156,000 daily BEC attempts detected by Microsoft

Microsoft's 2023 Digital Defense Report disclosed that Microsoft Threat Intelligence detected and investigated 35 million business email compromise (BEC) attempts between April 2022 and April 2023, an average of roughly 156,000 per day across the customer base. The same report tracked a 38% increase in cybercrime-as-a-service offerings targeting business email between 2019 and 2022.

5. 3.4 billion phishing emails sent daily globally

Estimates from APWG, Proofpoint, and Mimecast converge on a daily global phishing volume in the 3-4 billion range. Phishing is cheaper to send than legitimate marketing email, faces no meaningful enforcement at international scale, and turns a profit whenever a small fraction of recipients engage.

6. 30-day median lifespan for credential phishing kits

Cloudflare's threat intelligence team puts the median lifespan of a deployed credential phishing kit at roughly 30 days before takedown. The phishing-as-a-service economic model assumes that short operational lifespan and is engineered around the takedown cycle, redeploying on fresh domains as old ones are blocked.

7. 91% of cyberattacks begin with phishing

The 91% figure comes from Deloitte's annual cyber survey and is the number most often quoted; comparable estimates range from 80% to 91% depending on year and methodology. Verizon DBIR does not publish a single share this high, but it consistently places phishing, and the stolen credentials phishing supplies, among the top initial access vectors across virtually every threat category: ransomware, nation-state operations, business email compromise, and data theft.

💡 Key Insight

AI-generated phishing surpassed human-crafted phishing in observed volume in late 2024. The marginal cost of producing a convincing phishing email dropped from minutes of human effort to fractions of a cent of AI inference. Defensive economics have inverted: the attacker side scales linearly with compute; the defender side scales with human review.

Cost and Impact

8. $4.88M average data breach cost

IBM's 2024 Cost of a Data Breach Report set the global average at $4.88M per incident, a record high and 10% above the prior year. Phishing was among the most common initial attack vectors in that report, and breaches it initiated cost close to the global average, placing it squarely in the high-cost tier of breach origins.

9. $50B+ in BEC losses since 2013

The FBI Internet Crime Complaint Center (IC3) puts cumulative exposed BEC losses (reported actual and attempted) at over $55 billion globally between October 2013 and December 2023. Annual BEC losses reported to the IC3 have been in the $2-3B range for the past five years, and the IC3 acknowledges substantial under-reporting.

10. $137,132 average loss per BEC complaint

The IC3's 2023 Internet Crime Report recorded 21,489 BEC complaints and roughly $2.9 billion in losses, an average of $137,132 per complaint (the IC3 publishes totals and complaint counts, not medians). That is well above the per-complaint average of five years earlier, reflecting attacker focus on higher-value targets and more sophisticated social engineering against finance and HR functions.

11. Roughly one-third of ransomware incidents begin with a malicious email

Sophos' State of Ransomware 2024 survey attributed 23% of ransomware attacks to malicious email and a further 11% to phishing, about a third combined, behind exploited vulnerabilities (32%) and compromised credentials (29%), many of which were themselves phished. Coveware's quarterly reporting likewise places phishing alongside remote access compromise and vulnerability exploitation as a leading entry point rather than the only one. The remaining incidents typically involve exploited public-facing vulnerabilities or compromised third-party access.

12. 60% of breaches involve the human element

Verizon DBIR 2025 found the human element (social engineering, stolen credentials, error, or privilege misuse) in 60% of breaches. Pure technical exploitation (zero-day vulnerabilities, attacks on unpatched internet-facing systems) accounts for a smaller share than the industry's marketing focus might suggest, although the same reports show vulnerability exploitation as an initial access vector growing year over year.

13. $10.5T projected global cybercrime cost in 2025

Cybersecurity Ventures projects global cybercrime costs of $10.5 trillion annually by 2025, up from $6 trillion in 2021 and $3 trillion in 2015. The projection is not broken down by attack vector, but phishing-driven losses (BEC, ransomware, credential theft feeding downstream fraud) are among its largest contributors.

Under 60 seconds
Median time from opening a phishing email to clicking the link (21 seconds) and then entering data (a further 28 seconds), per the 2024 Verizon DBIR. User awareness training cannot win a race measured in seconds; the defensive layer must be technical.
60%
Share of breaches that involve the human element through phishing, social engineering, stolen credentials, error, or misuse, per Verizon DBIR 2025. The human factor remains the single largest breach contributor.
AI-generated
By late 2024, AI-generated phishing content surpassed human-crafted phishing in observed campaign volume, per the Microsoft Digital Defense Report. The economics of phishing changed in a single year.

The Modern Phishing Threat Surface

14. AI-generated phishing surpassed human-crafted phishing by volume in late 2024

Microsoft Digital Defense Report 2024 documented that AI-generated phishing content surpassed human-authored phishing in observed campaign volume during Q3-Q4 2024. The shift represents a structural change in phishing economics: AI tooling makes high-quality, personalized, multilingual phishing essentially free to produce, eliminating the labor cost that previously bounded campaign sophistication.

15. Human detection rate dropped to 16%

IRONSCALES and Egress threat research consistently shows user detection rates for AI-generated phishing at roughly 16%, down from the 40-50% detection rates for legacy phishing five years ago. Users cannot be expected to identify modern phishing through inspection alone; the AI-generated content is too well-crafted.

16. AiTM phishing kits bypass the majority of push-notification MFA

Microsoft, Okta, and Cloudflare have all documented that adversary-in-the-middle (AiTM) phishing tooling, including Evilginx and Modlishka, captures session tokens after legitimate MFA approval in the substantial majority of attempts against push, SMS, and TOTP-based MFA. Phishing-resistant FIDO2 hardware keys and platform passkeys remain effective against AiTM tooling.

17. 90% of phishing pages now use HTTPS

The Anti-Phishing Working Group reports that approximately 90% of observed phishing pages now operate over HTTPS with valid TLS certificates, frequently obtained from free certificate authorities. The decade-old advice to check for the padlock is now actively misleading; modern phishing pages have valid TLS by default.

18. Under one minute from opening a phishing email to the first click

Verizon DBIR 2024 put the median time from opening a phishing email to clicking its link at 21 seconds, with a further 28 seconds to enter data on the landing page: less than a minute end to end. No user-centric control responds at that speed. Technical layers such as URL detonation, AiTM detection, and conditional access risk policies must catch what users will not.

19. 25% of phishing campaigns target executives specifically

Mimecast and Proofpoint threat intelligence indicate that roughly one in four phishing campaigns explicitly targets executive or senior management roles, either to compromise them directly (whaling) or to impersonate them in BEC against finance staff. The targeting is operationally efficient: a single successful whaling compromise typically yields 10-100x the return of bulk consumer phishing.

20. Under $0.001 marginal cost per AI-generated phishing email

The arithmetic that drove the AI phishing inflection point: at current model pricing, producing a high-quality, personalized phishing email costs fractions of a cent. Campaign scale is no longer limited by labor; it is limited only by the cost of acquiring target lists. The defensive economics have inverted compared to a decade ago.

What to Do About It

The statistics above describe a threat surface that has structurally changed in the past 18 months. Three priorities follow from the data.

Migrate to phishing-resistant MFA where it matters most. Push notifications, SMS codes, and TOTP are operationally obsolete against AiTM tooling, which simply relays all three. Hardware security keys and platform passkeys defeat the current generation of credential-harvesting infrastructure because the assertion is bound to the origin the user is actually on. The migration is non-trivial but the defensive return is substantial.
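An added example, not code from the original post, modelling why the passkey recommendation above (and the AiTM finding in number 16) holds. The RP ID, the origin, the challenge handling, and the HMAC stand-in for the credential's private key are assumptions for illustration; the origin and rpIdHash checks are the ones the WebAuthn specification requires of a relying party.

```python
"""Why an AiTM proxy can relay an OTP but cannot relay a passkey assertion.

Models the WebAuthn assertion ceremony: the browser writes the page origin into
clientDataJSON, the authenticator signs authenticatorData || SHA-256(clientDataJSON),
and the relying party (RP) rejects any assertion whose origin or rpIdHash is not its own.
"""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"               # assumed relying-party ID
RP_ORIGIN = "https://login.example.com"   # the only origin the RP accepts
# Assumption: HMAC stands in for the credential's private key so this runs on the standard
# library alone. Real authenticators sign with ECDSA P-256 and the RP verifies with the
# public key registered at enrolment; the origin-binding logic is identical.
CREDENTIAL_KEY = hashlib.sha256(b"constructed credential key").digest()
_issued_challenges = set()


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def rp_issue_challenge():
    challenge = b64url(os.urandom(32))
    _issued_challenges.add(challenge)
    return challenge


def _client_data_hash(client_data_json):
    return hashlib.sha256(client_data_json).digest()


def authenticator_sign(rp_id, client_data_json):
    """authenticatorData = rpIdHash(32) || flags(1: UP|UV) || signCount(4)."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    signature = hmac.new(CREDENTIAL_KEY, auth_data + _client_data_hash(client_data_json), hashlib.sha256).digest()
    return auth_data, signature


def browser_get_assertion(page_origin, challenge):
    """The browser, not page script, fills in origin and derives rpId from the page's
    effective domain; a proxy page on a lookalike domain cannot override either."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    rp_id = page_origin.split("://", 1)[1]
    auth_data, signature = authenticator_sign(rp_id, client_data)
    return client_data, auth_data, signature


def rp_verify_assertion(challenge, client_data_json, auth_data, signature):
    """RP-side checks, in the order the WebAuthn spec lists them (subset)."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != challenge or challenge not in _issued_challenges:
        return False, "challenge mismatch or replayed"
    if client_data.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(CREDENTIAL_KEY, auth_data + _client_data_hash(client_data_json), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    _issued_challenges.discard(challenge)  # challenges are single-use
    return True, "ok"


def passkey_login_via(page_origin):
    """Full ceremony for a user on a page at `page_origin`. In an AiTM attack the proxy
    forwards the real RP's challenge to its lookalike page and relays whatever comes back."""
    challenge = rp_issue_challenge()
    client_data, auth_data, signature = browser_get_assertion(page_origin, challenge)
    return rp_verify_assertion(challenge, client_data, auth_data, signature)


def proxy_rewrites_assertion(attacker_origin):
    """Attacker patches origin and rpIdHash to the RP's values before forwarding.
    Both are covered by the signature, so verification now fails on the signature check."""
    challenge = rp_issue_challenge()
    client_data, auth_data, signature = browser_get_assertion(attacker_origin, challenge)
    patched_client_data = json.dumps({**json.loads(client_data), "origin": RP_ORIGIN}).encode()
    patched_auth_data = hashlib.sha256(RP_ID.encode()).digest() + auth_data[32:]
    return rp_verify_assertion(challenge, patched_client_data, patched_auth_data, signature)


def otp_login_via_proxy(code_typed_by_victim, code_expected_by_rp):
    """Contrast: an OTP carries no origin, so the RP cannot tell the victim typing it on
    the real site from the proxy forwarding it a second later."""
    return hmac.compare_digest(code_typed_by_victim, code_expected_by_rp)


if __name__ == "__main__":
    print("real site          :", passkey_login_via(RP_ORIGIN))
    print("AiTM lookalike     :", passkey_login_via("https://login-example.com"))
    print("AiTM patched fields:", proxy_rewrites_assertion("https://login-example.com"))
    print("relayed OTP        :", otp_login_via_proxy("492817", "492817"))
```

The three passkey runs show the failure modes in turn: the lookalike origin is rejected outright, and patching the signed fields to look legitimate only moves the failure to the signature check. The OTP path has no such binding, which is the whole reason AiTM kits relay it successfully.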

Layer technical defense above user awareness. A sub-minute median time to click means the security team cannot rely on users to identify and report phishing in time. URL detonation, AiTM detection in conditional access, BEC indicators, and session-risk scoring need to operate as the primary defensive layer, with user reporting as a secondary signal.
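As an added example (not code from the original post), one form the AiTM detection above can take: a replay check over identity-provider sign-in events, applied here to a few constructed records. The field names, the one-hour window, and the ASN-based comparison are assumptions; a real identity provider's sign-in schema will differ, and the same logic is normally expressed as a scheduled query against that provider's logs.

```python
"""Flag possible AiTM session-token replay in identity-provider sign-in logs.

Heuristic: one session identifier is used from two different autonomous systems
within a short window. An AiTM proxy relays the victim's MFA-approved login and
then replays the captured session cookie from attacker infrastructure, so the
session appears to jump networks minutes after an interactive sign-in.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REPLAY_WINDOW = timedelta(hours=1)          # assumption: replay usually follows capture quickly
PHISHABLE_MFA = {"push", "sms", "totp"}     # factors AiTM kits relay; fido2/passkeys are origin-bound

# Constructed sample sign-in events (field names are assumed, not a vendor schema).
SAMPLE_EVENTS = [
    # cfo: push-MFA login, then the same session from a different ASN 4 minutes later -> replay
    {"ts": "2026-05-01T09:00:00Z", "user": "cfo@example.com", "session_id": "s-1",
     "ip": "203.0.113.10", "asn": "AS64496", "mfa": "push", "interactive": True},
    {"ts": "2026-05-01T09:04:00Z", "user": "cfo@example.com", "session_id": "s-1",
     "ip": "198.51.100.7", "asn": "AS64511", "mfa": "none", "interactive": False},
    # dev: passkey login, later token use from the same ASN (office NAT rotation) -> benign
    {"ts": "2026-05-01T10:00:00Z", "user": "dev@example.com", "session_id": "s-2",
     "ip": "203.0.113.22", "asn": "AS64496", "mfa": "fido2", "interactive": True},
    {"ts": "2026-05-01T15:00:00Z", "user": "dev@example.com", "session_id": "s-2",
     "ip": "203.0.113.23", "asn": "AS64496", "mfa": "none", "interactive": False},
    # ops: new ASN but a day later (travel) -> outside the replay window, not flagged here
    {"ts": "2026-05-01T09:00:00Z", "user": "ops@example.com", "session_id": "s-3",
     "ip": "203.0.113.40", "asn": "AS64496", "mfa": "push", "interactive": True},
    {"ts": "2026-05-02T09:00:00Z", "user": "ops@example.com", "session_id": "s-3",
     "ip": "192.0.2.9", "asn": "AS64500", "mfa": "none", "interactive": False},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(events, window=REPLAY_WINDOW):
    """Return one finding per session whose token was used from a new ASN within
    `window` of the sign-in that minted it."""
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session_id"]].append(event)

    findings = []
    for session_id, session_events in by_session.items():
        session_events.sort(key=lambda e: parse_ts(e["ts"]))
        origin = session_events[0]                      # the sign-in that minted the token
        origin_time = parse_ts(origin["ts"])
        for later in session_events[1:]:
            if later["asn"] == origin["asn"]:
                continue                                # same network: ordinary token use
            elapsed = parse_ts(later["ts"]) - origin_time
            if elapsed > window:
                break                                   # sorted, so nothing later is inside the window
            findings.append({
                "session_id": session_id,
                "user": origin["user"],
                "origin_asn": origin["asn"],
                "replay_asn": later["asn"],
                "replay_ip": later["ip"],
                "minutes_after_signin": int(elapsed.total_seconds() // 60),
                # Replay after a phishable factor is the classic AiTM pattern; after FIDO2 it
                # points at cookie theft by other means (e.g. an infostealer), so rank it lower.
                "severity": "high" if origin["mfa"] in PHISHABLE_MFA else "medium",
            })
            break
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(SAMPLE_EVENTS):
        print(finding)
```

The window and the ASN comparison are the tuning knobs: widening the window catches slower replays at the cost of flagging travellers, and comparing on ASN rather than raw IP avoids noise from carrier-grade NAT and office egress rotation. Findings rated high are the ones where revoking the session and forcing re-authentication on a phishing-resistant factor is the immediate response.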

Treat AI-generated phishing as the baseline threat model. Defenses calibrated against the phishing of 2019-2022 are insufficient against current campaign sophistication. Email security configuration, training content, and SOC playbooks need refreshing to reflect that the median phishing email a user receives in 2026 is well-crafted, personalized, and frequently multilingual.

Conclusion

Phishing didn't get harder to stop because people got careless. It got harder because the economics inverted, and the defenses calibrated to 2019 are now the liability.

CLOUDSKOPE VIEW

Cloudskope's identity and access risk practice evaluates phishing exposure across the full attack chain: email security configuration, MFA posture and the migration to phishing-resistant passkeys, conditional access policies that surface session-token replay, and dark web monitoring for already-harvested credentials. For PE portfolio companies and mid-market organizations, our Cyber Risk Assessment includes specific gap analysis on AiTM phishing exposure, the single largest defensive gap in most current security stacks.
