Last updated: July 2026 · Updated quarterly as new APWG, FBI IC3 and industry reports are released. Every figure below links to, or names, a primary source — you are welcome to cite this page.
Phishing is no longer one threat among many: it is the most-reported cybercrime on the planet and the most common way breaches begin. This page collects the key numbers from the most recent primary sources — the FBI’s Internet Crime Complaint Center (IC3), the Anti-Phishing Working Group (APWG), IBM’s Cost of a Data Breach study and others — in one place, so you don’t have to dig through six PDFs to find them.
The scale of phishing
- 1,008,597 cybercrime complaints were filed with the FBI’s IC3 in 2025 — the first time the total has passed one million, averaging almost 3,000 complaints per day (FBI IC3, 2025).
- Phishing/spoofing was the #1 reported crime type at 191,561 complaints in 2025 — more than extortion (89,129) and investment fraud (72,984) combined (FBI IC3, 2025).
- APWG observed 971,181 phishing attacks in Q1 2026, up 13.8% from Q4 2025 (APWG Phishing Activity Trends, Q1 2026).
- Roughly 3.9 million phishing attacks were observed by APWG across 2025 (1,003,924 in Q1; 1,130,393 in Q2 — the highest quarterly total in two years; 892,494 in Q3; 853,244 in Q4) (APWG, 2025 quarterly reports).
- Phishing was the #1 initial attack vector in data breaches, responsible for 16% of breaches studied — overtaking stolen credentials (IBM Cost of a Data Breach Report, 2025).
- 60% of breaches involve the human element — a click, a reply, a mistake (Verizon Data Breach Investigations Report, 2025).
- The median time to click a phishing link is about 21 seconds after a message is opened, and victims take about 28 more seconds to enter data, so the path from open to compromise takes under a minute (Verizon DBIR, 2024).
What phishing costs
- A phishing-initiated breach costs US$4.8 million on average — among the most expensive initial vectors (IBM, 2025).
- The global average cost of any data breach is US$4.44 million — the first decline in five years (down 9%), while the US average rose to a record US$10.22 million (IBM, 2025).
- Business email compromise (BEC) cost US$3.05 billion in reported US losses in 2025, up from US$2.77 billion in 2024 (FBI IC3, 2025).
- Reported phishing losses grew 208% year-over-year in 2025 — each successful attack is doing more damage, even as complaint volume plateaus (FBI IC3, 2025).
- Tech-support scams cost US$2.13 billion and government-impersonation scams US$798 million (nearly double 2024) in reported 2025 losses (FBI IC3, 2025).
- Americans over 60 reported US$7.7 billion in losses in 2025 — the hardest-hit age group, with phishing/spoofing complaints from over-60s more than doubling year-over-year (FBI IC3, 2025).
- The average wire-transfer amount requested in a BEC attack peaked at US$83,099 in Q2 2025 (Fortra, in APWG Q2 2025).
- A modern phishing campaign costs the attacker roughly US$120 to launch — kit rental, hosting and a mailing list — against multi-million-dollar victim losses. See our breakdown in The economics of phishing.
- Healthcare remains the most expensive sector to breach at US$7.42 million per incident, taking 279 days on average to identify and contain (IBM, 2025).
The AI effect
- 1 in 6 breaches (16%) now involves attackers using AI — most commonly for AI-generated phishing (37% of those) and deepfake impersonation (35%) (IBM, 2025).
- The FBI logged 22,364 AI-related complaints with US$893 million in losses in 2025 — the first year "AI" appeared as a crime descriptor in the IC3 report (FBI IC3, 2025).
- Shadow AI featured in 20% of breaches, adding an average US$670,000 to breach costs — sensitive data pasted into unsanctioned AI tools is now a measurable breach vector (IBM, 2025; see our Paste Guard).
- 97% of organizations that suffered AI-related breaches lacked proper AI access controls (IBM, 2025).
MFA bypass, kits and the industrialisation of phishing
- Phishing kits with adversary-in-the-middle (AiTM) MFA bypass rent for around US$120, making session-token theft a commodity — the attack completes after the victim passes MFA. How it works: Does MFA stop phishing?
- Gift-card requests made up 51% of BEC scam attempts in Q1 2025; about 13% attempted payroll diversion (Fortra, in APWG Q1 2025).
- Roughly 70% of free webmail accounts set up for BEC scams used Gmail (Fortra, in APWG Q2 2025).
- The average phishing site lives about 12 hours before takedown — many lookalike domains are live for only a few hours, which is why blocklists structurally lag (BlackBerry Global Threat Intelligence Report, 2025).
Beyond email: QR codes, texts and calls
- About 2.7 million emails carrying QR codes were observed per day during late 2024–early 2025 — QR codes move the attack to a phone, where email filters can’t follow (Mimecast, in APWG Q1 2025). Explainer: What is quishing?
- SMS-based fraud detections grew 30–40% quarter-over-quarter through 2025 — smishing is the fastest-growing delivery channel (Crane Authentication, in APWG Q3–Q4 2025). Explainer: Smishing.
- 1,642 different brands were impersonated using malicious QR codes in a single quarter; Walmart and DHL topped the most-impersonated lists in consecutive quarters (Mimecast, in APWG Q2–Q3 2025).
Who gets targeted
- SaaS and webmail was the most-attacked sector at 21.2% of phishing attacks in Q3 2025, followed by social media at 14.6% (APWG, Q3 2025).
- Online payment and banking together drew 30.9% of all phishing attacks in Q1 2025 (APWG, Q1 2025).
- Customer personal data (PII) was compromised in 53% of breaches — the most commonly stolen data type (IBM, 2025).
- Phishing was the most-reported crime for every working-age group — the top complaint category for Americans in their 30s, 40s and 50s (FBI IC3, 2025).
- SafeToOpen’s VisionAI is trained on phishing that impersonates more than 40,000 brands — from global banks to regional couriers (SafeToOpen, 2026).
The detection gap — and what closes it
- The average breach takes 241 days to identify and contain — the lowest in nearly a decade, but still eight months of attacker dwell time (IBM, 2025).
- Organizations using security AI extensively saved about US$1.9 million per breach and shortened the breach lifecycle by 80 days versus those that didn’t (IBM, 2025).
- Breaches disclosed by the attacker cost US$5.08 million versus US$4.18 million when internal teams found them first — speed of detection is worth roughly US$900,000 (IBM, 2025).
- The FBI’s Recovery Asset Team froze US$679 million in fraudulent transfers in 2025 at a 58% success rate — recovery helps, but only after the click (FBI IC3, 2025).
- A zero-day phishing page can be detected in under a second by analysing the page itself as it loads — no waiting for a report or blocklist entry. How that works: real-time detection, explained.
Sources
All statistics above are drawn from: FBI IC3 2025 Internet Crime Report · APWG Phishing Activity Trends Reports (Q1 2025 – Q1 2026) · IBM Cost of a Data Breach Report 2025 · Verizon Data Breach Investigations Report · BlackBerry Global Threat Intelligence Report 2025 · SafeToOpen network data. Figures are reported losses and observed attacks; actual totals are higher, since most incidents are never reported.
Citing this page: you’re welcome to reference these statistics with attribution to the named primary source and a link to this page. We review and update this page quarterly as new reports are published.