← All resources
Data

Phishing statistics 2026: the key numbers, all in one place

How big is phishing in 2026, what does it cost, and what’s changing? The most-cited figures from the FBI, APWG, IBM and Verizon — collected, sourced and updated quarterly.

Data · 9 min read · By SafeToOpen Research · July 2026

Last updated: July 2026 · Updated quarterly as new APWG, FBI IC3 and industry reports are released. Every figure below links to, or names, a primary source — you are welcome to cite this page.

Phishing is no longer one threat among many: it is the most-reported cybercrime on the planet and the most common way breaches begin. This page collects the key numbers from the most recent primary sources — the FBI’s Internet Crime Complaint Center (IC3), the Anti-Phishing Working Group (APWG), IBM’s Cost of a Data Breach study and others — in one place, so you don’t have to dig through six PDFs to find them.

191,561
Phishing/spoofing complaints reported to the FBI’s IC3 in 2025 — the most-reported cybercrime, with more than double the complaints of the second-place category (extortion, 89,129). Source: FBI IC3 2025 Internet Crime Report.

The scale of phishing

What phishing costs

US$20.9 billion
Total cybercrime losses reported to the FBI’s IC3 in 2025 — up 26% on 2024’s US$16.6 billion, and a record for the report’s 25-year history. Source: FBI IC3 2025.

The AI effect

16 hours → 5 minutes
How long it takes to write a convincing phishing email, before and after generative AI — the change that made fluent, personalised phishing effectively free. Source: IBM Cost of a Data Breach Report, 2025.

MFA bypass, kits and the industrialisation of phishing

Beyond email: QR codes, texts and calls

716,306
Unique malicious QR codes detected in a single quarter (Q3 2025), up 13% quarter-over-quarter — more than 3 million were detected in 12 months. Source: Mimecast, in APWG Q3 2025.

Who gets targeted

The detection gap — and what closes it

Sources

All statistics above are drawn from: FBI IC3 2025 Internet Crime Report · APWG Phishing Activity Trends Reports (Q1 2025 – Q1 2026) · IBM Cost of a Data Breach Report 2025 · Verizon Data Breach Investigations Report · BlackBerry Global Threat Intelligence Report 2025 · SafeToOpen network data. Figures are reported losses and observed attacks; actual totals are higher, since most incidents are never reported.

Citing this page: you’re welcome to reference these statistics with attribution to the named primary source and a link to this page. We review and update this page quarterly as new reports are published.

faq

Frequently asked questions

Phishing is the most-reported cybercrime: the FBI's IC3 logged 191,561 phishing/spoofing complaints in 2025 — more than double the second-place category — and APWG observed 971,181 phishing attacks in Q1 2026 alone, up 13.8% quarter-over-quarter.

IBM's 2025 study puts the average phishing-initiated breach at US$4.8 million, against roughly US$120 for an attacker to launch a campaign. US BEC losses alone reached US$3.05 billion in 2025 per the FBI.

Phishing was the single most common initial attack vector in IBM's 2025 study at 16% of breaches, overtaking stolen credentials — and Verizon's DBIR finds 60% of breaches involve the human element.

See it for yourself

SafeToOpen adds real-time, zero-day protection in your browser and inbox — free to start.

See plans →

Sources

  1. BlackBerry, Global Threat Intelligence Report 2025, cited in Bolster, “Real-Time Brand Protection Alerts.” bolster.ai
  2. Verizon, 2025 Data Breach Investigations Report (DBIR) — median time to click a phishing link. verizon.com
  3. Interisle Consulting Group, Phishing Landscape 2025, cited in Bolster and NetDiligence. netdiligence.com
  4. Check Point Research / industry analysis on HTTPS use in phishing, cited in ControlD, “Phishing Statistics & Industry Trends.” controld.com

External statistics are attributed to their original publishers and were accurate at the time of writing. Figures from industry reports vary by methodology and period; we link to primary sources so you can verify them.

test yourself

Could you spot the fake?

Put this into practice: 12 real-world scams and genuine messages, two minutes, no sign-up.