Phishing Statistics

331 STATS · 74 SOURCES

Latest Statistics

88% of internal audit leaders identify AI-powered phishing attacks as a top risk.

The Internal Audit Foundation and AuditBoard · Internal Audit and AI-Enabled Fraud · 2mo ago
AI-Powered Phishing, Cybersecurity Risk, Internal Audit

51% of organizations have faced sophisticated, personalized phishing emails powered by deepfake technology.

Phishing, Deepfake, Social Engineering

In Q4 2025, callback phishing increased from 3% to 18% of all phishing incidents, a 500% spike.

VIPRE Security Group · Q4 2025 Email Threat Trends Report · 3mo ago
Phishing, Callback Phishing, Email Security, Social Engineering

82% of malicious files have unique hashes that traditional pattern-matching fails to detect.

Malicious Files, Threat Detection, Phishing, Email Attack

Credential phishing campaigns using .es domains increase 51 times year-over-year, with the .es top-level domain jumping from the 56th to the 3rd most-abused TLD.

Phishing, Domain Abuse, Credential Theft, Credential Phishing, Email Security

76% of initial infection URLs in analyzed phishing attacks were unique and had not appeared in other campaigns across Cofense's customer base.

Phishing, Malicious URLs, Email Attack, Email Security

Conversational attacks comprise 18% of all malicious emails.

Phishing, Email Security, Email Attack

In 2025, a malicious email attack occurs every 19 seconds, more than doubling from 2024’s pace of one every 42 seconds.

Phishing, Email Security, Email Attack

Abuse of legitimate remote access tools increased by 900% by volume.

Remote Access Tools, Phishing, Email Security, Email Attack

Fifty percent of affected consumers cite immediate financial fraud as their primary fear, and 54 percent of consumers report an increase in targeted phishing attempts after a breach (2025)

Financial Fraud, Phishing

Eighty-eight percent of consumers who received a data breach notice experience at least one negative consequence after a breach; 40 percent experience an increase in phishing or scam attempts; 49 percent experience an increase in spam emails or robocalls; 40 percent experience attempted takeover of an existing account (2025)

Consumer Harm, Phishing, Spam

Clicks on phishing links decreased by 27%, from 119 per 10,000 users last year to 87 per 10,000 users this year.

Phishing, Phishing Links, User Behavior

87 out of every 10,000 users clicked on a phishing link each month in 2025.

Phishing, Phishing Links, User Behavior

77% of advanced email attacks failed SPF, DKIM, or DMARC authentication yet still reached inboxes.

Email Security, Email Threats, Phishing, DMARC

Approximately 45% of advanced email attacks showed indicators of AI assistance, projected to rise to 75–95% within the next 18 months.

Email Security, Email Threats, AI, Phishing

77% of advanced email attacks impersonated business-critical brands such as DocuSign, Microsoft, and Google.

Email Security, Phishing, DocuSign, Microsoft, Google

100% of advanced email threats bypassed incumbent email security, including Microsoft E3/E5 and leading secure email gateways.

Email Security, Email Threats, Email Gateway, Phishing

DocuSign accounted for more than 20% of all advanced email attacks analyzed.

Email Security, Email Threats, DocuSign, Phishing

In 2025, attacks bypassing multifactor authentication (MFA) were reported in 48% of phishing attacks.

Phishing, MFA, MFA Bypass, Phishing Techniques

In 2025, malicious QR codes were observed in 19% of phishing attacks.

Phishing, QR Codes, Phishing Techniques

In 2025, obfuscations to hide URLs from detection were seen in 48% of phishing attacks.

Phishing, Phishing Techniques, Obfuscation, Phishing Detection

The number of known phishing kits doubled during 2025, reaching a significant increase in active use.

Phishing, Phishing Kits

In 2025, 'ClickFix' social engineering techniques were used in 1% of phishing attacks.

Phishing, Phishing Techniques, Social Engineering, ClickFix

In 2025, 90% of high-volume phishing campaigns utilized Phishing-as-a-Service (PhaaS) kits.

Phishing, Phishing Kits, Phishing-as-a-Service

In late 2025, there were 10 million Mamba 2FA phishing attacks recorded.

Phishing, 2FA

In 2025, malicious attachments were present in 18% of phishing attacks.

Phishing, Malware, Phishing Techniques

In 2025, the abuse of trusted, legitimate online platforms was noted in 10% of phishing attacks.

Phishing, Phishing Techniques

In 2025, the use of 'Blob URIs' was noted in 2% of phishing attacks.

Phishing, Phishing Techniques

In 2025, attacks leveraging generative AI were reported in 10% of phishing attacks.

Phishing, Generative AI

In 2025, CAPTCHA was leveraged for added authenticity in 43% of phishing attacks.

Phishing, Phishing Techniques, CAPTCHA

In 2025, 'polymorphic' attacks that varied the email header, body, and destination were seen in 20% of phishing attacks.

Phishing, Phishing Techniques, Polymorphic

89% of schools experienced at least one cyber incident in the past year, primarily phishing, unauthorized access, and malware.

Cyber Incident, Education, Phishing, Unauthorized Access, Malware

92% of school IT leaders expect AI-powered phishing to be the most dangerous threat in the coming year.

Education, IT Leadership, Phishing, AI-Powered Phishing

68% of all phishing infrastructure tracked operates on Cloudflare as of the current year.

Phishing, Phishing Infrastructure, Cloudflare

Almost 60% of the observed indicators of compromise (IOCs) are linked with Phishing-as-a-Service (PhaaS).

Phishing, IOCs, Phishing-as-a-Service

The mean DNS resolution rate for phishing operators was 96.16%, indicating high availability and minimal downtime.

Phishing

51.54% of the phishing infrastructure is directly hosted, while 48.46% is protected by CDN/proxy services.

Phishing, Phishing Infrastructure

IT leaders estimate only 5% of known phishing attacks are reported by healthcare employees to their security teams.

Email Security, Email Breach, Healthcare, Phishing

Over the past four months, 20 distinct phishing clusters were identified based on shared infrastructure fingerprints.

Phishing, Phishing Infrastructure

In the last quarter, over 42,000 validated URLs and domains were identified as actively serving phishing kits, command-and-control infrastructure, or payload delivery.

Phishing, Phishing Kits, Command and Control Infrastructure, Payload Delivery