The 2025 Phishing Trends Report provides the first reference point for the global incidence of real malicious clicks and the phishing attacks that bypass email filters. This information fills a critical gap in the cybersecurity literature.
As phishing continuously reaches new levels, effective phishing protections and cyber security training models must do the same.
The good news is that phishing risk can be measurably reduced when phishing training is based on behavior.
Employees can be trained to recognize and report social engineering attacks with a 6x improvement in 6 months, and reduce the number of phishing incidents per organization by 86%.
This report reveals an escalation in phishing attacks that evade email filters and land in inboxes, be they AI-enabled or otherwise.
The results are categorized by: AI vs. non-AI; threat type; targeting organizational vs. personal assets; and by departments, locations, and industries.
Over 50 million data points were collected from the real and simulated threat reports of over 2.5 million threat hunters from around the world.
Connecting phishing simulation results to real threat detection outcomes opens up new dimensions of analysis, insights, and targeted interventions.
These phishing statistics and insights can help SAMs break through engagement plateaus in their training programs, and give CISOs a map for securing the human element.
The biggest human cyber-risk is neglecting your humans. By leaving them unattended, you leave yourself exposed to, and uninformed of, the greatest risk factor in cybersecurity: social engineering.
Phishing Trends & Statistics
Business email compromise (BEC): A staggering 64% of businesses report facing BEC attacks in 2024, with a typical financial loss averaging $150,000 per incident. These phishing attacks frequently target employees with access to financial systems, mimicking executives or trusted contacts.
Credential phishing: Around 80% of phishing campaigns aim to steal credentials, particularly targeting cloud-based services like Microsoft 365 and Google Workspace. With the growing reliance on cloud platforms, cyber attackers leverage realistic fake login pages to deceive users.
HTTPS phishing: An increasing number of phishing sites now use HTTPS to appear legitimate. In 2024, approximately 80% of phishing websites feature HTTPS, complicating detection for users.
Voice phishing (vishing): Vishing attacks are growing in prevalence, with 30% of organizations reporting instances where threat actors used fake calls to impersonate officials or executives.
Quishing (QR code phishing): QR code phishing attacks (quishing) increased by 25% year-over-year, as attackers exploit physical spaces like posters or fake business cards to lure victims.
AI-driven attacks: AI is powering phishing attacks, with deepfake impersonations increasing by 15% in the last year. These attacks often target high-value individuals in finance and HR.
Multi-channel phishing: Attackers are increasingly exploiting platforms like Slack, Teams, and social media. Around 40% of phishing campaigns now extend beyond email, reflecting a shift to these channels.
Government agency impersonation: Phishing emails mimicking government bodies such as the IRS or international tax agencies have increased by 35%. These often involve claims about overdue taxes or fines.
Phishing kits: The availability of ready-to-use phishing kits on the dark web has risen by 50%, enabling less sophisticated attackers to deploy high-quality phishing schemes.
Brand impersonation: Attackers frequently impersonate well-known brands like Microsoft, Amazon, and Facebook, leveraging user trust. For example, over 44,750 phishing attacks specifically targeted Facebook by embedding its name in domains and subdomains over the past year.
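The brand-in-hostname pattern above (and the point that HTTPS alone proves nothing) can be turned into a simple triage check for reported links. The following is an added example written for this page, not code from the report or its publisher; the brand allow-list and the sample URLs are constructed assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list of hostnames each brand actually owns (assumption for this example).
LEGIT_DOMAINS = {
    "facebook": {"facebook.com", "fb.com"},
    "microsoft": {"microsoft.com", "live.com", "office.com"},
    "amazon": {"amazon.com"},
}

def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Production code should consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def brand_lookalike(url: str) -> Optional[dict]:
    """Flag a URL whose hostname contains a brand name while the registered
    domain is not one the brand owns; record where the name was planted."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return None
    reg = registered_domain(host)
    for brand, legit in LEGIT_DOMAINS.items():
        if brand in host and reg not in legit:
            # Either the brand was stuffed into a subdomain label of an unrelated
            # domain, or it was baked into the registered domain itself.
            placement = "registered-domain" if brand in reg else "subdomain"
            return {"url": url, "brand": brand, "registered_domain": reg,
                    "placement": placement, "https": parts.scheme == "https"}
    return None

def scan(urls):
    """Return findings for every suspicious URL; legitimate brand hosts produce none."""
    return [f for f in (brand_lookalike(u) for u in urls) if f]

# Constructed sample links, as they might arrive in user phishing reports.
SAMPLES = [
    "https://www.facebook.com/login",                       # genuine
    "https://facebook.com.verify-account.example/login",    # brand in subdomain, HTTPS padlock
    "https://login.microsoft-support-center.example/",      # brand in registered domain
    "http://amazon.example/signin",                         # brand in registered domain, no TLS
    "https://mail.example.org/",                            # no brand reference
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

The `https` field is carried only so analysts see that three of the four flagged hosts present a valid padlock; it is never used to lower the score.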
