The Alarming Rise in Phishing Attacks
Cyberattacks, including phishing emails, are evolving rapidly. Previously, one could easily distinguish a malicious email from a genuine one. Today, individuals targeted by sophisticated email phishing attacks face highly advanced tactics that demand a combination of thorough investigation and layered safeguards to prevent breaches and data leaks.
Compared to 2023, there has been a 180% increase in phishing attacks per week in 2025. Regardless of which report you trust, the message remains the same – the rise in email phishing scams shows no sign of slowing, and all sectors are vulnerable. This worrying increase can be attributed to many factors, including:
- The remote-first workplace is now giving way to a hybrid workplace, which has necessitated the use of various collaborative tools. So while email was earlier a common phishing channel, today such attacks are spread across other communication platforms, including Slack, MS Teams, and more. Recent Slack data breaches illustrate how cybercriminals are now exploiting diverse channels to launch attacks.
- Since the release of ChatGPT, phishing attacks have increased by 4,151%, and this is only the start. As AI continues to develop, it will become easier to carry out phishing attacks, which will likely increase the frequency and sophistication of these attacks.
So, the key question is: what can organizations do to prevent phishing attacks? While awareness of these threats is growing, the pool of potential targets is also expanding, and those being targeted are finding it harder to keep pace. The old cliché remains as true as ever; potential victims must get it right every single time, whereas cybercriminals only need to succeed once.
The most essential action for organizations is to recognize the severity of this issue, which helps them understand the scale and scope of phishing. This comprehension, in turn, allows them to build a case for adopting more advanced and comprehensive security measures to create a trustworthy and layered anti-phishing solution. This article aims to guide you through the key statistics that emphasize the growing incidence of phishing attacks.
Email Phishing By the Numbers
If you’re questioning the urgency of email phishing, the figures speak for themselves. This isn’t about causing panic, but about raising informed awareness. Understanding the scale of the threat is the first step towards protecting your organization.
Phishing Email Examples as an Initial Attack Vector
- Credential abuse ranks highest, with 22% of the data breaches analyzed revealing some form of stolen credentials.
- Vulnerability exploitation accounts for 20% across all data breaches analyzed.
- Phishing comes in at 15% as the first attack vector in a data breach.
It must be noted, though, that one of the outcomes of phishing is stolen credentials, and therefore, the phishing and credential abuse figures should be looked at in totality, rather than in a mutually exclusive manner.
Top Countries Targeted by Phishing
If you think more developed or advanced nations would be a popular target for cybercriminals, you would be wrong.
- The United States remains the most targeted country despite a 31.8% decline in phishing activity. That decline was driven in part by the widespread adoption of stronger email authentication measures, such as DMARC and Google’s sender verification, which collectively blocked over 265 billion unauthenticated emails in 2024.
- Attackers have shifted focus to emerging markets such as Brazil, Hong Kong, and the Netherlands, where rapid digital adoption often outpaces investment in cybersecurity.
- Established targets such as India, Germany, and the UK continue to face sustained phishing pressure, with threat actors adapting their tactics to local behaviors and seasonal patterns.
Industries Most Affected by Phishing
One of the key industry-related statistics, although shocking in terms of the number, is not surprising: the education sector has experienced a significant surge in phishing attacks, with a 224% increase.
Let’s understand these numbers a little better so that we don’t make the wrong assumptions:
- Manufacturing tops the chart when it comes to phishing attacks: supply chains, vulnerable production lines, and massive inventory make it an ideal target. However, manufacturers have now begun adhering to stricter compliance requirements and taking meaningful steps to enhance their cybersecurity posture, resulting in a 16.8% decrease in phishing attempts compared to the previous year.
- The Technology & Communication industry is in the top 5, but has seen a 32.8% decrease in phishing attacks compared to 2023, largely due to companies adopting advanced security features such as anti-phishing email software, AI-driven threat detection, comprehensive email authentication, and other measures. A key reason why this industry remains popular among cybercriminals is the vast trove of data these companies possess, including cloud credentials, source code repositories, subscriber PII, and payment data.
- Education has become a favorite target of cybercriminals as it is a vulnerable area. Across the world, we see new students being added to the education ecosystem every year, overwhelming the administrative staff who must adhere to demanding timelines, which causes them to lose focus on cybersecurity. This disrupted vigilance mechanism creates gaps for attackers to exploit with phishing.
Common Phishing Techniques
Which phishing techniques are cybercriminals using most commonly today?
- In 2024, 64% of businesses faced a BEC (Business Email Compromise) attack.
- 80% of phishing campaigns targeted personnel credentials.
- There is a rise in HTTPS phishing sites, with 80% of phishing websites having HTTPS.
- Deepfake impersonations have emerged as the next frontier in phishing, driven by AI, with such attacks projected to increase by 15% in 2024.
Cost and Business Impact of Phishing
Why should you invest in anti-phishing solutions and make sure that your organization is not susceptible to a phishing attack? It’s all about the cost.
- According to the IBM study, phishing attacks were the second most commonly used attack vector, but were also the costliest, costing USD 4.88 million per breach.
- It took 261 days to contain a data breach arising out of a phishing attack (the more days it takes to contain the attack, the more money an organization loses).
A phishing attack can be very expensive, as just one successful attempt can lead to a credential compromise that generates significant financial benefits. For example, if a phishing attack targets the CFOs of various finance companies and even one CFO falls victim, the attacker hits the jackpot.
Gaining immediate access to high-value credentials also allows the next stage of the attack to be more sophisticated, tailored, and highly target-specific. Additionally, there is a domino effect regarding costs. A data breach can result in substantial fines being paid by the company for failing to comply with data protection regulations. Combine this with a loss of customer trust, and it becomes clear why phishing attacks can incur such high costs.
Organizations must train employees to quickly report phishing emails and invest in anti-phishing email solutions to minimize losses.
Employee Awareness Levels
- 71% of users across organizations took risky actions from a security perspective
- 44% did so because it was convenient
- 39% to save time
- 24% to meet urgent deadlines
- 96% of these users knew they were doing something risky
- 85% of security professionals say that employees are well aware they are responsible for security
- 99% of respondents said there is a security awareness program implemented in their organization
- Fewer than a third of security awareness programs include internet safety, password hygiene, and remote work – showing a gap in anti-phishing email training.
Employees keep falling for phishing emails, but it is an organization’s responsibility to ensure they strengthen their cybersecurity posture and stay vigilant against such threats.
As an organization, you must up the ante on security awareness for your employees with:
Context-rich Awareness Workshops
Short, scenario-based sessions tied to current attack trends help staff recognise persuasion triggers and stop clicks before they happen.
Continuous Simulation
Choose from platforms that drop realistic, customisable lures into users’ inboxes, score responses and auto-assign micro-training. Organizations that cycle simulations every four to six weeks map risk at the team level and spot areas of improvement quickly. Conduct anti-phishing email simulation exercises regularly.
Metrics that Matter
Track phish-prone percentage, phishing email report rates (how many users hit the “Report Phish” button), and mean time to click. A rising report rate paired with a falling click rate is the clearest indicator that the culture is shifting.
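The three metrics above, computed from simulation results, as an added example that is not part of the original article. The event layout, campaign names and users are constructed, and "phish-prone percentage" is assumed here to mean the share of recipients who clicked the lure.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed simulation results (not real data):
# (campaign, user, delivered_at, clicked_at or None, reported_at or None)
JAN = datetime(2025, 1, 6, 9, 0)
FEB = datetime(2025, 2, 10, 9, 0)

def after(base, minutes):
    return base + timedelta(minutes=minutes)

EVENTS = [
    ("jan", "ana", JAN, after(JAN, 4), None),
    ("jan", "ben", JAN, after(JAN, 10), None),
    ("jan", "cho", JAN, None, after(JAN, 30)),
    ("jan", "dev", JAN, None, None),
    ("feb", "ana", FEB, None, after(FEB, 5)),
    ("feb", "ben", FEB, after(FEB, 20), after(FEB, 25)),  # clicked, then reported
    ("feb", "cho", FEB, None, after(FEB, 8)),
    ("feb", "dev", FEB, None, None),
]

def campaign_metrics(events, campaign):
    """Return the three metrics for one simulation campaign."""
    rows = [e for e in events if e[0] == campaign]
    if not rows:
        raise ValueError(f"no deliveries recorded for campaign {campaign!r}")
    # Minutes from delivery to click, for users who clicked.
    click_delays = [(clicked - delivered).total_seconds() / 60
                    for _, _, delivered, clicked, _ in rows if clicked]
    reported = sum(1 for row in rows if row[4])
    return {
        "phish_prone_pct": 100 * len(click_delays) / len(rows),
        "report_rate_pct": 100 * reported / len(rows),
        "mean_minutes_to_click": mean(click_delays) if click_delays else None,
    }

def culture_is_shifting(previous, current):
    """True when the report rate rose and the click rate fell between campaigns."""
    return (current["report_rate_pct"] > previous["report_rate_pct"]
            and current["phish_prone_pct"] < previous["phish_prone_pct"])

if __name__ == "__main__":
    jan, feb = campaign_metrics(EVENTS, "jan"), campaign_metrics(EVENTS, "feb")
    print(jan, feb, culture_is_shifting(jan, feb), sep="\n")
```

A user who clicks and then reports counts toward both rates, so the two percentages can add up to more than 100.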
Tie Training to Business Impact
Show executives the gap between the average breach cost of USD 4.88 million and the significantly lower costs for firms that detect and contain breaches within 200 days. Then, connect those savings to the risk reduction achievable through sustained security awareness programs.
Take-Aways for Decision-Makers
Phishing as an Attack Vector is Not Going Away
Despite advancements in security technologies and increasing awareness levels within organizations, attacks continue to rise. The reason is that they target human vulnerabilities—fear, uncertainty, and doubt. The human factor in phishing makes it such a popular and evergreen attack vector. Even well-trained staff can make split-second errors.
Additionally, it is a vicious cycle; the success rate of phishing attacks and their popularity among cybercriminals mean that off-the-shelf phishing kits are easily available, which attackers can use to launch a phishing campaign tailored to their target industry or geography.
AI is Raising the Stakes
AI is going to make things even more difficult for cybersecurity professionals tasked with providing anti-phishing solutions and employees who are an essential line of defence. Attackers can now:
- Craft flawless, custom emails at scale, courtesy of natural language processing (NLP).
- Use deep-fake voice and video, whose evolution means that phishing attacks will become even more convincing.
Action Plan for the C-Suite and Key Decision Makers
- Harden the Perimeter with Authentication Standards: Implement DMARC (Domain-based Message Authentication, Reporting & Conformance) to block spoofed domains and unauthorized senders. Enforce alignment with SPF and DKIM to ensure every outbound email passes identity verification before delivery.
- Build Visual Trust Through BIMI and VMC: Adopt BIMI (Brand Indicators for Message Identification) to display verified brand logos in recipients’ inboxes. Pair it with a Verified Mark Certificate (VMC) to authenticate your brand’s visual identity – reinforcing trust before the first click and preventing visual impersonation.
- Strengthen Brand Integrity with Common Mark Certificate (CMC): For brands that aren’t yet trademarked, a Common Mark Certificate (CMC) provides a verified identity alternative to VMC, ensuring legitimate organizations can still display a verified logo and secure brand recognition while meeting BIMI requirements.
- Put people at the center: Run monthly, scenario-based phishing simulations; track click rate, report rate, and mean time to click as board-level KPIs.
- Adopt a “continuous tuning” mindset: Review phishing telemetry quarterly, refine rules, and quickly patch gaps. Treat the program like a living product, not a one-off project.
- Plan for supply-chain spill-over: Extend zero-trust and DMARC mandates to partners, MSPs and SaaS vendors; require breach-notification SLAs in every contract.
Final Thoughts
Phishing is like a shapeshifter. As phishing tools evolve, the anti-phishing strategy must keep pace. The successful organizations will be those that integrate adaptive defense, combining cutting-edge technology and controls with agile, data-driven training, to outsmart the attacker rather than merely react.
References: Verizon’s 2025 Data Breach Investigation Report, Zscaler ThreatLabz 2025 Phishing Report, Hoxhunt, Cost of a Data Breach Report 2024 (IBM-Ponemon)