Phishing remains the most reported cybercrime in the United States. In 2024, the FBI’s Internet Crime Complaint Center (IC3) received 193,407 phishing complaints, more than double any other crime category, while total cybercrime losses hit a record $16.6 billion.

The old advice, “just look for typos and bad grammar,” no longer works. AI-generated phishing emails are now grammatically flawless, hyper-personalized, and nearly indistinguishable from legitimate messages. This guide covers what phishing looks like today, how attacks have evolved, and what your organization can do to build real phishing awareness and prevention.

What Is Phishing?

Phishing is a form of social engineering where attackers impersonate trusted entities (banks, coworkers, software providers, even government agencies) to trick people into revealing sensitive information or installing malware.

The attack typically arrives as an email, but increasingly comes through text messages (smishing), phone calls (vishing), and even QR codes (quishing).

What makes phishing so effective isn’t technical sophistication; it’s psychological manipulation. Attackers exploit urgency, fear, authority, and trust to get you to act before you think. A message that says “Your account will be suspended in 24 hours” isn’t trying to inform you. It’s trying to panic you into clicking.

Phishing by the Numbers: 2025–2026 Statistics

The following data comes from the FBI IC3 2024 Annual Report, Verizon’s 2025 Data Breach Investigations Report (DBIR), the Anti-Phishing Working Group (APWG), and IBM’s Cost of a Data Breach Report.

| Metric | Figure | Source |
|---|---|---|
| Phishing/spoofing complaints to FBI (2024) | 193,407 | FBI IC3 2024 |
| Total U.S. cybercrime losses (2024) | $16.6 billion (+33% YoY) | FBI IC3 2024 |
| Business Email Compromise losses (2024) | $2.77 billion | FBI IC3 2024 |
| Average cost per phishing breach | $4.88 million | IBM 2025 |
| Breaches involving human action | 60% | Verizon 2025 DBIR |
| Phishing attacks recorded (Q2 2025) | 1.13 million | APWG |
| Ransomware present in breaches | 44% (up from 32%) | Verizon 2025 DBIR |
| Employees susceptible to phishing (no training) | 33.1% | KnowBe4 2025 |
| Phishing susceptibility reduction with training (1 year) | Up to 86% | KnowBe4 2025 |

Why Phishing Awareness and Prevention Matter More Than Ever

Technology alone cannot stop phishing. Spam filters, email gateways, and AI-based detection tools all help, but attackers design their campaigns specifically to bypass these defenses. The 2025 Verizon DBIR found that approximately 60% of all confirmed breaches involved a human action: a click, a download, a response to a spoofed email.

The data on training is compelling. KnowBe4’s 2025 benchmark report, based on 14.5 million users and 67.7 million simulated phishing tests, found that one-third of untrained employees will fall for a phishing simulation. But organizations running ongoing security awareness programs see susceptibility drop by up to 86% within a year.

Verizon’s data adds an important nuance: you can’t train people to never click. The median phishing simulation click rate holds steady at about 1.5% even with training. But recently trained employees report suspicious emails at a rate of 21%, compared to just 5% for those without recent training. That four-fold improvement in detection and reporting is where the real value lives.

Your people aren’t just the weakest link: with consistent training, they become a rapid-response detection network that catches what automated filters miss.

Types of Phishing Attacks to Watch For

Email phishing remains the most common vector. Bulk messages impersonate trusted brands to harvest credentials or deliver malware. In Q1 2025, Microsoft was impersonated in 36% of all brand phishing incidents worldwide, followed by Google (12%) and Apple (8%).

Spear phishing targets specific individuals with personalized messages. Attackers research their targets on LinkedIn, company websites, and social media to craft emails that reference real projects, colleagues, or events.

Business Email Compromise (BEC) is the most financially devastating variant. Attackers impersonate executives or vendors to authorize wire transfers or redirect payments. The FBI reported $2.77 billion in BEC losses in 2024, with nearly $8.5 billion lost over the 2022–2024 period alone. In 2025, 73% of BEC attacks originated from free webmail services.

Smishing and vishing use text messages and phone calls instead of email. CrowdStrike observed a 442% increase in vishing incidents between early and late 2024. These attacks exploit the trust people place in phone-based communication and the fact that mobile screens hide full URLs. For a deeper look, read our guide on how smishing attacks work and how to prevent them.

Quishing (QR code phishing) embeds malicious links in QR codes placed in emails, flyers, or physical locations. Because the link is encoded in an image rather than text, it bypasses many traditional email security filters. QR code phishing attacks surged an estimated 400% between 2023 and 2025, with energy, healthcare, and manufacturing sectors hit hardest.

Clone phishing takes a legitimate email you’ve already received, copies it, and replaces a link or attachment with a malicious version. Because the message looks identical to something real, it’s especially hard to detect.

MFA bypass attacks use adversary-in-the-middle (AiTM) techniques to intercept session cookies in real time, effectively neutralizing multi-factor authentication. AiTM attacks targeting MFA surged 146% in 2024.

How to Spot a Phishing Email: A Checklist

Use this checklist before acting on any suspicious message:

1. Check the sender’s actual email address. Display names are easily spoofed. Click or hover to reveal the full address. Watch for slight misspellings like support@arnazon.com instead of support@amazon.com.

2. Look for urgency or threats. Messages demanding immediate action (“Your account will be locked,” “Payment overdue,” “Respond within 24 hours”) are using fear to override your judgment. Legitimate organizations rarely communicate this way.

3. Hover over links before clicking. On desktop, hover to preview the destination URL before you click. If the URL doesn’t match the organization the email claims to be from, don’t click. Be especially cautious with shortened URLs (bit.ly, tinyurl) that hide the true destination.

4. Question unexpected attachments. PDF and Word attachments that arrive without context are a common malware delivery method. If you weren’t expecting a file, verify with the sender through a separate channel before opening it.

5. Watch for generic greetings in “personal” messages. An email from your bank that says “Dear Customer” instead of your name may be a mass phishing campaign. However, be aware that AI-powered phishing can now personalize greetings; a correct name alone doesn’t guarantee legitimacy.

6. Be skeptical of QR codes in unexpected places. Whether it’s in an email, on a parking meter sticker, or on a restaurant table card, check the URL a QR code loads before entering any information.

7. Watch for mismatched tone or context. An email from your CEO asking you to buy gift cards. A vendor suddenly changing their payment details. A coworker sending a link with no explanation. When something feels off, trust that instinct and verify.
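As an added example (not code from the original post), the following Python check automates step 1 of the checklist on the receiving side: it parses a From: header and flags addresses that resemble a trusted domain through look-alike characters (such as arnazon.com), small spelling edits, an embedded brand name, or a display name that claims a brand the address does not belong to. The trusted domain list and the confusable-character pairs are constructed assumptions.

```python
from email.utils import parseaddr

# Domains this organisation treats as trusted senders (constructed example list).
TRUSTED_DOMAINS = ("amazon.com", "microsoft.com", "example-corp.com")
# Character swaps that look alike on screen, e.g. "rn" for "m" in arnazon.com.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def normalize(domain):
    """Collapse look-alike substitutions so 'arnazon.com' reads as 'amazon.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def levenshtein(a, b):
    """Edit distance; a domain one or two edits from a trusted one is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trusted(domain):
    """Exact trusted domain or a subdomain of one (e.g. mail.amazon.com)."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)

def check_sender(from_header):
    """Return reasons a From: header looks like it impersonates a trusted domain (empty = nothing flagged)."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return ["no sender address present"]
    if is_trusted(domain):
        return []
    reasons = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if normalize(domain) == trusted:
            reasons.append(f"{domain} uses look-alike characters for {trusted}")
        elif levenshtein(domain, trusted) <= 2:
            reasons.append(f"{domain} is within two edits of {trusted}")
        elif brand in domain:
            reasons.append(f"{domain} embeds the brand name {brand} but is not {trusted}")
        if brand in display.lower():
            reasons.append(f"display name claims {brand} but the address is @{domain}")
    return reasons
```

An empty result only means none of these patterns matched; it is not proof that the message is legitimate.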

Phishing Prevention Best Practices for Organizations

Run regular phishing simulations. Don’t train once a year and call it done. Conduct quarterly or monthly simulated phishing campaigns that mirror real-world attack patterns. Track click rates and reporting rates. The goal isn’t zero clicks; it’s faster detection and reporting.

Deploy multi-factor authentication, and understand its limits. MFA significantly reduces credential theft risk. But AiTM proxy attacks can bypass traditional MFA methods like SMS codes and push notifications. Where possible, adopt phishing-resistant MFA like FIDO2 hardware keys or passkeys, whose credentials are bound to the legitimate site’s origin, so an AiTM proxy cannot complete the login and never obtains a session to hijack.

Implement email authentication protocols. Configure SPF, DKIM, and DMARC on your organization’s domains. CISA specifically recommends these protocols to prevent email spoofing. They won’t stop all phishing, but they make it significantly harder for attackers to impersonate your domain.
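To show what a practitioner checks when reviewing these records, here is an added Python audit (not code from the original article, CISA, or any vendor) that parses SPF and DMARC TXT records and reports weak settings such as a soft-fail `~all`, too many lookup mechanisms, a monitoring-only `p=none`, a partial `pct`, and a missing `rua` reporting address. The sample records are constructed, and the script performs no DNS lookups, so nested includes are not counted.

```python
import re

# Constructed sample TXT records. In practice, fetch the TXT records for your
# domain and for _dmarc.<domain> and pass them to these functions.
SAMPLE_SPF = "v=spf1 include:_spf.example-mailer.net include:spf.protection.outlook.com mx ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example-corp.com"
# Mechanisms that each cost a DNS lookup; SPF permits at most 10 in total.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def mechanism_name(term):
    """Strip the qualifier (+ - ~ ?) and argument: '-include:x.com' -> 'include'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]

def audit_spf(record):
    """Return weaknesses found in an SPF record (empty list = nothing flagged)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings = []
    qualifier = next((t.lower() for t in terms if mechanism_name(t) == "all"), None)
    if qualifier is None:
        findings.append("SPF: no 'all' term, so unlisted senders are not failed")
    elif qualifier in ("+all", "all", "?all"):
        findings.append(f"SPF: '{qualifier}' lets any host send as this domain")
    elif qualifier == "~all":
        findings.append("SPF: softfail '~all'; use '-all' or enforce with DMARC p=reject")
    # Only top-level terms are counted here; nested includes also count in real evaluation.
    lookups = sum(1 for t in terms if mechanism_name(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings

def audit_dmarc(record):
    """Return weaknesses found in a DMARC record (empty list = nothing flagged)."""
    tags = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in record.split(";")) if k.strip()}
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: missing or malformed v=DMARC1 tag"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: p tag missing or invalid")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so aggregate reports are never received")
    return findings
```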

Verify through a separate channel. If an email requests a wire transfer, password reset, or sensitive data (even if it appears to come from your CEO), pick up the phone and confirm using a known number. Never use contact information provided in the suspicious email itself.

Build a reporting culture. Don’t just tell employees to delete suspicious emails; give them a simple way to report them. Forward phishing attempts to your IT or security team so they can block the sender, alert the organization, and improve filtering. Verizon’s 2025 data shows that building a reporting culture delivers more security value than trying to eliminate all clicks.

Keep software and systems updated. Phishing often delivers malware that exploits known vulnerabilities. Timely patching closes these doors. The 2025 Verizon DBIR found that vulnerability exploitation now accounts for 20% of all breaches, and for edge devices like VPNs, attackers often exploit flaws on the same day they’re published.

Protect your business data with layered defenses. No single tool stops phishing on its own. Combine email filtering, endpoint detection, DNS-level blocking, MFA, and employee training into a defense-in-depth strategy.

AI-Powered Phishing: What’s Changed

Generative AI has fundamentally shifted the phishing landscape. Attackers no longer rely on volume alone; they can now produce polished, context-aware, multilingual messages in minutes. IBM estimates that a convincing phishing email can be generated in about five minutes using AI tools, compared to roughly sixteen hours for a human team.

The data reflects this shift. Over 82% of phishing emails detected between September 2024 and February 2025 showed indicators of AI assistance. During the 2025 holiday season, Hoxhunt’s threat detection network observed AI-generated phishing jump from about 4% of detected phishing emails in November to 56% in December, a 14x surge.

AI is also powering deepfake scams: cloned executive voices used in fraudulent phone calls that blend vishing with BEC. These attacks are still relatively rare, but growing.

For a deeper look at how generative AI has changed attack methods and what your organization can do about it, read our full guide: AI-Powered Phishing Attacks: How Generative AI Is Changing Scams.

Frequently Asked Questions About Phishing

What is the most common type of phishing attack?
Email phishing remains the most widespread method. The FBI received 193,407 phishing and spoofing complaints in 2024, more than any other cybercrime category. However, attacks via text message (smishing) and phone calls (vishing) are growing rapidly.

How much does a phishing attack cost a business?
The average cost of a phishing-related data breach is $4.88 million, according to IBM’s 2025 Cost of a Data Breach Report. Business Email Compromise attacks alone caused $2.77 billion in losses in the U.S. in 2024.

Does security awareness training actually reduce phishing risk?
Yes. KnowBe4’s 2025 report found that one-third of untrained employees fall for simulated phishing, but organizations with ongoing training reduce susceptibility by up to 86% within a year. Verizon’s data shows trained employees are four times more likely to report suspicious emails.

Can phishing bypass multi-factor authentication (MFA)?
Yes. Adversary-in-the-middle (AiTM) attacks can intercept session cookies and bypass traditional MFA methods like SMS codes or push notifications. Phishing-resistant MFA, such as FIDO2 hardware keys or passkeys, is the most effective defense against these attacks.

What should I do if I clicked a phishing link?
Disconnect from the network immediately. Change your passwords from a known-safe device. Enable or reset MFA on affected accounts. Report the incident to your IT or security team. Monitor your accounts and consider enrolling in an identity theft protection service.

What is quishing?
Quishing is phishing delivered via QR codes. Attackers place malicious QR codes in emails, physical flyers, or even on top of legitimate QR codes in public places. Scanning the code takes you to a credential-harvesting or malware-delivery site. These attacks surged an estimated 400% between 2023 and 2025.


Last updated: March 2026
