Key Takeaways
- In the Verizon DBIR, organizations that practiced security awareness training reported fewer successful phishing events (training maturity correlated with reduced incidents), with a quantified reduction shown in the report’s human element section.
- In Microsoft’s guidance, enabling Attack Surface Reduction rules and blocking malicious attachments in Microsoft Defender can reduce phishing impact; Microsoft cites “up to 90% reduction” for certain malware classes in Defender reports.
- Proofpoint reported that MFA phishing bypass remains effective: 60% of phishing campaigns targeted accounts without phishing-resistant MFA as of 2023 (campaign targeting observation).
- In Microsoft’s Digital Defense Report, 78% of organizations reported improvements in phishing reporting workflows, measured via configuration adoption and reporting in tenant surveys (survey result).
- A 2020 meta-analysis reported average phishing susceptibility (click rate) of ~17% across experiments (range depends on training), per the peer-reviewed paper in Computers & Security.
- In KnowBe4’s 2024 industry report, 31% of employees reported that they are “sometimes” likely to click a phishing link, indicating susceptibility.
- In the ENISA Threat Landscape 2024, phishing is identified as a primary initial access technique in the threat landscape section with measured prevalence among user-facing frauds (quantified figure in report).
- In the APWG Phishing Activity Trends report, overall phishing detections increased from 2022 to 2023 by 16% (annual comparison figure shown in report executive summary).
- In the FBI IC3 2023 report, impersonation scams led to $1.8 billion in losses; impersonation often relies on phishing to obtain credentials or to increase credibility.
- In the IBM 2023 Cost of a Data Breach report, phishing-led breaches averaged $4.91M, tying phishing to breach cost estimates based on incident causes.
- Phishing is the most common form of social engineering used by attackers, at 64% of reported incidents in the ENISA Threat Landscape 2023 (social engineering prevalence section).
- In the CISA ‘Phishing’ guide, organizations are advised that a single successful phishing email can lead to credential theft and lateral movement; CISA references incident examples with quantified time-to-compromise in cited cases.
- 35% of organizations reported that they use automated phishing simulations, according to a 2022 survey by Tessian (simulation adoption share).
- 2.5x higher click probability was observed in a controlled lab study when phishing emails included personalized elements compared with non-personalized lures (effect size ratio).
- In an academic study, 6% of participants provided credentials after viewing a realistic phishing page, showing baseline disclosure risk under lab conditions (credential submission rate).
Training, stronger email authentication, and phishing resistant protections substantially cut phishing success and user harm.
Related reading
01 · Category
Mitigation & Control10 stats
Mitigation & Control Interpretation
02 · Category
User Behavior & Susceptibility6 stats
User Behavior & Susceptibility Interpretation
03 · Category
Threat Prevalence2 stats
Threat Prevalence Interpretation
More related reading
04 · Category
Impact & Losses2 stats
Impact & Losses Interpretation
05 · Category
Tactics & Techniques2 stats
Tactics & Techniques Interpretation
06 · Category
Industry Overview4 stats
Industry Overview Interpretation
Phishing Risk: Where It Shows Up and How Controls Reduce Impact
Phishing remains a dominant initial-access and social-engineering tactic, but organizations that improve detection, reporting workflows, and use phishing-resistant protections see measurable reductions in susceptibility and successful clicks.
Cite This Report
This report is designed to be cited. We maintain stable URLs and versioned verification dates. Copy the format appropriate for your publication below.
Priya Chandrasekaran. (2026, February 13). Phishing Scam Statistics. Gitnux. https://gitnux.org/phishing-scam-statistics
Priya Chandrasekaran. "Phishing Scam Statistics." Gitnux, 13 Feb 2026, https://gitnux.org/phishing-scam-statistics.
Priya Chandrasekaran. 2026. "Phishing Scam Statistics." Gitnux. https://gitnux.org/phishing-scam-statistics.
Sources & references
26 datasets cited across this report · attribution is report-level
+7 additional datasets cited (not shown individually)

