Gitnux/Report 2026

Phishing Statistics

Phishing is not just a moment of clicking, it often turns into compromised accounts and lingering cleanup, with 47% of victims reporting extra remediation time and 62% of BEC cases using phishing or compromised credentials as the enabling step. The most unsettling pattern is human and persistent, 34% repeat the same login error after training, while defenses are getting clearer too, since Google blocked 8+ billion phishing URLs in 2024 and enforced DMARC reduced spoofed messages reaching users for 84% of organizations.
21Statistics
21Sources
8Sections
6mRead
2 mo agoUpdated
Phishing Statistics
Verified via a 4-step process
01Source

Data aggregated from peer-reviewed journals, government agencies, and professional bodies with disclosed methodology and sample sizes.

02Verify

Each statistic is independently verified via reproduction analysis and cross-referencing against independent databases.

03Grade

Figures are graded by cross-model consensus. Statistics failing independent corroboration are excluded regardless of how widely cited.

04Cite

Every figure carries a primary source. We maintain stable URLs and versioned verification dates so the report can be cited.

Read our full methodology →

Statistics that fail independent corroboration are excluded.

Next review Nov 2026
In 2024 alone, Google Safe Browsing blocked 8+ billion phishing URLs, yet phishing still keeps finding a way through. What’s more surprising is what happens after the click, with nearly half of phishing victims reporting extra cleanup time for compromised accounts and many people repeating the same login error even after training.

Key Takeaways

  • BEC cases in 2023 involved phishing/compromised credentials as an enabling step in 62% of cases (IC3 incident narrative analysis figure)
  • 47% of phishing victims report additional cleanup time for compromised accounts beyond initial incident response (measured in incident postmortem survey)
  • $1.8 billion in reported phishing-related losses in 2022 in the IC3’s “phishing” category (explicit phishing fraud category)
  • £1.0 billion+ in expected annual losses from phishing and other cyberenabled fraud in the UK (estimated by a national authority in a fraud review)
  • 28% of people use the wrong verification method for secure login attempts (measured in a human factors study)
  • 34% of users repeat the same error after initial training (measured retention failure in a study of phishing awareness training)
  • In Phishbowl’s benchmark, 4.2% of users clicked on phishing simulation links on average (Phishbowl phishing benchmarks)
  • In training programs, phishing susceptibility reduced by 40% on average after targeted interventions (measured in meta-analysis of phishing training studies)
  • Security awareness programs improved report-click behavior by 29% after 3 months (measured change in user reporting in a peer-reviewed study)
  • 84% of organizations with enforced DMARC policy had fewer spoofing messages reaching users (reported effectiveness measure in a government/industry email authentication study)
  • 47% of organizations use a dedicated email security solution to filter phishing attempts (Egress Phishing Benchmark report 2024)
  • In 2023, the US Federal Trade Commission reported that phishing was a common method reported in consumer fraud complaints, comprising millions of reports (FTC Consumer Sentinel dataset)
  • In the Canadian anti-spam regulator’s reporting for 2023, phishing/scams were among the top categories of spam complaints, with millions of complaints recorded (Canadian CRTC spam reports)
  • In ENISA’s threat landscape, phishing and social engineering are categorized under initial access tactics commonly observed in cyberattacks (ENISA report)
  • At least 1 in 6 phishing emails contain an attachment (or link) that attempts credential theft by impersonating a legitimate brand (PhishLabs Credential Phishing research)

Phishing costs billions, compromises credentials, and users still click or repeat mistakes without smarter, reinforced defenses.

01 · Category

Tactics And Vectors1 stats

01
BEC cases in 2023 involved phishing/compromised credentials as an enabling step in 62% of cases (IC3 incident narrative analysis figure)
Interpretation

Tactics And Vectors Interpretation

In the Tactics And Vectors category, 62% of 2023 BEC cases used phishing or compromised credentials as a key enabling step, showing how central credential theft remains to these attacks.

02 · Category

Financial Impact4 stats

01
47% of phishing victims report additional cleanup time for compromised accounts beyond initial incident response (measured in incident postmortem survey)
02
$1.8 billion in reported phishing-related losses in 2022 in the IC3’s “phishing” category (explicit phishing fraud category)
03
£1.0 billion+ in expected annual losses from phishing and other cyberenabled fraud in the UK (estimated by a national authority in a fraud review)
04
$17.1 billion total losses from cybercrime in 2019 (FBI IC3 annual report; phishing is a common enabler in many victim reports)
Interpretation

Financial Impact Interpretation

From a financial impact perspective, phishing is not just causing immediate losses such as $1.8 billion reported in 2022 but also drives ongoing account cleanup costs for 47% of victims and contributes to much larger cybercrime totals like $17.1 billion in 2019, with UK expected annual losses of £1.0 billion and more reinforcing the broader economic strain.

03 · Category

User Behavior4 stats

01
28% of people use the wrong verification method for secure login attempts (measured in a human factors study)
02
34% of users repeat the same error after initial training (measured retention failure in a study of phishing awareness training)
03
In Phishbowl’s benchmark, 4.2% of users clicked on phishing simulation links on average (Phishbowl phishing benchmarks)
04
In the UK’s NCSC guidance-based risk model, phishing is listed as one of the most common routes for initial compromise; the NCSC cites that most cyber incidents begin with social engineering (NCSC guidance)
Interpretation

User Behavior Interpretation

From a user behavior perspective, the data shows a stubborn pattern where 28% still use the wrong verification method and 34% repeat the same mistake even after training, while real-world click rates in simulations average 4.2% in Phishbowl benchmarks, reinforcing that human errors and retention gaps keep phishing working.

04 · Category

Mitigation Effectiveness5 stats

01
In training programs, phishing susceptibility reduced by 40% on average after targeted interventions (measured in meta-analysis of phishing training studies)
02
Security awareness programs improved report-click behavior by 29% after 3 months (measured change in user reporting in a peer-reviewed study)
03
84% of organizations with enforced DMARC policy had fewer spoofing messages reaching users (reported effectiveness measure in a government/industry email authentication study)
04
Organizations using message authentication (SPF+DKIM+DMARC) reduced impersonation attacks by 50% (measured reduction in a vendor benchmarking study)
05
Google Safe Browsing blocked billions of malicious URLs; in 2024 it protected users from 8+ billion phishing URLs (published protection metric in quarterly transparency reports)
Interpretation

Mitigation Effectiveness Interpretation

Overall, the mitigation effectiveness data show that targeted training and stronger email authentication can cut phishing impacts dramatically, with susceptibility down 40% on average and impersonation attacks reduced by 50% when SPF, DKIM, and DMARC are used.

05 · Category

User Adoption1 stats

01
47% of organizations use a dedicated email security solution to filter phishing attempts (Egress Phishing Benchmark report 2024)
Interpretation

User Adoption Interpretation

In the user adoption space, 47% of organizations already rely on dedicated email security to filter phishing attempts, showing that nearly half are adopting a specialized layer to help protect users from the start.

06 · Category

Incidence & Impacts2 stats

01
In 2023, the US Federal Trade Commission reported that phishing was a common method reported in consumer fraud complaints, comprising millions of reports (FTC Consumer Sentinel dataset)
02
In the Canadian anti-spam regulator’s reporting for 2023, phishing/scams were among the top categories of spam complaints, with millions of complaints recorded (Canadian CRTC spam reports)
Interpretation

Incidence & Impacts Interpretation

In 2023, phishing was reported in the millions as a leading type of consumer fraud complaint in the US and ranked among the top categories of spam complaints in Canada with millions more, showing that it remains a highly prevalent incidence driving real consumer harm under the Incidence and Impacts angle.

07 · Category

Phishing Landscape1 stats

01
In ENISA’s threat landscape, phishing and social engineering are categorized under initial access tactics commonly observed in cyberattacks (ENISA report)
Interpretation

Phishing Landscape Interpretation

ENISA’s threat landscape shows phishing and social engineering as common initial access tactics in cyberattacks, highlighting how central they remain to the Phishing Landscape.

08 · Category

Cost Analysis3 stats

01
At least 1 in 6 phishing emails contain an attachment (or link) that attempts credential theft by impersonating a legitimate brand (PhishLabs Credential Phishing research)
02
In IBM X-Force research, the average time to detect a phishing-enabled compromise was 250+ days across certain breach cases (IBM breach analytics report)
03
In CrowdStrike’s 2024 report, 1 in 5 breaches involved credential access obtained through phishing or stolen passwords (credential access findings in breach reviews)
Interpretation

Cost Analysis Interpretation

Cost-wise, phishing keeps getting expensive because 1 in 6 emails try brand impersonation to steal credentials and, once it slips through, breach detection can take 250 plus days while 1 in 5 incidents involve credential access gained via phishing or stolen passwords.
Reference

Cite This Report

This report is designed to be cited. We maintain stable URLs and versioned verification dates. Copy the format appropriate for your publication below.

APA
David Kowalski. (2026, February 13). Phishing Statistics. Gitnux. https://gitnux.org/phishing-statistics
MLA
David Kowalski. "Phishing Statistics." Gitnux, 13 Feb 2026, https://gitnux.org/phishing-statistics.
Chicago
David Kowalski. 2026. "Phishing Statistics." Gitnux. https://gitnux.org/phishing-statistics.