Phishing remains a dominant choice for attackers looking to gain access to sensitive business systems. However, new and varied types of phishing attacks are growing increasingly popular with cybercriminals and, therefore, making the threat landscape more dangerous for business owners. Smishing, whaling, vishing, Business Email Compromise (BEC), and Phishing-as-a-Service (PhaaS) are all key vectors that companies must protect against more than ever.
Following our ransomware statistics dive, we’ve researched the current phishing landscape and unearthed insights to help inform your cybersecurity posture as threats grow more sophisticated.
Our research into phishing statistics reveals that:
- AI, PhaaS, and phishing toolkits are making it easier than ever for people to become phishers.
- Multi-channel attacks, BEC campaigns, and blagging are among the most frequently used phishing vectors.
- Microsoft remains the most imitated brand in phishing attacks across the year.
- Behavior-based training, as opposed to knowledge share, is more effective at reducing phishing susceptibility.
- Cyberattacks are increasingly emanating from Eastern states, with European and North American territories facing the most threats.
In this article, we explore trends in quishing, blagging, callback phishing, and more, with data covering the past four years, and citing research from sources such as Verizon, Microsoft, the Internet Crime Complaint Center (IC3), Cybersecurity and Infrastructure Security Agency (CISA), and IBM.
What's New in Phishing for 2026
In 2026, phishing has shifted structurally, moving away from traditional strategies toward more sophisticated, large-scale campaigns. Ultimately, the barriers that previously kept sophisticated vectors out of reach of most attackers are collapsing.
For example, agentic AI, voice cloning, AI-driven chatbot interfaces, and PhaaS are key developments that are characteristic of this latest cycle.
Microsoft Defender Security Research, for instance, recently uncovered a successful, widespread device code phishing campaign that moves away from static scripting. The strategy instead leaned toward automation platforms and PhaaS toolkits to help bypass traditional detection measures.
A shift away from traditional phishing means that conventional detection signals in emails and online forms (such as typos, odd language use, unfamiliar senders, and strange formatting) are no longer reliable red flags for these attacks.
Instead, business owners need to be vigilant about cloned websites and URLs, and about targeted, personalized social media content that mimics both their own natural writing and Large Language Model (LLM) produced content.
What’s more, physical QR phishing, or quishing, has evolved on its own - allowing attackers to bypass email gateways and lure victims into scanning images and redirecting their browsers to malicious links.
Phishing in 2026 is more subtle and nuanced than ever, which is why businesses need rolling threat detection and response measures to identify, sandbox, and remedy suspicious activity.
Global Phishing Trends and Attack Volume
Our research finds that phishing volumes are now at an all-time high, and that in most breach cases, it is the predominant starting point for hackers gaining access to business systems.
Volume and Prevalence
There is no longer a clean, spiking growth line for phishing volume - rather, it has reached a sustained high plateau, a state of constant high risk that saturates targets such as business owners.
APWG’s Phishing Activity Trends Report, 4th Quarter 2025, indicates that while phishing attacks may be down in volume quarter-on-quarter, the number of unique attacks and brands targeted by these campaigns is on a slow but steady rise.
Additionally, Verizon’s 2025 Data Breach Investigations Report suggests that phishing remains the prime social engineering technique used to lure employees. Interestingly, the report also suggests that AI is not entirely to blame for continued trends in social engineering:
“In our opinion, the really interesting thing about these types of attacks is not simply the scale of them but also the amount of time attackers seem to be dedicating to building familiarity with the victims. AI enthusiasts would, of course, state vehemently that this is solely due to AI tools, but in reality, the trend has simply been going on too long for AI to take all the credit. (81)”
Key drivers that push phishing to its critical plateau include:
- Credential phishing, where an attacker impersonates a brand or company with fraudulent login pages or emails to steal access credentials.
- Session token harvesting, where an attacker intercepts an active user session to steal access credentials.
- Phishing kits, prepackaged toolkits including resources that attackers can use to build phishing campaigns out of the box.
A recent example of a prevalent phishing kit at the time of writing is EvilTokens, which Microsoft has reportedly found to be responsible for up to 15 phishing campaigns every 24 hours. It is just one driver that is making sophisticated phishing easier to deploy.
Phishing as an Initial Access Vector
Phishing remains the most frequently used starting point for data breaches, largely as a result of human behavioral manipulation. IBM, for example, claims that it is the most common route for threat actors to access target networks.
The FBI’s IC3 recently reported that phishing ranked among the top reasons for complaints in 2025, which helped to push toward almost $21 billion lost to cyber-enabled crime in the US alone.
CISA, reporting in 2023, raises further concerns about human susceptibility that remain just as relevant today, in particular, that 84% of employees receiving malicious emails interact with them within ten minutes of receipt.
With phishing techniques growing more sophisticated and easier to launch, there’s little wonder why human susceptibility is still such a major concern.
The AI Phishing Surge
With AI, entry-level cyber criminals no longer need programming knowledge or linguistic expertise to launch successful campaigns. Bad actors can manipulate AI to generate malicious code, hide language mistakes, and even automate reconnaissance at speed.
AI is both lowering the entry bar to phishing and making attacks more sophisticated and harder to spot. Phishing emails, for example, are no longer crafted by hand, but generated through LLMs in minutes.
What’s more, AI can now impersonate people’s voices and physical appearances in video, making phishing attempts even more difficult to assess with the naked eye.
To combat the AI phishing surge, companies are investing in:
- Endpoint Detection and Response (EDR) solutions, which identify subtle, suspicious access attempts and isolate AI-driven threats.
- Security Information and Event Management (SIEM) systems, which learn legitimate use patterns, flag deviations, and connect suspicious events together at scale.
- Adaptive training, which helps employees understand how to better detect and adapt to AI phishing scams.
Evolving Phishing Attack Vectors
Phishing attack vectors that are evolving fast include BEC, callback phishing, quishing, Scalable Vector Graphics (SVG) attachments, calendar invites, vishing, and Adversary-in-The-Middle (AiTM) scams.
BEC, Callback Phishing, and Quishing
BEC, or Business Email Compromise, is the highest-dollar threat among phishing vectors right now. The IC3’s 2025 report shows BEC fraud cost US complainants more than $3 billion across 12 months.
Alongside callback phishing and quishing, BEC attacks are evolving to dodge attack filters through reverse psychology and sophisticated social engineering. Here’s a quick breakdown:
| Phishing Type | What it Involves | Why it's Hard to Catch |
|---|---|---|
| BEC | Personalizing individual phishing emails based on leadership writing styles, using LLMs to support. | BEC emails are more sophisticated than mass phishing attacks and frequently avoid using suspicious links and attachments. |
| Callback phishing | Requesting email recipients to call "support numbers". | Like BEC emails, these attacks usually avoid attachments and links, press for urgency, and offer "support" - not all filters will pick up on them. |
| Quishing | Sharing QR codes for recipients to scan, leading to malicious websites, login pages, and downloads. | These attacks hide malicious code and links in images that are embedded into emails, meaning they can bypass many filters. |
SVG Attachments, Calendar Invites, Vishing, and AiTM
Phishers are increasingly hiding malicious code and links in plain sight to bypass filters, too. For example, seemingly innocuous SVG attachments and ICS invites might not get picked up by legacy endpoint protection, and attackers have found ways to manipulate them.
Here’s a quick breakdown:
| Phishing Type | What it Involves | Why it's Hard to Catch |
|---|---|---|
| SVG attachments | Hiding malicious code in apparently legitimate documents or files from "trusted" sources. | They can bypass malicious file checks as SVGs are typically harmless images - but malicious SVGs can redirect openers to harmful pages. |
| Calendar (ICS) invites | Sending meeting or event requests to recipients that automatically appear in scheduling software, leading to malicious sites or downloads. | They are added automatically via scheduling tools like Outlook and Google Calendar, thus bypassing filters. |
| Vishing (voice phishing) | Calling targets disguised as important people or trusted entities to gain access to sensitive information. | Number spoofing can make call signs appear legitimate, and AI helps vishers to mimic trusted voices. |
| Hybrid Vishing | Same as vishing but may include sending emails or SMS to encourage people to call them directly. | Same as vishing, with the added step of an apparently legitimate message from a trusted source. |
| AiTM | Intercepting active user sessions and stealing data from session cookies and tokens to bypass access controls. | These attacks not only steal access information but also relay inputs to control providers, effectively faking multi-factor authentication (MFA). |
Phishing Attack Techniques and Tactics
Popular phishing attack techniques and tactics in 2026 include credential harvesting, open redirects, phishing kit use, and multi-channel and social engineering.
Credential Harvesting, Open Redirects, and Phishing Kits
The goal behind many phishing campaigns is to harvest credentials, which can then be used to access corporate networks or even sold on.
By using open redirects, for example, attackers can send victims to malicious links or forms purely because user inputs haven’t been validated.
Phishing kits, too, as discussed, provide entry-level hackers with a wealth of AI-driven tools and resources to build malicious pages and craft messages to get people there.
Regarding key targets for these attacks, Microsoft 365 and Google Workspace are prioritized. These tools are highly ubiquitous among modern workforces and are therefore frequently targeted for credential harvesting.
What’s more, phishers use evasion techniques to make credential harvesting strategies harder to spot. For example, many offer CAPTCHA forms to complete before their malicious content loads, which can stop automated scanners in their tracks.
Others may use IP filtering to block security scanners, allowing only their targets to access their fake pages.
Multi-Channel and Social Engineering Tactics
Modern phishing is a multi-channel discipline that uses sophisticated techniques and social engineering alongside specialized toolkits. Targets may receive scam SMS messages, phone calls, and even conference call requests, all of which can build into an attack chain.
Angler phishing, for example, is a technique where attackers pose as branded support staff and target unhappy customers, pretending they are helping - the victim is already “warmed up” and easier to exploit than most.
Blagging, meanwhile, is a concerning trend where phishers pretend to be someone personally close to the victim to gain money or access to sensitive details. This type of attack has only become more threatening thanks to AI’s potential for deepfaking voices.
Social engineering essentially refers to confidence tricks - ways that attackers use conversational tactics to convince targets to give up sensitive details. Studies show that, while social engineering remains prevalent, combining technology with awareness training can reduce threat effectiveness by up to 75%.
It’s therefore important to invest in social engineering penetration testing and rolling training to ensure your company stays protected.
Phishing by Industry and Region
Research shows that SaaS/webmail, healthcare, and finance are sectors that remain most at risk for phishing, and that millennials and Gen-Z are most at risk from the latest techniques. Data also suggests that the majority of cybercrime in general (phishing included) emanates from Eastern states.
Most Targeted Sectors
The following sectors are, according to reports, the most under threat from phishing worldwide:
- SaaS and Webmail (due to centralizing extensive sensitive data across internal corporate systems).
- Social Media (due to ubiquitousness and easy access to personal information).
- Finance (due to highly valuable data).
However, due to their sensitive data and critical operations, companies in healthcare and on the global supply chain – as well as MSPs (managed service providers) – are considered high-risk for phishing. Ultimately, disruption to these sectors is likely to prove the most chaotic, and the data they hold is frequently of high value.
Employee Demographics and Susceptibility
Research shows that Gen-Z is the employee demographic at highest risk from phishing, though the same data also indicates that there are no generational swings when it comes to being able to spot a phishing attempt.
The research shows that Gen-Z is significantly more likely than other demographics to interact with a phishing message, regardless of their ability to judge legitimacy.
Regional Phishing Shifts
The World Cybercrime Index shows that it is predominantly middle-to-Eastern countries that produce the most hackers, phishers among them - with Russia, Ukraine, and China topping its scoring system.
And yet, national targets differ slightly. Reports indicate that the Netherlands, Russia, and Moldova are most at risk from international phishing attacks.
Most Impersonated Brands and Phishing Lures
As of 2026, Microsoft remains the most-impersonated brand by phishers worldwide, with Facebook, Roblox, McAfee, and Steam making up the top five. There’s a clear trend towards targeting social and gaming platform users, though Microsoft’s prevalence in the remote workplace makes it a clear candidate for mimicry.
Typically, threats used in the corporate landscape take the shape of fake requests from HR departments, payroll administration issues, and even security alerts from company cloud environments - all areas of the business that employees should implicitly trust.
Cybersecurity measures deployed to help fight back against the proliferation of these threats include technical controls, such as Domain-based Message Authentication, Reporting, and Conformance (DMARC). This is a DNS record-based standard that lets receiving mail servers check that mail comes from IP addresses the domain owner has authorized (SPF) and carries the domain owner's signature (DKIM), so they can verify where email is coming from and apply the owner's published policy to mail that fails.
DNS filtering, meanwhile, stops malicious content from reaching users even when they have clicked through far enough to reach a phishing website. Crucially, these are only two of the tools recommended for ongoing phishing protection.
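To make the DMARC check concrete, here is an added example (not VikingCloud's code, and not any mail server's implementation) that parses a domain's DMARC record and decides the disposition of a message from the SPF and DKIM results, with the monitor-only policy `p=none` shown beside the enforcing `p=reject`. The domains, records, and authentication results are constructed; the organizational-domain logic is a simplification that a real receiver would replace with a Public Suffix List lookup.

```python
"""Evaluate DMARC disposition for a received message (added illustrative example).

DMARC passes when SPF or DKIM passes AND the domain that passed aligns with the
RFC5322.From domain the user sees. Otherwise the domain owner's published
policy (p=none / quarantine / reject) decides what the receiver does.
"""

# Constructed DMARC TXT records for the hypothetical domain example.com.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
REJECT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

ACTIONS = {"none": "deliver (monitor only)", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, applying DMARC defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ACTIONS:
        raise ValueError("DMARC record must carry a valid p= policy")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption;
    real receivers consult the Public Suffix List, e.g. for example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, receiver_action) for one message."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", ACTIONS[tags["p"]]


def evaluate_samples() -> dict:
    """Run constructed messages through both policies; returns name -> result."""
    # Genuine mail: envelope sender and DKIM signature both belong to example.com.
    legit = ("example.com", "pass", "mail.example.com", "pass", "example.com")
    # Spoofed From: example.com, but SPF and DKIM only vouch for a third-party domain.
    spoof = ("example.com", "pass", "bulk-mailer.test", "pass", "bulk-mailer.test")
    return {
        "legit_reject_policy": dmarc_disposition(REJECT_RECORD, *legit),
        "spoof_reject_policy": dmarc_disposition(REJECT_RECORD, *spoof),
        "spoof_monitor_policy": dmarc_disposition(MONITOR_RECORD, *spoof),
    }


if __name__ == "__main__":
    for name, (result, action) in evaluate_samples().items():
        print(f"{name:22s} dmarc={result:4s} action={action}")
```

Under `p=none` the spoofed message still lands in the inbox and only shows up in aggregate reports, which is why moving to `quarantine` or `reject` once reports look clean is the point of the rollout.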
Company Size and the SMB Exposure Gap
SMBs are often viewed by phishing attackers as low-hanging fruit: they store valuable and sensitive data but typically lack the robust security defenses of larger enterprises. When these businesses are hit with credential theft or ransomware, the financial impact can be far more difficult for them to absorb and recover from.
The compounding costs of data breaches, while apparently decreasing year-on-year on average, threaten to put smaller firms out of business.
This threat is all the more concerning when Microsoft’s research claims that a third of all SMBs have experienced some form of cyberattack, and that only 53% focus their spending specifically on phishing protection.
Phishers are attacking SMBs in 2026 because they are accessible, often highly vulnerable compared to enterprises, and may not have the extensive training or awareness resources available to employees at larger firms.
Human Factors and Employee Vulnerability
Even with phishing strategy awareness and associated training, the most diligent of employees can still fall prey to emotional manipulation and basic human error. Verizon’s 2025 DBIR shows that while the “human element” in cyber attacks has decreased over the years, its share has plateaued at around 60% of cases for some time.
As discussed, phishing in 2026 is becoming increasingly sophisticated, in part thanks to AI capabilities and multi-channel attack vectors. Therefore, awareness is purely foundational knowledge - employees must regularly submit to phishing training, for example, via simulations, to keep ahead of the latest trends.
There needs to be a movement away from compliance-focused completion-rate training and toward behavior-based, adaptive, hands-on education - to not only cement new knowledge, but to also challenge and change existing behaviors.
Studies show that a repeated, actively engaging approach to phishing training improves robustness against these attacks - and that current training methods leave less than a quarter of employees susceptible.
Financial and Data Impact of Phishing Attacks
Businesses must consider the individual risk factors that arise from phishing attacks, not just average breach cost implications. Consider again the IC3’s report that BEC attacks and recovery costs alone are, for example, losing US businesses billions of dollars every year.
Further real and possible impacts of phishing attacks include:
- Regulatory fines, such as those applied by the FTC, FCC, and state-level regulators.
- Identity theft, leading to unlimited fraudulent activity.
- The detection time-cost gap, which dictates that the longer a threat dwells, the more it costs to repair the damage.
- Downstream consequences, such as costly ransomware and crypto scams.
Phishing Prevention Strategies and Security Training
The ideal approach to phishing protection in 2026 will vary depending on the size, threat risk, and nature of your business. However, it is important to follow a multi-layered approach, covering technical measures, ongoing training and engagement, and taking a proactive stance on detecting and responding to suspicious activity.
To effectively prevent phishing and strengthen their ability to recover, businesses need to focus on:
- Technical prevention strategies (e.g., using DMARC, running DNS filtering, submitting to scheduled penetration testing, and applying robust email authentication).
- Human support (e.g., behavior-based security awareness training (SAT), simulating real-world phishing attacks, and maintaining an open-door reporting culture).
- Proactive defense (e.g., by applying phishing-resistant MFA, and establishing enterprise-grade, 24x7 threat detection and response measures).
Taking a collective, proactive stance on phishing is already creating positive ripples worldwide. Operation Synergia III, for example, was an INTERPOL operation focusing on cracking down upon phishing and ransomware schemes - with more than 45,000 malicious operations terminated, and at least 94 people arrested.
Operation Secure, meanwhile, is another INTERPOL crackdown that removed more than 20,000 malicious domains and IPs between January and April 2025 alone.
Conclusion
The evolution of AI, growth of PhaaS accessibility, and the increasing costs of late detection and recovery all make phishing just as threatening in 2026 as it has ever been, and this is reflected by the phishing statistics pulled together here.
Right now, we are at an inflection point, meaning this is a collective, pivotal moment for businesses and agencies of all sizes to take a tougher, more proactive stance on phishing attacks as threats evolve.
Contact VikingCloud today to learn more about how tailored threat detection and regular penetration testing can help strengthen your business against phishing, ransomware, and the costs of cybercrime.
FAQs
What brands are most impersonated in phishing attacks?
Microsoft and Facebook are among the most impersonated brands in phishing attacks. However, “seasonal rotation” allows for retail and ecommerce brands such as Amazon to become highly mimicked around holidays, for example. Many phishers catch victims with lookalike domains, such as those with slight differences in how URLs are spelt, or with slightly different suffixes.
Why do employees keep falling for phishing attacks?
Even with awareness and training, employees can still fall victim to emotional manipulation, social engineering, and multi-channel tricks. Beyond this, AI is making it more difficult for employees to spot phishing attempts - with LLMs making typos and language barrier tells obsolete.
How is AI making phishing harder to detect?
AI is erasing many of the classic signs of phishing, like awkward grammar or obvious typos, by enabling attackers to generate flawless, convincing text. At the same time, PhaaS platforms and AI-enhanced phishing kits are lowering the skill required to launch attacks, making phishing accessible to far more criminals. Deepfake technology is also advancing quickly, giving attackers the ability to closely replicate real people’s faces and voices with unsettling accuracy.
What are the most effective controls for reducing phishing risk?
The best approach to a robust phishing defense is to apply intensive technical, training, and detection layers. For example, we recommend using DMARC, applying phishing-resistant MFA standards, training employees to change behavior (not just raise awareness), and DNS filtering.
What are the financial consequences of a phishing attack beyond the immediate breach cost?
Beyond immediate breaches, companies face costs associated with identity theft, reputational damage, regulatory fines, and the detection time-cost gap, which increases as long as threats go undetected.
Sources
1. VikingCloud. (2025, December 17). 46 Ransomware Statistics and Trends Report 2026. VikingCloud Blog. Retrieved April 12, 2026, from https://www.vikingcloud.com/blog/ransomware-statistics
2. Microsoft Defender Security Research Team. (2026, April 6). Inside an AI‑enabled device code phishing campaign. Microsoft Security. Retrieved April 12, 2026, from https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/
3. VikingCloud. (n.d.). Threat Detection & Response. VikingCloud. Retrieved April 12, 2026, from https://www.vikingcloud.com/cybersecurity/threat-detection-and-response
4. APWG. (2026, February 18). Phishing Activity Trends Report, 4th Quarter 2025. APWG. Retrieved April 12, 2026, from https://docs.apwg.org/reports/apwg_trends_report_q4_2025.pdf
5. Verizon. (2026). 2025 Data Breach Investigations Report. Verizon. Retrieved April 12, 2026, from https://www.verizon.com/business/resources/T16f/reports/2025-dbir-data-breach-investigations-report.pdf
6. Lyons, J. (2026, April 7). Hundreds of orgs compromised daily in Microsoft device code phishing attacks. The Register. Retrieved April 12, 2026, from https://www.theregister.com/2026/04/07/microsoft_device_code_phishing/
7. IBM Security X-Force Team. (n.d.). Why phishing is still the top attack method. IBM: Think. Retrieved April 12, 2026, from https://www.ibm.com/think/x-force/why-phishing-still-top-attack-method-2
8. Federal Bureau of Investigation / IC3. (2026). Federal Bureau of Investigation Internet Crime Report 2025. Internet Crime Complaint Center. Retrieved April 12, 2026, from https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf
9. Cybersecurity & Infrastructure Security Agency. (2023). Phishing. CISA.gov. Retrieved April 12, 2026, from https://www.cisa.gov/sites/default/files/2023-02/phishing-infographic-508c.pdf
10. Almatarneh, R., Aljaidi, M., Alsarhan, A., Aziz Alshammari, S., and Alshammari, N.H. (2025). The rising tide of social engineering: Trends, impacts, and multi-layered mitigation strategies. International Journal of Innovative Research and Scientific Studies 8(3). Retrieved April 12, 2026, from https://ijirss.com/index.php/ijirss/article/view/6443 DOI: https://doi.org/10.53894/ijirss.v8i3.6443
11. Brown, C. (2025, November 11). Social Engineering Penetration Testing: What You Need to Know. VikingCloud Blog. Retrieved April 12, 2026, from https://www.vikingcloud.com/blog/social-engineering-penetration-testing
12. Statista Research Department. (2026, February 2). Distribution of industries worldwide most targeted by phishing attacks in 4th quarter 2024. Statista. Retrieved April 12, 2026, from https://www.statista.com/statistics/266161/websites-most-affected-by-phishing/
13. Bruce, M., Lusthaus, J., Kashyap, R., Phair, N., and Varese, F. (2024, April 10). Mapping the global geography of cybercrime with the World Cybercrime Index. PLoS ONE 19(4): e0297312. Retrieved April 12, 2026, from https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0297312 DOI: https://doi.org/10.1371/journal.pone.0297312
14. EasyDMARC. (2025, December 1). Phishing Statistics and DMARC. EasyDMARC. Retrieved April 12, 2026, from https://easydmarc.com/blog/phishing-statistics-easydmarc-report-january-june-2022/
15. Amod, F. (2026, January 20). Microsoft ranks as the most impersonated brand in phishing attacks. Paubox. Retrieved April 12, 2026, from https://www.paubox.com/blog/microsoft-ranks-as-the-most-impersonated-brand-in-phishing-attacks
16. VikingCloud Team. (2022, March 7). Phishing 101: Everything You Need to Know to Protect Your Business. VikingCloud. Retrieved April 12, 2026, from https://www.vikingcloud.com/blog/phishing-101-everything-you-need-to-know-to-protect-your-business
17. IBM. (2025). Cost of a Data Breach Report 2025. IBM. Retrieved April 12, 2026, from https://www.ibm.com/reports/data-breach
18. Microsoft Security. (n.d.). New research: Small and medium business (SMB) cyberattacks are frequent and costly. Microsoft. Retrieved April 12, 2026, from https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/SMBCybersecurity-Report-Final.pdf
19. Marshall, N., Sturman, D., and Auton, J.C. (2024, April). Exploring the evidence for email phishing training: A scoping review. Computers & Security, 139, 103695. Retrieved April 12, 2026, from https://www.sciencedirect.com/science/article/pii/S0167404823006053 DOI: https://doi.org/10.1016/j.cose.2023.103695
20. VikingCloud. (n.d.). Penetration Testing Services. VikingCloud. Retrieved April 12, 2026, from https://www.vikingcloud.com/security-testing/penetration-testing
21. INTERPOL. (2026, March 13). 45,000 malicious IP addresses taken down in international cyber operation. INTERPOL. Retrieved April 12, 2026, from https://www.interpol.int/en/News-and-Events/News/2026/45-000-malicious-IP-addresses-taken-down-in-international-cyber-operation
22. Paganini, P. (2025, June 11). Operation Secure: INTERPOL Dismantles 20,000+ Malicious IPs in Major Cybercrime Crackdown. Security Affairs. Retrieved April 12, 2026, from https://securityaffairs.com/178898/cyber-crime/operation-secure-interpol-dismantles-20000-malicious-ips-in-major-cybercrime-crackdown.html