What is Phishing?
Phishing is a form of social engineering attack in which cybercriminals use deceptive communications — most commonly emails, but increasingly text messages, phone calls, QR codes, and direct social media messages — to impersonate trusted entities and manipulate victims into revealing credentials, transferring funds, downloading malware, or surrendering sensitive personal and financial data. The term encompasses a wide family of related attack types: spear phishing (highly targeted attacks personalized to a specific individual or organization), smishing (phishing via SMS), vishing (voice phishing by phone), quishing (phishing via QR codes), and Business Email Compromise (BEC), the most financially damaging sub-category, in which attackers impersonate executives, vendors, or internal finance personnel to authorize fraudulent wire transfers. Phishing is not a niche threat or a secondary cybersecurity concern — it is the #1 most reported category of internet crime by complaint volume to the FBI, the leading initial attack vector for data breaches according to IBM, and the foundational entry method for the vast majority of ransomware deployments, account takeovers, and corporate espionage campaigns documented globally.
What makes phishing statistics in the US in 2026 particularly alarming is the documented acceleration in both the sophistication and the financial impact of these attacks. The volume of phishing attacks is vast and largely stable — the Anti-Phishing Working Group (APWG) recorded 3.8 million phishing attacks globally in 2025, a figure it tracks through its eCrime eXchange and member reporting network. But raw volume no longer captures the full story. The emergence of Phishing-as-a-Service (PhaaS) platforms that provide criminal networks with turnkey attack kits, the integration of large language models that generate grammatically perfect, contextually precise phishing lures at industrial scale, and the deployment of AI-driven spear phishing that personalizes attacks using scraped LinkedIn, social media, and data breach records have collectively transformed phishing from a high-volume, low-precision threat into a high-volume, high-precision one. The FBI IC3’s data confirms this shift: phishing losses grew 208% in a single year while complaint volume barely moved — meaning each attack is extracting dramatically more value. The sources used throughout this article include the FBI IC3 2025 Annual Report (April 2026), all four quarters of the APWG Phishing Activity Trends Reports (2025), the IBM Cost of a Data Breach Report 2025, and the Verizon Data Breach Investigations Report 2025.
Key Facts: Phishing Statistics in the US 2026
The following table captures the most important and current phishing facts 2026 — all drawn from verifiable federal law enforcement reports, official industry surveillance bodies, and peer-reviewed security research.
| Key Fact | Verified Stat |
|---|---|
| #1 reported crime by volume to FBI IC3 in 2025 | Phishing / Spoofing — 191,561 complaints |
| Phishing losses reported to FBI IC3 in 2025 | $215.8 million — up 208% from $70M in 2024 |
| Phishing losses reported to FBI IC3 in 2024 | $70 million — itself nearly 4× the $18.7M in 2023 |
| 11-year phishing loss trajectory (IC3 2023→2025) | From $18.7M → $70M → $215.8M — 11× increase in 2 years |
| Total global phishing attacks recorded by APWG in 2025 | 3.8 million unique phishing attacks — up from 3.76M in 2024 |
| Largest single quarter of phishing attacks in 2025 (APWG) | Q2 2025 — 1,130,393 attacks — highest since Q2 2023 |
| US share of top phishing targets by region (Q2 2025) | 66% — US accounted for 66% of top regional phishing targets (Rapid7) |
| Business Email Compromise (BEC) losses in 2025 | $3.046 billion — up from $2.77B in 2024; +10% YoY |
| BEC cumulative losses tracked by FBI IC3 (2013–2025) | ~$55.5 billion in cumulative losses |
| Wire transfer BEC attacks surge in Q4 2025 vs Q3 | +136% — largest quarterly BEC surge of the year (APWG/Fortra) |
| Average BEC wire transfer request amount (Q4 2024) | $128,980 per request (Fortra via APWG) |
| Most prolific BEC threat group in 2025 | Scripted Sparrow — sends up to 6 million targeted emails/month (Fortra) |
| BEC scammers using free Gmail accounts (Q1 2025) | 73.5% of BEC scammers use Gmail to set up accounts (Fortra/APWG) |
| Phishing as initial attack vector — IBM 2025 Breach Report | 16% of all breaches — #1 initial attack vector globally |
| Average cost of phishing-related data breach (IBM 2025) | $4.8 million per incident (US average breach: $10.22M) |
| US average cost of any data breach in 2025 | $10.22 million — a record high; +9% from prior year (IBM) |
| Human element in all 2025 breaches (Verizon DBIR 2025) | ~60% of all confirmed breaches involved a human element |
| Phishing appearing as initial vector in breaches (Verizon 2025) | 16% of breach cases — email attack vector in 27% of all breaches |
| Verizon DBIR 2025 — phishing click speed | Median time to first click on phishing link: 21 seconds |
| QR code phishing (quishing) attacks growth 2023–2025 | +400% increase in quishing attacks (Abnormal Security) |
| Unique malicious QR codes detected by Mimecast — Q2 2025 | 635,672 unique malicious QR codes in a single quarter |
| Unique malicious QR codes — combined Q4 2024 + Q1 2025 | Over 1.7 million malicious QR codes in 6-month span (Mimecast) |
| FBI Financial Fraud Kill Chain (FFKC) interventions in 2025 | ~3,900 interventions — froze $679 million at 58% success rate |
| Government impersonation complaints — IC3 2025 | 32,424 complaints — nearly doubled from 17,367 in 2023 |
| Government impersonation losses — IC3 2025 | $797.9 million — up from $405.6M in 2023 |
| Combined email-origin fraud losses (BEC + phishing + gov. impersonation) | Over $4 billion — ~19% of all IC3-reported cybercrime losses |
Data Sources: FBI Internet Crime Complaint Center (IC3) 2025 Annual Report (released April 6–7, 2026); Anti-Phishing Working Group (APWG) Phishing Activity Trends Reports — Q1, Q2, Q3, Q4 2025 (released through February 23, 2026); IBM Cost of a Data Breach Report 2025 (released August 2025); Verizon Data Breach Investigations Report (DBIR) 2025; Red Sift — “FBI IC3 2025 Report: Email Fraud Is Now a $4 Billion Problem” (April 2026); SpyCloud 2026 Annual Identity Exposure Report
These 26 facts establish a picture of a threat category that is simultaneously pervasive by volume and escalating dramatically by impact per attack. The 208% single-year increase in FBI-reported phishing losses — from $70 million in 2024 to $215.8 million in 2025 — while complaint volume barely moved (193,407 → 191,561) is the most important signal in the entire dataset. It means criminal phishing operations are not becoming more numerous; they are becoming dramatically more effective at converting each attempt into a larger financial extraction. The 3.8 million total phishing attacks recorded by APWG in 2025 provide the global scale context, while the FBI’s 191,561 US phishing complaints represent the slice of that volume that American victims formally reported — estimated to be a small fraction of actual incidents, given that the FTC has documented that only approximately 4.8% of fraud victims report to any government entity. The $4 billion in combined email-origin fraud losses (BEC + phishing + government impersonation) represents 19% of all IC3-reported cybercrime losses — making email the single most consequential attack surface in the American cybercrime landscape.
Phishing Attack Volume and Trends in the US 2026
APWG Global Phishing Attack Volume — Quarterly Trend 2024–2025
(Anti-Phishing Working Group Phishing Activity Trends Reports, Q1–Q4 2025)
Q2 2024 |████████████████████████████████████████████████ 877,536
Q3 2024 |█████████████████████████████████████████████████ 932,923
Q4 2024 |█████████████████████████████████████████████████ 989,123
Q1 2025 |████████████████████████████████████████████████████ 1,003,924 ← Largest since late 2023
Q2 2025 |██████████████████████████████████████████████████████████ 1,130,393 ← 2025 PEAK
Q3 2025 |████████████████████████████████████████████████████ 892,494
Q4 2025 |██████████████████████████████████████████████████ 853,244
──────────────────────────────────────────────────────────────────────────────────────
0 250K 500K 750K 1M 1.13M
2025 ANNUAL TOTAL: 3.8 million phishing attacks (3,880,055)
| Period / Metric | Phishing Attack Volume / Rate | Notable Development |
|---|---|---|
| Full Year 2025 (APWG) | 3,800,000+ unique phishing attacks | Up slightly from 3.76M in 2024 |
| Full Year 2024 (APWG) | 3,760,000 unique attacks | Near-record; slight 2025 increase |
| Q1 2025 (APWG) | 1,003,924 attacks | Largest since late 2023 |
| Q2 2025 (APWG) | 1,130,393 attacks — 2025 peak | +13% QoQ; highest quarterly count since Q2 2023 |
| Q3 2025 (APWG) | 892,494 attacks | Seasonal decline |
| Q4 2025 (APWG) | 853,244 attacks | −4% from Q3; but BEC surged +136% |
| Daily phishing rate (FBI IC3 2025 average) | ~525 FBI-reported phishing complaints/day | Subset of actual daily attacks |
| Total IC3 complaints (all types) per day in 2025 | ~2,760 complaints/day | First year exceeding 1M annual complaints |
| FBI IC3 phishing complaints 2025 | 191,561 | Barely changed from 193,407 in 2024 |
| FBI IC3 phishing losses 2025 | $215.8 million | +208% from $70M in 2024 |
| FBI IC3 phishing losses 2024 | $70 million | ~4× the $18.7M recorded in 2023 |
| FBI IC3 phishing losses 2023 | $18.7 million | Historical baseline for trajectory |
| US share of phishing targets (Q2 2025) | 66% of top regional targets | Rapid7 Q2 2025 data |
| Phishing attacks on social media platforms (ZeroFox, 2025) | Increased every single quarter of 2025 | Growth ranged from 51% to 843% QoQ |
Data Sources: Anti-Phishing Working Group (APWG) Phishing Activity Trends Reports — Q1 2025 (July 2, 2025), Q2 2025 (September 2, 2025), Q3 2025 (December 9–10, 2025), Q4 2025 (February 2026); APWG Year in Review press release (February 23, 2026, newswire.com); FBI IC3 2025 Annual Report (April 2026); Rapid7 Q2 2025 threat intelligence data (cited axis-intelligence.com, April 2026)
The phishing attack volume trends in the US in 2026 reflect a threat that has reached a kind of steady-state saturation at the infrastructure level — enormous and persistent — while simultaneously undergoing a rapid qualitative transformation at the attack level. The 3.8 million APWG-tracked phishing attacks in 2025 represent a near-identical total to 2024, suggesting that the raw volume of phishing campaigns has plateaued, likely because the infrastructure constraints (domains, hosting providers, and delivery bandwidth) that criminal networks work within have been largely maxed out. What has not plateaued is the financial damage each attack generates. The 208% single-year increase in FBI-reported phishing losses while complaint volume held flat confirms this directly: the attacks are increasingly sophisticated, better targeted, and more effective at circumventing both technical defenses and individual detection. The APWG Q4 2025 data adds a critical nuance: even as traditional email phishing volume declined slightly in the final quarter, BEC wire transfer attacks surged 136% quarter-over-quarter, driven by the Scripted Sparrow threat group’s deployment of mass-targeted BEC operations at a scale the APWG had not previously documented.
The ZeroFox social media threat intelligence contribution to APWG’s Q4 2025 report deserves particular attention. The finding that phishing threat volume on social media increased on every major platform, in every quarter of 2025, with growth rates ranging from 51% to 843% quarter-over-quarter, confirms what the FTC’s own social media scam Data Spotlight published in April 2026 documented from the consumer side: social media has become not a secondary phishing channel but a primary one. The migration of phishing from email to social media, SMS, and collaboration platforms (Microsoft Teams and Slack were specifically named in 2025 threat reports) is a structural evolution that traditional email-focused defenses are poorly positioned to address, and it is one of the most significant threat landscape changes captured in the 2025 phishing data record.
Business Email Compromise (BEC) Phishing Losses in the US 2026
BEC Losses — FBI IC3 Annual Data (3-Year Trend)
(FBI IC3 Annual Reports; BEC = Business Email Compromise phishing / wire fraud)
2023 |█████████████████████████████████████████████ $2.94 billion
2024 |████████████████████████████████████████████ $2.77 billion (brief dip)
2025 |████████████████████████████████████████████████ $3.046 billion ← New record
─────────────────────────────────────────────────────────────────────────────────────
$0 $500M $1B $1.5B $2B $2.5B $3.046B
Cumulative FBI IC3 BEC losses since tracking began (2013–2025): ~$55.5 BILLION
Q4 2025 Wire Transfer BEC Surge:
+136% increase vs Q3 2025 — driven by Scripted Sparrow threat group
Scripted Sparrow sends ~6 MILLION targeted emails per month
| BEC / Email Phishing Metric | 2024 Figure | 2025 Figure | Change |
|---|---|---|---|
| Total BEC losses (FBI IC3) | $2.77 billion | $3.046 billion | +10% YoY |
| BEC complaints to IC3 | ~21,442 | Significant | +YoY |
| Cumulative BEC losses 2013–2025 | ~$52B (2013–2024) | ~$55.5 billion | +$3.046B |
| Average BEC wire transfer request (Fortra/APWG) | $128,980 (Q4 2024) | $50,297 (Q4 2025 avg) | Varies by campaign |
| Average per-complaint BEC loss | — | ~$122,000 | Red Sift analysis |
| BEC scammers using Gmail (Q1 2025) | — | 73.5% | Fortra/APWG Q1 2025 |
| BEC scammers using Cloudflare as registrar | — | Most popular (Q1 2025) | Fortra/APWG Q1 2025 |
| Wire transfer BEC surge Q4 2025 vs Q3 | — | +136% | APWG/Fortra Q4 2025 |
| Most prolific BEC group (2025) | — | Scripted Sparrow | First observed June 2024 |
| Scripted Sparrow monthly targeted email volume | — | ~6 million emails/month | Fortra/APWG Q4 2025 |
| % of BEC funds moved via wire transfer or ACH | — | 86% | Red Sift citing IC3 2025 data |
| AI-attributed BEC losses (confirmed AI component) | — | $30 million+ | FBI IC3 2025 AI category |
| FBI FFKC 2025 BEC interventions | — | ~3,900 actions; $679M frozen | IC3 2025 Annual Report |
| FFKC success rate 2025 | — | 58% overall; 65% healthcare | FBI IC3 2025 |
Data Sources: FBI IC3 2025 Annual Report (ic3.gov, April 2026); FBI IC3 2024 Annual Report; APWG Phishing Activity Trends Report Q1 2025 (July 2, 2025) and Q4 2025 (released February 2026); APWG Year in Review — February 23, 2026; Red Sift — “FBI IC3 2025 Report: Email Fraud Is Now a $4 Billion Problem” (April 18, 2026); Paubox — “US Cybercrime Losses Hit $20.9 Billion in 2025” (April 2026)
Business Email Compromise statistics in the US in 2026 confirm BEC’s enduring status as the single most financially damaging phishing sub-category in the American cybercrime landscape. The $3.046 billion in BEC losses reported to the FBI IC3 for 2025 represents a 10% increase from 2024’s $2.77 billion and re-establishes the upward trajectory after the brief 2024 dip in that figure. Accumulated across the decade-plus of FBI tracking, cumulative BEC losses have now crossed $55.5 billion — a number so large that it approaches the GDP of some mid-sized nations. The $122,000 average per-complaint BEC loss is not the result of massive single attacks skewing the data; it reflects a systematic criminal economy that has standardized wire fraud operations down to a reproducible formula: impersonate an executive or vendor, create appropriate urgency, and direct a finance employee to wire a large sum. The 86% of BEC funds that move via wire transfer or ACH is the reason recovery rates are so low — wire transfers move fast, often internationally, and become extremely difficult to reverse once they clear the recipient institution.
The emergence of Scripted Sparrow — the BEC threat group first identified by Fortra in June 2024 and now documented as the world’s most prolific BEC operation — represents a qualitative change in how BEC attacks are conducted. Sending approximately 6 million highly targeted emails per month, Scripted Sparrow operates at a scale that dwarfs previous BEC groups and is directly connected to the 136% surge in wire transfer BEC attacks in Q4 2025 documented by APWG. The FBI’s Financial Fraud Kill Chain (FFKC) intervention mechanism — which froze $679 million in fraudulent transfers across ~3,900 interventions in 2025 at a 58% success rate — remains the most effective recovery mechanism available, but it requires rapid victim reporting, and the majority of BEC victims file complaints after funds have already cleared. The documented real-world case in which an Oregon city government lost $6 million to a BEC attack in April 2025 — funds that were recovered because the FFKC happened to have a prior freeze on the same fraudulent recipient account — illustrates both the scale of individual BEC incidents and the narrow conditions under which recovery is possible.
Most Targeted Sectors and Attack Methods in Phishing 2026
Most-Attacked Sectors by Phishing Attack Share — APWG 2025
(APWG Phishing Activity Trends Reports Q1–Q4 2025; OpSec Security / Crane Authentication data)
Q1 2025: Q2 2025: Q4 2025:
SaaS/Webmail 17.6% Financial Inst. 18.3% Social Media 20.3% (tie)
Financial+Pay 30.9% combined SaaS/Webmail 18.2% SaaS/Webmail 20.3% (tie)
(Fin+SaaS = 36.5% combined) Telecom/IT 18.7% ↑ surging
Full-year 2025 sector picture (APWG + Crane Authentication composite):
Financial Services (banks, insurance, fintech): 23.5% — #1 target category
SaaS / Webmail (Microsoft 365, Google Workspace): 19.4% — #2 target category
Social Media platforms: 12.8% — rapidly growing
E-commerce / Retail (Amazon, PayPal): 14.2%
Logistics / Shipping: 8.1%
| Target Sector | 2025 Attack Share | Key Brands Targeted | Why Targeted |
|---|---|---|---|
| Financial Services (banks, fintech) | ~23.5% — #1 | Major US banks; PayPal; Mastercard | Credentials convert directly to cash |
| SaaS / Webmail | ~19.4% — #2 | Microsoft 365; Google Workspace; Salesforce | Credentials access full enterprise ecosystems |
| Social Media | ~12.8–20.3% (Q4 peak) | Facebook; LinkedIn; Instagram | Account takeover; fraud distribution |
| E-commerce / Retail | ~14.2% | Amazon; Walmart (Q3 #1 impersonated brand) | Payment credentials; purchase fraud |
| Logistics / Shipping | ~8.1% | DHL (Q2 most-impersonated QR brand); FedEx | Fake delivery tracking widely trusted |
| Telecom / IT | 18.7% in Q4 2025 — sharp rise | Telecom providers | Phone account recovery exploitation |
| Healthcare (breach cost lens) | Not highest volume; highest cost | — | $7.42M avg breach cost (IBM 2025) |
| Government impersonation | 32,424 IC3 complaints in 2025 | IRS; SSA; FTC; law enforcement | Authority exploited for urgency |
| Most-impersonated brand for QR phishing (Q1 2025) | — | Mastercard — 14,233 QR codes | Payment credential theft |
| Most-impersonated brand for QR phishing (Q2 2025) | — | DHL — 3,543 QR codes | Delivery fraud |
| Most-impersonated brand for QR phishing (Q3 2025) | — | Walmart — supplanted DHL | Retail credential/payment theft |
Data Sources: APWG Phishing Activity Trends Reports — Q1 2025 (July 2025), Q2 2025 (September 2025), Q3 2025 (December 2025), Q4 2025 (February 2026); Crane Authentication / OpSec Security sector analysis within each APWG quarterly report; Mimecast QR code intelligence — Q1–Q3 2025 within APWG reports; Red Sift — IC3 2025 email fraud analysis (April 2026)
The most targeted sectors for phishing in 2026 follow a consistent, rational logic: criminals attack where credentials are most convertible to money. Financial services at 23.5% of all APWG-tracked phishing attacks is the largest single target category because a stolen banking login or credit card number provides immediate, direct financial access. SaaS and webmail at 19.4% — targeting Microsoft 365, Google Workspace, and Salesforce login pages — are attacked because a single corporate credential provides entry to the entire cloud ecosystem of an organization, enabling lateral movement, data theft, and BEC execution from a trusted internal account. The Q4 2025 surge of telecom/IT to 18.7% of all attacks is a newer pattern that APWG specifically flagged: attackers are increasingly exploiting phone-based account recovery mechanisms, using smishing and vishing to intercept SMS verification codes and gain control of accounts linked to both personal and corporate services. This shift correlates with the documented surge in SMS-based phishing in Q4 2025 noted in the APWG quarterly data.
The QR code phishing (quishing) data from Mimecast within the APWG quarterly reports provides granular insight into one of the fastest-growing phishing delivery mechanisms of 2025. The 635,672 unique malicious QR codes detected by Mimecast in Q2 2025 alone — and the combined 1.7 million malicious QR codes in the Q4 2024 + Q1 2025 period — represent a delivery vector that specifically circumvents traditional email link-scanning defenses, because the malicious URL is encoded in an image rather than as scannable text. Attackers rotated their most-impersonated brands aggressively — Mastercard dominated Q1 by volume, DHL surged to #1 in Q2, and Walmart became the top-impersonated brand in Q3 — demonstrating operational agility that keeps defenders scrambling to update blocklists and detection rules. The underlying “quishing surge of +400% between 2023 and 2025” (Abnormal Security) confirms that QR-based phishing has moved from experimental to mainstream within criminal playbooks.
Phishing and Data Breach Costs in the US 2026
Cost of Phishing-Related Data Breaches — IBM Cost of a Data Breach Report 2025
(Published August 2025 — covers breaches investigated through mid-2025)
GLOBAL average data breach cost (2025): $4.44M ← Down 9% from $4.88M in 2024 (first decline in 5 years)
PHISHING-specific average breach cost: $4.80M ← Above global average; #1 most common initial vector
US average data breach cost (2025): $10.22M ← Record high; UP 9% (against global trend)
Healthcare breach average cost (2025): $7.42M ← Highest of any sector globally
Average breach lifecycle (2025): 241 days ← Lowest in 9 years; AI-driven detection improving
AI advantage:
Organizations using AI security tools: $3.62M average breach cost
Organizations without AI security tools: $5.52M average breach cost
AI saves organizations: ~$1.9M per breach + 80 days faster containment
| Data Breach Cost / Phishing Metric | 2024 Figure | 2025 Figure | Source |
|---|---|---|---|
| Global average data breach cost | $4.88 million | $4.44 million (−9%) | IBM Cost of Data Breach 2025 |
| US average data breach cost | $9.36 million | $10.22 million (+9%) — record | IBM Cost of Data Breach 2025 |
| Phishing-initiated breach cost | $4.88M (all vectors avg) | $4.8 million per incident | IBM Cost of Data Breach 2025 |
| Phishing as #1 breach initial vector | — | 16% of all breaches | IBM Cost of Data Breach 2025 |
| Supply chain compromise cost | — | $4.91 million — 2nd most expensive | IBM Cost of Data Breach 2025 |
| Healthcare sector breach cost | $9.77 million | $7.42 million (still #1 sector) | IBM Cost of Data Breach 2025 |
| Healthcare breach detection + containment | — | 279 days — longest of any sector | IBM Cost of Data Breach 2025 |
| Average breach lifecycle (all sectors) | 258 days | 241 days — 9-year low | IBM Cost of Data Breach 2025 |
| AI security adopters: average breach cost | — | $3.62 million | IBM Cost of Data Breach 2025 |
| Non-AI security adopters: average breach cost | — | $5.52 million | IBM Cost of Data Breach 2025 |
| AI security advantage per breach | — | ~$1.9M savings; 80 days faster | IBM Cost of Data Breach 2025 |
| Shadow AI involvement in breaches | — | 20% of breaches | IBM Cost of Data Breach 2025 |
| AI used in breaches by attackers | — | 16% of breaches | IBM Cost of Data Breach 2025 |
| Customer PII compromised (most common data type) | — | 53% of breaches | IBM Cost of Data Breach 2025 |
| Organizations that raised prices post-breach | — | 45% | IBM Cost of Data Breach 2025 |
| Organizations investing in security only after breach | — | 49% | IBM Cost of Data Breach 2025 |
Data Sources: IBM Security Cost of a Data Breach Report 2025 (published August 2025 — research by Ponemon Institute, studying 600+ organizations globally across 17 industries; 20th annual edition); IBM press release and full report at ibm.com/reports/data-breach; Bluefin, Abnormal AI, Breachsense analysis of IBM 2025 data (August–October 2025)
The IBM Cost of a Data Breach Report 2025 delivers a nuanced but ultimately troubling picture for US organizations. The headline finding — that the global average breach cost fell 9% to $4.44 million, the first decline in five years — is real and meaningful: AI-powered detection tools are genuinely shortening breach lifecycles and reducing containment costs. But that global improvement conceals a directly opposite US-specific trend. American organizations paid a record $10.22 million per breach on average in 2025, driven by higher regulatory penalties, longer post-breach litigation, and slower average detection times compared to the global mean. The $10.22 million US figure represents a 9% increase in the same year that global costs declined 9% — a transatlantic divergence that reflects both the severity of US data breach regulations and the particularly target-rich environment American enterprises represent. Phishing as the #1 initial attack vector in 16% of IBM-studied breaches — averaging $4.8 million per phishing-initiated incident — confirms that the credential-theft gateway phishing provides is the single most consequential entry point into enterprise security architectures.
The AI advantage data in IBM’s 2025 report is among the most strategically important findings for any organization making security investment decisions in 2026. Organizations with AI security tools comprehensively integrated into their operations incurred breach costs of approximately $3.62 million per incident — versus $5.52 million for those without. That $1.9 million per-breach saving compounds across any organization’s expected annual incident frequency and represents the clearest return-on-investment figure in the entire security vendor landscape. The irony documented by IBM is sharp: AI is simultaneously the best defensive tool and a growing offensive weapon, with attackers using AI in 16% of breaches and shadow AI (unauthorized employee AI tool usage) implicated in 20% of breaches — almost all in organizations that lacked any AI governance policy. The 49% of breached organizations that only invested in security improvements after experiencing a breach — rather than proactively — is the data point that most directly explains why breach costs continue to compound year after year despite growing awareness.
AI-Powered Phishing and Emerging Threats in the US 2026
AI Phishing Adoption — From Niche to Mainstream (Hoxhunt 4M-User Network Data, 2025)
Jan–Nov 2025: AI-generated phishing = under 5% of filter-bypassing attacks
Dec 2025: AI-generated phishing SURGES to 56% of filter-bypassing attacks
↑
14× increase in weeks during Christmas holiday period
AI-enhanced phishing vs. traditional phishing effectiveness:
Traditional phishing click rate: Baseline
AI-generated phishing click rate: +60% higher (Oxford University study)
AI phishing bypasses MFA: Adversary-in-the-Middle (AiTM) attacks now routine
PhaaS — Phishing-as-a-Service platforms:
Tycoon 2FA (mid-2025): Generated ~62% of Microsoft-blocked phishing — 30M emails in one month
SpyCloud 2026 report: 28.6 million phished identity records recaptured in 2025 criminal underground
| AI Phishing / Emerging Threat Metric | Figure | Source |
|---|---|---|
| AI-generated phishing surge Dec 2025 | From 4% → 56% of filter-bypassing attacks in weeks | Hoxhunt 4M-user network (cited axis-intelligence.com) |
| 14× surge in AI phishing in 4 weeks (Dec 2025) | 14-fold increase in filter-bypassing AI phishing | Hoxhunt phishing trends data (December 2025) |
| AI-generated phishing click rate advantage | +60% higher click rate than traditional phishing | University of Oxford study (cited multiple 2025 sources) |
| AI phishing targeted click rate improvement | 4× higher than human-crafted phishing (general research) | Cited in Verizon DBIR 2025 / multiple 2025 reports |
| PhaaS platform — Tycoon 2FA (mid-2025) | ~62% of Microsoft-blocked phishing — 30M+ emails/month | SpyCloud / Deepstrike analysis 2025 |
| Phished identity records on criminal underground (2025) | 28.6 million phished identity records | SpyCloud 2026 Annual Identity Exposure Report |
| Corporate users as share of phished victims | 49% of phished records were corporate users | SpyCloud 2026 Annual Identity Exposure Report |
| Account takeover complaints to IC3 (2025) | 4,700 complaints; $359.7 million in losses | FBI IC3 2025 Annual Report — new category |
| MFA bypass via AiTM (Adversary-in-the-Middle) attacks | Documented as routine in 2025 enterprise environments | Verizon DBIR 2025; Beyond Identity analysis |
| QR code phishing growth 2023–2025 | +400% increase | Abnormal Security (cited getastra.com 2026) |
| Unique malicious QR codes Q3 2025 (Mimecast) | 716,306 — up 13% from Q2 | APWG Q3 2025 Report (December 2025) |
| Vishing / smishing surge 2025 Q1 (OpSec/APWG) | Noted increase in vishing/smishing volume | APWG Q1 2025 Report |
| 94% of cybersecurity leaders (WEF 2026 Outlook) | AI is the most significant cybersecurity force in 2026 | World Economic Forum Global Cybersecurity Outlook 2026 |
| Median time to click a phishing link | 21 seconds | Verizon DBIR 2025 |
| Training impact on phishing click rate (Verizon 2025) | No significant improvement — “click rate unaffected by training” | Verizon DBIR 2025 |
Data Sources: Hoxhunt Phishing Trends Report 2025 (cited in axis-intelligence.com Phishing Statistics 2026, April 12, 2026); SpyCloud 2026 Annual Identity Exposure Report; Anti-Phishing Working Group Q3 2025 Phishing Activity Trends Report (December 2025) — Mimecast QR data; FBI IC3 2025 Annual Report (April 2026) — account takeover category; Verizon Data Breach Investigations Report 2025; Abnormal Security — QR code phishing research 2025; World Economic Forum Global Cybersecurity Outlook 2026
The AI-powered phishing data from 2025 and 2026 represents the most consequential inflection point in the history of the phishing threat. The finding from Hoxhunt’s 4 million-user detection network — that AI-generated phishing constituted under 5% of filter-bypassing attacks for most of 2025, then surged to 56% in the space of a few weeks in December — is perhaps the single most dramatic data point in this entire article. It confirms a pattern that AI researchers and security analysts have theorized but that is now empirically documented: AI adoption in phishing operations is not gradual but step-change. Criminal groups that achieved functional AI phishing capabilities in late 2025 did not incrementally scale up — they immediately deployed at maximum volume, transforming the filter-bypass rate overnight. The University of Oxford-cited finding that AI-generated phishing emails achieve a 60% higher click rate than human-crafted phishing — combined with the Verizon DBIR 2025 finding that the median time to click a phishing link is just 21 seconds — creates an arithmetic of compromise that no static, rule-based defense can reliably interrupt.
The Phishing-as-a-Service (PhaaS) ecosystem has made this AI capability available at scale even to technically unsophisticated criminal operators. The Tycoon 2FA platform — which generated approximately 62% of all Microsoft-blocked phishing in a single month in mid-2025, representing over 30 million emails — is a turnkey service that specifically provides Adversary-in-the-Middle (AiTM) capabilities designed to bypass multifactor authentication. AiTM attacks proxy the legitimate login session in real time, capturing session cookies and one-time codes at the moment they are entered, rendering traditional SMS-based and TOTP-based MFA effectively useless against a properly executed PhaaS campaign. The Verizon DBIR 2025’s direct finding that security awareness training has no measurable effect on phishing click rates — “the failure rate was unaffected by training” — is the most uncomfortable data point in the security awareness industry, and it points inexorably toward the conclusion that technical controls, particularly behavioral AI detection and phishing-resistant FIDO2 authentication, must carry the defensive weight that training alone has consistently failed to provide.
Disclaimer: This research report is compiled from publicly available sources. While reasonable efforts have been made to ensure accuracy, no representation or warranty, express or implied, is given as to the completeness or reliability of the information. We accept no liability for any errors, omissions, losses, or damages of any kind arising from the use of this report.