Latest phishing attack trends
Phishing isn’t slowing down — it’s just changing its rhythm. Phishing attacks in 2024 have shown both fluctuations in volume and shifts in tactics. In the first quarter, 963,994 phishing attacks were recorded globally, which was the highest number recorded since late 2021.1 However, by the third quarter, attacks declined, but only slightly, reaching nearly 933,000.
Overall, in 2024, phishing attacks rose by 12% compared to the previous year due to more advanced methods and better-focused scams.2 So while phishing threats may ebb and flow, they remain a constant threat.
But have researchers noticed any changes in the attack medium? Since around the first quarter of 2024, cybercriminals have been shifting their focus to where people are most active — where they scroll and shop.
Social media platforms and popular brand websites have become prime targets, with 37.4% of all phishing attacks in Q1 aimed at users through fake brand accounts and deceptive links.3 Attackers may use fake websites with malicious links to trick you into revealing your credentials, which can later be used to steal your identity or get sold on the dark web.
Phone-based phishing scams are also on the rise. Vishing attacks increased by 28% in the third quarter of 2024, while smishing incidents rose by 22%.1 Attackers use vishing and smishing to bypass email filters and directly target victims through calls and text messages. This shift shows how phishing is evolving beyond emails, which makes these scams harder to detect and prevent.
Unfortunately, the use of AI tools also makes it harder to spot phishing emails and messages. A 2024 study into AI-powered personalized phishing attacks reveals striking findings — AI-generated phishing emails achieved a click-through rate of 54%, matching the performance of emails crafted by human experts and outperforming a control group by 350%.4
Types of most frequent phishing attacks
Phishing attacks continue to evolve and target both individuals and organizations through various channels. But which types were the most common in recent years?
Email phishing
Email remains the primary medium for phishing attempts. In 2024, 74% of organizations reported that email phishing was the most common attack method.2
Malicious emails have been taking the lead in scam attacks for a while now, and the trend shows no signs of stopping. In December 2023, approximately 9.45 million phishing emails were detected globally, up from 5.59 million in September 2023.5 These phishing emails mostly aim to steal credentials or distribute malware. In 2022, nearly 70% of phishing emails that bypassed Fortinet’s secure email gateway were actual credential phishing attempts, while 11% of those that bypassed Google’s secure email gateways contained malware.6
The Cybersecurity and Infrastructure Security Agency (CISA) in the US also noted a rise in business email compromise (BEC) scams, where attackers pose as executives or vendors to trick employees into sending money or sensitive data.7 The overall statistics for 2024 show that BEC was the most common type of attack and made up 53% of all phishing attacks.2
Additionally, according to the FBI’s Internet Crime Complaint Center, between October 2013 and December 2023, over 305,000 BEC incidents were reported, resulting in losses exceeding $55 billion globally. In the US alone, victims reported losses totaling more than $20 billion during the same period.8
Spear phishing
In 2024, spear phishing increased by 25%.2 It is a targeted type of phishing in which attackers go after specific individuals or organizations, often using personal information they've gathered to make their scams appear more legitimate and convincing. Unsurprisingly, 65% of successful phishing attacks in 2024 were attributed to spear phishing.2
Vishing
Vishing (or voice phishing) is also among the “trendiest” phishing types. It involves using phone calls or voice messages to trick people into revealing sensitive data. In 2023, nearly 70% of surveyed working adults and IT professionals reported encountering vishing attacks,10 while in 2024, the number of vishing attacks on professionals rose by 28%.2
Cybercriminals often use techniques like caller ID spoofing and, more recently, generative AI to mimic people’s voices. Attackers go as far as using AI-driven tools to impersonate company executives or government officials, tricking their victims into thinking they're speaking to someone they know and trust.
Smishing
With so many people glued to their phones all day, smishing (or SMS phishing) has become a significant threat. In 2023, smartphone users in the US faced approximately 484,500 malicious smishing attempts — more than in any other place in the world.9 In 2024, the number of reported smishing attacks rose by 18%.2
The popularity of smishing among cyber attackers boils down to the fact that busy people are easy prey — and the well-crafted texts that look trustworthy and demand instant action are an excellent lure.
Attackers often use a combination of these phishing methods in their campaigns, which is why the percentages may overlap and total more than 100%.
Most common phishing targets
Cybercriminals find ways to target all demographics and industries. Some focus on individuals, others target businesses, and many exploit well-known brands to pull off their scams.
Individuals
Phishing isn’t just a corporate concern — attackers target individuals as well. In 2023, personal phishing attacks accounted for approximately 28% of all phishing attempts. Attackers delivered most of them through malicious emails and SMS messages containing malicious links. Notably, individuals aged 25-44 are most susceptible, with 45% reporting exposure to phishing attempts.11
Businesses
Business-targeted phishing attacks saw a sharp rise, particularly in spear phishing and BEC scams, which have become more financially damaging in 2024. The FBI reports that between October 2013 and December 2023, 305,033 BEC incidents happened both domestically and internationally — threat actors impersonated executives or suppliers to deceive employees into transferring funds or revealing sensitive data, which resulted in losses totaling $55 million.12
Meanwhile, in 2024, 96% of phishing emails targeting businesses exploited trusted domains, such as SharePoint and Zoom, to gain credibility and bypass email security filters.13
Specific industries
Certain industries were disproportionately affected by phishing attacks in 2024.
- Financial institutions. 31% of all phishing attacks globally targeted financial institutions, with a 22% increase from 2023 to 2024.2
- Healthcare saw a 32% increase in phishing and social engineering-related data breaches.2
- Social media. In the third quarter of 2024, 30.5% of phishing attacks targeted social media platforms.14
- Web-based services and webmail sectors accounted for approximately 21.2% of phishing attacks during the third quarter of 2024.14
Top brands affected by phishing attacks
Phishing attacks frequently mimic communication from well-known brands to exploit people’s trust in them. According to the data gathered by Statista in the first quarter of 2024, cybercriminals commonly impersonated several major brands, including Microsoft, Adobe, DHL, and Google.15
- Microsoft. Statista found Microsoft to be the most impersonated brand in 2024. Attackers sent out approximately 68 million malicious emails impersonating the company in various phishing schemes, with Office 365 alone appearing in 20 million of them.
- Adobe. Threat actors also exploited the trust users place in popular software tools, such as Photoshop, developed by Adobe. Criminals sent out malicious emails, supposedly from Adobe, to try and gain access to users’ personal data.
- DHL. Cybercriminals frequently impersonated DHL in phishing scams related to shipment tracking or delivery issues. Attackers design these emails to convince users to click on malicious links or provide sensitive information that they could later use for identity theft.
- Google. Google was another brand heavily targeted by phishing schemes, particularly with fake login pages designed to steal user credentials. Google’s widespread use and trusted status make it a prime candidate for cybercriminals.
These well-known brands are targeted because users are more likely to trust emails that appear to come from them. Unfortunately, falling for a phishing email can have dire consequences.
The impact of phishing attacks
Phishing attacks continue to escalate and cause huge financial losses, reputational harm, and recovery expenses for individuals and organizations worldwide.
Financial losses
In 2024, global financial losses from phishing attacks were estimated at $17.4 billion, which is 45% more than in the previous year.2 The average cost of a data breach (phishing included) reached a startling $4.88 million, marking a 10% increase over last year.16
Last year, phishing accounted for 15% of all reported attacks that resulted in data breaches, with an average cost of $4.88 million per attack.17
Reputational damage
Phishing attacks not only result in financial losses but also severely damage the reputation of affected organizations. In 2023 alone, 27% of organizations reported reputational harm after phishing incidents.18 These attacks eroded customer trust and strained business relationships.
Recovery costs
Recovering from phishing attacks can be incredibly costly for businesses. In the US, the average cost per data breach, including phishing incidents, reached $9.36 million in 2024.19
The financial losses that a successful phishing attack causes a business go far beyond immediate theft — they also include legal fees, regulatory fines, system restoration costs, and remediation costs that may add up to staggering amounts.
Most prominent phishing attacks in 2024
It’s no surprise that the biggest phishing campaigns of 2024 targeted well-known organizations — after all, that’s where cybercriminals can make the most money.
1. Pepco Group attack. In February 2024, Pepco Group’s Hungarian branch lost around €15.5 million in a successful phishing attack. Fraudulent emails, crafted with advanced AI tools to mirror previous communications, deceived employees into authorizing money transfers.
2. Exploitation of Roundcube flaws. In early 2024, a phishing campaign exploited a flaw in the Roundcube webmail client to target several European governments, including Germany. The attack, believed to be carried out by Russian state-sponsored actors, used phishing emails to steal sensitive data and compromise government communications. It raised alarms about the need for stronger email security and better protection against targeted campaigns.
3. Twilio phishing attack. Twilio, a cloud communications platform, experienced a sophisticated spear phishing campaign that compromised employee credentials. Attackers used social engineering to obtain user credentials, then bypassed two-factor authentication and accessed customer data.
4. SOVA Android malware distribution via phishing. Cybercriminals spread the SOVA Android malware through phishing emails, which led to ransomware demands and locked victims' devices. This malware mainly targeted people using banking apps, putting their financial data in danger.
5. Petya ransomware resurgence. The Petya ransomware variant resurfaced in 2024 and spread via phishing emails. It encrypted entire networks and caused widespread disruptions across various industries. Affected organizations had to deal with major setbacks and high costs while trying to recover.
6. SugarGh0st RAT campaign. SugarGh0st RAT (remote access trojan) malware was distributed through malicious email attachments, which is a classic example of phishing. The emails were designed to trick recipients into downloading the attachment, which then allowed the attackers to gain unauthorized access to the systems and resulted in cyber espionage and data theft.
But what do these specific examples and, especially, the trends from 2022-2024 mean for the future?
Phishing attacks: What lies ahead in 2025
Phishing attacks are expected to evolve in 2025. Criminals are likely to use more sophisticated — AI-powered — tactics and target multiple platforms to improve the success rate of these cyber attacks.
- A rise in attack frequency. The statistics from previous years show a steady increase in phishing attack frequency. Therefore, researchers estimate that in 2025 and onwards, 83% of organizations will experience at least one phishing attack annually.2
- The use of artificial intelligence. AI-powered tools will become more integrated into phishing scams. Attackers will use AI to craft hyper-personalized emails by analyzing social media activity, which will inevitably make phishing attempts harder to detect.20
- Rise in multi-channel attacks. As predicted by CISA, phishing tactics are likely to diversify.6 Attackers are expected to use multiple channels in a single attack operation, such as email, text messages, social media, and voice calls. This multi-pronged approach lets them expand the attack surface and makes it more challenging for the targets to defend against phishing attempts.
- Targeting of specific demographics and industries. Phishing attacks will likely become more targeted and focused on specific demographics and industries. For instance, corporate executives may be targeted with sophisticated scams that exploit personal information gathered through AI analysis. Industries such as finance and healthcare, which handle sensitive data, may also experience an uptick in phishing attempts.
- Expansion of brand-impersonation scams. According to Statista’s researchers, the trend of brand impersonation will continue, with attackers creating fake websites and communications that closely mimic legitimate brands.3 This tactic aims to deceive individuals into divulging personal information or credentials, posing significant risks to both consumers and businesses.
- New phishing techniques. According to CISA, innovative phishing methods are likely to surface, utilizing advanced techniques such as AI-generated text and sophisticated social engineering tactics. These methods aim to bypass traditional security measures and exploit human vulnerabilities, making phishing attempts more difficult to identify and prevent.
How to protect yourself from phishing attacks
While the phishing statistics are alarming, they don’t have to ruin your online experience. By staying alert, you can avoid most attacks, and with the right tools, you’ll be ready to spot the sneakiest ones. Check out these tips to prevent phishing attacks and feel safer online:
- Look out for the signs of an attack. Beware of unfamiliar sender email addresses, generic greetings like “Dear customer” instead of your name, unexpected attachments, and other red flags. Most importantly, avoid clicking on suspicious links in emails or text messages and double-check website URLs to ensure they are legitimate.
- Use strong, unique passwords and enable two-factor authentication. Multiple studies highlight that multi-factor authentication (MFA) remains one of the most effective defenses against phishing, so set it up for all your accounts that allow it if you haven’t already. The more defenses the attacker has to break, the safer your private information will be.
- Use a reliable anti-phishing tool. NordVPN’s anti-phishing software catches malicious downloads, blocks phishing URLs, and even detects fake shopping sites. This AI-powered anti-phishing tool comes with our most extensive cybersecurity packages, together with a super fast VPN and a password manager.
- Update your software and security systems. Updates install the latest fixes and prevent phishing attacks from taking advantage of old systems.
- Don’t overshare online. The less information attackers have on you, the better, so keep your sensitive data offline.
- Report phishing attempts to your email provider or IT department. Reports help them track and block threats and prevent future attacks.
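The red flags named in the first tip above (a sender address that does not fit the claimed sender, a generic greeting, an attachment, a link that does not go where its text says) can be checked mechanically. The Python code below is an added example, not NordVPN's tooling or code from the original article; the `BRANDS` allowlist, the `build` helper, the sample message and the `.example` hosts are constructed assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: illustrative sender-domain allowlist for the brands this page names.
BRANDS = {"microsoft": "microsoft.com", "adobe": "adobe.com", "dhl": "dhl.com", "google": "google.com"}
GENERIC_GREETING = re.compile(r"\bdear\s+(customer|user|client|member)\b", re.I)
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def same_site(host, domain):
    return host == domain or host.endswith("." + domain)

def red_flags(msg):  # returns the list of red flags this message shows
    display, addr = parseaddr(str(msg["From"] or ""))
    sender_host = addr.rpartition("@")[2].lower()
    # Display name claims a brand, but the address is not on that brand's domain.
    flags = [f"sender-mismatch:{b}" for b, d in BRANDS.items()
             if b in display.lower() and not same_site(sender_host, d)]
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if GENERIC_GREETING.search(text):
        flags.append("generic-greeting")
    collector = LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:  # link text names one host, href goes to another
        target = (urlparse(href).hostname or "").lower()
        named = HOST_IN_TEXT.search(shown)
        if named and not same_site(target, named.group(1).lower()):
            flags.append(f"link-mismatch:{target}")
    return flags + [f"attachment:{p.get_filename()}" for p in msg.iter_attachments()]

def build(sender, html, attachment=None):  # constructed sample mail, not real traffic
    msg = EmailMessage()
    msg["From"] = sender
    msg.set_content(html, subtype="html")
    if attachment:
        msg.add_attachment("constructed", filename=attachment)
    return msg

SUSPICIOUS = build('"Microsoft Support" <help@account-verify.example>', '<p>Dear customer,</p>'
    '<a href="https://login.verify-portal.example/">login.microsoft.com</a>', "invoice.html")
print(red_flags(SUSPICIOUS))
```

Each flag is a prompt for a closer look, not a verdict: legitimate mail carries attachments too, and a message with no flags can still be malicious.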
References
1. The Anti-Phishing Working Group. (2024). Phishing Activity Trends Report, 3rd Quarter 2024. Retrieved March 10, 2025, from https://docs.apwg.org/reports/apwg_trends_report_q3_2024.pdf
2. Dey, M. and Madrekar, A. (2024). Phishing Statistics By Demographic, Healthcare, Industry and Country. Sci-Tech Today. Retrieved March 10, 2025, from https://www.sci-tech-today.com/stats/phishing-statistics/
3. Petrosyan, A. (2024). Phishing — Statistics & Facts. Statista. Retrieved March 10, 2025, from https://www.statista.com/topics/8385/phishing/#topicOverview
4. Heiding, F., Lermen, S., Kao, A., Schneier, B., & Vishwanath A. (2024). arXiv at Cornell University. Retrieved March 10, 2025, from https://arxiv.org/abs/2412.00586
5. Petrosyan, A. (2024). Global number of e-mail phishing attacks 2022-2023. Statista. Retrieved March 10, 2025, from https://www.statista.com/statistics/1493550/phishing-attacks-global-number/
6. Petrosyan, A. (2024). Percentage of phishing e-mails in 2022, by type and secure e-mail gateways (SEG). Statista. Retrieved March 10, 2025, from https://www.statista.com/statistics/1256793/phishing-email-type-seg/
7. Cybersecurity and Infrastructure Security Agency (CISA). (n.d.). Business Email Compromise. Retrieved March 10, 2025, from https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/business-email-compromise
8. Alder, S. (2024). FBI Issues Warning About BEC Attacks as Losses Increase to $55.5 Billion. The HIPAA Journal. Retrieved March 10, 2025, from https://www.hipaajournal.com/fbi-bec-warning-55-billion-lost/
9. Petrosyan, A. (2024). Global mobile phishing rate Q4 2022-Q2 2023, by region. Statista. Retrieved March 10, 2025, from https://www.statista.com/statistics/1306224/smishing-mobile-phishing-rate-worldwide-by-region/
10. Petrosyan, A. (2025). Volume of vishing attacks on global organizations 2020-2023. Statista. Retrieved March 10, 2025, from https://www.statista.com/statistics/1306269/volume-vishing-attacks-organizations/
11. Smith, G. (2024). Top Phishing Statistics for 2025: Latest Figures and Trends. StationX. Retrieved March 10, 2025, from https://www.stationx.net/phishing-statistics/
12. Weisman, S. (2024). FBI Issues Warning About The Business Email Compromise. Forbes. Retrieved March 10, 2025, from https://www.forbes.com/sites/steveweisman/2024/11/09/fbi-issues-warning-about-the-business-email-compromise/
13. Jackson, F. (2025). Darktrace: 96% of Phishing Attacks in 2024 Exploited Trusted Domains Including SharePoint & Zoom Docs. TechRepublic. Retrieved March 10, 2025, from https://www.techrepublic.com/article/darktrace-threat-report/
14. Petrosyan, A. (2024). Online industries worldwide most targeted by phishing attacks as of 3rd quarter 2024. Retrieved March 12, 2025, from https://www.statista.com/statistics/266161/websites-most-affected-by-phishing/
15. Richter, F. (2024). The Most Impersonated Brands in Email Scams. Statista. Retrieved March 10, 2025, from https://www.statista.com/chart/22528/most-impersonated-brands-in-phishing-attacks/
16. Thomson Reuters. (2024). Retrieved March 12, 2025, from https://legal.thomsonreuters.com/blog/the-cost-of-data-breaches/
17. IBM. (n.d.). Cost of a Data Breach Report 2024. Retrieved March 12, 2025, from https://www.ibm.com/reports/data-breach
18. Petrosyan, A. (2025). Consequences of successful phishing attacks on organizations worldwide in 2021 and 2023. Statista. Retrieved March 12, 2025, from https://www.statista.com/statistics/1350723/consequences-phishing-attacks/
19. Petrosyan, A. (2024). Average cost of a data breach in the United States from 2006 to 2024. Statista. Retrieved March 12, 2025, from https://www.statista.com/statistics/273575/us-average-cost-incurred-by-a-data-breach/
20. Kato, B. (2025). Gmail, Outlook and Apple users urged to watch out for this new email scam: Cybersecurity experts sound alarm. New York Post. Retrieved March 12, 2025, from https://nypost.com/2025/01/04/tech/gmail-outlook-and-apple-users-urged-to-watch-out-for-this-new-email-scam-cybersecurity-experts-sound-alarm/