
Picture this: You’re sipping your morning coffee, scrolling through emails, when you notice an urgent message from your bank. They need you to verify your account details immediately due to some “suspicious” activity.
The email looks legitimate, with the right logo and formatting. But something feels off. The email is forcing you to immediately verify your banking user credentials to ensure your safety, but you don’t recall any suspicious activity taking place.
Thankfully, you call the bank in time to verify, and that’s when it hits you hard: the bank denies sending any such email! Moreover, there was never any suspicious activity in the first place. Your account was never compromised.
What just happened is something that happens to millions of people on a daily basis, who unfortunately get duped out of millions of dollars.
This is called phishing. Despite digital literacy, it plays on people’s fears to get them to share sensitive information with cybercriminals posing as legitimate companies. In this detailed guide, we are going to study some eye-opening statistics on this criminal technique and understand some ways to protect ourselves. Let’s get started.
The Digital Predator That Never Sleeps
Behind every email notification and message alert potentially lurks a predator waiting to exploit our trust. Updated with 2025’s latest figures, this guide will examine the latest phishing statistics and emerging trends that define today’s landscape, offering practical advice to help you stay safe from such predators.
Imagine having ALL the time in the world only to improve the methods of stealing millions and millions from hard-working individuals and corporations. What would be the result?
IBM’s Cost of a Data Breach Report 2024 states that each successful phishing attempt costs an average of $4.48 million in financial losses.
Phishing By the Numbers: A Growing Digital Epidemic
Even with stringent cybersecurity safety measures, phishing emails continue to land in inboxes, shattering previous records and creating havoc.
- Cybercriminals send approximately 4.5 billion deceptive emails daily. From 2024 figures, this is a staggering 32% increase.
- Approximately 2% of all email traffic worldwide now consists of phishing attempts.
- 32% of all successful data breaches start off with phishing emails.
- 93% of businesses reported at least one phishing incident targeting their employees in the past year.
- The Anti-Phishing Working Group’s latest quarterly report documented over 1.8 million distinct phishing campaigns in Q4 2024 alone.
Annually Documented Phishing Attempts
The following graph shows the dramatic rise in documented phishing campaigns from 2019 through 2024. We can make several key observations:
- Steep upward trajectory: Successful phishing attempts have kept an upward trajectory.
- Acceleration in volume: Between 2019 and 2021, we see phishing campaigns skyrocket by almost 4 times from 780,000 to 2.9 million over just two years.
- Continued growth: The period from 2021 to 2023 shows another sharp rise, with volumes approximately doubling from 2.9 million to 5.7 million.
- Recent trend: The most recent period (2023-2024) shows continued growth but at a somewhat slower rate, suggesting possible maturation of the threat landscape or increased effectiveness of defensive measures.
Nevertheless, even if the rate of growth slowed down between 2023 and 2024, the actual number of documented attempts has continued to rise, and work still needs to be done to mitigate risks and manage financial losses.

The Human Element: Click Rates and Vulnerability
Despite growing awareness, human error continues to represent the weakest link in security architecture. There could be a multitude of reasons to fall for phishing emails:
- Lack of time.
- Getting overwhelmed by receiving too many emails.
- Emails appearing to come from a genuine sender.
- Nothing suspicious in the emails.
So Why Do Humans Keep Falling for it?
Remember the early days of the Nigerian prince scam? You might think, “Who in their right mind would even fall for it in 2025?”
Well, guess what? Each year, the Nigerian prince scam costs Americans anywhere between $700,000 and $1 million!
But with specific phishing scams, hackers have always remained one step ahead by making their emails look as genuine as those originating from a legitimate company. Take a look at this email. To an average internet user, this looks like a legitimate email originating from Netflix.

Did you find anything concerning? iTunes was off, plus the email never addressed the recipient with their full name.
6. In 2023, 10.4 percent of employees worldwide clicked on malicious links, and over 60 percent of those who clicked submitted a password on malicious websites.
But what comes as no surprise is the fact that employees of small and medium businesses are more likely to click on malicious links than those working at large organizations.
7. The average clickthrough rate for a phishing email in 2025 is nearly 20% (although exact figures could be between 17.68% and 19.5%).
Precision Targeting: The Rise of Spear Phishing and Whaling
More concerning, however, is the effectiveness of targeted approaches known as Whaling and Spear Phishing.
8. Spear phishing campaigns (highly personalized attacks aimed at specific individuals) have a nearly 60% success rate.
Imagine receiving an email from your bank addressing you by your full name and including verifiable transaction details. There is a high chance that you may fall victim to it.
Even though spear phishing accounts for less than 0.5% of all phishing attempts, it is responsible for 70% of successful breaches. This highlights the immense impact of a highly targeted and personalized approach.
9. Nearly 65% of large organizations reported experiencing targeted spear phishing in 2024, receiving an average of seven carefully crafted deceptive messages daily.
Even more concerning, senior executives face increasingly sophisticated “whaling” attacks. These are impersonation attempts designed to exploit their authority.
10. Impersonation attacks increased by nearly 50% between early 2024 and the first quarter of 2025.
In these attacks, also known as BEC (Business Email Compromise), hackers impersonate senior executives, CEOs, CFOs and other top management professionals to infiltrate company networks, steal data, and authorize fund transfers.
Brand Exploitation and Psychological Triggers
Cybercriminals continue to leverage established brand trust to enhance the credibility of their deceptive practices.
11. Nearly 60% of phishing attempts now impersonate recognized brands, with Microsoft, LinkedIn, and Google emerging as the most frequently exploited entities.
Phishing emails incorporate urgency-inducing language, with subject lines and message content built around terms like:
- “Urgent action required”
- “Security alert”
- “Account verification needed”
- “Payment processing error”
- “Unusual login detected”
- “Suspicious activity detected”
- “Unpaid Invoice”
- “Urgent verification required”
- “Take action now”
- “Reset password now”
These triggers exploit fundamental human psychology (fear, urgency, and authority) to push people into impulsive actions.
The AI Revolution in Phishing
But nothing is more concerning than the increasing use of Artificial Intelligence in scraping data, composing emails and mass targeting individuals and corporations.
12. There is a 341% increase in phishing campaigns exhibiting advanced linguistic sophistication, thanks to powerful large language models making it easier than ever for amateur hackers to steal victims’ hard-earned funds.
Gone are the days of text full of grammatical errors.
Today’s AI-enhanced phishing attempts feature grammatically perfect text, contextually appropriate references, and highly convincing impersonation of recognized brands and individuals. This evolution is keeping hackers one step ahead of everyone else.
If a layman can use ChatGPT, Gemini and other commonly available LLMs to generate images and text, imagine what hackers can do with such technology!
A new emerging trend – Scamming the travelers
The year 2025 has brought with it new trends in phishing, which prove that cybercriminals will stop at nothing in perfecting their tricks and coming up with ways never seen before. The following screenshot is of a phishing website that shows a collaboration of Booking.com and Airbnb. To an unsuspecting traveler, this would most likely look like a genuine collaboration.
But that’s not it. Scammers built a fully functional booking website with all the bells and whistles to make it as convincing as possible to the end users. Then, they would ask for the credit card details and “block” some funds for “verification purposes.”
Key Takeaways
As one of the most profitable crimes, there is no doubt that phishing remains a highly successful hacking technique despite governments introducing digital literacy programs to combat this heinous crime.
Even with top notch anti-spam and threat intelligence tools, human beings will likely click on malicious links and inadvertently share sensitive information.
This is why it is critical for employees to stay cautious, practice cyber hygiene rules, and never share any type of financial or sensitive information on the company’s behalf without first consulting experts in the field.
Cross verification and looking for the obvious signs are the two most important ways that companies can avoid becoming a victim of a phishing attack.
Nearly 95% of all phishing attacks are driven by financial motives.
Something off in the email address’s domain or the sender’s name, or grammatical and spelling errors, should be enough to signal a probable phishing attempt. In addition, emails with words that trigger urgency, such as payment clearing, invoice, verification, update passwords, etc., are also highly likely to be phishing attempts.
Hackers use domain name permutation engines to generate realistic domains to impersonate real brands. They also use Gmail and recognized email brands to stage attacks, including Google Workspace. There are spam tools designed specifically for staging attacks. Last but not least, Google Gemini, ChatGPT, Microsoft Copilot and other Gen AI tools are widely used for phishing attacks.
If in doubt, cut it out! That means always deleting such emails or, if the email looks genuine, confirming by calling the sender and verifying.
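The warning signs described above (urgency wording, the sender's name, and a sender domain that imitates a brand through a permuted spelling) can be checked mechanically by a mail filter. The sketch below is an added example, not part of the original article; the brand domains, the character-swap table and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
# Urgency phrases from the list on this page, lower-cased.
URGENCY = ("urgent action required", "security alert", "account verification needed",
           "payment processing error", "unusual login detected", "suspicious activity detected",
           "unpaid invoice", "urgent verification required", "take action now", "reset password now")
# Brands the page names as most impersonated; these domains are assumed for the example.
BRANDS = {"microsoft": "microsoft.com", "linkedin": "linkedin.com", "google": "google.com"}
SWAPS = str.maketrans("0135", "oles")  # digit-for-letter swaps (assumed, not exhaustive)

def edit_distance(a, b):  # Levenshtein distance, computed one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_brand_domain(domain, legit):  # the brand's own domain or a subdomain of it
    return domain == legit or domain.endswith("." + legit)

def imitated_brand(domain):  # brand a sender domain imitates; None if genuine or unrelated
    domain = domain.lower()
    if any(is_brand_domain(domain, d) for d in BRANDS.values()):
        return None
    norm = domain.translate(SWAPS).replace("rn", "m")  # undo swaps such as 0 for o, rn for m
    base = ".".join(norm.split(".")[-2:])               # last two labels, for typo comparison
    return next((n for n, d in BRANDS.items() if n in norm or edit_distance(base, d) <= 2), None)

def analyze(raw):  # findings for one raw single-part message
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + "\n" + str(msg.get_payload())).lower()
    findings = [f"urgency:{p}" for p in URGENCY if p in text]
    if brand := imitated_brand(domain):
        findings.append(f"lookalike-domain:{domain}~{brand}")
    findings += [f"display-name-mismatch:{n}" for n, d in BRANDS.items()
                 if n in display.lower() and not is_brand_domain(domain, d)]
    return findings

# Constructed sample message, not a real phishing email.
SAMPLE = ('From: "Microsoft Account Team" <security@micros0ft-login.example>\n'
          "Subject: Urgent action required\n\n"
          "Unusual login detected. Reset password now to keep your account.\n")
print(analyze(SAMPLE))
```

A filter like this only raises candidates for review: a short edit distance also matches unrelated legitimate domains, so findings should feed a score or a quarantine queue rather than an automatic delete.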
With a 17%+ success rate of phishing emails, it remains one of the most lucrative methods of stealing funds in 2025.