Phishing has been around for decades. Yet today, it’s stronger than ever. Despite better technology, smarter users, and years of warnings, people still click. Companies still get breached. Money still gets stolen. Why?

1. 91% of all cyberattacks start with a phishing email

This stat is both shocking and telling. It means that roughly nine in ten attacks begin with someone acting on a fraudulent email.

Think about that. Not with a complex hack, not with brute-force attacks—but with a simple email that tricks someone.

Attackers use phishing because it works. It’s the easiest way in. They don’t need to break through firewalls when they can just trick a person into giving them access.

Phishing emails can lead to ransomware attacks, data breaches, and even full takeovers of a company’s network.

Actionable Tip: Train every employee, leadership included, to spot suspicious emails. Focus on behavior change, not just an annual course, and run phishing simulations regularly. Also enable multi-factor authentication everywhere it is available.

MFA raises the bar: a stolen password alone no longer gets the attacker in. It is not a full stop, though. Phishing kits that proxy the real login page can relay one-time codes and session cookies in real time, and push-notification MFA can be worn down with repeated prompts. Prefer phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the real site's origin, and treat any MFA prompt the user did not initiate as something to report.

2. 36% of data breaches involve phishing

More than a third of all data breaches come from phishing. That’s not small. It means your company’s sensitive data—customer records, trade secrets, financial data—can be exposed just because one person got tricked.

Phishing doesn’t just target IT teams or executives. Everyone is a target. A single HR employee clicking on a fake resume can be the start of a major breach. And once attackers get in, they often move laterally across networks, looking for more valuable data.

Actionable Tip: Use email filters and threat detection software, but also have a response plan. If someone reports a phishing attempt or admits to clicking, your IT team should be able to act within minutes: pull the same message from every other mailbox, reset the credentials, revoke active sessions and tokens, and check the account for new inbox rules. The faster you respond, the less damage the attacker can do.

3. 1 in every 99 emails is a phishing attack

Think of how many emails you get in a day. Now imagine that 1 out of every 99 is a phishing attempt. That’s a lot of fake messages trying to trick you.

Phishing emails don’t always look fake. Some are well-crafted, clean, and look like they came from your boss or a service you use every day. Attackers take time to make these emails believable.

Actionable Tip: Educate your team on red flags like strange links, urgent requests, or unknown senders. Encourage a culture where people feel safe reporting “weird” emails, even if they’re not sure.

4. 85% of organizations have experienced a phishing attack

This number is too high to ignore. Most businesses—large and small—have already faced phishing. If you haven’t yet, it’s likely only a matter of time.

Some businesses believe they’re too small to be targeted. That’s a myth. In fact, smaller companies may be targeted more because attackers think they have weaker defenses.

Actionable Tip: Create an incident response plan specifically for phishing. This should include who to notify, what to shut down, and how to recover quickly. Don’t wait until after an attack to make a plan.

5. 74% of phishing attacks are targeted at individuals in organizations

Attackers often don’t go for the company directly—they go for the people inside it. And not just CEOs or IT staff. Anyone with access to company systems is a target.

This is because humans are the weakest link. Attackers use names, titles, or even recent events to make their emails feel relevant and trustworthy. This is known as social engineering.

Actionable Tip: Use role-based training. Teach different departments what kinds of phishing attacks they’re most likely to see. For example, finance teams often get fake invoice emails. HR teams get fake resumes. Tailor your training for more impact.

6. 30% of phishing emails are opened by recipients

Nearly a third of phishing emails get opened. That means curiosity, urgency, or just being in a rush causes people to click and read these dangerous messages.

Attackers often create urgency in their messages. “Your account is about to be closed,” or “You missed a delivery.” These push people to act fast, without thinking.

Actionable Tip: Encourage a pause-and-check mindset. Ask employees to take a second look before clicking. Even adding a banner on external emails saying “This email came from outside your company” can slow things down just enough.

7. 12% of users click on malicious links in phishing emails

Roughly one in eight people click. That might not sound like much, but in a company of 500, that's 60 potential entry points for attackers.

Clicking a malicious link can download malware, steal credentials, or redirect to fake websites. Once that happens, it’s hard to stop the damage.

Actionable Tip: Block known malicious URLs at the firewall, secure web gateway, or DNS level, and keep browsers current with security patches. Disable automatic link previews in mail and chat clients, since a preview fetches attacker-controlled content before anyone has decided to click.

8. 60% of those who clicked went on to provide sensitive information

This is where things go from bad to worse. It’s not just clicking a link. Over half of those who click also give up passwords, IDs, or payment information.

Attackers are good at faking login pages. They may mimic Office 365, Gmail, or your company portal. Once you enter your info, they have access.

Actionable Tip: Never trust a login page reached from an email. Train users to go directly to known URLs instead of clicking, and keep browser bookmarks for important sites. A password manager adds a cheap check here: it only autofills credentials on the exact domain it saved them for, so a "login page" where the manager offers nothing is itself a warning sign.

9. Business email compromise (BEC) caused $2.4 billion in losses in a single year

BEC is a specific kind of phishing. It’s when someone impersonates a company executive or vendor to request money or sensitive data. It’s low-tech but high-reward.

These scams don’t usually have links or attachments. They rely on tricking people through conversation and authority.

Actionable Tip: Set up internal controls. Verify every money transfer request through a second channel, such as a phone call to a number already on file, never one supplied in the email itself. Treat any request to change a vendor's bank account details as high risk and require a second approver.

10. Phishing attacks increased by 150% in the past five years

Phishing isn’t going away. It’s growing fast. More attackers, more tools, and better techniques have made it easier than ever to run large-scale phishing campaigns.

Attackers can now buy phishing kits online. These come with templates, fake login pages, and even instructions.

Actionable Tip: Don’t treat phishing as a one-time threat. Review your email security, policies, and training quarterly. Make this part of your ongoing risk management.

11. Credential phishing accounts for 67% of phishing attempts

Most phishing emails aren’t trying to install malware or steal money right away. They’re trying to get login credentials. Why? Because usernames and passwords are keys to the kingdom.

Once attackers have credentials, they can log in just like you. Nothing obviously breaks. They look like a normal user, which buys them time to explore, steal data, or plant malware quietly.

Actionable Tip: Limit how much access each user has, so that a compromised account can only reach what that person's job requires. Also, use tools that detect unusual logins: a sign-in from a country where your team doesn't operate, two logins too far apart to be the same person, or a success right after a burst of failures.
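As an added example (not code from the article), here is the kind of sign-in review the tip describes, written in Python against a constructed, simplified CSV sign-in export. The country allow-list, the 900 km/h travel threshold and the country centroids are assumptions chosen for the illustration; a real deployment would geolocate the source IP and take the allow-list from where staff actually work.

```python
"""Flag suspicious sign-ins in an exported sign-in log.

This is an added example, not code from the original article. The log is a
constructed, simplified CSV (timestamp,user,src_ip,country,result) standing in
for an identity provider's sign-in export, ALLOWED_COUNTRIES is a hypothetical
company policy, and the country centroids are rough stand-ins for a GeoIP lookup.
"""
import csv
import io
import math
from datetime import datetime

ALLOWED_COUNTRIES = {"US", "CA", "GB"}   # where staff actually work (hypothetical)
MAX_PLAUSIBLE_KMH = 900                   # faster than an airliner = impossible travel
MIN_FAILURES_BEFORE_SUCCESS = 2           # failures then success = possible guessing

# Approximate country centroids (lat, lon); a real tool would geolocate the IP.
COUNTRY_CENTROID = {
    "US": (39.8, -98.6), "CA": (56.1, -106.3), "GB": (54.0, -2.5),
    "NG": (9.1, 8.7), "RU": (61.5, 105.3),
}

# Constructed sample: alice logs in from the US, then "from Nigeria" 25 minutes
# later; bob succeeds after two failures; carol's foreign attempt fails.
SAMPLE_LOG = """\
timestamp,user,src_ip,country,result
2024-05-01T08:02:11Z,alice@example.com,203.0.113.10,US,success
2024-05-01T08:40:55Z,alice@example.com,203.0.113.10,US,success
2024-05-01T09:05:30Z,alice@example.com,198.51.100.77,NG,success
2024-05-01T09:06:02Z,bob@example.com,192.0.2.5,GB,failure
2024-05-01T09:06:14Z,bob@example.com,192.0.2.5,GB,failure
2024-05-01T09:07:01Z,bob@example.com,192.0.2.5,GB,success
2024-05-01T12:00:00Z,carol@example.com,198.51.100.9,RU,failure
"""


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_log(text):
    """Parse the CSV export and return rows sorted by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(rows, key=lambda r: r["ts"])


def find_suspicious_signins(text, allowed=ALLOWED_COUNTRIES, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return a list of (user, reason) findings, in log order."""
    findings = []
    last_success = {}   # user -> their most recent successful sign-in row
    failures = {}       # user -> failed attempts since their last success
    for r in parse_log(text):
        user, country = r["user"], r["country"]
        if r["result"] != "success":
            failures[user] = failures.get(user, 0) + 1
            continue
        # Signal 1: success from a country where the company has nobody.
        if country not in allowed:
            findings.append((user, f"success from unexpected country {country} ({r['src_ip']})"))
        # Signal 2: two successes too far apart to have been the same person.
        prev = last_success.get(user)
        if prev and prev["country"] != country:
            hours = (r["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(COUNTRY_CENTROID[prev["country"]], COUNTRY_CENTROID[country])
            if hours > 0 and km / hours > max_kmh:
                findings.append((user, f"impossible travel {prev['country']}->{country}: "
                                       f"{km:.0f} km in {hours:.2f} h"))
        # Signal 3: a success right after a run of failures (guessing or stuffing).
        if failures.get(user, 0) >= MIN_FAILURES_BEFORE_SUCCESS:
            findings.append((user, f"success after {failures[user]} failed attempts"))
        failures[user] = 0
        last_success[user] = r
    return findings


if __name__ == "__main__":
    for user, reason in find_suspicious_signins(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

Running it on the sample produces three findings: two for alice (the unexpected country and the impossible travel) and one for bob (success after two failures). Each signal on its own produces noise from travelling staff and typos, so in practice you would alert on the combination, or on any of them against a high-value account.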

12. 57% of organizations cite phishing as their top cybersecurity threat

Over half of companies say phishing is their biggest concern. Not malware. Not ransomware. Not insider threats. Phishing takes the top spot.

This makes sense when you consider how often people fall for phishing, and how much damage it can cause. Whether it’s money, data, or access—phishing is the front door for many threats.

Actionable Tip: Make phishing part of your executive risk discussions. Budget for phishing simulations, security awareness tools, and stronger email gateways. Your board and leadership should understand this risk clearly.

13. 76% of ransomware is delivered via phishing

Ransomware often starts with a simple email. One click, and malware gets downloaded. It encrypts your data, locks your systems, and demands payment. That’s how dangerous phishing can be.

Attackers use Word docs, PDFs, and even image files that seem harmless. Once opened, the malware begins its work.

Actionable Tip: Keep macros blocked by default in Microsoft Office. Current versions already block macros in files that came from the internet, so the job is to make sure nobody can switch that protection off. Detonate unknown attachments in a sandbox. And back up your data daily, offline and offsite, and test that you can actually restore from those backups, so you're not at the mercy of ransomware.

14. 43% of employees admit they have made mistakes that caused cybersecurity incidents

Almost half of employees know they’ve made mistakes that led to security problems. Whether it was clicking a link, downloading a file, or sharing credentials—they’ve felt the regret.

The good news is that awareness is growing. But knowing isn’t always enough. People still make mistakes under pressure, stress, or distraction.

Actionable Tip: Foster a blame-free reporting culture. Encourage employees to speak up if they click something wrong. The faster your IT team knows, the faster they can stop the spread.

15. The average cost of a phishing attack is $4.91 million

This isn’t just about a few thousand dollars. Phishing attacks can cost millions. Between lost data, legal fees, downtime, and reputation damage—it adds up fast.

Small companies aren’t safe either. They may not lose millions, but the impact can still be devastating.

Actionable Tip: Invest in layered security—email filters, antivirus, employee training, and strong authentication. Prevention costs less than recovery. Always.

16. 90% of phishing attacks use social engineering techniques

Phishing is all about manipulating people. Attackers pretend to be someone you trust. They use urgent messages, fake familiarity, or fear to push you into clicking.

It’s not always about bad grammar or obvious mistakes. Some phishing emails are written better than internal ones.

Actionable Tip: Teach your team about manipulation tactics. Help them recognize when something feels “off,” even if it looks polished. The gut feeling of “this seems weird” should never be ignored.

17. Only 3% of targeted users report phishing emails to IT

This is a big problem. Most people either ignore phishing emails or delete them quietly. Only a tiny percent report them.

That means IT may not know an attack is happening. And if one person clicked, others probably got the same email.

Actionable Tip: Make reporting easy. Use a one-click “report phishing” button in your email client. Also, recognize and reward employees who report threats—it builds a stronger security culture.

18. 25% of phishing emails bypass default security defenses

Even with filters in place, one out of every four phishing emails still makes it through. Attackers constantly test their emails to slip past defenses.

They use clean links that redirect later. They change file names and types. They use known services like Dropbox or Google Docs to hide.

Actionable Tip: Use advanced email threat protection with real-time scanning, link rewriting, and machine-learning classification. Review your filter rules and the messages that slipped through on a regular schedule, and tune them based on what you're actually seeing.

19. 70% of phishing sites use HTTPS to appear legitimate

For years, we’ve told users to “look for the padlock.” Now, attackers use HTTPS too. It doesn’t mean a site is safe—it just means the traffic is encrypted.

Fake banking sites, login pages, and even internal portals now use HTTPS to look real. The padlock only says the connection is encrypted, not who is on the other end of it.

Actionable Tip: Train employees not to rely on the padlock. Teach them to check URLs carefully and look for subtle misspellings or strange domains. Bookmark trusted sites and always navigate directly.
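To make "check URLs carefully" concrete, here is an added example (not from the article) of the checks a mail gateway or browser extension could automate before a user trusts a link: a brand name hidden in a subdomain or in the user-info part before an "@", homoglyph swaps like micros0ft, one-character typos, and brand names padded with extra words. The trusted-domain list and the homoglyph table are assumptions, and the registrable-domain logic is a deliberate simplification.

```python
"""Check a URL for the lookalike-domain tricks phishing pages use.

This is an added example, not from the original article. TRUSTED_DOMAINS is a
hypothetical allow-list, HOMOGLYPHS is a short starter table, and the
registrable-domain logic keeps only the last two labels, a deliberate
simplification that mishandles suffixes like co.uk (use a public-suffix list
in production).
"""
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"microsoft.com", "office.com", "example.com"}

# Sequences attackers swap in because they look alike in many fonts.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(label):
    """Map common look-alike characters back to what the eye reads."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance (substitutions, insertions, deletions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of the host (simplified registrable domain)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_url(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason); verdict is 'trusted', 'suspicious' or 'unknown'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "unknown", "no host in URL"
    # Trick 1: https://microsoft.com@evil.example puts the brand in the userinfo part.
    if parsed.username is not None:
        return "suspicious", f"'@' in URL; the real host is {host}, not {parsed.username}"
    reg = registrable(host)
    if reg in trusted:
        return "trusted", f"registrable domain {reg} is on the allow-list"
    # Trick 2: trusted name used as a subdomain of an attacker-controlled domain.
    for t in trusted:
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return "suspicious", f"{t} appears as a subdomain of {reg}"
    # Trick 3: homoglyphs (micros0ft, rnicrosoft) and one-character typos (microsft).
    reg_norm = normalize(reg)
    for t in trusted:
        if reg_norm == t:
            return "suspicious", f"{reg} reads as {t} after homoglyph normalization"
        if edit_distance(reg_norm.split(".")[0], t.split(".")[0]) <= 1:
            return "suspicious", f"{reg} is one edit away from {t}"
    # Trick 4: brand name padded with extra words (microsoft-login.com).
    first = reg.split(".")[0]
    for t in trusted:
        brand = t.split(".")[0]
        if brand in first and first != brand:
            return "suspicious", f"{reg} embeds the brand name '{brand}'"
    return "unknown", f"{reg} is not on the allow-list and shows no lookalike pattern"


if __name__ == "__main__":
    for u in ["https://login.microsoft.com/", "https://microsoft.com.login-verify.example/",
              "https://micros0ft.com/login", "https://microsoft.com@evil.example/"]:
        print(u, "->", *check_url(u))
```

Note the ordering: the "@" check runs before anything else because the brand name in the user-info part would otherwise never be compared against the real host, and the allow-list check runs before the subdomain check so that legitimate hosts like login.microsoft.com are not flagged. The "unknown" verdict is deliberate: a domain that is merely unfamiliar is not evidence of phishing, and treating it as such trains users to ignore the warnings.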

20. 58% of phishing attacks involve brand impersonation

Attackers love to impersonate big names—banks, software companies, or internal tools like Microsoft, Zoom, or Adobe. When people see a familiar logo, they’re more likely to trust the message.

Brand impersonation works because it lowers suspicion. People see a message from “Netflix” or “Google” and act quickly, thinking it’s legit.

Actionable Tip: Alert employees about popular impersonation campaigns. Send updates when major phishing scams are trending, and explain how to recognize them. Keep people one step ahead.

21. Microsoft is the most impersonated brand in phishing attacks

Microsoft is everywhere. Outlook, OneDrive, Teams, and Office 365 are standard in most workplaces. That makes Microsoft the top choice for attackers trying to steal logins.

Fake “reset your password” emails or “unusual sign-in attempt” alerts are common phishing lures. These mimic Microsoft’s real alerts closely.

Actionable Tip: Set the expectation that password resets and account alerts are handled through channels users already know: the company portal, or a direct visit to the Microsoft sign-in page, never a link in an email. Make it policy that IT will never ask for a password by email or chat, so any such request is a phishing attempt by definition.

22. Mobile phishing has increased by over 160% in recent years

Phones make phishing easier in several ways. Small screens truncate URLs, so the real domain is hidden. Users are often distracted and in a hurry. And messaging apps open links with little context about where they lead.

As mobile use increases, so do mobile-based phishing attacks—especially via SMS or social apps like WhatsApp.

Actionable Tip: Encourage employees to avoid clicking links in texts or messaging apps unless they’re verified. Use mobile threat detection tools on company devices and restrict access to sensitive systems from mobile when possible.

23. 48% of phishing emails pretend to be work-related documents

“Here’s your invoice.” “Please review this contract.” These phrases appear in nearly half of phishing emails. They’re believable, common, and create urgency.

Attackers often attach a document that looks real but contains hidden malware or asks for login details.

Actionable Tip: Train employees to confirm unexpected attachments with the sender directly. Never open a document unless you were expecting it—and even then, double-check the sender’s address carefully.

24. Spear-phishing emails are 7 times more effective than regular phishing

Spear-phishing is when attackers craft emails specifically for one person or department. It might include your name, your boss’s name, or even recent projects.

Because they’re so targeted, these emails are much more convincing—and much more dangerous.

Actionable Tip: Apply “least privilege” access policies so a single compromised account does limited damage. Also, monitor executive and finance accounts closely for unusual activity, especially new inbox rules that forward mail outside the company or quietly delete messages.
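The inbox-rule check in the tip is easy to automate. As an added example (not from the article), this Python audit runs over a constructed JSON export of mailbox rules, modelled loosely on the fields an Exchange-style inbox rule exposes, and flags rules that forward or redirect mail outside the company domain, rules that delete or bury messages about invoices, payments or security alerts, and rules whose names are only punctuation, a common way of making them easy to overlook. The company domain, keyword list and folder list are assumptions.

```python
"""Audit mailbox inbox rules for the patterns attackers leave behind after an
account takeover: forwarding to outside addresses, and rules that hide mail
about invoices, payments or security alerts.

This is an added example, not from the original article. The rule export is a
constructed JSON list with fields modelled loosely on an Exchange-style inbox
rule; example.com is the hypothetical company domain and the keyword and
folder lists are starting points, not a standard.
"""
import json

COMPANY_DOMAIN = "example.com"
BEC_KEYWORDS = {"invoice", "payment", "wire", "bank", "password", "mfa", "security alert"}
# Folders attackers use as a dumping ground because nobody looks in them.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "junk email", "deleted items", "archive"}

# Constructed export: two tampered mailboxes, one clean, one disabled leftover.
SAMPLE_RULES_JSON = json.dumps([
    {"mailbox": "cfo@example.com", "name": "..", "enabled": True,
     "forward_to": ["ops-backup@gmail.example"], "redirect_to": [],
     "delete_message": False, "move_to_folder": None, "subject_contains": []},
    {"mailbox": "cfo@example.com", "name": "cleanup", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete_message": True,
     "move_to_folder": None, "subject_contains": ["Invoice", "wire"]},
    {"mailbox": "ap-clerk@example.com", "name": "vendor", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete_message": False,
     "move_to_folder": "RSS Feeds", "subject_contains": ["payment"]},
    {"mailbox": "alice@example.com", "name": "Team updates", "enabled": True,
     "forward_to": ["alice.backup@example.com"], "redirect_to": [],
     "delete_message": False, "move_to_folder": "Team", "subject_contains": ["weekly"]},
    {"mailbox": "bob@example.com", "name": "old", "enabled": False,
     "forward_to": [], "redirect_to": ["bob@outlook.example"],
     "delete_message": False, "move_to_folder": None, "subject_contains": []},
])


def is_external(address, domain=COMPANY_DOMAIN):
    """True when the address is outside the company's own domain."""
    return "@" in address and address.rsplit("@", 1)[1].lower() != domain


def audit_rules(rules_json, domain=COMPANY_DOMAIN):
    """Return (mailbox, rule_name, reason) findings. Disabled rules are still
    reported, because attackers sometimes switch a rule off after using it."""
    findings = []
    for rule in json.loads(rules_json):
        mbox, name = rule["mailbox"], rule["name"]
        tag = "" if rule.get("enabled", True) else "(disabled) "
        # Signal 1: mail leaving the company via forward or redirect.
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        external = [t for t in targets if is_external(t, domain)]
        if external:
            findings.append((mbox, name, f"{tag}forwards or redirects to external {external}"))
        # Signal 2: BEC-themed mail deleted or buried where the owner won't see it.
        hits = {k.lower() for k in rule.get("subject_contains", [])} & BEC_KEYWORDS
        folder = (rule.get("move_to_folder") or "").lower()
        if hits and (rule.get("delete_message") or folder in HIDE_FOLDERS):
            findings.append((mbox, name, f"{tag}hides messages matching {sorted(hits)}"))
        # Signal 3: a name chosen to be invisible in the rule list.
        if not name.strip(".,;:-_ "):
            findings.append((mbox, name, f"{tag}rule name is blank or punctuation only"))
    return findings


if __name__ == "__main__":
    for mbox, name, reason in audit_rules(SAMPLE_RULES_JSON):
        print(f"{mbox} [{name!r}]: {reason}")
```

On the sample this yields five findings: three against the CFO mailbox (an external forward, a punctuation-only rule name, and a rule deleting invoice and wire mail), one for the clerk whose payment mail is routed to RSS Feeds, and one for the disabled but still external redirect. Alice's rule, an internal forward of routine mail, is left alone. Run something like this on a schedule and on every credential-reset ticket, since a forwarding rule is the most common thing an attacker leaves behind.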

25. 34% of phishing victims are repeat victims

People who fall for phishing once are more likely to fall again. This could be due to lack of training, overconfidence, or simply being too trusting.

Some attackers even target previous victims again, assuming they’re easier to fool.

Actionable Tip: Provide extra coaching to those who have clicked in the past. Don’t shame them—support them with one-on-one sessions, reminders, and custom training paths.

26. 59% of users cannot identify a phishing email accurately

Even with all the awareness efforts, most people still struggle to spot phishing emails. Some look too real. Others are too subtle. And many users just don’t know what to look for.

The truth is, email is a risky tool if not used wisely.

Actionable Tip: Send monthly internal phishing tests with real examples. After each test, explain what to look for and how to do better. Learning through experience works better than long courses.

27. Training reduces phishing susceptibility by up to 70%

The best news? Training works. Regular, relevant, and engaging training can cut down phishing risk by more than half.

But it has to be more than a boring webinar once a year. It needs to be consistent, varied, and built into your culture.

Actionable Tip: Use micro-learning videos, gamified quizzes, and phishing simulations to reinforce learning. Rotate topics monthly and update content to reflect new tactics attackers use.

28. 1 in 3 phishing emails evade anti-phishing filters

Email filters are great—but they’re not perfect. A third of phishing emails sneak through, using tricks like image-only text, redirects, or clean URLs that later change.

This is why human detection is still so important. Technology alone can’t catch it all.

Actionable Tip: Combine multiple email security tools. Use spam filters, threat intelligence, and real-time link analysis. And always back it up with user awareness.

29. Fake invoices and payment requests are the most common phishing lures

“Please process this invoice.” “Can you approve this payment?” These are everyday business requests. That’s why they’re such effective bait.

Attackers target finance teams, hoping someone will wire money or update payment details without verifying.

Actionable Tip: Require dual approval for all payments. Train finance teams to verify every request by voice before processing. Even simple call-back policies can stop major losses.

30. 92% of malware is delivered through email phishing

Most malware doesn’t come from sketchy websites or USB sticks anymore. It comes straight to your inbox. One click on the wrong file, and it begins.

Email is still the biggest malware delivery system because it’s trusted, fast, and easy.

Actionable Tip: Block risky file types at the gateway: executables and scripts such as .exe, .js, .scr, .vbs, .hta and .lnk, disk images like .iso, and macro-enabled Office formats. Inspect inside archives, since attackers zip the payload to get past simple extension checks, and treat password-protected archives as unscannable. Open anything that remains in a sandbox when possible, and never allow macros from unknown sources.
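As an added example (not from the article), here is how the attachment policy above could be implemented in Python: a block-list by extension, macro-enabled Office formats blocked by policy, and zip archives opened so their members are checked too, with encrypted entries and over-nested archives refused rather than waved through. The block-list and the in-memory sample attachments are constructed for the illustration and are not a complete policy.

```python
"""Attachment policy check for a mail gateway: reject dangerous file types,
including when they are hidden one or two layers deep inside a zip.

This is an added example, not from the original article. The block-list is a
reasonable starting point rather than a complete one, the sample attachments
are constructed in memory, and in-archive inspection covers only zip, not the
other archive formats a real gateway would need to handle.
"""
import io
import zipfile

BLOCKED_EXT = {"exe", "scr", "js", "jse", "vbs", "vbe", "wsf", "hta", "cmd", "bat", "ps1",
               "lnk", "msi", "jar", "iso", "img", "vhd", "dll", "com", "pif", "reg", "chm"}
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xlam"}   # blocked by policy, not by signature
ARCHIVE_EXT = {"zip"}
MAX_ARCHIVE_DEPTH = 2        # deeper nesting is a red flag in itself, so refuse it


def extension(name):
    """Last extension, lower-cased; 'invoice.pdf.exe' -> 'exe'."""
    name = name.lower().rstrip(". ")
    return name.rsplit(".", 1)[1] if "." in name else ""


def check_attachment(name, data, depth=0):
    """Return (allowed, reason). Archives are opened and each member re-checked."""
    ext = extension(name)
    if ext in BLOCKED_EXT:
        return False, f"{name}: blocked type .{ext}"
    if ext in MACRO_EXT:
        return False, f"{name}: macro-enabled Office document"
    if ext in ARCHIVE_EXT:
        if depth >= MAX_ARCHIVE_DEPTH:
            return False, f"{name}: archive nested too deeply to inspect"
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return False, f"{name}: corrupt or unreadable archive"
        for info in zf.infolist():
            if info.flag_bits & 0x1:   # bit 0 set = entry is encrypted; cannot be scanned
                return False, f"{name}: encrypted entry {info.filename} cannot be scanned"
            ok, why = check_attachment(info.filename, zf.read(info), depth + 1)
            if not ok:
                return False, f"{name} -> {why}"
    return True, f"{name}: allowed"


def build_zip(entries):
    """Build an in-memory zip from {member_name: bytes} (used to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample attachments; the byte contents are placeholders.
SAMPLE_ATTACHMENTS = {
    "invoice.pdf": b"%PDF-1.4 placeholder",
    "invoice.pdf.exe": b"MZ placeholder",
    "Q2 report.xlsm": b"PK placeholder",
    "invoice.zip": build_zip({"invoice.pdf.js": b"placeholder"}),
    "nested.zip": build_zip({"inner.zip": build_zip({"payload.scr": b"MZ"})}),
    "photos.zip": build_zip({"a.jpg": b"\xff\xd8", "b.jpg": b"\xff\xd8"}),
}


def scan_all(attachments=SAMPLE_ATTACHMENTS):
    """Return {name: (allowed, reason)} for a batch of attachments."""
    return {name: check_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, (ok, why) in scan_all().items():
        print("ALLOW " if ok else "BLOCK ", why)
```

Extension checks are only the first layer: a renamed executable still gets past them, so a real gateway pairs this with content-type sniffing and sandbox detonation. The point of the archive recursion is that the cheap check is applied consistently, so "zip it" stops being a free bypass.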

Wrapping It Up

Phishing isn’t a new threat. But it keeps growing because it adapts faster than most defenses. It preys on human behavior—curiosity, urgency, trust. And as we’ve seen, the numbers don’t lie: people still click, and businesses still suffer.