Numbers prove that phishing is the mother of crimes, not just cybercrimes. These cyberattacks are deceptive communications masked as trusted voices to lure people into revealing sensitive information.
They are getting more sophisticated and target-oriented as the technology evolves. And though being tech-savvy helps, anyone can fall victim to a well-executed phishing attack.
As we navigate the ever-evolving world of online threats, it is crucial to understand the tactics used by scammers and spot red flags.
This post summarizes key trends from leading security firms to help you understand the scamscape without being the victim 💀.
Phishing: A Statistical Summary
- Phishing attacks are slightly declining overall, but still top the list of cybercrimes globally.
- Microsoft was the most impersonated brand, with 68 million spoofing attempts, with Office 365 users as the prime targets.
- Top phishing targets include the United States, India, and Brazil, and industries such as social media, SaaS, and finance.
- 71% of users admitted to engaging in risky behavior, and 96% of them did so knowingly.
- Business Email Compromise (BEC) remains a significant tactic, resulting in over 21,000 complaints and $2.7 billion losses in 2024 alone.
- 74% of phishing emails employed polymorphic elements, making them more difficult to detect.
- 87% of phishing is now delivered over encrypted channels (HTTPS), often using low-trust DV certificates.
- AI-assisted phishing attacks increased by 60%, with more realistic emails and fake websites that mimic legitimate ones.
- PDFs and embedded malicious URLs are now more common than ZIP/RAR files as phishing payloads.
- Elderly users are the most vulnerable, according to IC3 age-based cybercrime data.
- Phishing-as-a-Service (PhaaS) is lowering the entry barrier for attackers along with pre-built phishing kits.
- Best defenses include MFA, user training, and stronger AI-based detection tools that go beyond grammar/spelling checks.
Global Phishing Trends 📊
I will now discuss the above stats in detail with the trends.
1. Total Number of Phishing Attacks
As reported by APWG (Anti-Phishing Working Group), the total number of phishing attacks per year has decreased since 2023. Although it’s not yet conclusive and further research is needed to confirm the downward trend, it’s still positive to know that policies and cyber defenses are catching up.
2. Phishing Among All Crimes 2024
Among all the crime reports received by IC3, phishing came out on top. This highlights the need for immediate and constant training of business professionals and individuals of all age groups against this evolving cybercrime.
3. Types of Cyberattacks
Proofpoint, in their State of the Phish study, asked their survey participants about the types of attacks they faced during 2022-2023. Unsurprisingly, phishing claimed the top spot, if one counts all its categories—bulk phishing, spear phishing, smishing, etc.—as one.
4. Spam Origin
Kaspersky’s Spam and Phishing Report 2024 identified the top 20 countries as the source of global spam. Russia, China, and the USA secured the top 3 dubious positions.
The study observed an increase in spam share compared to previous studies from countries such as Russia, China, Kazakhstan, and Hong Kong, and a fall from a few locations that include India and the USA.
5. Phishing in Organizations
The 2025 Data Breach Investigations Report (DBIR) found that human error is still the root cause of approximately 60% of incidents.
In addition, the report noted that GenAI-assisted emails have doubled from nearly 5% to 10% now. This makes it increasingly difficult to identify scams, as these emails now flaunt professional writing without the tell-tale grammatical errors that were once the hallmarks of such deceptive communications.
Who’s in the Crosshairs? 🎯
6. Business Email Compromise (BEC)
BEC is the most popular phishing technique targeting business professionals.
Cyber criminals pose as founders or CEOs to target a company’s high-profile employees or new recruits, asking for their intervention for some “urgent” task. This is usually an attempt to lure someone into disclosing confidential data or simply trick them into transferring funds to a “client” citing an emergency.
The following table presents a summary of BEC crimes and losses reported to the Internet Crime Complaint Center (IC3) from 2018 to 2024.
7. Phishing Target Industries
APWG publishes a quarterly report that highlights industries bearing the brunt of phishing attacks. I’ve combined data for four years in the following table, indicating that social media, webmail/SaaS, and financial institutions were the prime targets.
8. Phishing Target Country
The ThreatLabz 2025 Phishing Report by Zscaler lists the countries most targeted by phishing scams. The report states that while overall phishing attacks are decreasing, some emerging digital markets, such as Brazil, are the new targets, witnessing an uptick.
Here’s the list of the top 10 phishing target countries.
- United States
- India
- Germany
- Canada
- United Kingdom
- Spain
- France
- Australia
- South Africa
- Brazil
9. Cybercrimes Targets by Age
IC3 annual reports also break down cybercrime by age. I have presented the data for 2024, which clearly shows the elderly as the most vulnerable age group among all. Call it the inability to keep up with the scam sophistication or simply the age factor, the elderly need special attention so that they do not lose their life savings to criminals.
Phishing Techniques and Tactics 🎭
10. Most Impersonated Brand
Proofpoint’s 2024 State of the Phish report “crowns” Microsoft as the most spoofed brand by cybercriminals against innocent users. It was impersonated a whopping 68 million times, with over 20 million attacks targeting Office 365 users alone, making it the most abused of Microsoft’s products.
11. Most Imitated E-commerce Platforms
As summarized by Statista for 2023, Amazon was the most impersonated brand, followed by Apple and Netflix.
12. Polymorphic Email Phishing
Polymorphic phishing campaigns send a series of emails with randomized elements to evade security filters. Although this technique is not new, AI assistance has skyrocketed the trend.
A recent study by KnowBe4 revealed polymorphic elements in 74.3% of all phishing emails in December 2024.
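Why randomized elements defeat exact-match filters, and how a defender can still group the variants, shown as an added example that is not from the original post or from KnowBe4. The sample messages, the normalization rules, and the 0.6 threshold are constructed assumptions.

```python
import hashlib
import re

# Constructed sample messages (not real mail): three variants of one lure, one unrelated note.
SAMPLES = [
    "Hi Dana, your mailbox is 98% full. Confirm your account within 24 hours "
    "at https://a1.example/x?id=83f2a1 or lose access. Ref 48213",
    "Hello Omar, your mailbox is 97% full. Confirm your account within 12 hours "
    "at https://b7.example/k?id=0c9e77 or lose access. Ref 90517",
    "Dear Li, your mailbox is 99% full. Verify your account within 48 hours "
    "at https://q3.example/z?id=5d1b02 or lose access. Ref 11764",
    "Team, the quarterly planning meeting moved to Thursday at 3 pm in room 4. Agenda attached.",
]

# Fields a polymorphic sender can randomize, replaced by fixed placeholders (assumed rules).
VOLATILE = [
    (re.compile(r"^\s*(hi|hello|dear)\s+\w+", re.I), "<greeting>"),
    (re.compile(r"https?://\S+"), " <url> "),
    (re.compile(r"\b\d+\b"), " <num> "),
]

def raw_digest(text):  # exact-match fingerprint, as a hash blocklist would compute it
    return hashlib.sha256(text.encode()).hexdigest()

def shingles(text, k=3):
    # Normalize the volatile fields, then return the set of k-word shingles.
    for pattern, placeholder in VOLATILE:
        text = pattern.sub(placeholder, text)
    words = re.findall(r"<\w+>|[a-z]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def similarity(a, b):  # Jaccard similarity of the normalized shingle sets
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0

def cluster(messages, threshold=0.6):
    # Greedy clustering: join the first cluster whose seed message is similar enough.
    clusters = []
    for idx, msg in enumerate(messages):
        for members in clusters:
            if similarity(messages[members[0]], msg) >= threshold:
                members.append(idx)
                break
        else:
            clusters.append([idx])
    return clusters

if __name__ == "__main__":
    print(len({raw_digest(m) for m in SAMPLES}), "raw hashes;", cluster(SAMPLES))
```

Every message has a different SHA-256, so a hash blocklist sees four unrelated emails, while the normalized comparison puts the three lure variants in one cluster even though the third swaps a word.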
13. Encrypted Cyberattacks
Once a symbol of trust and security, the padlock icon in the URL bar means little now. The Zscaler ThreatLabz 2024 Encrypted Attacks Report states that over 87% of attacks are now delivered using encrypted technologies, such as HTTPS. And though phishing constituted just 2.9% of all monitored encrypted attacks, the trend witnessed a massive 34.1% jump from the previous year.
However, there is still something the scammers couldn’t fix. The same report mentioned that 64.5% of encrypted attacks used Domain Validated (DV) TLS/SSL certificates—the easiest to obtain. Certificates with Extended Validation (EV) were used just for 1% of attacks. The remaining 34.6% had certificates with Organization Validation (OV).
14. Domains Hosting Phishing Sites
Kaspersky’s Securelist 2024 study lists the domain extensions (e.g., .com and .net) used for hosting phishing sites. Unsurprisingly, .com remains the most popular top-level domain (TLD) for luring people into phishing traps, followed by .xyz and .top.
15. PDFs and URLs are The New Weapons
IBM’s X-Force 2025 Threat Intelligence Index revealed a clear 70% and 45% decline in scammers using malicious ZIPs and RARs.
Instead, malicious URLs in open and encrypted PDFs are the new weapons of choice to evade detection. For PDFs, in particular, bad actors used URL obfuscation (42%), PDF streams (28%), and password encryption (7%) to hide their malicious actions.
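What the stream and encryption cases mean for a scanner, shown as an added triage example that is not from the original post or from IBM. It assumes Flate-compressed streams only; the PDF-like bytes, the `.example` URLs, and the function names are constructed for illustration.

```python
import re
import zlib

STREAM = re.compile(rb"\bstream\r?\n(.*?)endstream", re.S)
URI = re.compile(rb"/URI\s*\((.*?)\)")

def build_sample(encrypted: bool = False) -> bytes:
    """Constructed PDF-like bytes (not a real document): one link in plain sight,
    one link inside a Flate-compressed object stream."""
    hidden = zlib.compress(b"<< /S /URI /URI (https://hidden.example/login) >>")
    # The encrypted variant only adds the trailer key; its contents are not actually encrypted.
    trailer = b"trailer << /Root 1 0 R" + (b" /Encrypt 9 0 R" if encrypted else b"") + b" >>\n"
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Annot /A << /S /URI /URI (https://visible.example/doc) >> >> endobj\n"
            b"2 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
            + hidden + b"\nendstream endobj\n" + trailer + b"%%EOF\n")

def inflate(raw: bytes) -> bytes:
    """Best-effort Flate decode; tolerates the end-of-line bytes before 'endstream'."""
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return b""  # not Flate data, or the stream content is encrypted

def triage(pdf: bytes) -> dict:
    """Compare link targets a plain string scan sees with those found only after inflating streams."""
    outside = STREAM.sub(b"", pdf)  # everything except stream bodies
    visible = [u.decode("latin-1") for u in URI.findall(outside)]
    in_streams = [u.decode("latin-1")
                  for body in STREAM.findall(pdf)
                  for u in URI.findall(inflate(body))]
    return {
        "encrypted": b"/Encrypt" in outside,  # strings are unreadable without the key
        "visible_uris": visible,
        "stream_uris": in_streams,
    }

if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(build_sample(encrypted=True))["encrypted"])
```

A scanner that only greps the raw file reports `visible_uris` and misses `stream_uris`; a file flagged `encrypted` needs the password before either list can be trusted.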
User Behavior & Attack Outcomes 👤
16. Simulated Attacks
An October 2023 study conducted on global organizations revealed how professionals in various industries fare against phishing attacks.
This simulation highlighted that people from education, construction, and service-providing domains were the most vulnerable to clicking malicious links and submitting passwords to replicas of original web portals. However, the good thing is that 89.6 percent of all participants did not fall for malicious links.
17. User Behavior
The 2024 State of the Phish survey found that 71% of their participants admit to taking risky actions, and a shocking 96% of them did it while being fully aware of the malicious intent.
The survey also identified risky end-user behavior that could cause disastrous outcomes in various categories.
18. Phishing Attack Outcomes
State of the Phish 2024 from Proofpoint lists the damage successful phishing attacks did to their victims. While some incidents were one-time events, such as data loss, a few, including ransomware infections, exposed the end user to further complications.
Emerging Trends
19. PhaaS and GenAI Assistance
PhaaS (Phishing-as-a-Service) is tagged as the latest dangerous phishing trend by cybersecurity experts. This, along with ready-to-use phishing kits, lowers the entry barrier for cybercriminals, allowing them to target business professionals and individuals alike.
An even greater threat is GenAI-powered tools. These tools can write entire emails and even entire website copy with eye-catching images, helping phishing websites pass as originals. As a worrying trend, Zscaler has noted a 60% increase in AI-assisted phishing attacks.
Overall, combating phishing calls for more user awareness than mere attempts to catch grammatical errors and spot bad design.
Final Words
It is important to remain vigilant against the shifting landscape of phishing attacks. Assuming ignorance or incompetence can easily lead to disastrous results in terms of financial and operational impact.
To fight back, use multi-factor authentication (MFA) wherever it is available, without exception. At the very least, one should deploy MFA for online banking, social media, and work-related accounts.
Finally, there is no substitute for awareness and keeping oneself abreast of the latest cybersecurity trends.
Editor: Usha, the editor-in-chief of Geekflare, is a tech-savvy and experienced marketer with a Master’s degree in Computer Applications. She has over a decade of experience in the tech industry, starting as a software engineer and then moving into digital marketing and team management.