Published 2026-02-02 by TechNet New England
Phishing volume remains high in 2026. APWG reported 1,130,393 phishing attacks in Q2 2025, up from 1,003,924 in Q1 2025. On average, 3.4 billion phishing emails are sent every day worldwide.
Small Business Vulnerability
According to Verizon's 2025 Data Breach Report, nearly 70% of phishing-related breaches now hit small and medium businesses. These organizations are attractive targets because they handle valuable data but often lack enterprise-grade security teams or budgets.
The statistics are concerning:
- Small businesses are the target of 43% of cyber attacks annually
- Only 14% of SMEs have a cyber security plan in place
- A third of employees are susceptible to phishing and social engineering attacks
The Human Factor
Verizon's 2025 DBIR links about 60% of breaches to human actions. Despite technical controls, people remain the primary vulnerability:
- The median time for users to click on a phishing link was just 21 seconds
- Users submitted sensitive data within 28 seconds of clicking
- With an industry-wide baseline of 33.1%, one in three employees will fall for phishing attempts
AI-Powered Attacks
Artificial intelligence has transformed phishing effectiveness:
- AI has driven a 1,265% increase in phishing emails since the launch of generative AI tools
- In 2025, nearly 82% of phishing campaigns were AI-crafted
- AI-crafted phishing emails achieve 54% click rates compared to 12% for human-written ones
Modern AI-generated phishing messages are grammatically correct, contextually appropriate, and personalized based on publicly available information about targets.
Financial Impact
The costs of successful phishing attacks are substantial:
- The average phishing-related data breach costs organizations $4.88 million
- Business Email Compromise caused $2.77 billion in losses in 2024
- Total cybercrime losses reached $16.6 billion in 2024
Security Awareness Training Works
The good news: training dramatically reduces risk. Organizations that implement security awareness training see:
- Over 40% reduction in phishing risk within 90 days
- Up to 86% reduction within one year
Effective training programs include regular simulated phishing tests, immediate feedback for users who click, and ongoing education about emerging threats.
Technical Controls
Technical measures that reduce phishing risk:
Email Security
- Advanced spam filtering with AI detection
- DMARC, DKIM, and SPF implementation
- URL rewriting and click-time protection
- Attachment sandboxing
Access Controls
- Multi-factor authentication on all accounts
- Conditional access policies
- Password managers to prevent credential reuse
Detection and Response
- Endpoint detection and response (EDR)
- User reporting mechanisms for suspicious emails
- Incident response procedures
Building a Phishing-Resistant Culture
Beyond technology and training, organizations should:
- Establish clear procedures for verifying sensitive requests
- Encourage reporting without blame
- Regularly communicate about current threats
- Lead by example with executive participation in security programs
TechNet New England provides security awareness training and email security solutions for small businesses.
Sources: APWG Phishing Activity Trends Report, KnowBe4 Phishing by Industry Benchmarking Report, Guardz MSP Phishing Statistics