·6 min read

Phishing Statistics 2026: The Data on the Internet's #1 Attack

phishing statisticsphishing statistics 2026phishing factshow common is phishingphishing losses

Phishing is the most common cyberattack there is, and it's the front door to almost every identity-theft case. Below are the numbers that matter for 2026 — from the FBI's national complaint data to our own hands-on analysis of live phishing URLs. Every figure is sourced.


The headline numbers

MetricFigureYearSource
Phishing/spoofing complaints to the FBI191,5612025FBI IC3
Share of all cybercrime complaints~19%2025FBI IC3
Reported phishing losses$215.8 million2025FBI IC3
Year-over-year rise in phishing losses+208%2025FBI IC3
Most-reported crime type (years running)3rd year2025FBI IC3
Phishing URLs that passed a single automated scan64%2026Our study

Phishing is the #1 reported cybercrime — again

For the third consecutive year, phishing and spoofing was the single most-reported crime type in the FBI's 2025 Internet Crime Report:

  • 191,561 complaints, roughly 19% of everything reported to IC3.
  • Reported losses climbed 208% year over year, from about $70 million to $215.8 million.

That dollar figure is actually the least important number here. Phishing's real damage is indirect: it's how the credentials behind account takeover and new-account fraud get stolen in the first place. A single convincing fake login page is the entry point, and the resulting fraud gets counted in other categories. Phishing punches far above its own loss total.

Aura

Want full protection beyond link checks? Aura monitors threats, blocks phishing & protects your identity — all in one app.

Try Aura Free →

Complaint counts tell you the scale. To see what phishing links actually look like, we ran 300 confirmed, currently-live phishing URLs (from PhishTank and OpenPhish) plus 300 legitimate control sites through an automated safety scanner. The full methodology and results are here — the highlights:

  • 64% of the phishing URLs were rated "safe" by a single automated scan. Only ~36% tripped enough red flags to be flagged.
  • ~75% had a valid SSL certificate. The padlock is not a safety signal.
  • Only 7% were already on Google's Safe Browsing blacklist at scan time — blacklists are reactive and lag live threats by hours or days.
  • The strongest single tell was domain age: 82.7% of phishing URLs sat on a brand-new or unverifiable domain, versus 18.7% of legitimate sites.

The lesson: phishing increasingly hides on legitimate infrastructure — free-hosting subdomains and hacked real websites — that passes every automated check. No single signal catches the majority.


How phishing feeds identity theft

The reason phishing dominates identity-theft prevention advice is the chain it kicks off:

  1. Phishing message → you click a link or open an attachment.
  2. Fake login / credential capture → your username and password are stolen.
  3. Account takeover → the attacker seizes an account you already own (email is the jackpot, because it resets everything else).
  4. New-account fraud → with enough personal data, criminals open new accounts in your name.

The FTC's data shows how big those downstream stages are: imposter scams (which lean heavily on phishing tactics) drew 845,806 reports and $2.95 billion in losses in its most recent Data Book. For the full identity-fraud picture, see our Identity Theft Statistics 2026.


What the numbers mean for you

  • Assume phishing will reach you. It's the most-reported attack three years running; the question is whether you click.
  • Stop trusting surface signals. HTTPS padlocks and clean automated scans both miss most phishing. Learn the behavioral tells in How to Identify Phishing Links.
  • Scan, but don't rely on scanning alone. A link safety check catches the obvious cases in seconds — treat "safe" as "no obvious red flags," not a guarantee.
  • Add layers that survive a successful phish — multi-factor authentication and identity monitoring — so one stolen credential isn't the whole game.
AuraRecommended

All-in-one identity protection with $1M Insurance, credit monitoring, VPN & antivirus. From $10/mo.

Start Your Free Trial

* Affiliate link. We may earn a commission at no extra cost to you.


Sources & citation

All figures current as of mid-2026:

Citing these stats? Link back to this page (/statistics/Phishing-Statistics-2026) — we update it as new reports land.

Sources & References

  1. FBI IC3 — 2025 Internet Crime Report
  2. FTC — Consumer Sentinel Network Data Book 2024
  3. OnlineSafetyChecker — Anatomy of a Phishing Link (600-URL study, 2026)
  4. PhishTank — Verified Phishing URL Database

Frequently Asked Questions

How common is phishing in 2026?

Phishing and spoofing was the single most-reported cybercrime to the FBI in 2025 for the third straight year, with 191,561 complaints — roughly 19% of all cybercrime complaints filed to IC3. It remains the most common entry point for identity theft and account takeover.

How much money does phishing cost?

Reported phishing and spoofing losses to the FBI jumped 208% in 2025, from about $70 million to $215.8 million. That figure understates the true impact, because phishing is mainly the delivery method for larger downstream fraud like account takeover and new-account fraud, whose losses are counted in other categories.

Can a safety tool detect phishing links reliably?

Not on its own. In our own study of 300 confirmed-live phishing URLs, 64% were rated 'safe' by a single automated scan — because modern phishing often hides on legitimate platforms and compromised sites that pass domain, SSL, and reputation checks. Automated scanning catches the crude majority but should be one layer, not your only defense.

What percentage of phishing links use HTTPS?

In our 2026 analysis, roughly three-quarters of phishing URLs had a valid, working SSL certificate. HTTPS certificates are free and automated, so the padlock icon no longer indicates a site is trustworthy — it only means the connection is encrypted.

Jay D

Cybersecurity Analyst & Founder, OnlineSafetyChecker

Jay is a cybersecurity analyst with over a decade of experience in threat intelligence, network security, and digital forensics. He founded OnlineSafetyChecker to make practical security tools and knowledge accessible to everyone — not just IT professionals.

CybersecurityNetwork SecurityThreat Intelligence