Phishing Statistics 2026: The Data on the Internet's #1 Attack
Phishing is the most common cyberattack there is, and it's the front door to almost every identity-theft case. Below are the numbers that matter for 2026 — from the FBI's national complaint data to our own hands-on analysis of live phishing URLs. Every figure is sourced.
The headline numbers
| Metric | Figure | Year | Source |
|---|---|---|---|
| Phishing/spoofing complaints to the FBI | 191,561 | 2025 | FBI IC3 |
| Share of all cybercrime complaints | ~19% | 2025 | FBI IC3 |
| Reported phishing losses | $215.8 million | 2025 | FBI IC3 |
| Year-over-year rise in phishing losses | +208% | 2025 | FBI IC3 |
| Most-reported crime type (years running) | 3rd year | 2025 | FBI IC3 |
| Phishing URLs that passed a single automated scan | 64% | 2026 | Our study |
Phishing is the #1 reported cybercrime — again
For the third consecutive year, phishing and spoofing was the single most-reported crime type in the FBI's 2025 Internet Crime Report:
- 191,561 complaints, roughly 19% of everything reported to IC3.
- Reported losses climbed 208% year over year, from about $70 million to $215.8 million.
That dollar figure is actually the least important number here. Phishing's real damage is indirect: it's how the credentials behind account takeover and new-account fraud get stolen in the first place. A single convincing fake login page is the entry point, and the resulting fraud gets counted in other categories. Phishing punches far above its own loss total.
What we found analyzing 300 live phishing links
Complaint counts tell you the scale. To see what phishing links actually look like, we ran 300 confirmed, currently-live phishing URLs (from PhishTank and OpenPhish) plus 300 legitimate control sites through an automated safety scanner. The full methodology and results are in The Anatomy of a Phishing Link (listed under Sources); the highlights:
- 64% of the phishing URLs were rated "safe" by a single automated scan. Only ~36% tripped enough red flags to be flagged.
- ~75% had a valid SSL certificate. The padlock is not a safety signal.
- Only 7% were already on Google's Safe Browsing blacklist at scan time — blacklists are reactive and lag live threats by hours or days.
- The strongest single tell was domain age: 82.7% of phishing URLs sat on a brand-new or unverifiable domain, versus 18.7% of legitimate sites.
The lesson: phishing increasingly hides on legitimate infrastructure — free-hosting subdomains and hacked real websites — that passes every automated check. No single signal catches the majority.
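To see what the domain-age figures mean for anyone alerting on that signal, the sketch below (an added example, not code from the study) applies Bayes' rule to the two published rates and shows how precision falls as phishing becomes a smaller share of the links being checked. The 50% mix matches the study's 300/300 sample; the 10% and 1% mixes are assumed values chosen for illustration, and the function names are hypothetical.

```python
# Rates published above for the "brand-new or unverifiable domain" signal.
TPR_NEW_DOMAIN = 0.827  # share of phishing URLs that showed the signal
FPR_NEW_DOMAIN = 0.187  # share of legitimate sites that showed the signal

# Share of checked links that are phishing. 0.5 mirrors the study's
# 300 phishing / 300 legitimate sample; 0.1 and 0.01 are assumptions.
ASSUMED_PREVALENCES = (0.5, 0.1, 0.01)


def likelihood_ratio(tpr: float, fpr: float) -> float:
    """How many times more likely the signal is on a phishing URL."""
    return tpr / fpr


def precision(tpr: float, fpr: float, prevalence: float) -> float:
    """P(phishing | signal fired), by Bayes' rule."""
    if not 0.0 < prevalence < 1.0:
        raise ValueError("prevalence must be strictly between 0 and 1")
    true_pos = tpr * prevalence
    false_pos = fpr * (1.0 - prevalence)
    return true_pos / (true_pos + false_pos)


def miss_rate(tpr: float) -> float:
    """Share of phishing URLs the signal never fires on."""
    return 1.0 - tpr


def precision_table(prevalences=ASSUMED_PREVALENCES):
    """Precision of the domain-age signal at each assumed phishing share."""
    return [
        (p, round(precision(TPR_NEW_DOMAIN, FPR_NEW_DOMAIN, p), 3))
        for p in prevalences
    ]


if __name__ == "__main__":
    lr = likelihood_ratio(TPR_NEW_DOMAIN, FPR_NEW_DOMAIN)
    print(f"likelihood ratio: {lr:.2f}")
    print(f"phishing missed by this signal: {miss_rate(TPR_NEW_DOMAIN):.1%}")
    for share, prec in precision_table():
        print(f"phishing share {share:>5.0%} -> precision {prec:.1%}")
```

In a balanced sample most new-domain hits are phishing, but at the assumed 1% mix the large majority of hits are legitimate sites, which is why the signal works as one input to a score rather than as a verdict on its own.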
How phishing feeds identity theft
The reason phishing dominates identity-theft prevention advice is the chain it kicks off:
- Phishing message → you click a link or open an attachment.
- Fake login / credential capture → your username and password are stolen.
- Account takeover → the attacker seizes an account you already own (email is the jackpot, because it resets everything else).
- New-account fraud → with enough personal data, criminals open new accounts in your name.
The FTC's data shows how big those downstream stages are: imposter scams (which lean heavily on phishing tactics) drew 845,806 reports and $2.95 billion in losses in its most recent Data Book. For the full identity-fraud picture, see our Identity Theft Statistics 2026.
What the numbers mean for you
- Assume phishing will reach you. It's the most-reported attack three years running; the question is whether you click.
- Stop trusting surface signals. HTTPS padlocks and clean automated scans both miss most phishing. Learn the behavioral tells in How to Identify Phishing Links.
- Scan, but don't rely on scanning alone. A link safety check catches the obvious cases in seconds — treat "safe" as "no obvious red flags," not a guarantee.
- Add layers that survive a successful phish — multi-factor authentication and identity monitoring — so one stolen credential isn't the whole game.
Sources & citation
All figures current as of mid-2026:
- FBI IC3 — 2025 Internet Crime Report
- FTC — Consumer Sentinel Network Data Book 2024
- OnlineSafetyChecker — The Anatomy of a Phishing Link (original 600-URL study, 2026)
Citing these stats? Link back to this page (/statistics/Phishing-Statistics-2026) — we update it as new reports land.
Frequently Asked Questions
How common is phishing in 2026?
Phishing and spoofing was the single most-reported cybercrime to the FBI in 2025 for the third straight year, with 191,561 complaints — roughly 19% of all cybercrime complaints filed to IC3. It remains the most common entry point for identity theft and account takeover.
How much money does phishing cost?
Reported phishing and spoofing losses to the FBI jumped 208% in 2025, from about $70 million to $215.8 million. That figure understates the true impact, because phishing is mainly the delivery method for larger downstream fraud like account takeover and new-account fraud, whose losses are counted in other categories.
Can a safety tool detect phishing links reliably?
Not on its own. In our own study of 300 confirmed-live phishing URLs, 64% were rated 'safe' by a single automated scan — because modern phishing often hides on legitimate platforms and compromised sites that pass domain, SSL, and reputation checks. Automated scanning catches the crude majority but should be one layer, not your only defense.
What percentage of phishing links use HTTPS?
In our 2026 analysis, roughly three-quarters of phishing URLs had a valid, working SSL certificate. HTTPS certificates are free and automated, so the padlock icon no longer indicates a site is trustworthy — it only means the connection is encrypted.