The Phishing Surge in 2025

Shocking Statistics and the Compliance Challenge

Phishing is not just a persistent threat; it is evolving at an alarming rate. For Compliance and information security professionals, understanding the latest statistics is crucial for building effective defenses and ensuring regulatory adherence in an increasingly hostile cybersecurity landscape.

The data from 2025 confirms that the human element remains the weakest link and that Artificial Intelligence (AI) is redefining cyber risk.

The Big Picture: Phishing as a Catalyst for Breaches

Phishing maintains its position as the most common attack tactic, with escalating financial and operational impacts:

  • Primary Entry Point: Phishing is involved in about 36% of all data breaches, making it the most common attack type in many markets.
  • Daily Threat: Approximately 57% of organizations report facing phishing scams weekly or daily. The volume is staggering, with around 3.4 billion phishing emails sent daily worldwide.
  • The Human Element: Around 60% to 69% of security breaches involve a human element, such as stolen credentials or social engineering, with phishing being a primary factor. Speed of response is crucial: poorly trained employees amplify the cost of the incident.

The Prohibitive Cost of Phishing for Businesses

Phishing-related breaches are not just security incidents; they are financial disasters that demand the attention of Compliance and senior management:

  • Average Cost of a Breach: The average cost of a data breach originating from phishing has risen to $4.88 million USD.
  • Losses from BEC: Business Email Compromise (BEC)—a form of highly targeted phishing—caused approximately $2.7 billion in losses in the U.S. in 2024, standing out as one of the most destructive forms of financial cybercrime.
  • Annual Cost for Large Companies: Phishing attacks cost large organizations an average of $15 million annually, or more than $1,500 per employee.

The Threat Accelerated by AI

The proliferation of generative AI tools has changed the game, allowing attackers to create more convincing messages at scale and to bypass security filters:

  • Exponential Increase: Overall phishing activity has increased by 49% since 2021, largely due to the use of AI-generated messages.
  • AI-Powered Attacks: An estimated 80% of phishing attacks are now AI-generated, signaling sophisticated and continuous automation.
  • Credentials at Risk: Credential phishing has increased by a stunning 1,265% since the launch of advanced AI tools like ChatGPT.
  • Enhanced BEC: Approximately 40% of BEC emails in the second quarter were confirmed as AI-generated.

New Vectors and Victim Profiles

Attackers are diversifying beyond traditional email, and the victim profile is also shifting:

  • Multi-Channel: About 40% of phishing campaigns now extend beyond email, exploiting platforms like Slack, Teams, and social media. There has been a 19% increase in smishing (SMS phishing) and 11% in vishing (voice phishing).
  • Most Vulnerable Generation: Gen Z and Millennial users are the most likely to fall victim to phishing attacks.
  • Remote Workers: 62% of information security professionals report that phishing attacks have increased more than any other type of threat since the shift to remote work.
  • Most Targeted Sectors: Globally, the most targeted sectors are Internet services (32.8%), telecommunications (20.7%), and financial services (18.8%).

The Compliance and Mitigation Imperative

For Compliance, these statistics are not just interesting data points; they are evidence that existing security and training programs are insufficient.

The risk of Compliance failures increases exponentially when human security fails, leading to regulatory fines and reputational damage.

Key Actions for Compliance:

  1. Continuous Anti-Phishing Training: Awareness training cannot be a one-time event. It must be continuous and based on realistic simulations, focusing on new attack vectors such as AI, QR codes, and messaging platforms.
  2. Robust MFA: Implement and audit the use of Multi-Factor Authentication (MFA) across all critical accounts. However, Compliance must be aware that even MFA is being bypassed in about 25% of campaigns that use QR codes or disguised links.
  3. Active BEC Monitoring: Prioritize the detection of anomalies in email communications, especially those involving financial transactions or sensitive data.

The 2025 phishing landscape requires an urgent reassessment of security and Compliance strategies. AI has armed the attackers, but knowledge of the tactics and employee education remain the most vital defenses.
