Phishing Statistics
Phishing complaint volumes and attack trends from FBI IC3 and the Anti-Phishing Working Group (APWG) official reports.
Last reviewed: 1 June 2026
Phishing — using deceptive messages to steal credentials, personal information, or money — is consistently the most frequently reported cybercrime by complaint volume. The FBI's Internet Crime Complaint Center and the Anti-Phishing Working Group (APWG) both publish regular official data on phishing activity.
While phishing generates fewer dollar losses than investment fraud or BEC, it is the entry point for many more serious attacks. Financial loss figures for phishing alone are lower than for other categories partly because phishing often facilitates other fraud types (such as account takeover or BEC) that are then recorded under different categories. Figures vary significantly between sources and years.
Key figures
- Phishing/spoofing complaints (US, FBI IC3): 193,407 complaints in 2024 — the most reported crime type. Source: FBI IC3 2024 Annual Internet Crime Report (2024)
- Reported financial losses attributed to phishing/spoofing (US, FBI IC3): approximately $70 million in 2024 — nearly four times the 2023 figure. Source: FBI IC3 2024 Annual Internet Crime Report (2024)
- Phishing attacks observed globally (Q1 2024): 963,994 unique phishing attacks in Q1 2024 — the lowest quarterly total since Q4 2021. Source: APWG Phishing Activity Trends Report Q1 2024 (2024)
- Most targeted sector by phishing attacks (Q4 2024): SaaS/Webmail — 23.3% of all phishing attacks in Q4 2024. Source: APWG Phishing Activity Trends Report Q4 2024 (2024)
Key takeaways
- Phishing was the single most frequently reported internet crime to the FBI IC3 in 2024, with 193,407 complaints.
- Direct financial losses from phishing reported to the FBI IC3 nearly quadrupled in 2024 to approximately $70 million, though phishing also enables higher-loss crimes recorded elsewhere.
- According to the APWG, phishing attack volumes declined in the first half of 2024 before trending upward again in the second half.
- SaaS and webmail services were the most targeted sector by phishing attacks in Q4 2024, according to APWG data.
Frequently asked questions
Why are phishing loss figures so much lower than complaint volumes suggest?
Many phishing attacks are used to steal credentials that are then used in other crimes — account takeover, BEC, or fraud — rather than extracting money directly. The downstream financial damage may be recorded under a different fraud category, making phishing-specific loss figures an undercount of its total economic impact.
What types of phishing are most common?
Email phishing remains the most reported, but smishing (SMS-based phishing) and vishing (voice-call phishing) have grown. Spear phishing — highly personalised attacks on specific individuals or organisations — tends to cause the largest individual losses.
Why do phishing figures vary between sources?
The FBI IC3 counts consumer complaints in the US. The APWG counts unique attack URLs reported to its members globally. These measure different things and are not directly comparable. A single phishing campaign can generate many unique URLs but result in relatively few reports to the IC3.
What should I do if I receive a phishing message?
Do not click any links or provide any information. Report it to your email provider, and in the US you can forward phishing emails to [email protected] or report to the FTC at ReportFraud.ftc.gov. If you have already clicked a link or provided credentials, change your passwords immediately.