CASE FILE // PC-2026-04
Status: Open


Filing 07.00.00Field 27 APR 2026Classification PublicStatus Open

Phishing Statistics Annex

The headline numbers, in one annex, with primary citations. Use these for board reporting; substitute your own where you have richer in-house telemetry.

Annex A

Headline figures

HEADLINE

$4.80M
Avg breach cost (phishing initial vector)
[IBM 2025]
$2.77B
US BEC losses, 2024
[FBI IC3 2024]
21,442
BEC complaints filed, 2024
[FBI IC3 2024]
254 days
Phishing-breach detection + containment (vs 241d all-vector)
[IBM 2025]
84%
Organisations hit by successful phishing in 2024
[Proofpoint 2025]
82.6%
Detected phishing using AI (Sep 2024-Feb 2025)
[KnowBe4 2025]
3.4B/day
Phishing emails sent globally (estimate)
[APWG aggregate]
$25B
Annualised global phishing losses
[Industry projection]
16%
Share of breaches with phishing as listed initial vector
[IBM 2025]
$3.31M
Avg breach cost, organisations under 500 employees
[IBM 2023, last org-size split]
60%
SMBs that close within 6 months of major incident
[NCSA]
<5%
Click rate after 12 months of monthly simulation
[SANS]
Annex B

Year-on-year trends

TREND

Metric2022202320242025
Average breach cost (global, all vectors)$4.35M$4.45M$4.88M$4.44M
BEC losses (US)$2.40B$2.70B$2.77BPending
Detection time (global)277 d277 d258 d241 d
AI-generated phishing share<5%29%67%82.6%
Vishing volume index1001806401733+
Quishing campaign count index100210415510+

Where 2025 is marked Pending, the source has not yet released its full-year figure. Quarterly indicators are tracking ahead of 2024. The vishing index reflects Keepnet's reported 1,633% deepfake-vishing surge in Q1 2025 versus Q4 2024; the AI-phishing-share row is anchored to KnowBe4's 82.6% (Sep 2024-Feb 2025).[IBM 2022-2025, IC3 2022-2024, KnowBe4 2025, Keepnet 2025]

Annex C

Source index

REFERENCES

SourceWhat it provides
IBM Cost of a Data Breach Report 2025Per-record cost, industry breakdown, mean detection. Annual.
Verizon Data Breach Investigations Report 2025Initial-vector taxonomy and industry vertical breakouts. Annual.
FBI IC3 Annual Report 2024BEC losses, complaint counts, recovery rates. Annual.
Anti-Phishing Working Group 2025Quarterly attack volume, brand-impersonation share.
Proofpoint State of the Phish 2025Click rates, training effectiveness, organisational impact.
KnowBe4 Threat Labs 2025AI-generated phishing share (82.6%, Sep 2024-Feb 2025).
Hoxhunt Phishing Trends Report 2026AI-vs-human red-team benchmarks, AI-phishing surge metrics.
Heiding et al., Harvard 2024 (arXiv 2412.00586)AI-automated vs human-expert vs control phishing click-through (54% / 54% / 12%).
Keepnet 2025 State of Vishing ReportDeepfake-vishing surge (1,633% Q1 2025 vs Q4 2024), quishing growth.
Microsoft Digital Defence Report 2025Token-theft, MFA effectiveness baseline.

All sources are publicly published. Where we cite a vendor (Proofpoint, KnowBe4, Hoxhunt, Keepnet), we use the descriptive findings, not the prescriptive product recommendations.

Updated 2026-04-27