Welcome to the new reality of AI-generated phishing and social engineering attacks.
Small business owners and MSPs alike must provide their clients with a line of defense against advanced phishing attacks and other email-related threats.
Implementing outdated phishing simulations isn’t effective either. An employee might accidentally download a malicious file attachment that could result in a massive security breach.
If that isn’t bad enough, threat actors have begun leveraging AI-powered tools such as ChatGPT and other LLMs to produce more sophisticated phishing prompts.
AI-generated phishing emails can bypass traditional filters and detection systems with striking accuracy. They can easily mimic the recipient’s writing style and language patterns and use personalized details that make the messages seem incredibly legitimate.
This looming thought gives MSPs and small business owners a lot to consider when it comes to safeguarding their inboxes and their clients’ inboxes from the latest phishing attack threats.
Here are 33 alarming phishing statistics in 2025 that every MSP should know about.
Corporate Phishing Attacks Skyrocketing
- 94% of organizations experienced phishing attacks. – Email Security Risk Report 2024
- Microsoft remains the most imitated brand, with 43.1% of phishing attempts targeting it. – Zscaler ThreatLabz 2024 Phishing Report
- The median time for users to click on a phishing simulation link was just 21 seconds and 28 seconds to submit sensitive data. – Verizon’s 2024 Data Breach Investigations Report
- BEC attacks accounted for 14% of all impersonation attack activity in corporate inboxes. – Business Email Compromise (BEC) Trends Report
- On average, 3.4 billion phishing emails are sent every day. – 2024 Upfort Phishing Attack Report
- There was a 1,760% YoY increase in social engineering-based Business Email Compromise (BEC) attacks throughout 2023. – Perception Point 2024 Annual Report: Cybersecurity Trends & Insights
- 88% of organizations face spear phishing attempts in a single year. – Norton
- 47% of employees cited distraction as the reason for falling for a phishing scam while working from home. – [Tessian Research] The Psychology of Human Error
- URLs are 4x more likely than phishing attachments to reach users. – Avanan
- Malicious URLs were the most frequently used technique in phishing emails, representing 30.5% of cases. – Hornetsecurity Cyber Security Report 2024
- Over half (55%) of phishing emails contain obfuscation techniques to help cybercriminals avoid detection. – Egress’ Phishing Threat Trends Report
- HTML files were the most common type of attachment found in phishing emails, comprising 37.1% of cases. – Hornetsecurity Cyber Security Report 2024
- In the fourth quarter of 2023, the average top executive in the C-suite saw 42x more phishing attacks using QR codes (Quishing) compared to the average employee. – Dark Reading
Clickbait: Employees Failing Phishing Simulation Tests
- 33.2% of untrained end users will fail a phishing test. – KnowBe4’s State of Phishing Report 2023
- There was a 4% click-through rate on phishing simulation emails. – Fortra’s 2023 Gone Phishing Tournament
- Only 18.3% of emails sent as part of phishing simulations were properly reported by users. – Proofpoint’s 2024 State of the Phish Report
- Organizations with an employee count between 100 and 499 had the highest overall password submission rate (7.3%). – Fortra’s 2023 Gone Phishing Tournament
The Cost of Phishing Attacks
- The average cost of a data breach through a phishing attack is estimated at $4.91 million. – IBM’s Cost of a Data Breach Report 2023
- $17,700 lost every minute due to a phishing attack. – Email Security Best Practices: A Guide to Anti-Phishing Protection
- Losses due to Business Email Compromise (BEC) have hit a record high of $2.9 billion. – Proofpoint
- Phishing-as-a-service subscription prices are as little as $250 per month and provide support for around 200 phishing templates. – Dark Reading
Phishing-Related Breaches and Email Attack Statistics
- Phishing attacks accounted for 36% of all US data breaches in 2023. – Verizon’s 2023 Data Breach Report
- Advanced email attacks have increased by 24% over the first two quarters of 2023 alone. – IRONSCALES Threat Index: Q3 2023 Edition
- 9 out of 10 data breaches in 2023 originated from phishing attacks targeting employees. – Cofense’s 2024 Annual State of Email Security Report
- Spear phishing campaigns make up only 0.1% of all email-based phishing attacks, but they are responsible for 66% of all breaches. – Barracuda’s 2023 Spear-Phishing Trends
A New Era of Cybercrime: AI-Generated Phishing Attacks
- ChatGPT created a phishing login page in less than 10 prompts. – Zscaler ThreatLabz 2024 Phishing Report
- 80% of organizations are concerned about new threats posed by AI. – Mimecast’s 2024 State of Email & Collaboration Security
- A YoY increase of nearly 60% in global phishing attacks, fueled in part by the proliferation of generative AI-driven schemes such as voice phishing (vishing) and deepfake phishing. – Zscaler ThreatLabz 2024 Phishing Report
- AI detectors cannot tell whether a phishing email has been written by a chatbot or a human in three cases out of four (74%). – Egress’ Phishing Threat Trends Report
Email Security Protocols Not Effectively Preventing Attacks
- Over 1.5 million malicious emails have evaded Secure Email Gateways (SEG) in 2023. – SC Media
- There was a 104.5% increase in the number of malicious emails bypassing Secure Email Gateways (SEGs). – Cofense’s 2024 Annual State of Email Security Report
- 12% of Fortune 500 companies have no DMARC protocols in place. – SendLayer
- Among the F500 companies that had DMARC records added, 40% had their policies set to ‘none’. – SendLayer
Prevent Phishing Attacks and Advanced Email Threats with Guardz
Traditional email security methods and protocols just aren’t enough to futureproof your business from evolving phishing attacks.
Stay ahead of the latest phishing scams and email threats with Guardz AI Multilayered Phishing Protection. Secure all inbound emails and web browsing from a unified cybersecurity platform. The Guardz generative AI-powered model is continuously trained and updated with the latest real-world phishing attack data.
Instantly remove malicious emails once they have reached your employees’ or clients’ inboxes with one-click remediation capabilities. Keep malicious emails out of your inbox and give your clients peace of mind with Guardz.
Get a demo today to learn more.
FAQs about Phishing
What are the most common types of phishing attacks in 2025?
Phishing has become a shape-shifting industry. In 2025, AI-crafted phishing emails accounted for nearly 82% of campaigns, according to Security Today. These messages are so realistic that traditional filters miss them entirely. Spear phishing remains a close second, especially in finance and MSP environments, where attackers impersonate executives or vendors to initiate transfers. Business Email Compromise (BEC) continues to drive financial losses, with the average fraudulent wire request now exceeding $83,000 per incident. Meanwhile, QR code (“quishing”) and collaboration-app phishing (via Slack, Teams, or Zoom) are the fastest-growing variants. In short, phishing is no longer about fake princes and PayPal alerts; it’s precision crime on a large scale.
How is AI changing the landscape of phishing and email security?
AI has completely redefined phishing. Attackers are using large language models to produce context-aware, typo-free, and perfectly localized messages in seconds. A 2025 report found nearly 9 in 10 phishing attempts now involve AI-generated or AI-assisted content. Deepfake voice and video impersonations are also growing, with attackers spoofing executives or IT staff to pressure employees into urgent actions. Defenders are responding with AI of their own, utilizing machine learning models that track tone, sender behavior, and communication patterns, rather than just keywords. The result is an escalating cyber arms race where whoever adapts faster wins. Unfortunately, most SMBs aren’t keeping pace, leaving their inboxes wide open.
Why are SMBs primary targets for phishing attacks?
Small and midsize businesses are attractive because they sit in the sweet spot between access and vulnerability. They handle valuable data, customer records, payment info, and vendor accounts, but often lack enterprise-grade security teams or budgets. According to Verizon’s 2025 Data Breach Report, nearly 70% of phishing-related breaches now hit SMBs. Attackers know these organizations rely on email for operations and trust digital invoices or messages from familiar vendors without question. They also exploit the “it won’t happen to us” mindset that leaves many SMBs under-protected. For criminals, SMBs offer a low-effort, high-reward target where one convincing email can lead to major financial gain.
What steps can MSPs take to protect clients from phishing emails?
MSPs can drastically cut risk by combining smart technology with consistent human defense. Start with SPF, DKIM, and DMARC enforcement to block spoofed domains. Use AI-powered phishing detection that evaluates language intent, not just known malicious links. Deploy multi-factor authentication (MFA) for every privileged account and implement Zero Trust access controls to minimize damage from compromised credentials. Regular phishing simulations can reduce click rates by up to 60% when combined with micro-learning. MSPs should also monitor client environments continuously and offer unified visibility across endpoints, email, and identities, like the Guardz platform offers. The MSPs that thrive are the ones who turn security from a product into an ongoing partnership.
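The statistics above note that 40% of F500 DMARC records are set to ‘none’, and the first step recommended here is DMARC enforcement. The following is an added example, not Guardz’s code, that parses a DMARC TXT record and flags the settings that leave a domain spoofable even though a record exists; the domain names and records are constructed, and in practice the record is read from the TXT entry at `_dmarc.<domain>`.

```python
# Constructed sample DMARC TXT records for illustration (not any real domain's record).
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@enforced.example",
    "broken.example": "v=spf1 include:_spf.example -all",  # an SPF record published by mistake
}

def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Classify a record's enforcement strength and list why it is weak."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"policy": None, "enforced": False, "findings": ["not a DMARC record"]}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: spoofed mail is only reported, never blocked")
    pct_raw = tags.get("pct", "100")  # RFC 7489 default is 100
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    if pct < 100:
        findings.append(f"pct={pct_raw}: policy applied to only part of failing mail")
    sub = tags.get("sp", policy).lower()  # sp defaults to the organizational policy
    if sub == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will never arrive")
    enforced = policy in ("quarantine", "reject") and pct == 100 and sub != "none"
    return {"policy": policy or None, "enforced": enforced, "findings": findings}

def weak_domains(records):
    """Return the domains whose DMARC record does not actually enforce a policy."""
    return [d for d, r in records.items() if not assess_dmarc(r)["enforced"]]

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(domain, assess_dmarc(rec))
```

Running the check across a client list gives an MSP the domains still in monitor-only mode; moving them to `p=quarantine` or `p=reject` at `pct=100` is what actually blocks spoofed mail.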
How effective are phishing simulations in preventing real attacks?
Phishing simulations work best when they’re realistic, continuous, and backed by data, and Guardz delivers that in one integrated platform. MSPs can launch automated phishing simulations directly from Guardz, targeting specific users or roles across all client environments. Each simulation mimics real-world tactics attackers use today, from AI-generated emails to QR code phishing, giving users authentic exposure without real risk.
What are the financial impacts of phishing attacks on small businesses?
Phishing can devastate an SMB’s bottom line. IBM’s 2025 Cost of a Data Breach Report estimates the average phishing-related breach costs $4.88 million globally, factoring in recovery, downtime, and legal fees. For SMBs, that figure may be smaller in scale but larger in proportion to annual revenue, often enough to force layoffs or closure. The National Cybersecurity Alliance reports that 60% of small businesses hit by a serious cyber incident close within six months. Even smaller attacks erode customer trust, disrupt operations, and raise insurance premiums. For SMBs, phishing protection isn’t just IT hygiene; it’s financial survival.
What is the difference between phishing, spear phishing, and business email compromise (BEC)?
Phishing: Broad, automated campaigns sent to thousands of recipients, hoping someone clicks a malicious link or downloads malware.
Spear Phishing: Personalized and targeted, often using publicly available information to trick a specific person or team.
Business Email Compromise (BEC): High-stakes fraud where attackers impersonate executives or vendors to trick employees into wiring money or sharing sensitive data.
Think of it this way: phishing casts a wide net, spear phishing aims for one fish, and BEC convinces the fish to hand over the keys to the boat.
Are traditional Secure Email Gateways (SEGs) still effective against modern phishing attacks?
SEGs still serve a purpose, but their limits are showing. They’re effective at filtering spam and known malicious links, but modern phishing often uses clean infrastructure, delayed payloads, or AI-crafted language that evades signature-based detection. In 2025, nearly half of phishing emails bypassed traditional SEGs by exploiting trust signals like shared domains or collaboration tools. The best defense today is behavioral and contextual analysis, where AI learns each user’s communication patterns and flags anomalies in tone, timing, or sender context. SEGs are the lock on the door; modern AI detection is the motion sensor behind it.
Written by
Jordan is a Cybersecurity Content Creator and community builder. He has written for many cybersecurity companies and knows more stats about a data breach than IBM.