Phishing Statistics, Techniques, and AI-Driven Trends

Phishing remains involved in the large majority of reported security incidents, and it continues to evolve faster than most organisations’ training programmes can keep pace with. The technique itself is simple: trick a person into clicking a malicious link, opening a malicious attachment, or handing over credentials by impersonating someone or something they trust. What has changed is the sophistication of the impersonation, not the underlying mechanism.

This page covers how phishing is categorised, what current loss data shows, and how AI and adversary-in-the-middle techniques have changed the threat in the past two years.

Types of Phishing and Why AI Changed the Game

Phishing is a category, not a single technique. Mass phishing sends generic messages to large numbers of recipients, relying on volume. Spear phishing targets specific individuals using research about that person or organisation, and achieves significantly higher success rates as a direct result. Whaling is spear phishing aimed specifically at senior executives.

Generative AI has narrowed the quality gap between targeted spear phishing and cheap, mass-produced attacks. Verizon collaborated directly with Anthropic’s Safeguards Team for the 2026 DBIR, analysing 793 threat actors flagged for AI misuse. The median actor used AI across 15 distinct MITRE ATT&CK techniques. Of AI-assisted initial access specifically, 44% mapped to phishing and 32% to vulnerability exploitation. The finding: AI is a force multiplier on known methods, not a fundamentally new attack surface.

Source: Verizon 2026 Data Breach Investigations Report, conducted in collaboration with the Anthropic Safeguards Team.

Adversary-in-the-Middle Phishing and Phishing-as-a-Service

Adversary-in-the-middle (AiTM) phishing is a technical evolution that defeats standard multi-factor authentication. Rather than just stealing a password, an AiTM proxy sits between the victim and the legitimate login page in real time, capturing the session cookie and authentication token generated after the victim completes MFA. The attacker then replays that session, fully authenticated, without ever needing the original password again.

This technique has been industrialised through named phishing-as-a-service platforms including Tycoon 2FA, FlowerStorm, and Darcula, which package AiTM capability into a rentable kit and significantly lower the technical skill required to run this style of attack at scale.

Beyond email, vishing (voice phishing) and smishing (SMS phishing) extend the same social engineering logic to phone calls and text messages — see our dedicated Social Engineering Research page for the human-manipulation side of these attacks in depth.

Phishing is a social engineering technique where an attacker impersonates a trusted person, brand, or system to trick a victim into clicking a malicious link, opening a malicious attachment, or disclosing credentials. It is typically delivered by email but increasingly also by text message and phone call.

Phishing is broad-based, sending generic messages to large numbers of recipients. Spear phishing targets specific individuals with messages tailored using research about that person or their organisation, achieving significantly higher success rates as a result.

Generative AI drafts grammatically flawless, contextually appropriate phishing content at near-zero cost, narrowing the quality gap between mass phishing and targeted spear phishing. A Verizon-Anthropic joint 2026 analysis found 44% of AI-assisted initial access mapped specifically to phishing.

AiTM phishing uses a real-time proxy positioned between the victim and a legitimate login page to capture the session cookie and authentication token generated after MFA completes, letting the attacker reuse an already-authenticated session without needing the original password.

Verizon's 2026 DBIR found mobile-based phishing simulations produced 40% higher engagement rates than email simulations. Security awareness training has historically focused on spotting suspicious emails, leaving text messages and phone calls comparatively unprotected.