PowerDMARC

Email Phishing and DMARC Statistics: 2025 Security Trends


Key Takeaways

  • Phishing has become the easiest way for attackers to break in, growing from hundreds of thousands of attacks in 2016 to millions of attacks every month by 2023–2025.
  • The average cost of a phishing-related breach was about $4.88 million in 2025.
  • DMARC adoption is crucial for organizations; however, 41% of banking institutions currently lack DMARC protection.
  • Human error remains a major factor in breaches, contributing to 74% of security incidents.
  • AI is shaping phishing tactics, enabling cybercriminals to generate sophisticated phishing emails in as little as 5 minutes.
  • Organizations need a multi-layered approach to strengthen defenses against phishing, combining DMARC with ongoing monitoring and employee education.

Phishing attacks are among the most common and costly cyber threats affecting anyone using the Internet. These attacks, often disguised as legitimate emails, trick people into sharing sensitive information or unknowingly downloading harmful software, with billions lost yearly.

To combat this, organizations are turning to DMARC (Domain-based Message Authentication, Reporting, and Conformance). DMARC is an email authentication protocol designed to prevent email spoofing, a tactic at the heart of most phishing schemes. Yet, despite its effectiveness, many companies have yet to adopt DMARC, resulting in billions of dollars lost each year. DMARC statistics consistently show that email spoofing remains one of the primary entry points for phishing campaigns.

To address this risk, we’ve highlighted the most common phishing tactics, the risks they pose, and how they exploit email vulnerabilities. We will also explain how DMARC can effectively protect your organization from email spoofing, a major contributor to phishing attacks.


Key Cybercrime Statistics

The global number of cyberattacks over recent years tells a clear trend: cyber threats continue to grow in scale and sophistication. Back in 2016, there were about 4.3 million reported attacks worldwide, but just five years later, that number had surged to more than 19 million (a spike largely driven by the massive shift to online activity during the pandemic). And the trend hasn’t slowed. In the first half of 2025 alone, more than 8,000 data breaches exposed roughly 345 million records, underscoring just how serious and persistent cyber threats remain.

Experian’s 2026 Data Breach Industry Forecast points to growing concern about the use of artificial intelligence in cybercrime. The report notes that AI is making attacks more advanced and harder to detect, allowing criminals to create convincing fake identities and automate attacks faster than traditional defenses can respond.

Top crime types

Investment fraud: The costliest category of cybercrime, with $6.5 billion in losses, primarily driven by scams like cryptocurrency “pig butchering” that combine social engineering with digital finance.

Business email compromise (BEC): A persistent threat targeting organizations’ financial processes, resulting in $2.9 billion in reported losses and highlighting how attackers exploit trusted communication channels.

Ransomware: While reported financial losses have risen over recent years, the true cost often stems from operational impacts; in 2025, organizations hit by these attacks were down for an average of 24 days, with lost productivity, stalled operations, and recovery expenses often far outweighing the ransom itself.

These trends show that as technology changes, cyberattacks change with it, and organizations that understand how these threats work are better positioned to protect themselves.

Phishing scams

Not all cyberattacks are created equal, and when we look at the data by type, some interesting patterns emerge.

Phishing attacks grew dramatically during the pandemic, rising from about 0.44 million in 2016 to nearly 9 million by 2023, as more people relied on digital communication. In 2025, phishing is still one of the biggest cyber threats, and it’s expensive. On average, a single phishing-related breach costs organizations around $4.88 million, showing how damaging these attacks can be.

Phishing has become one of the easiest ways for attackers to break in, steal login details, and trigger larger attacks, which is why stopping malicious emails remains a top cybersecurity priority.

Personal data breaches

Personal data breaches ranked second globally, with 1.66 million incidents reported worldwide. Personal data breaches occur when unauthorized parties gain access to sensitive information such as names, email addresses, login credentials, financial details, or medical records. This often shows up as hacked databases, exposed customer records, leaked employee details, or cloud storage that was left open or improperly secured.

Other major cybercrime categories followed:

These numbers make it clear that cybercrime is still largely about two things: exposing data and exploiting it for financial gain.

Cybercrime in the U.S.

In the United States, phishing and spoofing were the most frequently reported cybercrime categories in 2024, according to the FBI’s Internet Crime Complaint Center (IC3). This mirrors global trends, reinforcing phishing as the most widespread and persistent cyber threat, given its low barrier to entry and reliance on human trust.

Other types of cybercrime were still common, even if they showed up less often overall:

Personal data breaches: Continued to impact tens of thousands of individuals, involving unauthorized access to sensitive personal or financial information.

Tech support fraud: A common scam type in which attackers pose as legitimate technical support to extract payments or remote access from victims.

Non-payment/non-delivery scams: Still widely reported, particularly in online marketplaces, where victims pay for goods or services that are never delivered.

Extortion: Reports remained steady, including threats tied to data exposure, account compromise, or known ransomware tactics.

Cybercrime worldwide

Globally, cybercrime has impacted a significant share of adults, with some types more common than others. For instance, 41% of online adults report experiencing viruses or malware on their devices. Phishing scams are also common, affecting about 30% of users, while mobile/SMS scams have impacted 35%.

The cost of cybercrime

Cyberattacks have become increasingly sophisticated and, with that, increasingly costly. In 2018, global cybercrime costs were estimated at $860 billion. By 2024, that figure had risen to an estimated $9.22 trillion, and projections for 2025 place global cybercrime costs at approximately $10.5 trillion annually, reflecting nearly a tenfold increase in just a few years. 

Recent major incidents

The first quarter of 2025 brought another wave of high-profile cyberattacks and data breaches, affecting millions of individuals and organizations around the world. Attackers took advantage of everything from software vulnerabilities to weak third-party security, showing just how many entry points still remain exposed.

Similar breaches continue to target both large global enterprises and critical third-party systems, resulting in wide-ranging impacts on privacy, trust, and operational continuity.

Phishing Statistics

Phishing activity continued to rise sharply in 2025, with over 1 million phishing attacks reported in Q1 alone, according to APWG data. This shows that phishing remains popular because it easily exploits trust and everyday online habits.
Scammers relied heavily on attention-grabbing words like “Urgent,” “Sign,” “Password,” “Document,” and “Delivery” to lure people in, along with financial terms like “Payment,” “Wire transfer,” “BACS,” “Credit,” and “Purchase.”

These words were strategically chosen to prompt people to act without second-guessing, a reminder of how sophisticated phishing tactics have become in their pursuit of personal and financial information.

Email phishing statistics

Data from the APWG Phishing Activity Trends Reports shows a steady and accelerating rise in phishing attacks over the past several years, with email remaining the primary delivery method.

Phishing is no longer cyclical or temporary. It has become a permanent, high-volume threat that organizations must actively manage year after year.

Phishing site trends track the number of unique websites created specifically to host phishing pages, giving insight into how actively attackers are building infrastructure to support scams. These sites are often short-lived, frequently taken down and replaced, which makes their volume a useful indicator of phishing activity over time.

The number of unique phishing sites has fluctuated over the years, with a notable peak in 2022 and early 2023, when more than one million sites were detected per quarter. After this surge, activity declined steadily from Q3 2023 through Q2 2024, dropping to around 877,536 unique sites, suggesting a temporary slowdown in new site creation.

However, this decline did not last. According to the APWG Q2 2025 report, over one million unique phishing websites were detected again in Q2 2025, signaling a renewed increase in phishing infrastructure. This increase shows that attackers adapt quickly, creating new sites as defenses improve, which keeps phishing an ongoing threat.

Phishing attacks by industry

Phishing remains one of the most widely used attack methods across industries, largely because it targets people rather than systems. In 2025, attackers increasingly rely on AI-driven phishing tactics, including highly personalized emails, realistic brand impersonation, and messages generated at scale that closely mimic internal communication styles. These techniques have made phishing harder to spot and more effective as an entry point for broader attacks.

Phishing continues to affect nearly every sector, though its role and frequency vary by industry:

To reduce phishing risk, organizations across all industries benefit from a layered approach. This includes employee awareness training tailored to real attack patterns, strong email authentication and filtering, regular testing through simulated phishing, and clear internal reporting processes. As phishing tactics continue to evolve with AI, prevention depends as much on informed users as it does on technical controls.

Targeted online industry sectors

In Q2 2025, phishing attacks most frequently targeted financial institutions (18.3%), closely followed by SaaS/Webmail platforms (18.2%). E-commerce and retail accounted for 14.8% of attacks, while payment services represented 12.1%, and social media platforms 11.3%. These sectors continue to attract attackers because they support high volumes of digital transactions, store valuable credentials, and provide direct paths to financial fraud and account takeover.

Most targeted countries

In 2025, the countries most frequently targeted by cyberattacks are led by the United States, followed by Ukraine, Israel, Japan, and the United Kingdom. Other countries consistently appearing among the most targeted include Saudi Arabia, Brazil, India, Germany, and Poland. 

This ranking reflects overall attack volume and risk concentration rather than the share of individual users who were phished, and it’s tied to factors such as large digital economies, high-value industries, and conflict-driven spikes in malicious activity.

Top domains used in phishing

Phishing sites continue to rely on familiar top-level domains to appear legitimate, but abuse is increasingly concentrated in a mix of legacy and newer TLDs. Between February and April 2025, “.com” remained the most abused TLD by volume, with more than 142,000 phishing domains reported, reflecting its massive global footprint. However, alternative and newer TLDs now account for a disproportionate share of phishing activity, including “.top,” with over 70,000 phishing domains, as well as “.xyz,” “.bond,” and “.vip,” which show significantly higher phishing density relative to their size. 

This shows how attackers are pairing user trust in common domains with the low cost and weaker oversight often associated with newer or niche TLDs.

Most targeted brands

Phishing campaigns increasingly rely on brand impersonation to build credibility and increase success rates. Rather than targeting a broader range of brands, recent activity shows a concentration around a smaller set of globally trusted platforms that anchor users’ digital lives.

By Q2 2025, attackers overwhelmingly focused on technology, communication, and consumer platforms with massive daily user bases. This suggests less emphasis on expanding the number of brands targeted, and more focus on high-impact impersonation of brands that grant access to email, cloud services, payments, and personal data.

Most impersonated brands in online phishing (Q2 2025)

Attackers continue to prioritize brands with global reach and habitual user interaction. In Q2 2025, the most impersonated brands were:

Microsoft – 25%

Google – 11%

Apple – 9%

Spotify – 6%

Adobe – 4%

LinkedIn – 3%

Amazon – 2%

Booking.com – 2%

WhatsApp – 2%

Facebook – 2%

This shows a clear change from earlier years, when retail brands were the main phishing targets. Today, attackers focus more on account-based platforms, aiming to steal logins, take over accounts, and use them for further fraud.

Notable brand phishing campaigns in Q2 2025

Spotify phishing returned to the top rankings for the first time since 2019, with attackers replicating official login pages and routing victims through fake payment flows to harvest both credentials and card details. The campaign demonstrated how convincingly entertainment brands can be weaponized when users expect regular billing or account alerts.

Booking.com impersonation surged sharply, with researchers identifying more than 700 newly registered domains designed to mimic booking confirmation pages. These scams stood out for their use of personalized victim data, which heightened urgency and believability, especially for travelers expecting legitimate confirmation emails.

Countries of origin for phishing attacks

According to the latest figures, China is the largest source of global cyberattack traffic, accounting for over 40% of observed activity. Russia follows at around 15%, and the United States accounts for about 10%, largely because compromised U.S.-based systems are often hijacked and used to launch attacks.

Other notable sources include India (about 5% of global phishing and malware activity), Brazil (the leading source within Latin America, representing around 30% of regional attacks), and Vietnam, which is described as a fast-rising origin point for cyberattack activity.

Phishing attacks using AI

According to a study, 95% of IT leaders say cyberattacks are now more sophisticated than ever, and AI-powered attacks have increased by 51% in recent years. This shift has left many IT leaders feeling exposed, with 35% saying they’re worried about their ability to stop these attacks effectively.

That concern lines up with what newer trend reporting is seeing: deepfake impersonations increased by 15% over the last year, and these incidents often go after high-value individuals, especially in finance and HR, where access and approvals can unlock money, payroll changes, or sensitive records. 

Time-saving advances with AI-generated phishing

Manually writing a convincing phishing email takes around 16 hours on average. With AI tools, a convincing message can be produced in as little as 5 minutes, saving cybercriminals almost two full days per email.

That time advantage makes it easier to run large campaigns, test different versions of the same lure, personalize messages faster, and scale attacks across email plus other channels without spending much effort per target.

Phishing and QR codes

QR code phishing is a technique where attackers hide malicious links inside QR codes and distribute them through emails, documents, flyers, or invoices. When a user scans the code with a phone, they are redirected to a phishing site or a page that prompts them to enter credentials or payment details. Because QR codes are images rather than readable URLs, users cannot easily see where the link leads before scanning, and many email security tools struggle to inspect them effectively.

Creating a QR code requires little effort or expertise. Publicly available QR code generators allow anyone to turn a URL into a scannable image in seconds. These tools are widely used for legitimate purposes such as payments, event access, and marketing, but attackers exploit the same services to disguise phishing links. Some generators also allow the destination link to be changed after the QR code is created, making it easier to rotate phishing pages and evade detection.

Recent industry reporting shows how quickly this tactic has scaled. During Q2 2025, security researchers recorded over 635,000 unique malicious QR codes embedded in phishing emails. Looking at a broader window, more than 1.7 million unique malicious QR codes were observed over the six-month period spanning Q4 2024 and Q1 2025. These figures demonstrate that QR codes are no longer a niche phishing technique, but a widely used delivery method as attackers shift toward mobile-first and image-based deception.

DMARC Statistics

As phishing and domain spoofing continue to evolve, managed DMARC solutions have become an important part of modern email security. They allow organizations to monitor authentication results, identify unauthorized sending sources, and ensure legitimate messages are delivered without unnecessary disruption.

Updated email authentication standards were introduced in early 2024 by Google and Yahoo. Under these rules, any organization sending more than 5,000 emails per day to Gmail or Yahoo Mail users is required to implement DMARC. Enforcement hasn’t been a sudden, all-or-nothing shift; mailbox providers have been tightening compliance gradually instead of blocking everything on day one.

Since these updates rolled out, providers have reported a 65% reduction in unauthenticated email reaching Gmail inboxes—a clear sign of how quickly stronger authentication requirements can reshape what actually gets delivered.

These rules extend beyond basic SPF, DKIM, and DMARC alignment. Bulk senders must also keep spam complaint rates below 0.3% and support one-click unsubscribe functionality. Senders that fail to meet these standards risk having messages throttled, rejected, or routed directly to spam folders, even if authentication is technically in place. This shift signals a move from simple identity verification toward broader sender behavior and hygiene enforcement.
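The sender requirements described above can be checked mechanically before a bulk message leaves the gateway. The following is an added example, not PowerDMARC's or the mailbox providers' code: it reads an outgoing message with Python's standard `email` module, verifies that the From domain has a DMARC record (DNS is replaced by a constructed dictionary), that the message carries the RFC 8058 one-click unsubscribe headers (`List-Unsubscribe` with an https URI plus `List-Unsubscribe-Post: List-Unsubscribe=One-Click`), and that the sender's complaint rate is below the 0.3% threshold. Both messages and the domains in them are constructed.

```python
# Added example (not PowerDMARC's code): check an outgoing bulk message against
# the 2024 Gmail/Yahoo bulk-sender requirements listed in the article: a DMARC
# record, RFC 8058 one-click unsubscribe headers, and a complaint rate < 0.3%.
# DNS is mocked with a dict and both messages are constructed for illustration.
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS: domain -> TXT record found at _dmarc.<domain>
DMARC_RECORDS = {
    "news.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
}

GOOD_MESSAGE = """From: Example News <newsletter@news.example.com>
To: user@mailbox.test
Subject: March update
List-Unsubscribe: <https://news.example.com/unsub?id=123>, <mailto:unsub@news.example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Message-ID: <constructed-1@news.example.com>

Hello
"""

BAD_MESSAGE = """From: Someone <promo@unauth.test>
To: user@mailbox.test
Subject: Offer
List-Unsubscribe: <mailto:stop@unauth.test>

Hi
"""


def from_domain(msg):
    """Domain of the RFC 5322 From address, which is the identity DMARC protects."""
    return parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()


def has_one_click_unsubscribe(msg):
    """RFC 8058: an https URI in List-Unsubscribe plus the One-Click POST header."""
    unsub = msg.get("List-Unsubscribe", "")
    post = msg.get("List-Unsubscribe-Post", "").strip()
    return "<https://" in unsub and post == "List-Unsubscribe=One-Click"


def bulk_sender_findings(raw_message, complaints, delivered, dns=DMARC_RECORDS):
    """Return the requirements the message/sender fails; an empty list means compliant."""
    msg = message_from_string(raw_message)
    domain = from_domain(msg)
    findings = []
    record = dns.get(domain, "").lower()
    if not record.startswith("v=dmarc1") or "p=" not in record:
        findings.append(f"no DMARC record published for {domain}")
    if not has_one_click_unsubscribe(msg):
        findings.append("missing RFC 8058 one-click unsubscribe headers")
    rate = complaints / delivered if delivered else 0.0
    if rate >= 0.003:
        findings.append(f"spam complaint rate {rate:.2%} is at or above the 0.3% limit")
    return findings


if __name__ == "__main__":
    print("good:", bulk_sender_findings(GOOD_MESSAGE, complaints=2, delivered=10000))
    print("bad: ", bulk_sender_findings(BAD_MESSAGE, complaints=50, delivered=10000))
```

The complaint rate is something only the sender's own feedback-loop data (or Google Postmaster Tools) can supply, so it is passed in as two counters rather than derived from the message.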

Despite this momentum, adoption remains uneven. Deliverability data shows DMARC usage continued to grow, but coverage is far from universal. Q2 2025 analysis indicates that only about 18% of the world’s 10 million most-visited domains publish a valid DMARC record, and just around 4% fully enforce a reject policy. This leaves the vast majority of domains still vulnerable to spoofing and brand impersonation.

As enforcement continues to tighten across major mailbox providers, these requirements are expected to affect all organizations that rely on email, not just high-volume marketers. Companies that delay implementing and enforcing SPF, DKIM, and DMARC risk increasing delivery issues, higher phishing exposure, and reduced trust in their domains as authentication standards continue to mature.

DMARC adoption by country

DMARC adoption continues to vary widely by region, with only a small number of countries showing both broad coverage and meaningful enforcement.

Among the countries analyzed, Sweden stands out for consistently higher DMARC adoption and stronger use of enforcement policies, particularly when compared with peers. Norway also shows relatively strong enforcement in key sectors, especially finance and healthcare, though gaps remain elsewhere.

By contrast, the Netherlands demonstrates high awareness but uneven implementation, with a large share of domains still lacking DMARC and limited enforcement across several sectors.

Even in the most advanced markets, no country has achieved the level of universal coverage and enforcement required to fully prevent large-scale spoofing and brand impersonation, emphasizing that coordinated policy, sustained awareness, and consistent enforcement are still works in progress rather than finished outcomes.

Recent country-level DMARC research (PowerDMARC)

Recent country-specific research by PowerDMARC highlights how cyber risk profiles and existing email-security maturity shape DMARC adoption and enforcement outcomes:

Norway

Morocco

Tunisia

Netherlands

Sweden

Peru

Belgium

New Zealand

Italy

Germany

One pattern shows up consistently across the data: when countries move beyond simple monitoring and actually enforce DMARC policies, the security gains are real and measurable. Domains with strict DMARC enforcement see fewer successful spoofing attempts, stronger sender reputations, and better inbox placement for legitimate email — clear proof that enforcement, not just adoption, is what makes the difference. By contrast, regions where DMARC remains in “monitor only” mode continue to see high levels of brand abuse despite having SPF and DKIM in place.

The takeaway is clear. Adoption alone is not enough. The countries making real progress are those that pair existing email authentication with active DMARC enforcement, setting a practical example for others still vulnerable to email-based attacks.

DMARC coverage by industry

DMARC adoption has improved across several industries, but coverage and enforcement remain uneven, even in high-risk sectors like banking.

While banking remains one of the strongest sectors relative to others, current protection levels still fall short of what is required to reliably safeguard sensitive financial interactions at scale.

Other industries continue to lag behind:

Overall, adoption alone is no longer the core issue. The persistent gap lies in moving from presence to enforcement, particularly in industries where email trust directly translates into financial, operational, or public-safety risk.

Regarding DMARC implementation, most domains lack strict enforcement, limiting its full security benefits. A majority (68.2%) use a “none” DMARC policy, allowing emails that fail DMARC checks to be delivered without restriction. Only 12.1% use “quarantine” to send suspicious emails to spam, and just 19.6% have a strict “reject” policy to block non-compliant emails.
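The difference between a monitor-only record and an enforced one is visible in the record's tags, and the alignment rules that decide pass or fail are short enough to write out. The block below is an added example, not PowerDMARC's code: it parses a DMARC TXT record, lists the settings that keep it short of enforcement (`p=none`, `p=quarantine`, `pct` below 100, `sp=none`, no `rua`), and evaluates a message's SPF/DKIM results against the record using the RFC 7489 alignment rules. The two records and all domains are constructed; the organizational-domain helper is a two-label approximation rather than a Public Suffix List lookup.

```python
# Added example (not PowerDMARC's code): parse a DMARC record, list the
# weaknesses that keep it short of "enforced", and evaluate a message's
# SPF/DKIM results against it using the alignment rules from RFC 7489.
# All domains and records below are constructed for illustration.


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=...' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    if "p" not in tags:
        raise ValueError("DMARC record lacks the required p= tag")
    return tags


def policy_findings(tags):
    """Return the settings a domain owner should tighten before relying on DMARC."""
    findings = []
    p = tags["p"].lower()
    if p == "none":
        findings.append("p=none: failing mail is still delivered (monitor only)")
    elif p == "quarantine":
        findings.append("p=quarantine: failing mail goes to spam instead of being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if tags.get("sp", p).lower() == "none" and p != "none":
        findings.append("sp=none: subdomains can be spoofed although the apex is enforced")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so spoofing attempts go unseen")
    return findings


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    Production code should consult the Public Suffix List (think co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode.lower() == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_evaluate(tags, header_from, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """DMARC passes when SPF passes with an aligned MAIL FROM domain, or DKIM passes
    with an aligned d= domain. Otherwise the published p= policy decides the action."""
    spf_ok = spf_pass and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return ("fail", action[tags["p"].lower()])


# Constructed records: a monitor-only record beside a fully enforced one.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCED = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for record in (MONITOR_ONLY, ENFORCED):
        tags = parse_dmarc(record)
        print(record, "->", policy_findings(tags) or "enforced")
        # A spoofed message: From: example.com, but SPF and DKIM identify attacker.test
        print("  spoof:", dmarc_evaluate(tags, "example.com", "attacker.test", True, "attacker.test", True))
```

Running it shows the point the statistics make: the same spoofed message is reported as a DMARC failure under both records, but only the `p=reject` record turns that failure into a rejection; under `p=none` it is delivered anyway.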

Although adopting stricter policies like p=quarantine or p=reject is essential for enforcement, many companies remain hesitant to make the shift:


AI and Phishing Attacks

According to a 2024 study, 95% of IT leaders report that cyberattacks are now more sophisticated than ever. The study highlights that AI-powered attacks have been increasing with a 51% rise over recent years. This shift has left many IT leaders feeling vulnerable, with 35% expressing concern about their ability to counteract such attacks effectively.

Time-saving advances with AI-generated phishing

Manually crafted phishing emails take an average of 16 hours to produce. However, with AI, a deceptive phishing email can be generated in as little as 5 minutes—saving cybercriminals nearly two days per email. This efficiency leap opens up large-scale attacks with minimal time investment.

Cybercrime Awareness and Prevention

The median time it takes for users to fall for phishing emails is alarmingly quick, often less than 60 seconds.

According to studies, human error is a critical vulnerability, playing a role in 74% of all breaches. Despite security training, people are still likely to click on phishing links due to ingrained habits or well-crafted social engineering tactics.

Only 1 in 4 employees feel that their organizations are fully prepared for phishing threats across channels. Compounding the issue, only 29% of phishing emails are accurately reported by employees, emphasizing gaps in both awareness and detection skills.

Prevent phishing attacks

Although complete cybersecurity protection is impossible, quick detection and response can dramatically reduce the impact of breaches on organizations and their customers. Luckily, DMARC offers an essential solution to the problem. 

Recent DMARC statistics bring to life the impact of DMARC on email security. Since implementing new sender requirements, Gmail has witnessed a 65% reduction in unauthenticated messages delivered. This substantial decline demonstrates the effectiveness of DMARC in reducing fraudulent emails. 

But it does not stop there! 50% more bulk senders have started adhering to best security practices, signaling a broader industry-wide adoption of DMARC and related protocols. Perhaps the most striking is the scale of change DMARC has brought to the global email ecosystem, with 265 billion fewer unauthenticated messages sent in 2024. This lower volume has been sustained and continues to face downward pressure, suggesting that DMARC enforcement is delivering a lasting structural reduction in unauthenticated email traffic.

Enhance email security

While DMARC plays a crucial role in email authentication, its effectiveness is significantly enhanced when combined with additional protocols like MTA-STS (Mail Transfer Agent Strict Transport Security) and BIMI (Brand Indicators for Message Identification). 

MTA-STS works by enforcing strict security policies for email transmission, ensuring that emails are transmitted over secure, encrypted channels. This eliminates the risk of emails being intercepted or tampered with during transit, adding another layer of protection.
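What MTA-STS actually enforces lives in two small artifacts: a DNS TXT record that announces a policy id, and a policy file served over HTTPS that lists the allowed MX hosts and a mode. The block below is an added example, not PowerDMARC's code: it parses both formats as defined in RFC 8461, matches an MX hostname against the policy's `mx` patterns (a `*.` wildcard covers exactly one label), and shows why only `mode: enforce` blocks a downgrade, while `mode: testing` still delivers and merely reports. The record, policy text and hostnames are constructed, and the DNS and HTTPS fetches are left out.

```python
# Added example (not PowerDMARC's code): parse an MTA-STS DNS record and policy
# file (RFC 8461) and decide what a sending MTA should do with a given MX host.
# Record, policy text and hosts are constructed; DNS/HTTPS fetching is omitted.

# Constructed _mta-sts.example.com TXT record and the policy that would be served
# at https://mta-sts.example.com/.well-known/mta-sts.txt
STS_TXT = "v=STSv1; id=20250101T000000Z"
POLICY_TESTING = (
    "version: STSv1\n"
    "mode: testing\n"
    "mx: mx1.example.com\n"
    "mx: *.backup.example.com\n"
    "max_age: 86400\n"
)
POLICY_ENFORCE = POLICY_TESTING.replace("mode: testing", "mode: enforce")


def parse_sts_txt(txt):
    """The DNS record only announces the policy (v= and id=); a changed id means re-fetch."""
    tags = dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)
    if tags.get("v") != "STSv1" or "id" not in tags:
        raise ValueError("invalid MTA-STS TXT record")
    return tags


def parse_policy(text):
    """Policy file: 'key: value' lines; 'mx' may repeat, one pattern per line."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    policy["max_age"] = int(policy.get("max_age", "0"))
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy needs at least one mx pattern")
    return policy


def mx_matches(policy, mx_host):
    """'*.example.com' matches exactly one extra label, as RFC 8461 requires."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy, mx_host, tls_valid):
    """Only mode=enforce refuses delivery; testing delivers and reports via TLSRPT."""
    if policy["mode"] == "none":
        return "deliver"
    if mx_matches(policy, mx_host) and tls_valid:
        return "deliver"
    if policy["mode"] == "enforce":
        return "refuse: no plaintext fallback"
    return "deliver, report failure"


def sts_findings(policy):
    """Settings that leave the domain short of the protection MTA-STS can give."""
    findings = []
    if policy["mode"] == "testing":
        findings.append("mode=testing: downgrade to plaintext is still possible")
    return findings


if __name__ == "__main__":
    print(parse_sts_txt(STS_TXT))
    for text in (POLICY_TESTING, POLICY_ENFORCE):
        policy = parse_policy(text)
        print(policy["mode"], "->", delivery_decision(policy, "rogue-mx.test", True),
              "|", sts_findings(policy) or "enforced")
```

The `rogue-mx.test` case is the scenario MTA-STS exists for: a host that is not in the published MX list (for example one injected through a tampered MX lookup) is refused under `enforce`, but still receives the mail under `testing`.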

On the other hand, BIMI helps brands improve both email security and visibility by displaying their logo next to authenticated emails in the inbox. This gives recipients a clear visual signal that the message is legitimate, making it easier to recognize trusted communications and build customer confidence.

The challenges of manual implementation

While DMARC, MTA-STS, and BIMI offer clear benefits, manual implementation of these protocols can be complex and error-prone. 

Setting up these protocols requires deep technical knowledge, especially when it comes to configuring DNS records and analyzing feedback reports. Without expert oversight, organizations risk exposing their email systems to potential threats.

Given the complexities involved, manual implementation is no longer viable for most businesses. This is where automated and managed email authentication services, such as PowerDMARC, come into play. 

PowerDMARC offers streamlined solutions for setting up and maintaining DMARC, MTA-STS, and BIMI, allowing you to fully leverage these protocols without the technical burden. PowerDMARC not only simplifies deployment but also provides continuous monitoring, real-time insights, and expert support, ensuring that email security remains robust and up to date.

What makes PowerDMARC stand out?

With numerous awards, glowing testimonials, and a proven track record of success, PowerDMARC is trusted by 10,000+ customers worldwide looking to enhance their email security.

G2 has recognized PowerDMARC as a leader in DMARC software for Fall 2024, highlighting our dedication to delivering top-tier email authentication solutions.

Get in touch to make the switch to PowerDMARC today and take control of your email domain. Protect your business, build trust, and ensure your communications remain secure.

What clients are saying

Came for the aggregated DMARC reporting, stayed because of all the other features included!
Drew Saum (CEO of ADI Cyber Services)

Most comprehensive and excellent support!
Ben Fielding, Fractional CTO

PowerDMARC has been a game-changer for our IT team!
Sebastián Valero Márquez, IT Manager at HispaColex Tech Consulting

Since implementing PowerDMARC for all of our clients, it’s created a much easier process for both onboarding, monitoring, and making changes, even if we aren’t in control of the DNS services.
Joe Burns, Co-founder and CEO of Reformed IT


Final Thoughts

Phishing is a serious and costly threat, and attacks are becoming more sophisticated, especially with AI. Unfortunately, many organizations are still not fully prepared, lagging behind on essential defenses like advanced email filters, regular employee training, and secure login protocols, leaving them vulnerable to these attacks.

One powerful step companies can take is implementing DMARC (Domain-based Message Authentication, Reporting, and Conformance). DMARC helps verify that incoming emails genuinely come from the claimed sender, blocking many phishing attempts before they reach inboxes. 

However, to truly stay ahead of increasingly sophisticated tactics, organizations need to adopt a multi-layered approach, combining DMARC with vigilant monitoring, ongoing threat education, and a range of security tools. A single phishing email that slips through the cracks can lead to severe consequences, so it’s critical for companies to stay alert and continuously strengthen their defenses.

Frequently Asked Questions

How to view DMARC reports?

DMARC reports are sent to the email address specified in your DMARC record and arrive as XML files, usually daily.

How to know if DMARC is working?

DMARC is working if reports show emails passing SPF or DKIM alignment, and unauthenticated messages are being quarantined or rejected according to your policy.

What tool is used to read DMARC reports?

DMARC reports are read using a DMARC report analyzer, which converts raw XML files into clear, human-readable dashboards and summaries.
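To make the "raw XML" concrete, here is an added example (not PowerDMARC's analyzer) that reads an aggregate report in the RFC 7489 Appendix C format and produces the summary an analyzer would show: per sending source, how much mail was seen, whether it passed aligned SPF/DKIM, and which disposition the receiver applied. The report below is constructed; real reports arrive as `.xml`, `.xml.gz` or `.zip` attachments, and the loader handles the plain and gzip cases. Because reports come from outside parties, a production parser should use `defusedxml` rather than the standard library's parser, which is noted in the code.

```python
# Added example (not PowerDMARC's code): read a DMARC aggregate (rua) report
# and summarize which sending sources passed aligned SPF/DKIM and which failed.
# The XML below is constructed to follow the RFC 7489 Appendix C schema.
import gzip
import xml.etree.ElementTree as ET  # prefer defusedxml for externally supplied reports

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>unrelated.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def load_report(data):
    """Accept report text or bytes; transparently decompress a gzip attachment."""
    if isinstance(data, str):
        data = data.encode()
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return ET.fromstring(data)


def summarize(root):
    """One entry per sending source: count, aligned results, disposition applied."""
    meta = root.find("report_metadata")
    published = root.find("policy_published")
    summary = {
        "reporter": meta.findtext("org_name"),
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "sources": [],
        "passed": 0,
        "failed": 0,
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        dkim, spf = evaluated.findtext("dkim"), evaluated.findtext("spf")
        # policy_evaluated already reflects alignment: DMARC passes if either is 'pass'
        passed = "pass" in (dkim, spf)
        summary["passed" if passed else "failed"] += count
        summary["sources"].append({
            "source_ip": row.findtext("source_ip"),
            "count": count,
            "dkim_aligned": dkim,
            "spf_aligned": spf,
            "disposition": evaluated.findtext("disposition"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),  # who SPF actually vouched for
        })
    return summary


def unauthorized_sources(summary):
    """Sources whose mail failed DMARC: spoofers, or a forgotten legitimate service."""
    return [s["source_ip"] for s in summary["sources"]
            if "pass" not in (s["dkim_aligned"], s["spf_aligned"])]


if __name__ == "__main__":
    report = summarize(load_report(SAMPLE_REPORT))
    print(f"{report['reporter']} saw {report['passed']} pass / {report['failed']} fail for {report['domain']}")
    print("failing sources:", unauthorized_sources(report))
```

In the constructed report the second source passes SPF for `unrelated.test` but the message claims to be from `example.com`; the report therefore records an aligned failure and a `reject` disposition, which is exactly the "unauthenticated messages are being rejected according to your policy" signal the previous answer describes.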

What is the difference between DKIM and DMARC?

DKIM verifies that an email hasn’t been altered in transit, while DMARC builds on DKIM (and SPF) to tell receiving servers what to do when authentication fails and to send reports back to the domain owner.

Sources

IBM

Experian

Cybercrime Magazine

IC3

APWG 1st Quarter Report

APWG Trends Reports

APWG 2nd Quarter Report

Cybercrime Information Center
