One single click in an email can break your business. And while we may not think about it often, opening an email and clicking on an apparently innocent link can open the door to the dreaded ransomware or grant access to third parties to our business accounts and sensitive data. In fact, 90% of cyberattacks use email phishing as a vector of attack.
The data doesn’t lie, and given the circumstances, incorporating an email security solution has become a genuine necessity at the business level. Emails are not only the main means of introducing malware into a business’s endpoints. They also constitute 52% of the cyber threats received on a quarterly basis. That is why more than half of businesses globally have already subscribed to a security and anti-phishing service for their inboxes.
Main Email Security Statistics (2025)
- 90% of cyberattacks use email phishing. (CISA)
- In 2024, 94% of companies were victims of phishing. (Cyfox)
- In 2024, 64% of businesses were victims of a BEC attack, resulting in losses of $150,000 per incident. (Hoxhunt)
- 41% of banks worldwide lack DMARC protection. (SendLayer)
- The email security market is valued at $5.17 billion in 2025 and is expected to reach $10.68 billion by 2032. (Fortune Business Insights)
Cyber Threat and Email Phishing Statistics
Phishing is the most common practice among cybercriminals to obtain our data. It consists of tricking the victim by impersonating a trusted entity or business, so that they share sensitive information such as personal data, passwords, or credit card numbers.
It is estimated that 3.4 billion phishing emails are sent every day
According to a report by Valimail, 3.4 billion phishing emails are sent daily in search of new victims. Put in perspective, this means that more than 1% of all emails sent are phishing attempts to obtain our data.
90% of cyberattacks are phishing via email
Email phishing is the most popular attack vector among criminals. Sources like CISA echo that 90% of cyberattacks worldwide are of this kind. The most commonly used is known as Spear Phishing, in which personalized information about the victim (such as name, address, etc.) is added to lend credibility to the malicious email and gain the victim’s trust.

94% of companies have been victims of phishing in 2024
The evolution and scope of email phishing seem relentless. The cybersecurity firm Cyfox has recently announced that 94% of companies have been victims of phishing throughout 2024. This data is complemented by information from Norton, where we can see how 88% of companies are victims of spear phishing every year. This reveals that daily, businesses around the world receive 1 or more phishing attacks via email.
20% of companies suffer unauthorized access to their accounts (ATO) every month due to phishing
One of the direct consequences of phishing is the theft of, or unauthorized access to, accounts, known as Account Takeover or simply ATO. The 2025 Email Threats Report by the cybersecurity firm Barracuda shows that an alarming 20% of companies globally suffer account theft each month due to email phishing.
Among the main actions by cybercriminals upon accessing a business account, we find:
- Changes to business rules and configurations: 27%
- Sending spam and malicious emails: 17%
- Other business risks: 56%

Microsoft is the most impersonated brand in email phishing attacks
One of the most commonly used phishing tactics by cybercriminals is impersonating a trusted brand. According to the 2024 State of Phish report by Proofpoint, Microsoft is the entity that has been most often impersonated, with over 68 million fake emails sent impersonating this brand. In second and third places are Adobe, with 9.4 million emails sent, and DHL, with 8.8 million.
Next, we present the data collected by Proofpoint:
Brand impersonation via phishing (in millions of emails sent)
- Microsoft: 68 million emails.
- Adobe: 9.4 million emails.
- DHL: 8.8 million emails.
- Google: 6.1 million emails.
- AOL: 4.4 million emails.
- DocuSign: 3.5 million emails.
- Amazon: 3.1 million emails.

Almost 50% of email threats target credential theft
A recent study published by Proofpoint shows that, out of more than 2 million email threats, almost 50% target credential theft.
Next, we detail the results of this report:
| OBJECTIVE | NUMBER OF EMAIL THREATS (in millions) |
|---|---|
| Credential theft | 930.707 |
| Malware | 52.646 |
| Bank fraud | 15.700 |
| Botnet | 2.735 |
| Remote Access Trojan (RAT) | 4.531 |
| Malware downloader | 3.513 |
| Stealer | 2.779 |
| MalSpam | 6.161 |
| Keylogger | 2.170 |
| Backdoor | 74 |
| Ransomware | 167 |
| Telephone spoofing and fraud | 54 |
| Payment fraud | 4 |
| Others | 876.773 |

The approximate cost of each security breach due to phishing is $4.88 million
The immediate consequence of a malicious email attack is a security breach. Each of these breaches has immediate, devastating implications, ranging from considerable financial loss to the permanent closure of a business. According to a report published by IBM, the average cost of a security breach is approximately $4.88 million, increasing by 10% annually.
Statistics on Business Email Compromise (BEC) Attacks
Now that we have seen the most important and general data regarding phishing, it’s time to delve into its specific version for businesses: BEC attacks. This specific type of phishing targets employees of businesses of all sizes, aiming to persuade them to share confidential information or conduct monetary transactions with a fraudulent entity.
64% of companies have fallen victim to a BEC attack in 2024
According to a recent report by Hoxhunt, 64% of companies worldwide have been victims of a BEC attack in the past year. Each of these attacks cost the affected companies an average of $150,000 in total. But that’s not all; according to data collected by IBM, BEC attacks cost a total of $4.67 million annually.
In the United States alone, 21,489 companies were victims of a BEC attack in the same year
The magnitude of BEC attacks is, like other types of phishing, colossal. As noted by Statista, in 2023 alone, 21,489 companies in the U.S. fell victim to this type of email attack. This represents a nearly 11% increase in BEC attacks over just 3 years.
Below, we detail the results for the number of BEC victims by year:
- 2020: 19,369 affected companies.
- 2021: 19,954 affected companies.
- 2022: 21,832 affected companies.
- 2023: 21,489 affected companies.

The amount requested through a BEC attack has increased by 60% in just 1 month
The cybersecurity giant Fortra has compiled highly relevant data in its BEC Global Insights Report on the evolution of business email attacks. One of the most notable findings is that the amount requested by criminals increased by 60% from January 2025 to February of the same year.
Statistics on the Use of Artificial Intelligence (AI) in Email Attacks
The arrival of generative AI has led to an exponential increase in email attacks. By using it, hackers and criminals can create hyper-personalized emails, solving problems like spelling errors and mimicking the language of executives to imitate a company’s identity.
83% of phishing attacks have been written using artificial intelligence
A recent study by KnowBe4 analyzed data from more than 13.2 million users across 31,000 organizations worldwide. In it, we can see how 83% of emails written between September 2024 and February 2025 used generative artificial intelligence for their drafting. When comparing this data with that of the previous year, KnowBe4 indicates a 54% increase in the use of AI to create malicious emails.
91% of polymorphic emails have been written by AI
Polymorphic emails consist of a series of similar emails but with small differences that make them undetectable by most security software and platforms. By the end of 2024, 74.3% of phishing emails contained some type of polymorphic element. As pointed out by KnowBe4, 90.9% of these emails were written by artificial intelligence.

Email phishing generated by AI has a 54% click-through rate
The use of generative artificial intelligence has exponentially increased the success of phishing attacks via email. In fact, as noted in a study by Outthink.io, 54% of phishing emails generated by AI are successful, compared to 17.8% of those written by a human.

Email Security Measures Adoption Statistics
Email is the primary entry point for cyberattacks such as phishing, but… how are companies protecting their inboxes? Below, we will provide the most relevant statistics regarding the adoption of security measures in email.
The adoption of the DMARC protocol has increased by 20% since 2023
One of the basic measures for protecting the domains of companies and institutions is adopting the DMARC (Domain-based Message Authentication, Reporting, and Conformance) protocol, which helps keep phishing emails that spoof the domain out of inboxes.
According to a recent report by EasyDMARC, the adoption of the DMARC protocol has risen by 20% from 2023 to 2025. However, the data is far from reassuring. In fact, 52.2% of internet domains lack this protocol, and only 47.7% of them have a valid DMARC record.
| | 2023 | 2025 |
|---|---|---|
| Adoption | 27.2% | |
| Domains without DMARC | 70.9% | 52.2% |
| Valid DMARC Record | 29.1% | 47.7% |

Only 41% of banks have adopted the DMARC protocol in their domains
Next, we provide detailed results of this study:
DMARC Protocol Implementation:
- Banks: 41%
- Insurance: 50%
- Law Firms: 50%
- Aviation: 45%
- Software: 45%
- Financial Services: 45%
- Graphic Design: 9%
(Source: Sendlayer)

56.5% of domains have an SPF record
Another security measure capable of protecting inboxes is the adoption of the SPF (Sender Policy Framework) protocol. According to a recent report by the University of Berlin, only 56.5% of domains currently have an SPF record. However, moderate adoption is not the most relevant issue. Indeed, of this percentage, 2.9% have configuration errors, making them ineffective.
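What "valid DMARC record" and "SPF configuration errors" mean in practice, as an added example that is not from the original article or the cited reports: a Python check over TXT record strings already retrieved from DNS. The function names and sample records are constructed, and the rules cover only a few common checks from RFC 7489 and RFC 7208.

```python
# Added example: classify DMARC and SPF TXT records that were already fetched.
# All sample records in the docstrings and tests are constructed.
VALID_POLICIES = {"none", "quarantine", "reject"}

def check_dmarc(txt_records):
    """Classify the TXT strings published at _dmarc.<domain>."""
    records = [r.strip() for r in txt_records
               if r.strip().lower().startswith("v=dmarc1")]
    if not records:
        return "missing"
    if len(records) > 1:
        return "invalid: multiple DMARC records"
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        return "invalid: missing or unknown p= tag"
    # p=none only reports; it does not stop spoofed mail from being delivered.
    return "monitor-only" if policy == "none" else "enforcing"

def check_spf(txt_records):
    """Classify the TXT strings published at <domain>."""
    records = [r.strip() for r in txt_records
               if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "missing"
    if len(records) > 1:
        return "invalid: multiple SPF records"  # receivers return permerror
    terms = records[0].lower().split()[1:]
    lookups = 0
    for term in terms:
        mech = term.lstrip("+-~?")
        name = mech.split(":")[0].split("/")[0]
        if mech.startswith(("include:", "exists:", "redirect=")) \
                or name in ("a", "mx", "ptr"):
            lookups += 1  # each of these costs the receiver a DNS query
    if lookups > 10:
        return "invalid: more than 10 DNS lookups"
    if "+all" in terms or "all" in terms:
        return "ineffective: allows any sender"
    return "ok"
```

A record that exists but lands in the "monitor-only", "invalid" or "ineffective" bucket counts toward adoption figures while giving receivers nothing to enforce.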
The email security market is expected to reach $10.68 billion by 2032
Currently, the email security market is valued at $5.17 billion. However, due to the rise in digital threats (largely driven by the boom generated by AI), it is expected that growth will continue, reaching $10.68 billion by 2032.
Next, we present the results of the Fortune Business Insights study, which reveals that this sector is expected to experience a compound annual growth rate (CAGR) of 10.9%.
- 2024: $4.68 billion.
- 2025: $5.17 billion.
- 2032: $10.68 billion.

Conclusion
Email security is the foundation of cybersecurity for any business. The exponential increase in email attacks, driven by the use of generative artificial intelligence, has made phishing the dominant tactic for data theft and security breaches. What’s the result? Million-dollar losses and irreparable damage to the reputation of any business.
Undoubtedly, the email security market is expected to grow exponentially in the coming years. However, this will be accompanied by new digital threats that could compromise our security. That is why it is crucial to adopt preventive measures now to ensure the continuity of our business in an increasingly hostile digital environment.
