Email Hacking Statistics 2026: Phishing and 2030 Predictions

1. Research Scope: Email Account Compromise, Breaches, and Phishing Trends

This report is built on the latest available 2026 data drawn from the most trusted and reputable sources in the global cybersecurity landscape — including the Verizon Data Breach Investigations Report (DBIR), Microsoft Digital Defense Report, Proofpoint State of the Phish, FBI Internet Crime Complaint Center (IC3), SpyCloud Annual Identity Exposure Report, Anti-Phishing Working Group (APWG), ENISA Threat Landscape, Abnormal AI, Kasada, eSentire, SpyCloud, Cloudflare, Surfshark, Have I Been Pwned, Keepnet Labs, and Hoxhunt, among others.

It goes measurably deeper than standard breach and phishing benchmark reports by combining raw statistics, cross-source validation, credential-exposure analysis, email-account risk interpretation, and phishing-trend segmentation. Where individual vendor reports provide isolated data points, this report synthesizes and triangulates across sources to surface patterns that no single dataset can reveal in isolation.

This report includes a unique forward-looking forecast for 2026–2030 based on historical breach indicators, phishing activity trends, credential exposure patterns, AI-enabled attack evolution, and scenario analysis. The forecasts presented are not guesses, but modeled projections with clearly stated assumptions, explicit scenario boundaries, and transparent acknowledgment of limitations. They are grounded in multi-year trajectory data and expert indicators, and they distinguish between evidence-based projections and original reasoned estimates.

The report contains extensive original visuals — including charts mapping email-related breach and credential exposure trends, phishing volume trajectories, the quishing (QR-code phishing) surge, account compromise growth curves, BEC loss trends, an email compromise flow diagram, and a 2030 scenario forecast table — designed to make complex email security data immediately comprehensible for security professionals, analysts, content marketers, and technical researchers alike.

All insights are grounded in verifiable, cited data sources, with full transparency around methodology, source quality, and data gaps. Where exact 2026 data has not yet been published, the most current available data is used, clearly labeled with its vintage year and source.

Report scope: This report focuses exclusively on email-related security exposure: how email addresses, email credentials, email accounts, and email-based attacks are involved in data breaches, account compromise, phishing campaigns, credential stuffing, and identity theft. Non-email cybersecurity data is included only where it directly explains how email accounts or email credentials are compromised.

2. Executive Summary

The email credential threat landscape has entered a new phase of scale and sophistication. The following findings represent the most critical cross-validated insights from 2024–2026 data.

Credential and breach exposure:

Since 2004, approximately 23.7 billion accounts have been breached globally, and around 7.9 billion unique email addresses are confirmed as exposed — meaning nearly every active email user on the planet may have at least one email address in a breach database.
In 2025 alone, more than 500 million email addresses were exposed, with nine out of ten breach incidents confirmed to contain email addresses as the primary exposed data field.
The February 2025 ALIEN TXTBASE dataset published on Telegram contained over 2 billion unique email addresses and 1.3 billion unique passwords extracted from infostealer malware logs — the largest single credential dataset ever indexed by Have I Been Pwned.
SpyCloud's 2025 Annual Identity Exposure Report catalogued 3.1 billion exposed passwords in 2024 alone, a 125% increase from the prior year.

Phishing attack volume:

The APWG recorded 4.8 million phishing attacks in 2024, the highest annual total since the organization began tracking in 2003. Q1 2025 reached 1,003,924 phishing attacks, the largest quarterly total since Q4 2023.
Email was identified as the attack vector in 27% of breaches in 2025, second only to web applications (Verizon 2025 DBIR).
Gmail blocks approximately 100 million phishing emails daily, while Cloudflare reports that over 5% of all analyzed emails are malicious.

AI-generated phishing:

Between September 2024 and February 2025, 82.6% of all phishing emails detected used AI in some form — representing a 53.5% year-over-year increase. By December 2025, Hoxhunt analysts identified a 14x surge in AI-generated phishing attacks bypassing email filters, with AI-generated attacks rising from 4% to 56% of all reported attacks in a single month.
AI-generated phishing achieves 54–60% click-through rates, compared to approximately 12% for traditionally crafted campaigns.

QR-code phishing (quishing):

QR-code phishing attacks surged fivefold in H2 2025, growing from approximately 47,000 detections in August to over 249,000 in November. Quishing now accounts for 12% of all phishing attacks, up from 0.8% in 2021.

Account takeover:

Account takeover (ATO) attacks increased 250% in 2024 and surged a further 389% year-over-year in 2025 (eSentire). Credential theft accounted for 74–75% of all observed cyber threats in 2025.
An estimated 29% of US adults — approximately 77 million people — experienced an account takeover in 2024.

Business email compromise:

The FBI IC3 reported $2.77 billion in BEC losses across 21,442 incidents in 2024, with cumulative global losses since 2015 exceeding $55.5 billion.

3. Key Statistics Table: Email Breach, Credential & Phishing Data (2024–2026)

Statistic	Value	Year	Source	Metric Type
Unique email addresses in breach databases (since 2004)	~7.9 billion	2025	Surfshark	Exposed email addresses
Email addresses exposed in 2025	500M+	2025	NordPass/Nord Security	Exposed email addresses
Breaches containing email addresses	9 in 10 (90%)	2025	NordPass research	Breach composition
ALIEN TXTBASE unique email addresses	2 billion+	Feb 2025	Have I Been Pwned / Troy Hunt	Stealer log exposure
Exposed passwords in 2024 (SpyCloud)	3.1 billion	2024	SpyCloud Identity Exposure 2025	Leaked credentials
SpyCloud total identity records	53.3 billion	2024	SpyCloud Identity Exposure 2025	Dark web exposure
Avg. corporate user stolen records	146 records	2024	SpyCloud Identity Exposure 2025	Identity exposure
Avg. consumer: credential pairs	141 pairs across 229 records	2024	SpyCloud Identity Exposure 2025	Identity exposure
Password reuse rate (Cybernews study)	94% of analyzed passwords	2025	Cybernews (19B passwords)	User behavior
Users reusing same password after 2+ breaches	74%	2024	SpyCloud	Credential reuse
APWG phishing attacks (annual 2024)	4.8 million (record)	2024	APWG Q4 2024 report	Phishing volume
APWG phishing attacks Q1 2025	1,003,924	Q1 2025	APWG Q1 2025 report	Phishing volume
APWG phishing Q2 2025 (spike)	1,130,393	Q2 2025	APWG / Stingrai	Phishing volume
APWG phishing Q4 2025	853,244	Q4 2025	APWG Q4 2025	Phishing volume
Email as breach attack vector (Verizon 2025)	27% of breaches	2025	Verizon DBIR 2025	Breach vector
Credential theft in breaches (Verizon 2025)	22% of breaches	2025	Verizon DBIR 2025	Breach cause
Phishing in breaches (Verizon 2025)	14% of breaches	2025	Verizon DBIR 2025	Breach cause
AI-generated phishing share	82.6%	Sep 2024–Feb 2025	Keepnet/VIPRE	AI phishing
AI phishing YoY increase	+53.5%	2024→2025	ENISA, Keepnet	AI phishing trend
AI phishing click-through rate	54–60%	2025	Securedintel, HBR 2024	Phishing efficacy
Traditional phishing click-through rate	~12%	2024	Securedintel	Phishing efficacy
14x surge in AI phishing (month-over-month)	4% → 56% of attacks	Dec 2025	Hoxhunt 2026	AI phishing surge
QR-code phishing share of all phishing	12%	2025	Keepnet, Venza	Quishing
QR-code phishing growth 2021→2024	0.8% → 12.4%	2021–2025	Keepnet	Quishing trend
Quishing fivefold surge H2 2025	46,969 → 249,723/month	Aug–Nov 2025	Keepnet / Expression Africa	Quishing surge
90% of QR-code attacks = credential phishing	90%	2024–2025	Venza	Quishing nature
Deepfakes in BEC (2026)	40% of BEC incidents	2026	Digital Applied	Deepfake phishing
ATO increase 2024	+250% year-over-year	2024	Kasada 2025 ATO report	Account takeover
ATO increase 2025	+389% year-over-year	2025	eSentire 2026 report	Account takeover
US adults experiencing ATO 2024	29% (~77M people)	2024	Security.org via AuthX	ATO prevalence
Consumer ATO victims 2025	24% of consumers	2025	Sift Q3 2025 Digital Trust	ATO prevalence
Organizations experiencing ATO 2024	74%	2024	SpyCloud	ATO – enterprise
BEC losses 2024 (FBI IC3)	$2.77 billion / 21,442 cases	2024	FBI IC3 2024 Annual Report	BEC financial impact
Cumulative global BEC losses (since 2015)	$55.5 billion	2015–2024	FBI IC3	BEC financial impact
Phishing-related breach avg. cost (IBM)	$4.76 million	2024	IBM Cost of Data Breach 2024	Financial cost
EvilProxy AiTM attacks per month	66 million	2023–2024	Proofpoint State of Phish 2024	MFA bypass
PhaaS kit share of account compromise	63% of incidents	2025	eSentire 2026 report	AiTM phishing
Password-based attacks blocked daily (Microsoft)	7,000/second	2024	Microsoft MDDR 2024	Identity attacks
Organizations targeted for ATO regularly	99%	2024	Proofpoint 2024	Account compromise

4. Methodology and Source Quality Notes

Primary Sources Used

This report draws exclusively on primary-source security reports, government cybercrime data, and peer-reviewed or independently audited research. All statistics are traced to their originating vendor, agency, or dataset rather than secondary blog summaries.

Tier 1 — Government/Regulatory Sources (Highest Authority): FBI IC3 Annual Crime Reports (direct cybercrime complaint data from US law enforcement); ENISA Threat Landscape (European Union incident data, 4,875+ verified incidents in 2025 edition); CISA advisories; FTC consumer reports.

Tier 2 — Independent Multi-Organization Reports: Verizon DBIR (2025 edition: 22,052 incidents across 139 countries); APWG Phishing Activity Trends Reports (direct phishing URL/domain reporting by APWG members); IBM Cost of a Data Breach Report (cross-industry, 604 organizations studied in 2024); Have I Been Pwned breach dataset (Troy Hunt, publicly disclosed breach archive).

Tier 3 — Vendor Research with Disclosed Methodology: SpyCloud Annual Identity Exposure Reports (dark web credential recapture with disclosed methodology); Proofpoint State of the Phish (survey of 7,500 users, 1,050 security professionals across 15 countries + 183M simulated phishing messages); Microsoft Digital Defense Report (78 trillion security signals daily); Cloudflare Threat Reports (global network telemetry); Kasada ATO Trends Report (infiltration of 22 credential stuffing groups); Hoxhunt Phishing Trends (50M+ data points from 4M+ users); eSentire Year in Review (2,000+ customer organizations); Abnormal AI Attack Landscape Report (800,000 email attacks, 4,600+ organizations); Surfshark data breach monitoring tool (20-year dataset); Keepnet Labs QR-code phishing statistics.

Known Limitations

Reporting bias: All phishing, BEC, and ATO statistics from FBI IC3 and similar agencies reflect only reported incidents. Actual attack volumes are universally estimated to be substantially higher.
Vendor bias: Commercial security vendors (Proofpoint, SpyCloud, Kasada, etc.) derive statistics from their own customer bases or product telemetry. Their datasets may skew toward enterprise users, specific geographies, or sectors overrepresented in their customer bases.
AI phishing measurement uncertainty: The "82.6% AI-generated phishing" figure derives from specific detection windows and product telemetry. Definitions of "AI-assisted" vary across vendors.
Quishing statistics: QR-code phishing data varies significantly across vendors depending on detection methods and the time windows analyzed.
Deepfake phishing: Hard quantitative data on deepfake-assisted phishing remains limited. The 40% BEC figure comes from a single source and should be treated as indicative rather than industry-validated.
Consumer vs. enterprise split: Many statistics aggregate consumer and enterprise email accounts without clear separation.

5. Definitions

Term	Definition
Email account compromised	An email account where an unauthorized party has gained access to inbox contents, sent items, or settings — either through credential theft, phishing, AiTM interception, or brute force
Email security breach	A data breach event in which email addresses, email credentials, or inbox contents are exposed to unauthorized parties
Exposed email address	An email address included in a publicly disclosed or dark-web-distributed breach dataset, regardless of whether the corresponding account has been accessed
Leaked email credentials	A pairing of an email address with one or more associated passwords that has appeared in a breach dataset, infostealer log, or dark web marketplace
Credential stuffing	An automated attack that tests leaked email-password combinations across multiple websites and services to identify accounts where the same credentials are reused
Account takeover (ATO)	The successful unauthorized access to a user's account — email or otherwise — resulting from compromised credentials, phishing, or session-cookie theft
Phishing email	A malicious email designed to deceive the recipient into revealing credentials, clicking a malicious link, downloading malware, or taking a financially harmful action
AI-generated phishing	Phishing emails in which AI language models, generators, or automation tools are used to produce personalized, grammatically correct, contextually aware messages at scale
Quishing (QR-code phishing)	Phishing attacks that embed malicious URLs within QR codes included in emails, PDFs, or physical materials, bypassing traditional URL-based email filters
Deepfake-assisted phishing	Phishing attacks in which AI-synthesized voice, video, or image content is used to impersonate executives, colleagues, or trusted authorities — typically in the context of BEC or invoice fraud
Business email compromise (BEC)	An email-based attack targeting organizations — typically via account impersonation or account takeover — to redirect payments, steal data, or commit fraud

6. Detailed Analysis by Category

6.1 Email Addresses in Data Breaches

Email addresses have emerged as the single most consistently exposed data type in breach datasets. According to NordPass/Nord Security research into database leak trends from 2023 to 2025, nine out of ten breach incidents contain email addresses as an exposed field, making email the most reliably present identifier in stolen data. In 2025 alone, more than 500 million email addresses were exposed across publicly disclosed breach events.

Surfshark's two-decade breach monitoring dataset provides the broadest longitudinal perspective: since 2004, a total of 23.7 billion accounts have been breached globally, with approximately 7.9 billion unique email addresses represented — meaning that the average active email address has been breached approximately three times. On average, each leaked email address is bundled with three additional compromised data points such as passwords, phone numbers, or physical addresses.

The scale of individual breach events continues to grow. The April 2024 National Public Data breach exposed approximately 134 million unique email addresses in its HIBP-indexed data, though the actual scope of the underlying incident was estimated as affecting billions of records. Q1 2024 saw globally leaked accounts surge fivefold from 81 million (Q4 2023) to 435 million, equivalent to 3,353 accounts being leaked every sixty seconds — a 435% increase from Q4 2023 rates.

Key limitation: Exposed email addresses do not equate directly to compromised email accounts. Many breach records contain email addresses used as usernames on third-party services rather than the email accounts themselves.

6.2 Leaked Email Credentials and Password Pairs

The volume of email-password credential pairs circulating in criminal underground markets reached unprecedented scale in 2024–2025. SpyCloud's 2025 Annual Identity Exposure Report documented 3.1 billion exposed passwords recaptured from the darknet in 2024 — a 125% increase from the 1.38 billion recaptured in 2023. The total SpyCloud darknet collection grew 22% year-over-year, reaching 53.3 billion distinct identity records and over 750 billion total stolen assets.

The single largest credential event in recent history was the ALIEN TXTBASE release in February 2025, which contained 23 billion rows of data from stealer logs, including over 2 billion unique email addresses and 1.3 billion unique passwords — 625 million of which had never been seen in prior breach datasets. Troy Hunt (Have I Been Pwned) confirmed this as "the most extensive corpus of data we've ever processed, by a significant margin."

On the consumer side, the average exposed individual now carries 52 usernames and 141 credential pairs spread across 229 distinct exposure records — a profile rich enough to enable impersonation, fraud, and account takeover across multiple platforms. For corporate users, the situation is more severe: the average corporate identity now has 146 stolen records linked to it, a 12x increase from prior estimates, largely driven by the expansion of infostealer malware operations.

6.3 Compromised Email Accounts

Directly measuring the number of compromised email accounts — as distinct from exposed email addresses — is among the most difficult measurements in cybersecurity due to underreporting, delayed detection, and definitional ambiguity. However, multiple proxy indicators confirm the scale.

Proofpoint's 2024 State of the Phish found that 99% of organizations are regularly targeted for account takeovers, and 62% are actually impacted. eSentire's 2026 Threat Landscape Outlook reported a 389% year-over-year rise in account compromise in 2025, with account compromise accounting for 55% of all attacks observed in their dataset of 2,000+ customers. Microsoft 365 accounts were specifically identified as prime targets, with PhaaS (Phishing-as-a-Service) kits accounting for 63% of all account compromise incidents.

At the consumer level, Sift's Q3 2025 Digital Trust Index found that 24% of consumers were account takeover victims in 2025, up from 18% in 2024. A US-focused analysis found that 29% of US adults — approximately 77 million people — experienced an ATO incident in 2024.

The median time for an organization to detect a breach was 194 days (IBM/Ponemon 2024), meaning compromised email accounts often remain under attacker control for months before detection.

6.4 Credential Stuffing and Account Takeover

Credential stuffing — the automated testing of leaked email-password pairs against live login portals — has become one of the primary mechanisms through which exposed email credentials are weaponized into active account compromises.

Infostealers harvested an estimated 2.1 billion credentials in 2024, fueling credential stuffing campaigns at industrial scale. Kasada's 2025 ATO Trends Report, based on infiltration of 22 active credential stuffing groups, found that ATO attacks increased 250% in 2024, with attackers deliberately timing attacks around high-traffic periods such as Black Friday and holiday seasons. Of note: 85% of targeted companies already had bot detection in place yet still fell victim, with 65% of ATO attacks using sophisticated automation including CAPTCHA bypasses and residential proxies.

The password reuse crisis directly enables credential stuffing at scale. A 2025 Cybernews study analyzing 19 billion passwords exposed in breaches between April 2024 and April 2025 found that 94% of passwords are reused or duplicated across multiple accounts — with only 6% classified as unique. SpyCloud's parallel analysis found that 70% of users exposed in breaches reuse old, compromised passwords. Stolen credentials are involved in credential-based attacks accounting for 22% of all breaches (Verizon 2025 DBIR), making credential misuse the single top breach-initiation method.

Attack chain illustration: Once a credential stuffing campaign identifies a live email-password match, the attacker gains inbox access to: (a) harvest password reset emails from connected services, (b) search for financial, HR, and credentials data within the inbox, (c) set inbox rules to hide suspicious activity, and (d) launch outbound phishing using the trusted internal sender identity.

6.5 Email Phishing Statistics

Phishing remains the most high-volume and most consequential email-based attack vector. The APWG recorded approximately 4.8 million phishing attacks in 2024 — the highest annual total since its founding in 2003, representing a 20% increase over 2023. Phishing attack volume rebounded in Q1 2025 to 1,003,924 quarterly attacks, the highest quarterly figure since Q4 2023's 1.07 million, before spiking further to 1,130,393 in Q2 2025.

The APWG Q4 2025 report noted that wire transfer BEC attacks in Q4 2025 increased 136% compared to Q3 2025, and that scam impersonations increased on every social media platform throughout 2025. Phishing remains the dominant initial access vector in EU incidents, accounting for 60% of all initial intrusion observations in ENISA's 2025 Threat Landscape analysis of 4,875 incidents.

The velocity of phishing attacks is notable. Verizon 2024 DBIR found the median time to click a phishing link once the email is opened is 21 seconds, with credential entry occurring just 28 seconds later — making the entire credential theft transaction approximately under 60 seconds. This window is far shorter than most alert and response timelines.

SaaS/Webmail platforms — representing email service providers including Microsoft 365 and Google Workspace — were the most-attacked sector in Q1 2025, targeted in 17.6% of all phishing campaigns. Financial institutions and online payment platforms combined for an additional 30.9% of attacks in the same period.

6.6 Phishing as a Driver of Email Credential Theft

Phishing is not merely one attack type among many — it is the principal pipeline through which email credentials are stolen at scale. Proofpoint's telemetry from its 2024 State of the Phish report covers 2.8 trillion scanned emails across 230,000 organizations worldwide, with results showing that 76% of organizations experienced credential and/or account compromise as a result of successful phishing in the 2023 reporting year. Financial penalties from phishing-driven incidents rose 144% year-over-year, and reputational damage increased 50%.

Cloudflare's 2023 Phishing Threats Report — drawn from analysis of 13 billion emails — found that 35.6% of all email threat indicators involve deceptive links designed to harvest credentials, and that 89% of malicious emails successfully pass SPF, DKIM, or DMARC authentication checks, demonstrating the limitations of protocol-based defenses.

Proofpoint's 2025 Human Factor Vol. 2 report found URLs are used 4x more often than attachments in malicious emails, and at least 55% of smishing messages contained malicious credential-harvesting URLs. From Hornetsecurity's analysis of 70+ billion emails in 2025, phishing increased 21% year-over-year and malicious URLs accounted for 22.7% of all email threats.

6.7 Business Email Compromise

Business email compromise is the most financially damaging form of email-based attack and the clearest illustration of how compromised email accounts translate into direct financial harm. The FBI IC3's 2024 Annual Report records $2.77 billion in BEC losses across 21,442 reported incidents in 2024 — approximately $130,000 average loss per incident. Since BEC's first inclusion in the IC3 report in 2015, cumulative global losses have exceeded $55.5 billion, representing a 1,025% increase in a decade.

BEC attacks increasingly exploit email account takeover rather than mere spoofing. Microsoft's Digital Defense Report 2024 highlighted inbox rule manipulation as a favored post-compromise technique: once in control of a mailbox, attackers create rules that redirect emails containing financial keywords to Spam, Deleted Items, or Conversation History — hiding the fraud from the legitimate user. The Verizon 2025 DBIR noted that 88% of basic web application attacks involved stolen credentials, often targeting email authentication portals first.

The geography of BEC attacks is evolving. Abnormal AI's 2026 Attack Landscape Report — analyzing 800,000 email attacks across 4,600+ organizations between July and December 2025 — found that 61% of BEC is now vendor-related, with attackers impersonating suppliers, contractors, and partners rather than internal executives, exploiting trusted third-party relationships that employees are less likely to scrutinize.

6.8 Consumer Email Account Compromise

Consumer email account compromise — affecting personal Gmail, Outlook, Yahoo, and similar accounts — is widely underreported relative to enterprise incidents, but its scale is substantial. Sift's Q3 2025 Digital Trust Index found 24% of consumers fell victim to ATO in 2025, up from 18% in 2024, suggesting an accelerating consumer-facing ATO trend. Four out of five consumers who experienced ATO reported they would stop using the affected service — indicating significant reputational and economic consequences for email providers and connected platforms.

Consumer accounts are particularly vulnerable due to lower MFA adoption rates, higher rates of password reuse, and their use as recovery addresses for financial, health, and government accounts. The SpyCloud data showing that the average exposed consumer has 141 credential pairs and 229 records tied to their identity underscores that consumer email compromise rarely stays isolated to a single account.

6.9 AI-Generated Phishing Trends

AI-generated phishing represents the most rapidly escalating qualitative shift in the email threat landscape. Between September 2024 and February 2025, security researchers at Keepnet and VIPRE identified AI usage in 82.6% of all detected phishing emails — a 53.5% year-over-year increase, driven by the widespread availability of large language model tools that allow attackers to generate personalized, grammatically flawless, context-aware emails at near-zero marginal cost.

The performance differential is stark. AI-generated phishing achieves 54–60% click-through rates compared to approximately 12% for traditional phishing, due to the removal of classic warning signs: poor grammar, awkward phrasing, and generic templates. AI campaign costs have simultaneously dropped by 95%+, making highly personalized spear-phishing economically viable at previously impossible scale.

ENISA's 2025 Threat Landscape confirmed that "over 80% of all phishing emails identified between September 2024 and February 2025 used AI to some extent," with attackers exploiting commercial LLMs as well as jailbroken models including WormGPT, EscapeGPT, and FraudGPT. IBM's 2025 analysis found that 37% of breaches now involve AI-generated phishing as the primary attack method.

The Hoxhunt 2026 Phishing Trends Report — built from 50 million data points across 4 million users — provides the sharpest near-term indicator: in December 2025, AI-generated phishing attacks that successfully bypassed email filters surged 14x in a single month, with their share of all detected attacks rising from 4% to 56%. This suggests AI-enabled phishing transitioned from an emerging threat to a dominant attack modality within weeks, driven by campaigns coordinated over the holiday period when security team attention is reduced.

6.10 QR-Code Phishing (Quishing) Trends

Quishing — the embedding of malicious URLs within QR codes included in phishing emails — has evolved from an experimental technique to a mainstream attack vector. QR-code phishing's share of all phishing payloads has grown from 0.8% in 2021 to approximately 12% in 2024–2025, a near-15-fold increase in payload adoption. Cofense tracked a 331% year-over-year increase in QR-code phishing campaigns, and a separate 2023 spike saw quishing incidents rise by 587% in a single year.

The technical appeal of QR-codes to attackers is clear: QR images bypass conventional URL-based email security filters, which cannot extract and evaluate the URL embedded within an image. Venza's 2025 analysis found 22% of phishing emails now use QR codes, with 56% impersonating Microsoft's two-factor authentication reset notifications specifically — a design choice that exploits the very security mechanisms intended to protect email accounts. Credential phishing dominates 89.3–90% of all quishing campaigns, with C-level executives found to be 40 times more likely to fall victim than average employees.

The H2 2025 surge was particularly dramatic. Keepnet Labs data shows QR-code phishing detections growing from 46,969 in August 2025 to 249,723 in November 2025 — a more than fivefold increase in four months, with the APWG simultaneously recording a notable quishing spike in Q1 2025 out of its 1,003,924 total quarterly phishing detections.

Approximately 68% of quishing attacks specifically target mobile users, exploiting the lower security posture of personal devices used to scan QR codes. The average business loss from a successful quishing attack exceeds $1 million per incident according to industry estimates, reflecting the credential and financial access that follows successful inbox compromise.

6.11 Deepfake-Assisted Phishing Trends

Deepfake-assisted phishing — where AI-synthesized audio, video, or image content is used to impersonate trusted individuals — sits at the intersection of BEC and advanced social engineering. When email is the delivery mechanism or target, deepfake phishing directly impacts email account compromise and credential theft.

The most widely cited incident is the February 2024 attack on Arup, a global engineering firm, in which a finance employee was deceived into transferring $25 million after attending a video call in which every participant — including the company's CFO — was a real-time AI deepfake created from publicly available footage. This incident established deepfake-assisted BEC as a credible enterprise-scale threat.

By early 2026, AI deepfakes were identified in approximately 40% of all BEC incidents, up from under 5% in 2023. The barrier to entry has collapsed: commodity tools available on dark-web markets can clone a voice from three seconds of audio for under $20. The dark web trade in deepfake tools specifically rose 223% between Q1 2023 and Q1 2024.

The CISA- and Cloudflare-validated survey finding that 55% of CISOs identify deepfakes as a moderate-to-significant threat suggests broad awareness but still-limited deployment of countermeasures. Deepfakes as a share of all fraud attacks reached 6.5% in 2025, representing a 2,137% increase from 2022.

Important note: The 40% BEC deepfake figure should be treated with caution; it derives from a single source without a disclosed sample size. Cross-source validation data is limited. Deepfake-assisted phishing is a confirmed and growing threat vector but its precise share in email compromise remains difficult to measure industry-wide.

6.12 MFA Bypass and Session Theft in Email Account Compromise

Multi-factor authentication is no longer a reliable guarantee of email account security against sophisticated phishing operations. Adversary-in-the-Middle (AiTM) phishing kits — which position a reverse proxy between the victim and the legitimate email authentication portal — intercept live session cookies after MFA completes, rendering SMS OTP and TOTP codes ineffective against these attacks.

Proofpoint's 2024 State of the Phish telemetry found that 66 million attacks are launched monthly using the EvilProxy AiTM framework — yet 89% of security professionals still believe MFA provides complete protection against account takeover. eSentire's 2025 data identified PhaaS kits (Tycoon 2FA, FlowerStorm, EvilProxy) as responsible for 63% of all account compromise incidents, with Microsoft Defender for Office 365 blocking over 13 million malicious emails tied to Tycoon 2FA in October 2025 alone.

Sekoia's threat research identified 11 distinct AiTM phishing kits in active commercial operation between January and April 2025, with Tycoon 2FA leading at a 4.8/5 prevalence score. The Canadian Centre for Cyber Security analyzed more than 100 AiTM campaigns targeting Microsoft Entra ID accounts between 2023 and early 2025, finding that by August 2024 nearly 100% of observed campaigns had migrated from traditional credential harvesting to proxy-based session interception, and that 91% of post-compromise activity was BEC.

The only effective defenses against AiTM are FIDO2 hardware keys and passkeys, which cryptographically bind authentication to the legitimate domain, breaking the proxy interception step entirely. The Canadian Centre data shows full-session compromises dropped from approximately 20% in Q3 2023 to 6–7% in Q2 2025 in tenants that adopted phishing-resistant MFA with registered-device conditional access.

7. Email Breach Exposure Model

The following flow model describes how a single breach event can cascade from an exposed email address into full identity and financial compromise. This model synthesizes the empirical attack chain documented across Verizon DBIR, SpyCloud, Kasada, Proofpoint, Canadian Centre for Cyber Security, and eSentire research.Stage 1 — Email Address Appears in a Breach An organization suffers a data breach. The attacker or a secondary buyer extracts the breach dataset, which includes email addresses as user identifiers. The email address enters criminal underground circulation on dark web marketplaces or Telegram channels.

Stage 2 — Email-Password Pair Leaked If the breached database includes password hashes, attackers crack them using GPU-accelerated tools. If the site stored passwords in plaintext, the pair is immediately exploitable. SpyCloud finds 44 exposed credentials per infostealer infection on average.

Stage 3 — Password Reuse Amplifies Risk With 74–94% of users reusing passwords across accounts, a single leaked credential effectively keys multiple accounts. Automated credential stuffing bots test the email-password pair against email providers (Microsoft 365, Gmail, Yahoo), banking portals, and SaaS platforms at rates of thousands of attempts per minute.

Stage 4 — Phishing or Stuffing Targets the User If credential stuffing fails (due to password diversity or rate limiting), attackers pivot to phishing. AI-generated spear-phishing emails using the victim's name, employer, and known services are sent, achieving 54–60% click-through rates in 2025. QR-codes may replace links to bypass email security filters.

Stage 5 — Email Account Is Accessed or Taken Over If MFA is absent or bypassed via AiTM: the attacker gains inbox access. Post-compromise inbox rules are set to redirect security alerts to hidden folders. The attacker uses the inbox to reset passwords on connected accounts, harvest sensitive communications, and identify financial relationships.

Stage 6 — Inbox Contents, Connected Accounts, and Reset Links Exposed The inbox becomes the master key to the victim's digital identity. Reset emails for banking, healthcare, government services, and workplace SaaS flow through the compromised address. Internal BEC campaigns launch from the trusted email identity, with 91% of AiTM post-compromise activities resulting in BEC.

Stage 7 — Downstream Identity, Financial, and Workplace Risks Personal data breach losses reported to FBI IC3 in 2024 reached $1.45 billion across 64,882 reports. BEC incidents cause an average direct loss of $130,000 per incident. The median detection window of 194 days means that accounts can remain compromised for months.

8. Trend Analysis

8.1 What Changed: 2022–2026

The email threat landscape has undergone three structural shifts between 2022 and 2026:

Shift 1 — Scale of credential exposure accelerated dramatically. SpyCloud's annual recaptured password volumes grew from 760 million (2022) to 1.38 billion (2023) to 3.1 billion (2024) — a 307% three-year increase. Infostealer malware replaced opportunistic data breaches as the primary mechanism for fresh credential harvesting, with 61% of 2024 breaches now malware-related.

Shift 2 — AI transformed phishing from volume to precision. Traditional phishing competed on volume (billions of generic emails); AI-generated phishing competes on conversion (fewer, more targeted, higher-click-rate emails). The click-rate gap — 12% traditional vs. 54–60% AI-generated — confirms that AI-assisted campaigns are qualitatively different. ENISA's confirmation that over 80% of phishing emails use AI marks the end of the pre-AI phishing era.

Shift 3 — MFA defeat became mainstream. AiTM phishing kits democratized session-cookie theft, enabling attacks against MFA-protected accounts at commercial scale. EvilProxy's 66 million monthly attacks and Tycoon 2FA's 13 million monthly email blocks indicate the post-MFA phishing era is already underway.

8.2 Is Email Account Compromise Increasing?

All available indicators point to a sustained increase in both the volume and severity of email account compromise:

ATO attacks grew 250% in 2024 and 389% year-over-year in 2025
Credential theft's share of all cyber threats rose from 37% to 55% of total incidents in eSentire's dataset
Phishing volume, after a 2024 slight dip from the 2023 record, rebounded to record quarterly highs in Q1 and Q2 2025
The proportion of organizations reporting successful phishing-driven account compromise remains near 62%

Complicating factor: Better detection tools (Microsoft Defender, behavioral analytics, PhaaS kit identifiers) are simultaneously improving detection rates, meaning some portion of measured growth reflects improved visibility rather than purely new attack volume.

8.3 How Phishing Tactics Are Evolving

The most significant tactical evolution is the shift from link-based to multi-modal phishing:

AI lures replaced template-based phishing, eliminating grammar and formatting tells
QR-codes bypassed URL-scanning layers, pushing the attack to mobile devices where defenses are weaker
ClickFix scams (fake browser dialogs prompting credential entry) jumped 500% in H1 2025 per Mimecast
Conversational AI lures — emails that open a dialogue rather than delivering a direct link — now account for 18% of malicious email classified as conversational AI-based(Cofense 2025)
File-sharing platform abuse (Google Drive, Dropbox) allows phishers to deliver credential-harvesting pages via trusted domains

Learn more about How Spammers Use Multiple Domains.

8.4 Regional and Industry Exposure

Where data is available:

Geographically, the US accounts for the largest absolute volume of breached accounts since 2004 (3+ billion), followed by Russia (2.4 billion) and China (1.1 billion). In 2025, US accounts represented 33%+ of all globally breached accounts (142.9 million of 425.7 million). ENISA notes the EU is characterized by concentrated attacks on public administration, which received 38% of all ransomware and breach incidents in 2025.

By sector, the Verizon 2024 DBIR showed that in the education sector 86% of breaches involve compromised credentials, and the professional/technical services sector had the highest confirmed data disclosures. In the APAC region, phishing against organizations grew 30.5% year-over-year in 2024, with Japan and Singapore seeing 37% spikes.

9. 2026–2030 Forecast

9.1 Methodology

The following forecasts are derived from:

Multi-year trajectory data for each metric (2020–2025 trend lines)
AI adoption rates in phishing (technology diffusion modeling)
QR-code usage growth and attacker ROI signals
MFA and passkey adoption forecasts from Microsoft and FIDO Alliance
Historical BEC loss compounding rates from FBI IC3 data
Expert projections from ENISA, Abnormal AI, and Hoxhunt

These are modeled projections, not guaranteed outcomes. Each scenario represents a distinct bundle of assumptions described below.

9.2 Scenario Assumptions

Conservative Scenario (Best Case for Defenders):

Passkey adoption accelerates; FIDO2 adoption reaches 40%+ of enterprise accounts by 2030
AI-based email filtering (Microsoft Copilot, Google AI defenses) neutralizes most AI-generated phishing
Regulatory frameworks (EU NIS2, US SEC disclosure rules) force faster breach remediation
MFA bypass kits are partially defeated by phishing-resistant credential standards
Result: slower ATO growth, some stabilization in BEC losses, but exposed email addresses continue to accumulate

Moderate Scenario (Persistence with Adaptation):

AI phishing adoption reaches near-saturation, but defenders adopt AI-based detection at comparable pace
Passkey adoption remains patchy; consumer accounts remain vulnerable
Quishing expands but is eventually addressed by QR-aware email security tools
BEC losses grow moderately, consistent with pre-AI compounding rates
Credential stuffing remains at high volume due to 20+ years of accumulated breach data

Aggressive Scenario (Adversary Advantage):

AI-generated deepfake phishing reaches 70%+ of BEC incidents
Quishing evolves to use AI-personalized QR-code campaigns at scale
Passkey adoption stalls; AiTM kits advance to defeat even FIDO2-lite implementations
A "mega-breach" exposes 500M+ unique credential pairs in a single event
ATO attacks against consumer accounts triple due to weak protections on legacy email platforms

9.3 2030 Prediction Table

Metric
AI phishing share of all phishing
QR-code phishing share
Annual phishing attack volume
Annual BEC losses (USD)
ATO incident rate growth vs 2024
% email breaches containing AI-generated lure
Deepfake share of BEC
Unique email addresses in global breach databases
Share of phishing bypassing email auth (SPF/DKIM/DMARC)
Consumer ATO victim rate

2024–2025 Baseline	2030 Conservative	2030 Moderate	2030 Aggressive	Reasoning
82.6% (Sep 2024–Feb 2025)	~87%	~93%	~97%	AI is already dominant; saturation is near. Conservative = defenses slow growth; aggressive = near-total AI generation
12% (2025)	~10% (detection improves)	~18%	~28%	Conservative: QR-aware filters reduce adoption; aggressive: attackers evolve QR to dynamic codes and SVG embeds
~4.1–4.8M (APWG)	~4.5M	~6M	~9M	AI automation lowers marginal cost, increasing volume; conservative reflects partial containment
$2.77B (2024, FBI IC3)	~$2.5B (slight decline with defenses)	~$4.5B	~$7.5B	Moderate: AI-BEC grows; conservative: law enforcement and regulation contain losses; aggressive: deepfake BEC scales
Baseline	+20%	+100%	+250%	Conservative: passkeys contain growth; moderate: persistent credential reuse; aggressive: AI-automated ATO at consumer scale
~37% (IBM 2025)	~50%	~70%	~90%	IBM trend already at 37%; aggressive = near-universal AI phishing for email-specific attacks
~40% (2026, indicative)	~35% (detection improves)	~55%	~75%	Conservative: deepfake detection tools mature; aggressive: voice/video cloning becomes trivially cheap
~7.9B (2025, Surfshark)	~8.5B	~9.5B	~11B	Steady accumulation continues; aggressive = mega-breach events accelerate exposure
89% (Cloudflare 2023)	~80% (protocols improve)	~85%	~90%	Protocol improvements exist but are slow to deploy globally; aggressive = attackers adapt faster
24% of consumers (2025)	~22% (passkeys reduce)	~30%	~45%	Conservative: consumer passkey adoption grows; aggressive: AI-automated consumer ATO campaigns proliferate

9.4 Forecast Narrative

The most robust prediction across all three scenarios is the continued dominance and quality improvement of AI-generated phishing. Even in the conservative scenario, AI phishing share approaches near-saturation. The variable is not whether AI phishing dominates, but whether defense-side AI can match offensive AI. Early data suggests offensive AI is ahead: AI phishing achieves 54–60% click rates even against organizations with active training programs.

The quishing trajectory may be the most scenario-sensitive prediction. QR-code phishing grew explosively (0.8% to 12% of payloads) precisely because email security stacks were not designed to evaluate image-embedded URLs. If major email providers update their scanning to evaluate QR code content — as some are beginning to do — the attack's core advantage is neutralized and volume may stabilize or decline even in the conservative case. However, in the aggressive scenario, attackers evolve to dynamic QR codes, SVG-embedded vectors, or QR codes in PDF attachments, staying ahead of detection.

BEC losses are likely to grow in real terms but may be partially contained by the combination of international law enforcement actions, increased mandatory reporting (reducing underreporting), and AI-based anomaly detection in financial workflows. The aggressive scenario assumes deepfake-BEC scales to mid-market organizations, where audio/video calls are less expected to be authenticated.

The accumulated email address exposure base of ~7.9–11 billion unique addresses by 2030 means that for practical purposes, nearly every email user can assume their address is circulating in criminal databases. The relevant risk variable shifts from whether an email address is exposed to how quickly associated credential pairs and session tokens are exploited.

10. Practical Implications

For Regular Email Users

Assume your email address has already been exposed in at least one breach — check
Have I Been Pwned or Privacy Monitor
to confirm specific incidents.
Enable passkeys or hardware MFA (FIDO2/WebAuthn) on your primary email account. SMS-based 2FA is vulnerable to AiTM attacks and SIM swapping.
Never reuse your primary email account password. With 94% of passwords being reused, a single breach exposure cascades across all accounts using the same credentials.
Treat QR codes in unexpected emails with the same skepticism as suspicious links. The credential-harvesting destination is identical; only the delivery mechanism differs.
Check email account login history and inbox rules periodically for unauthorized access — a key indicator of AiTM-driven compromise.

For Employees and Remote Workers

Recognize that AI-generated phishing emails now closely mimic internal communications, eliminating grammar and format tells. Verify unexpected requests for credential input or fund transfers through a secondary channel.
Understand that MFA alone is insufficient if it relies on SMS/OTP. The EvilProxy and Tycoon 2FA kits process 66 million+ attacks per month specifically designed to defeat standard MFA.
Be specifically vigilant of QR-codes in emails impersonating Microsoft 365 MFA notifications — 56% of quishing attacks specifically impersonate Microsoft authentication workflows.
Remote workers on personal devices are at heightened risk: 46% of infostealer-compromised devices with corporate credentials are non-managed.

For IT and Security Teams

Phishing-resistant MFA (FIDO2 passkeys) must be the priority for privileged accounts and executive email. AiTM attacks fully neutralize SMS and TOTP in high-value targets.
Behavioral anomaly detection for inbox rule creation is a critical post-compromise indicator — attackers consistently create rules to hide breach activity.
Treat infostealer exposure as a high-priority signal: SpyCloud data showing average of 44 credentials per infection means a single device compromise cascades to dozens of enterprise application accounts.
Implement Conditional Access with registered-device requirements. Canadian Centre data shows this reduces full-session compromise from ~20% to ~6–7%.
Monitor QR-code scanning patterns on corporate-connected devices; commercial email gateways are beginning to offer QR-content URL scanning.
The 194-day average breach detection time (IBM 2024) must be reduced through continuous credential monitoring and dark web alerting integrations.

For Email Providers

Email authentication standards (SPF, DKIM, DMARC) are necessary but insufficient: 89% of malicious emails pass these checks.
Investment in image/QR-code content analysis within email scanning engines is critical to addressing the quishing vector.
AI-generated content detection at the inbox level — behavioral and linguistic analysis — will be the core defensive battleground for 2026–2030.
Session context and device binding for email logins directly reduces AiTM attack efficacy.

For Password Managers and Identity Protection Tools

Automated breach credential monitoring against live dark-web data (not just notification of historical breaches) is the key differentiator. SpyCloud's model of continuous recapture from fresh stealer logs represents the operational standard.
Passkey creation and management is the strategic product direction — password managers that facilitate FIDO2 passkey enrollment can directly reduce credential stuffing exposure.
Cross-account credential overlap detection (identifying when two accounts share a password) provides users with actionable remediation priority.

For SaaS Products Helping Users Manage and Secure Email

Products like Clean Email and similar inbox management tools can play a meaningful role in post-compromise recovery and ongoing risk reduction:

Automated inbox audit features that detect unusual inbox rules (hidden folder redirects, external forwarding) enable rapid detection of AiTM post-compromise activity.
Connected-account review and revocation tools help users identify and remove third-party app access that persists after credential compromise.
Dark web and breach exposure monitoring integrations allow users to receive real-time alerts when their email addresses appear in new breach datasets.
Phishing email reporting and quarantine workflows that surface AI-generated email characteristics can supplement gateway-level filtering.

For Content Marketers Covering Email Security

The key audience differentiation is between email address exposure (passive — email in a database) and email account compromise (active — unauthorized access to the inbox). Many users conflate the two; editorial clarity here significantly improves reader comprehension.
The AI phishing transformation is the most compelling narrative for 2026: the shift from detectable mass phishing to undetectable precision targeting represents a qualitative change in user risk that most mainstream coverage has not adequately characterized.
The quishing surge (5x growth in four months in H2 2025) is a visually striking trend that connects directly to everyday QR-code behavior, making it highly accessible for non-technical audiences.
Credential reuse (94% of passwords reused, 70% of breach victims reusing compromised passwords) is the most consistently underestimated risk factor in consumer security communication.

11. Data Gaps and Research Limitations

The following represent the most significant gaps in publicly available data on email-related breach and compromise:

Compromised email account counts: No authoritative global estimate of how many email accounts are actively compromised at any given time exists. Proxy metrics (ATO reports, breach counts) underestimate the actual figure significantly due to the 194-day average detection lag.
Consumer vs. enterprise separation: Most phishing, BEC, and ATO statistics combine consumer and enterprise data without sector-specific breakdown. Research separating Gmail/personal account compromise from Microsoft 365/corporate compromise would significantly improve risk modeling.
AI phishing measurement standardization: The "82.6% AI-generated phishing" figure is based on specific detection windows and a specific vendor's product telemetry. There is no industry-standard definition of "AI-generated" phishing, and measurement methodologies vary significantly across vendors.
Deepfake phishing validation: The 40% BEC deepfake figure comes from a single source. Cross-validated, multi-organization data on deepfake-assisted phishing volume does not yet exist at a statistically robust scale.
Non-US/non-EU data: The vast majority of quantified phishing, BEC, and ATO data derives from US, EU, and global enterprise sources. Consumer-facing data for Asia-Pacific, Latin America, Middle East, and Africa is sparse.
Quishing success rates: Available data addresses quishing volume and attack frequency but not verified success rates (completed credential captures leading to account access). This limits ROI analysis for defenders.
MFA bypass adoption rates: While kit prevalence is well-documented, the proportion of targeted phishing campaigns that specifically deploy AiTM techniques vs. standard credential harvesting is not uniformly measured.
2026 annual data: At the time of this report's compilation (April 2026), Q1 2026 APWG and FBI IC3 annual data is not yet fully published. The most recent annual data cited is FBI IC3 2024 and APWG Q4 2025.

Source List

#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

Source	Report/Dataset	Year	URL/Reference
Verizon	2025 Data Breach Investigations Report	2025	verizon.com /business/resources/reports/dbir
Verizon	2024 Data Breach Investigations Report	2024	verizon.com /business/resources/reports/dbir
Microsoft	Digital Defense Report 2024	2024	microsoft.com/security/security-insider
Proofpoint	State of the Phish 2024	2024	proofpoint.com/resources/threat-reports/state-of-phish
Proofpoint	Human Factor Report 2025 Vol. 2	2025	proofpoint.com
FBI	IC3 Internet Crime Report 2024	2025	ic3.gov/AnnualReport
APWG	Phishing Activity Trends Report Q4 2024	2025	apwg.org/trendreports
APWG	Phishing Activity Trends Report Q1 2025	2025	apwg.org/trendreports
APWG	Phishing Activity Trends Report Q4 2025	2025	apwg.org/trendreports
ENISA	Threat Landscape 2025	2025	enisa.europa.eu/publications/enisa-threat-landscape-2025
SpyCloud	Annual Identity Exposure Report 2025	2025	spycloud.com/resource/report/spycloud-annual-identity-exposure-report-2025
SpyCloud	Annual Identity Exposure Report 2024	2024	spycloud.com
IBM	Cost of a Data Breach Report 2024	2024	ibm.com/reports/data-breach
Kasada	2025 Account Takeover Attack Trends Report	2025	kasada.io
eSentire	2025 Year in Review & 2026 Threat Outlook	2026	esentire.com
Abnormal AI	2026 Attack Landscape Report	2026	abnormal.ai
Hoxhunt	2026 Phishing Trends Report	2026	hoxhunt.com/guide/phishing-trends-report
Surfshark	Global Data Breach Monitoring Tool	2025	surfshark.com/research/data-breach-monitoring
Keepnet Labs	QR Code Phishing Statistics 2026	2026	keepnetlabs.com/blog/qr-code-phishing-trends
Cloudflare	Phishing Threats Report 2023	2023	cloudflare.com
Cloudflare	Radar 2025 Year in Review	2025	blog.cloudflare.com/radar-2025-year-in-review
Have I Been Pwned	ALIEN TXTBASE breach entry	2025	haveibeenpwned.com
Cybernews	Password study: 19B passwords analyzed	2025	cinchops.com (citing Cybernews)
NordPass / Nord Security	Database leak trends 2023–2025	2026	nordpass.com
Canadian Centre for Cyber Security	AiTM Campaign Analysis	2025	cyber.gc.ca
Sekoia	AiTM Phishing Kit Threat Research 2025	2025	sekoia.io
Venza / Barracuda	Quishing attack statistics 2024–2025	2025	venza.io
Cofense	Q4 2024 Phishing Intelligence Trends	2024	cofense.com
Troy Hunt / Have I Been Pwned	Blog: 2B email addresses indexed	Nov 2025	troyhunt.com
DeepStrike / Digital Applied	Deepfake phishing statistics 2025–2026	2026	deepstrike.io, digitalapplied.com
Bitwarden / LastPass	Password reuse survey data	2023–2025	bitwarden.com
Sift	Q3 2025 Digital Trust Index	2025	sift.com
Startupdefense / Proofpoint	AiTM / EvilProxy analysis	2025–2026	startupdefense.io, proofpoint.com
Mimecast	Global Threat Intelligence Report commentary 2025	2025	mimecast.com
VIPRE	BEC email statistics 2024	2024	vipre.com