Phishing Attack Volume Down 20%, but Risk Still Rising - Dark Reading

CYBERSECURITY ANALYTICS ENDPOINT SECURITY THREAT INTELLIGENCE CYBER RISK NEWS Phishing Attack Volume Down 20%, but Risk Still Rising Hackers are valuing quality over quantity, using AI to upgrade their phishing attacks rather than multiply them. Nate Nelson,Contributing Writer June 11, 2026 4 Min Read SOURCE: ZSCALER Phishing attacks are down across most industries, yet researchers argue the phishing threat is higher today than ever, as the fewer attacks that are perpetrated are becoming more dangerous. In its 2026 annual phishing report, Zscaler researchers framed the trend not as a drop but as a "rebalancing" — threat actors moving from wide spray-and-pray campaigns to more focused attacks with higher conversion rates. Phishing Attacks Plummet You'd be forgiven if you expected phishing attacks to rise with the widespread adoption of modern artificial intelligence (AI) tools. Large language models (LLMs) let foreign-language hackers quickly write clean copy for lure emails. Phishing kits use AI components to generate impersonation paraphernalia — no artistic skills required — and automate entire campaigns. It once seemed a given that with these powerful, easy-to-use tools in hand, hackers would automate more, larger-scale phishing campaigns. Related:Nordic CISOs Handle Rising Cyber Threats Remarkably Well Zscaler did track a huge 58% rise in phishing activity in the year following the release of ChatGPT, either thanks to or irrespective of said chatbot. Ever since then, however, the trendline has only gone in the other direction. After the record high, phishing volume dropped 20% in 2024, and another 20% in 2025. At the company's Zenith Live event in Las Vegas this week, Brett Stone-Gross, Zscaler's senior director of threat intelligence, told Dark Reading that the trend doesn't necessarily have to do with AI, or even phishing for that matter. Instead, threat actors are becoming more selective. "Instead of going en masse, they're doing more targeted attacks. That requires more effort and resources, but the payoff is better," he explains, adding that "I think a lot of it can actually be explained [in the same context as] other types of attacks." Stone-Gross pointed to ransomware actors as an example of this trend. "In the beginning, they would go after everybody. They would deploy ransomware on someone's computer, and it could be grandma and she wants pictures of her grandchildren, so she paid a $150 ransom," he says. "They were getting lots and lots of small payments. And now everything is far more targeted. They're going after businesses, they're going after payouts of millions of dollars. Instead of $150 times a million people." The strategy appears to be working, too. In its 2025 Internet Crime Report, the FBI reported having received the same number of phishing complaints in 2024 and 2025, yet the total losses to victims tripled, from $70 million to $215 million. In 2023 — a year in which it received 50% more complaints than in 2024 and 2025 — losses to victims only added up to $18 million. Related:Cyber Pros Can't Decide If AI Is a Good or a Bad Thing Phishers Embrace Cloud Hosting Certain industries experienced major swings in 2025, with services sector phishing attacks rising 66% and government attacks rising 50%, in contrast to education falling 66%. Many countries also made good progress in stemming attacks. Phishing activity plummeted 64% in Canada, 53% in Spain, and around 33% in Australia, Germany, India, and the UK. The US saw only a 13% drop. Phishers are also changing where they're hosting their infrastructure, with Brazilian hosting rising a whopping 2,522%, and Hong Kong falling dramatically by 90%. At a global scale, what stands out is how phishers are often turning to cloud services for hosting, and that they're using one particular provider more than any other: Amazon Web Services (AWS). Of all the attacker IPs that hit Zscaler decoys, 76% came from AWS address space. Stone-Gross could think of at least a couple of reasons why that might be. "I think one is cost — AWS instances are quite cheap," he says. "And the other is: I think Amazon's abuse department is probably overwhelmed. I have seen that across not just phishing, but other kinds of threats as well. There's just a lot of malicious content that is hosted on AWS." Related:What Will Make AI BOMs Real? For phishers, the benefits of using mainstream cloud services, rather than developing bespoke infrastructure from scratch, are obvious: "The quality is good. Great connectivity. You don't have to worry about downtime," Stone-Gross says. "The cost is low. It's easy to spin up. And the other thing is that no company's going to block AWS, so you could potentially evade network security." Asked whether IP blocklisting is useful to anyone anymore, Stone-Gross says "Yes and no. There are always cases where some criminal activity [is coming from] a dedicated IP." At the same time, he adds, "It can cause a lot of issues if there's shared hosting. And in general, it's better to have more specific information, and obviously an IP address is not necessarily specific information." About the Author Nate Nelson Contributing Writer Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media. He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcasts charts on Apple Podcasts and Spotify. He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy Essential News & Insights from Black Hat USA 2025 How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Access More Research Webinars Advanced Persistent Threats: A Practical Guide to Detection and Response The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack Defending in the Shadow Era: When the CVE Feed Goes Dark Building SecOps That Make the Most of Every Dollar More Webinars You May Also Like CYBERSECURITY ANALYTICS In Cybersecurity, Claude Leaves Other LLMs in the Dust by Nate Nelson, Contributing Writer DEC 17, 2025 CYBERSECURITY ANALYTICS How Agentic AI Can Boost Cyber Defense by Jeffrey Schwartz DEC 04, 2025 CYBERSECURITY ANALYTICS Mideast, African Hackers Target Gov'ts, Banks, Small Retailers by Nate Nelson, Contributing Writer OCT 23, 2025 CYBERSECURITY ANALYTICS Commentary Section Launches New, More Opinionated Era by Becky Bracken OCT 10, 2025 Editor's Choice CYBERSECURITY OPERATIONS 20 Leaders Who Built the CISO Era: 2 Decades of Change byDark Reading Editorial Team MAY 12, 2026 41 MIN READ APPLICATION SECURITY It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight byJai Vijayan MAY 12, 2026 5 MIN READ CYBERATTACKS & DATA BREACHES Instructure Breach Exposes Schools' Vendor Dependence byAlexander Culafi MAY 6, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Advanced Persistent Threats: A Practical Guide to Detection and Response TUESDAY, JUNE 30, 2026 @ 1:00 PM EASTERN DAYLIGHT TIME The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed TUESDAY, JUNE 23, 2026 1:00 PM EDT Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack THURS, JUNE 25, 2026, AT 1PM EST Defending in the Shadow Era: When the CVE Feed Goes Dark TUES, JUNE 16, 2026 AT 1PM EST Building SecOps That Make the Most of Every Dollar THURS, JULY 9, 2026 AT 1PM EST More Webinars AUG 1-6 | MANDALAY BAY, LAS VEGAS USE CODE: DARKREADING & SAVE $200 ON A BRIEFINGS PASS OR $100 ON A BUSINESS PASS The premier cybersecurity event returns. GET YOUR PASS ANATOMY OF A DATA BREACH This comprehensive virtual event examines the main vulnerabilities and exploits that lead to enterprise data breaches, plus the latest tools and best practices for conducting incident response. BEAT HACKERS TO IT