Official UK phishing statistics — how many organisations are attacked, how many scam emails the public reports, and how much money is lost to phishing-driven fraud, with every figure dated and traced to a primary source.
Phishing is the most common cyber attack experienced in the UK, by a wide margin, and it is measured better here than almost anywhere else in the world. This page brings together the key numbers from the four official sources that track it: the government's Cyber Security Breaches Survey (CSBS), the National Cyber Security Centre's Annual Review, the Office for National Statistics' Crime Survey for England and Wales (CSEW), and UK Finance's Annual Fraud Report. Every figure below states its data period, so you can cite it with confidence.
Key facts and figures
- 38% of UK businesses and 25% of charities experienced phishing attacks in the 12 months to the 2025/26 survey — the most common attack type (CSBS 2025/26).
- 93% of businesses that experienced a cyber crime said phishing was involved; for charities the figure was 95% (CSBS 2025/26).
- 10.9 million phishing reports were made to the NCSC's Suspicious Email Reporting Service in the year to the 2025 Annual Review.
- 45 million+ reports have been sent to SERS in total since it launched in April 2020 (NCSC, 2025).
- 412,000 malicious URLs have been removed by the NCSC since 2020 (NCSC Annual Review 2025).
- 4.2 million fraud incidents were estimated in England and Wales in the year ending March 2025 — up 31% year on year (ONS/CSEW).
- £1.28 billion was stolen through payment fraud in 2025, much of it driven by social engineering such as phishing (UK Finance, 2026).
- 69% of organisations that suffered a breach or attack rated phishing the most disruptive type they faced (CSBS 2025/26).
All figures on this page are the latest available as of July 2026; the main annual refresh is the Cyber Security Breaches Survey, published each spring — the 2025/26 edition appeared on 30 April 2026 — with the NCSC Annual Review following each autumn.
How common are phishing attacks in the UK?
38% of UK businesses and 25% of UK charities experienced phishing attacks in the 12 months before the Cyber Security Breaches Survey 2025/26 (fieldwork August–December 2025, published 30 April 2026). That makes phishing the most prevalent attack type by a distance. For context, 43% of businesses and 28% of charities identified any cyber breach or attack over the same period — equivalent to roughly 612,000 UK businesses and 57,000 charities — so where an organisation was attacked at all, phishing was almost always part of the picture.
The pattern is even starker among incidents serious enough to count as crimes. Of the organisations that experienced a cyber crime, phishing was involved for 93% of businesses and 95% of charities (CSBS 2025/26). Across the whole economy, 18% of all UK businesses and 13% of all charities experienced a phishing-based cyber crime in the last 12 months.
Phishing is not just the most common attack — it is also the one organisations struggle with most. 69% of businesses and charities that experienced a breach or attack rated phishing the most disruptive type (CSBS 2025/26).
The trend offers modest comfort. Business phishing prevalence in 2025/26 was unchanged on the year before, but significantly down from the 42% recorded two years earlier in the 2023/24 survey. Phishing also shows up prominently as a cause of personal data breaches reported to the ICO's quarterly incident dataset — the full cause-by-cause breakdown, including how phishing compares with misdirected emails and other human errors, lives on our human error data breach statistics page.
How many phishing emails are reported in the UK?
Over 10.9 million reports were made to the NCSC's Suspicious Email Reporting Service (SERS) in the year covered by the NCSC Annual Review 2025 (published autumn 2025) — around 30,000 suspicious emails forwarded by the public every day. That took the total since the service launched in April 2020 past 45 million reports.
An earlier joint Action Fraud and NCSC announcement (3 June 2025, covering data to April 2025) put the running total at 41 million and set out what all that reporting achieves: 217,000 scams removed across 393,395 web pages, plus more than 27,000 scam text messages taken down after being forwarded to the free 7726 reporting number. The jump from 41 million reports in spring 2025 to more than 45 million by the autumn review shows the reporting habit is still accelerating.
How many phishing sites does the NCSC take down?
412,000 malicious URLs have been removed by the NCSC since 2020, according to the Active Cyber Defence chapter of the NCSC Annual Review 2025. Over the same period its takedown service removed 1.2 million cyber-enabled commodity campaigns — the mass-produced scam infrastructure behind most phishing emails.
Government itself is a constant target. The NCSC reports that more than 26,000 phishing campaigns aimed at UK government departments were disrupted in the year to the 2025 Annual Review, with 79% resolved within 24 hours of detection.
These takedown volumes are the supply-side view of the same problem the CSBS measures from the victim side: phishing operates at industrial scale, and the majority of campaigns are commodity kits rather than bespoke attacks.
How many people fall victim to fraud and hacking?
4.2 million fraud incidents were estimated by the Crime Survey for England and Wales in the year ending March 2025 — a 31% rise on the previous year (ONS crime bulletin). The next annual update, covering the year ending March 2026, is due in late July 2026.
Computer misuse — the offence category covering hacking and unauthorised access — moved the other way: the CSEW estimated 692,000 incidents in the year ending March 2025, down 32% year on year. Recorded-crime data tells a different story, though: computer misuse offences referred by Action Fraud to the National Fraud Intelligence Bureau rose 36% to 55,576, driven partly by social media and email hacking (ONS, year ending March 2025).
The ONS's nature-of-fraud analysis (year ending March 2025, released 26 March 2026) shows how victims are reached. Where fraud victims were contacted, first contact came by phone in 39% of incidents, online — for example via social media — in 32%, and by email in 13%. In hacking incidents, offenders got in through the victim's social media or messenger account 26% of the time and through email 16% of the time.
How much money is lost to phishing-driven fraud?
£1.28 billion was stolen through payment fraud in 2025, up 4% on 2024, according to the UK Finance Annual Fraud Report 2026. An important caveat: no UK body publishes a single "phishing losses" figure. UK Finance measures payment fraud, much of which is driven by social engineering — phishing emails, scam texts and fraudulent calls — but its totals should never be quoted as phishing losses alone.
Within that total, authorised push payment (APP) fraud — where victims are manipulated into sending money themselves — rose 19% to £576.4 million across 248,070 cases in 2025, and UK Finance reports that two-thirds of APP fraud originated online. Unauthorised fraud (payments made without the account holder's involvement) fell 5% to £703.4 million, though case volumes rose 11% to 3.81 million — more, smaller thefts.
| Measure | 2025 figure | Change on 2024 |
|---|---|---|
| Total payment fraud losses | £1.28 billion | +4% |
| APP fraud losses | £576.4 million | +19% |
| APP fraud cases | 248,070 | — |
| Unauthorised fraud losses | £703.4 million | −5% |
| Unauthorised fraud cases | 3.81 million | +11% |
Source: UK Finance Annual Fraud Report 2026, covering calendar year 2025. The report is published annually, typically in July.
How do I report a phishing email or text in the UK?
The official routes are free and genuinely effective — the 217,000 scams removed so far all started with a member of the public forwarding something suspicious.
- Suspicious emails — forward them to [email protected], the NCSC's Suspicious Email Reporting Service.
- Suspicious texts — forward them to 7726, the free scam-text reporting number; more than 27,000 scam texts have been removed this way (Action Fraud/NCSC, June 2025).
- If you have lost money — report it to Action Fraud (or to Police Scotland if you live in Scotland).
Reports feed the NCSC's takedown pipeline directly: reported URLs are analysed, confirmed malicious sites are removed, and the same intelligence helps block campaigns before they reach other inboxes.
Frequently asked questions
How common are phishing attacks in the UK?
Very. Phishing was the most prevalent attack type in the Cyber Security Breaches Survey 2025/26, experienced by 38% of UK businesses and 25% of charities in the previous 12 months. Among organisations that suffered a cyber crime, phishing was involved in 93% of business cases and 95% of charity cases.
How many phishing emails are reported in the UK each year?
The NCSC's Suspicious Email Reporting Service received over 10.9 million reports in the year to its 2025 Annual Review — roughly 30,000 a day — and has received more than 45 million in total since launching in April 2020.
How much money is lost to phishing and online fraud in the UK?
There is no official "phishing-only" loss figure. The closest measure is UK Finance's payment fraud total: £1.28 billion stolen in 2025, including £576.4 million of APP fraud — two-thirds of which originated online. The Crime Survey for England and Wales separately estimated 4.2 million fraud incidents in the year ending March 2025.
How do I report a phishing email or text in the UK?
Forward suspicious emails to [email protected] (the NCSC's SERS) and suspicious texts to 7726. If you have actually lost money, report the crime to Action Fraud, or to Police Scotland if you live in Scotland.
Are phishing attacks increasing or decreasing?
The picture is mixed. Phishing prevalence among UK businesses fell from 42% in the 2023/24 survey to 38% in 2025/26 (unchanged on the year before), but public reports to SERS keep climbing — over 10.9 million in the latest year — and CSEW fraud incidents rose 31% in the year ending March 2025.
Are there separate spear phishing statistics for the UK?
No official UK source publishes a standalone spear-phishing prevalence figure. The Cyber Security Breaches Survey reports phishing as a single category covering both mass and targeted campaigns, so UK spear-phishing claims you see elsewhere are usually vendor estimates rather than official statistics.
Related guides
- Human error data breach statistics UK
- Ransomware statistics UK
- Data breach statistics UK
- Cyber security skills gap statistics UK
- GDPR data breach: what to do in the first 72 hours
- GDPR fines and penalties in the UK
Sources & references
- DSIT & Home Office — Cyber Security Breaches Survey 2025/26 (published 30 April 2026)
- NCSC Annual Review 2025 — Active Cyber Defence chapter (SERS and takedown data)
- ONS — Crime in England and Wales, year ending March 2025 (fraud and computer misuse)
- ONS — Nature of fraud and computer misuse in England and Wales, year ending March 2025 (released 26 March 2026)
- UK Finance — Annual Fraud Report 2026 (covering calendar year 2025)
- Action Fraud & NCSC — "Don't get hooked" SERS press release, 3 June 2025 (via Wired-Gov)
- ICO — Data security incident trends dataset (quarterly)
Phishing is the most common cyber attack UK organisations face — and it succeeds when people click without thinking. Train your team to spot suspicious emails and handle personal data safely.
Explore the GDPR & Data Protection Course →