Phishing volume is down across most industries, yet researchers argue the threat is greater today than ever: fewer attacks are being launched, but each one is more dangerous.
In its 2026 annual phishing report, Zscaler researchers framed the trend not as a drop but as a “rebalancing” — threat actors moving from wide spray-and-pray campaigns to more focused attacks with higher conversion rates.
Phishing Attacks Plummet
You’d be forgiven if you expected phishing attacks to rise with the widespread adoption of modern artificial intelligence (AI) tools.
Large language models (LLMs) let attackers who don't speak their targets' language quickly write clean copy for lure emails. Phishing kits use AI components to generate impersonation paraphernalia, no artistic skills required, and to automate entire campaigns. It once seemed a given that with these powerful, easy-to-use tools in hand, hackers would run more, and larger, phishing campaigns.
Zscaler did track a 58% rise in phishing activity in the year following the release of ChatGPT, whether or not the chatbot was the cause. Since then, however, the trend line has only gone the other way: after the record high, phishing volume dropped 20% in 2024 and another 20% in 2025.
At the company’s Zenith Live event in Las Vegas this week, Brett Stone-Gross, Zscaler’s senior director of threat intelligence, told Dark Reading that the trend doesn’t necessarily have to do with AI, or even phishing for that matter. Instead, threat actors are becoming more selective.
“Instead of going en masse, they’re doing more targeted attacks. That requires more effort and resources, but the payoff is better,” he explains, adding that “I think a lot of it can actually be explained [in the same context as] other types of attacks.”
Stone-Gross pointed to ransomware actors as an example of this trend.
“In the beginning, they would go after everybody. They would deploy ransomware on someone’s computer, and it could be grandma and she wants pictures of her grandchildren, so she paid a $150 ransom,” he says. “They were getting lots and lots of small payments. And now everything is far more targeted. They’re going after businesses, they’re going after payouts of millions of dollars. Instead of $150 times a million people.”
The strategy appears to be working, too. In its 2025 Internet Crime Report, the FBI reported having received the same number of phishing complaints in 2024 and 2025, yet the total losses to victims tripled, from $70 million to $215 million. In 2023 — a year in which it received 50% more complaints than in 2024 and 2025 — losses to victims only added up to $18 million.
Phishers Embrace Cloud Hosting
Certain industries experienced major swings in 2025, with services sector phishing attacks rising 66% and government attacks rising 50%, in contrast to education falling 66%.
Many countries also saw sharp drops. Phishing activity plummeted 64% in Canada, 53% in Spain, and around 33% in Australia, Germany, India, and the UK. The US saw only a 13% drop.
Phishers are also changing where they’re hosting their infrastructure, with Brazilian hosting rising a whopping 2,522%, and Hong Kong falling dramatically by 90%. At a global scale, what stands out is how phishers are often turning to cloud services for hosting, and that they’re using one particular provider more than any other: Amazon Web Services (AWS). Of all the attacker IPs that hit Zscaler decoys, 76% came from AWS address space.
Stone-Gross could think of at least a couple of reasons why that might be. “I think one is cost — AWS instances are quite cheap,” he says. “And the other is: I think Amazon’s abuse department is probably overwhelmed. I have seen that across not just phishing, but other kinds of threats as well. There’s just a lot of malicious content that is hosted on AWS.”
For phishers, the benefits of using mainstream cloud services, rather than developing bespoke infrastructure from scratch, are obvious: “The quality is good. Great connectivity. You don’t have to worry about downtime,” Stone-Gross says. “The cost is low. It’s easy to spin up. And the other thing is that no company’s going to block AWS, so you could potentially evade network security.”
Asked whether IP blocklisting is useful to anyone anymore, Stone-Gross says “Yes and no. There are always cases where some criminal activity [is coming from] a dedicated IP.” At the same time, he adds, “It can cause a lot of issues if there’s shared hosting. And in general, it’s better to have more specific information, and obviously an IP address is not necessarily specific information.”
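The indicator-specificity point above can be made concrete. The following is an added example, not code from Zscaler or Dark Reading: it parses a prefix list in the shape of AWS's published ip-ranges.json and chooses the narrowest block rule for a phishing indicator, falling back from IP to hostname to URL prefix as the hosting gets more shared. The prefix list (RFC 5737 documentation ranges standing in for real AWS space), the shared-hostname set, and the sample URLs are all constructed for the example.

```python
"""
Choose how specific a block rule must be for a phishing indicator when the
hosting IP may sit in shared cloud address space.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed excerpt in the shape of AWS's ip-ranges.json
# (live file: https://ip-ranges.amazonaws.com/ip-ranges.json). The prefixes
# are RFC 5737 documentation ranges, not real AWS space.
SAMPLE_IP_RANGES_JSON = """
{
  "syncToken": "0",
  "createDate": "2026-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2",
     "network_border_group": "us-east-1"},
    {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "AMAZON",
     "network_border_group": "eu-west-1"}
  ]
}
"""

# Hostnames that many unrelated tenants share; blocking them outright would
# take out legitimate traffic. Constructed list for this example.
SHARED_HOSTNAMES = {"s3.amazonaws.com", "s3-website-us-east-1.amazonaws.com"}


def load_prefixes(text):
    """Parse ip-ranges.json-style text into a list of IP networks."""
    data = json.loads(text)
    return [ipaddress.ip_network(p["ip_prefix"]) for p in data["prefixes"]]


def cloud_prefix_for(ip, networks):
    """Return the cloud prefix containing ip, or None if it is outside the list."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return net
    return None


def recommend_rule(url, ip, networks):
    """
    Pick the narrowest indicator that still blocks the phishing page:
      - IP rule only when the IP is outside known shared cloud space
      - hostname rule when the IP is cloud-hosted but the hostname is tenant-specific
      - URL-prefix rule when even the hostname is shared infrastructure
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    net = cloud_prefix_for(ip, networks)
    if net is None:
        return {"type": "ip", "value": ip,
                "reason": "IP not in a known shared cloud range; likely dedicated"}
    if host in SHARED_HOSTNAMES:
        # Path-style object URLs: the tenant (bucket) is the first path segment.
        first = parts.path.lstrip("/").split("/")[0]
        value = f"{parts.scheme}://{host}/{first}/" if first else url
        return {"type": "url_prefix", "value": value,
                "reason": f"{ip} is in {net} and {host} is shared infrastructure"}
    return {"type": "host", "value": host,
            "reason": f"{ip} is in {net}; blocking the IP would hit other tenants"}


if __name__ == "__main__":
    nets = load_prefixes(SAMPLE_IP_RANGES_JSON)
    # Constructed indicators: (lure URL, IP the hostname resolved to)
    indicators = [
        ("https://login-example.test/verify", "192.0.2.10"),
        ("https://login-example.test/verify", "203.0.113.7"),
        ("https://s3.amazonaws.com/lure-bucket/index.html", "198.51.100.9"),
    ]
    for url, ip in indicators:
        print(recommend_rule(url, ip, nets))
```

The same lure page yields an IP rule when it resolves to a dedicated address and a hostname rule when it resolves into the cloud prefix list; a path-style shared hostname pushes the rule down to the URL prefix. In practice the prefix list would be refreshed from the provider's published file rather than embedded.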