Tags: phishing, statistics, cybersecurity, SMB

Business Phishing: 2026 Statistics, Real-World Examples, and Solutions

91% of cyberattacks start with a phishing email. 2026 statistics, attack types, real-world examples from France, and solutions to protect your SMB.

Thomas Ferreira · 25 min read

In 2025, 91% of successful cyberattacks started with a simple phishing email (Verizon DBIR 2025). As staggering as that number is, it no longer surprises cybersecurity professionals. What is more surprising is the speed at which these attacks are improving - and how slowly businesses are adapting.

In France, the situation is particularly concerning for small and medium-sized businesses. 43% of French SMBs were targeted by at least one phishing attempt in 2025 (ANSSI - France's national cybersecurity agency). Among them, a large proportion had no detection tools, no training program, and no incident response protocol in place.

This article is the definitive guide to business phishing in 2026. You will find the latest statistics, seven types of attacks targeting organizations, real-world examples from France, and above all how to build an effective defense combining technical detection, phishing simulation, and ongoing training. The data cited comes from the Verizon DBIR 2025, IBM Cost of a Data Breach 2025, Proofpoint State of the Phish 2025, the CESIN barometer (France's top IT security professionals' association), and publications from ANSSI (France's national cybersecurity agency).

Whether you are a business owner, IT manager, or CISO of an SMB, this guide will give you the keys to understand the threat and take concrete action.

Business Phishing: Key Figures for 2026

Business phishing statistics confirm the same trend year after year: the threat is massive, growing, and increasingly costly. Here are the most striking data points from leading reports.

Indicator | Figure | Source
--- | --- | ---
Share of cyberattacks starting with phishing | 91% | Verizon DBIR 2025
SMBs reporting a viability-threatening impact | 1 in 3 | Hiscox Cyber Readiness Report 2025
Employees clicking a phishing link without training | 1 in 3 | Proofpoint State of the Phish 2025
Average cost of a phishing-related data breach | $4.88M | IBM Cost of a Data Breach 2025
Phishing emails sent daily worldwide | 3.4 billion | Barracuda Networks 2025
Year-over-year increase in phishing attacks | +58% | Zscaler ThreatLabz 2025
Average time to detect a phishing compromise | 207 days | IBM Cost of a Data Breach 2025

According to the IBM Cost of a Data Breach 2025 report, phishing is both the most common initial attack vector and one of the most expensive. The $4.88 million average cost includes detection, incident response, lost revenue, and regulatory fines. For a French SMB with annual revenue between 2 and 50 million euros, a single successful attack can pose an existential threat. For a detailed cost breakdown: How Much Does a Cyberattack Cost an SMB of 50 Employees.

The Hiscox Cyber Readiness Report 2025 found that one-third of affected businesses suffered an impact severe enough to threaten their financial health. Loss of customer trust, operational paralysis, remediation costs - the damages compound and weaken the business over time.

Finally, one in three employees clicks a phishing link when they have received no specific training (Proofpoint State of the Phish 2025). That rate drops below 5% after a structured awareness program - proof that the human factor is both the weakest link and the strongest defense against phishing.

Test your team's click rate - first simulation in 15 minutes.

The 7 Types of Phishing Targeting Businesses

Business phishing is no longer limited to poorly written emails riddled with typos. Attackers have diversified their methods and channels. Here are the seven attack types every organization needs to know.

1. Standard Email Phishing

Definition: Mass sending of emails impersonating trusted brands or institutions (banks, cloud services, government agencies) to steal credentials or install malware.

How it works: The attacker faithfully replicates the visual identity of a well-known brand - logo, layout, tone - and sends the email to thousands of recipients. The message contains a link to a fake login page or a booby-trapped attachment.

Example: An email claiming to be from Microsoft 365 warns the user that their password expires in 24 hours and invites them to click a link to renew it. The landing page is a perfect copy of the Microsoft login page, hosted on a domain like microsft-365-login.com.

Detection difficulty: Medium. Modern email filters block most of these attempts, but the most sophisticated campaigns use newly registered domains and evasion techniques that bypass standard protections.

2. Spear Phishing (Targeted Phishing)

Definition: A personalized phishing attack aimed at a specific individual, using information gathered from social media, the company website, or compromised databases.

How it works: The attacker researches the target on LinkedIn, the company website, and social media. They craft a highly personalized email mentioning the recipient's name, job title, a current project, or a real colleague. The level of personalization makes the email far more convincing.

Example: An accountant receives an email apparently sent by the CFO, mentioning a specific invoice from a regular supplier and requesting an urgent wire transfer to new bank details.

Detection difficulty: High. The personalization makes these emails hard to distinguish from legitimate communications, even for experienced employees.

3. Whaling / CEO Fraud

Definition: A variant of spear phishing targeting exclusively senior executives (CEO, CFO, Managing Director) or impersonating them to their teams.

How it works: The attacker impersonates the CEO or a member of the executive committee to send an urgent, confidential request to an employee with financial access. The hierarchical pressure and the supposedly confidential nature of the request suppress the employee's verification instincts.

Example: The classic "CEO fraud" in France: an email apparently from the CEO asks the accounting department to wire 500,000 euros for a "confidential acquisition in progress." The email insists on absolute secrecy and urgency.

Detection difficulty: Very high. These attacks exploit deference to authority and urgency to bypass control procedures.

4. Business Email Compromise (BEC)

Definition: The actual compromise of a professional email account, which is then used to send fraudulent messages from a legitimate address.

How it works: Unlike spear phishing, which impersonates a sender, BEC uses the actual email account of an employee. The attacker gains access to the account (often through an initial phishing attack), monitors ongoing conversations, then intervenes at the right moment - for example, to change bank details in an email thread with a supplier.

Example: An attacker compromises the email account of a procurement manager at an industrial company. They monitor exchanges with a key supplier for two weeks, then reply to the latest billing email with new bank details. The supplier, communicating with the usual email address, wires the payment to the fraudulent account.

Detection difficulty: Very high. The email comes from a legitimate address, within an existing conversation, so content filters and authentication checks (SPF, DKIM, DMARC all pass) have nothing to flag. Detection relies on behavioral signals around the mailbox itself, such as a sign-in from an unusual location or client, or inbox rules created shortly after, and on process controls such as out-of-band verification of any change in bank details. Phishing-resistant multi-factor authentication on mailboxes makes the initial account takeover considerably harder.

5. Smishing (SMS Phishing)

Definition: Phishing attacks delivered by SMS, exploiting the greater trust users place in text messages compared to emails.

How it works: The attacker sends an SMS appearing to come from a recognized institution (bank, delivery service, government agency) with a link to a fraudulent website. SMS messages have a 98% open rate compared to 20% for emails, and shortened URLs hide the real destination.

Example: An SMS claiming to be from the French national health insurance (Assurance Maladie) tells the recipient they must urgently update their health card via a link. The website mimics the official Ameli.fr portal and collects social security numbers, login credentials, and bank details.

Detection difficulty: High. Anti-spam filters for SMS are less mature than for email, and users are less suspicious of text messages. According to Proofpoint, smishing attacks have increased by 300% since 2023.

6. Vishing (Voice Phishing)

Definition: Phone-based attacks using social engineering, increasingly enhanced by AI-powered voice cloning.

How it works: The attacker calls the target posing as an IT technician, banker, or colleague. With AI voice synthesis tools, they can now faithfully reproduce a real person's voice from just a few seconds of audio (conference talk, YouTube video, voicemail).

Example: A CFO receives a call from what he believes to be the CEO, asking him to authorize an urgent wire transfer. The voice, cloned from a public speech by the CEO, is perfectly recognizable. This scenario, documented by several cybersecurity firms, has caused losses exceeding one million euros at European companies.

Detection difficulty: Very high. AI voice cloning defeats the safeguard of recognizing a familiar voice, so "it sounded like the CEO" no longer counts as verification. What still works is out-of-band verification: hang up and call the person back on a number already on file (never the number that called you), or confirm the request through a second channel agreed in advance, such as a ticket in the finance workflow.

7. QR Phishing (Quishing)

Definition: Use of malicious QR codes in emails, printed documents, or posters to redirect victims to phishing websites.

How it works: The attacker inserts a QR code into a professional email (under the pretext of two-factor authentication or a shared document) or into physical media (fake parking tickets, posters in public places). The QR code redirects to a phishing site. Because the URL is encoded in an image rather than written as a link, it passes through email filters that do not decode QR codes, and the scan usually happens on a personal phone outside the corporate network's protections.

Example: Fake parking tickets placed on windshields in several French cities. The ticket invites drivers to scan a QR code to "dispute or pay the fine online." The website collects bank card details.

Detection difficulty: High. QR codes inherently hide the destination URL, preventing visual verification of the link, and many email security solutions still do not decode QR codes embedded in images. The one check available to the user is the preview of the decoded URL that most phone cameras show before opening it.

For an in-depth analysis of quishing, vishing, and smishing with specific defense strategies: New Forms of Phishing in 2026.

Real-World Phishing Attacks in France

Beyond statistics, concrete examples illustrate the reality of the threat for French businesses. Here are four representative cases of attacks that have struck in France.

Phishing Attack on a French University Hospital (2024)

What happened: A hospital employee received an email mimicking a notification from the shift scheduling system. By clicking the link and entering their credentials, they gave the attackers a foothold in the hospital's network. Within hours, ransomware spread through the infrastructure, encrypting patient records and crippling prescription systems.

Impact: The hospital reverted to paper-based processes for several weeks, non-urgent surgeries were postponed, remediation costs were estimated at several million euros by ANSSI (France's national cybersecurity agency), and there was a direct risk to patient safety. ANSSI has documented this type of incident repeatedly in its annual threat reports.

How it could have been prevented: Regular training of staff on phishing warning signs, combined with a suspicious email verification tool, would have enabled employees to have the message analyzed before clicking.

BEC Targeting a Mid-Sized Industrial Company: 800,000 Euro Fraudulent Wire Transfer

What happened: Attackers compromised the email account of a procurement manager at a mid-sized industrial company. After two weeks of silently monitoring exchanges with a key supplier, they intercepted a pending invoice and replaced the bank details with those of an offshore account.

Impact: 800,000 euros wired to a fraudulent account, unrecoverable despite the bank's rapid intervention. The compromise was only discovered when the real supplier followed up on the unpaid invoice - three weeks after the wire transfer.

How it could have been prevented: A dual-verification protocol for any change in bank details (phone call to the usual number, not the one provided in the email), and a behavioral detection solution for abnormal email access patterns.
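A concrete form of the behavioral detection mentioned above, added here as an example (not code from nophi.sh or from the case described). It reads a constructed mailbox audit log in a generic key=value format, learns each user's usual countries and mail clients during a baseline window, then flags logins that break the pattern as well as inbox rules that forward mail outside the company or hide a supplier's replies. The log format, the domains, the 14-day baseline and the list of "hiding" folders are all assumptions; flagging legacy IMAP sign-ins and hide-and-forward rules goes a little beyond what the case above describes, but both are standard indicators of a mailbox being silently monitored.

```python
"""Spot the footprint of a compromised mailbox in an audit log.

Added example for this article, not code from any product or from the
incident described. The log lines, domains and thresholds are constructed
assumptions; adapt the parser to your mail platform's real audit export.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: mail addressed to these domains stays internal, anything else leaves the company.
INTERNAL_DOMAINS = {"example.com"}
# Assumed: folders an intruder uses to keep a supplier's replies out of the victim's sight.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "archive", "junk email"}
# Assumed: the first two weeks of a user's activity define what "normal" looks like.
BASELINE = timedelta(days=14)

# Constructed sample log (generic key=value format, one event per line).
SAMPLE_LOG = """
2025-02-20T08:05:00Z user=procurement@example.com event=login ip=198.51.100.7 country=FR client=Outlook
2025-02-27T08:10:12Z user=procurement@example.com event=login ip=198.51.100.7 country=FR client=Outlook
2025-03-03T08:12:44Z user=procurement@example.com event=login ip=198.51.100.9 country=FR client=Outlook
2025-03-10T02:31:09Z user=procurement@example.com event=login ip=203.0.113.45 country=NG client=IMAP
2025-03-10T02:35:50Z user=procurement@example.com event=inbox_rule action=forward target=billing.updates@mail-example.net
2025-03-10T02:36:12Z user=procurement@example.com event=inbox_rule action=move folder="RSS Feeds" condition="from:supplier.example"
2025-03-11T08:01:30Z user=procurement@example.com event=login ip=198.51.100.7 country=FR client=Outlook
"""


def parse(line: str) -> dict:
    """Turn '<timestamp> k=v k="quoted v" ...' into a dict with a tz-aware 'ts'."""
    ts, *pairs = shlex.split(line)
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def detect(lines) -> list[dict]:
    """Return one alert dict per suspicious event, in time order."""
    records = sorted((parse(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    first_seen = {}
    countries, clients = defaultdict(set), defaultdict(set)
    alerts = []
    for r in records:
        user = r["user"]
        first_seen.setdefault(user, r["ts"])
        in_baseline = r["ts"] - first_seen[user] < BASELINE
        reason = None
        if r["event"] == "login":
            if in_baseline:  # learn what is normal for this user
                countries[user].add(r["country"])
                clients[user].add(r["client"])
            else:  # after the baseline, anything unseen is worth a look
                novel = []
                if r["country"] not in countries[user]:
                    novel.append(f"new country {r['country']}")
                if r["client"] not in clients[user]:
                    novel.append(f"new client {r['client']}")
                if novel:
                    reason = "login: " + ", ".join(novel)
        elif r["event"] == "inbox_rule":
            if r.get("action") == "forward":
                target_domain = r["target"].rsplit("@", 1)[-1].lower()
                if target_domain not in INTERNAL_DOMAINS:
                    reason = f"inbox rule forwards mail to external domain {target_domain}"
            elif r.get("action") == "move" and r.get("folder", "").lower() in HIDE_FOLDERS:
                reason = f"inbox rule hides messages ({r.get('condition', '')}) in folder {r['folder']}"
        if reason:
            alerts.append({"ts": r["ts"].isoformat(), "user": user, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert["ts"], alert["user"], alert["reason"])
```

On the sample log the three attacker events are flagged and the legitimate logins before and after are not. In the case above, a rule of this kind would have fired two weeks before the wire transfer, when the attacker was still only reading the thread.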

Smishing Campaign Impersonating the National Health Insurance

What happened: A massive campaign of fraudulent SMS messages targeted hundreds of thousands of French citizens, posing as the national health insurance (Assurance Maladie). The message stated that their new health card was ready and invited them to order it via a link. The website, a near-perfect copy of Ameli.fr, requested social security numbers, FranceConnect credentials, and bank details (under the pretext of a 1.90 euro shipping fee).

Impact: Thousands of victims shared their personal and financial data. The collected information was resold on the dark web and used for identity theft. The national health insurance and Cybermalveillance.gouv.fr (France's government-backed cybersecurity assistance platform) issued public alerts.

How it could have been prevented: Regular employee awareness training on smishing techniques, including SMS phishing simulations, would have greatly reduced the click-through rate.

QR Phishing Through Fake Parking Tickets

What happened: In several major French cities, fake parking tickets were placed on vehicle windshields. The document, faithfully replicating the official format, included a QR code inviting drivers to "pay or dispute the fine online." The destination website collected bank card details.

Impact: Difficult to quantify due to the number of unreported victims, but law enforcement received hundreds of complaints. The attack is particularly insidious because it exploits a physical medium - paper - that most people do not perceive as a cyberattack vector.

How it could have been prevented: Employee training must include non-digital vectors like quishing. A thorough awareness program covers all attack channels, not just email.

Launch a multi-channel simulation - email, QR code, and SMS included.

Why SMBs Are Prime Targets

While large corporations and public institutions make the headlines when they fall victim to cyberattacks, SMBs are in reality the most frequent and most vulnerable targets. Several structural factors explain this disproportionate exposure.

Limited cybersecurity budgets. According to the CESIN 2025 barometer (France's top IT security professionals' association), French SMBs allocate on average less than 5% of their IT budget to cybersecurity, compared to 10–15% for large enterprises. This underinvestment results in outdated or missing protection tools and an inability to deploy advanced detection solutions.

No dedicated security team. Most SMBs have neither a SOC (Security Operations Center) nor a full-time CISO (Chief Information Security Officer). IT security is often handled by a generalist IT manager - or even by the business owner - on top of their other responsibilities.

Less employee training. In a large company, cybersecurity awareness is part of the onboarding process and mandatory annual training. In an SMB, this training is often nonexistent or limited to an occasional warning email. Yet the human factor is precisely what phishing exploits.

Gateway to large corporations (supply chain attacks). SMBs that serve as subcontractors or suppliers to large enterprises become strategic targets. Compromising a supplier's network allows attackers to reach the large client company by pivoting through the supply chain - a technique documented in numerous attacks in recent years.

Falling behind on regulatory compliance. The enforcement of NIS2 (the European directive on network and information system security) and DORA (Digital Operational Resilience Act) introduces new obligations for SMBs in critical sectors. However, according to ANSSI, a majority of affected SMBs have not yet begun their compliance efforts. To learn more about these obligations, see our NIS2 guide for SMBs and our dedicated page on SOC2 and ISO 27001 compliance.

A false sense of security. Many SMB owners still believe their company is "too small to interest hackers." This belief is dangerous: phishing attacks are massively automated and do not discriminate by size. A phishing email sent to 100,000 addresses hits CAC 40 companies and 5-person micro-businesses alike.

How to Spot a Phishing Email: 8 Warning Signs

Before deploying technical solutions, every employee must know how to recognize a phishing email. Here are the eight warning signs to check systematically.

1. Suspicious sender. Check the full email address - not just the display name - and the Reply-To address if one is set, since a reply may go somewhere other than the apparent sender. An email from support@micros0ft-365.com (with a zero) is not a Microsoft email. Attackers use domains that visually resemble legitimate ones (typosquatting).

2. Artificial urgency. "Your account will be suspended in 24 hours," "Immediate action required," "Final warning before closure." Urgency is the most common manipulation technique in phishing - it is designed to prevent the recipient from thinking clearly. To understand the cognitive mechanisms behind these techniques: The Psychology of Phishing and Cognitive Biases.

3. Hidden links. Hover over (without clicking) every link in the email. The URL displayed in the text does not always match the actual destination URL. A link displaying www.mybank.com could point to www.mybank-secure.xyz.

4. Unexpected attachments. Be wary of unsolicited attachments, especially .exe, .zip, .iso files and Office documents containing macros (.docm, .xlsm). Never enable macros on a document received by email.

5. Spelling and grammar mistakes. Although the most sophisticated attacks are now written flawlessly (thanks to generative AI), the presence of errors in a supposedly official email remains a red flag. Note, however, that the absence of errors does not guarantee legitimacy.

6. Requests for sensitive information. No legitimate organization asks for a password, credit card number, validation code, or social security number by email. Any such request should be treated as suspicious by default.

7. Lack of personalization. An email beginning with "Dear customer," "Dear user," or a generic greeting when the sender supposedly knows you is suspicious. However, spear phishing attacks use your real name - so this criterion alone is not sufficient.

8. Sloppy design. Pixelated or distorted logos, broken layouts on mobile, slightly off-brand colors, incomplete footers. These visual clues often betray a phishing attempt, even though the copies are becoming increasingly faithful.
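The four checks above that can be automated (sender domain, urgency wording, mismatched links, risky attachments) applied to a raw message, written for this article as an added example and not code from the nophi.sh platform. The sample email, the brand allowlist, the urgency phrases and the risky-extension list are constructed assumptions to be replaced with the organisation's own data; the sender check goes slightly beyond the text by also catching one-letter typos (microsft) and digit substitutions (micros0ft).

```python
"""Screen a raw email for the warning signs above. Added example for this
article, not code from the nophi.sh platform; the sample message, brand list
and phrase list are constructed assumptions to be replaced by your own."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_BRANDS = ("microsoft.com", "google.com", "mybank.example")  # assumed allowlist
LEET = str.maketrans("013457", "oleast")  # digit-for-letter swaps: 0->o 1->l 3->e 4->a 5->s 7->t
URGENCY = re.compile(r"\b(within 24 hours|immediate action|final warning|suspended|expires?)\b", re.I)
RISKY_EXT = (".exe", ".iso", ".zip", ".docm", ".xlsm", ".js", ".hta", ".lnk")
DOMAINISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)  # link text naming a site

# Constructed sample: the "password expires" lure with a macro-enabled attachment.
SAMPLE = b"""From: Microsoft 365 Support <support@micros0ft-365.com>
Subject: Your password expires within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended. Renew your password at
<a href="https://login.micros0ft-365.com/renew">https://login.microsoft.com</a></p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 between labels flags typosquats such as microsft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels): fine for .com-style names, wrong for co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def looks_like(domain: str, brand: str) -> bool:
    """True when domain imitates brand without being it (leet digits, extra tokens, typos)."""
    if domain == brand:
        return False
    label, normalized = brand.split(".")[0], domain.translate(LEET)
    return label in normalized or edit_distance(normalized.split(".")[0], label) <= 2

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def screen(raw: bytes) -> list[str]:
    """Return the warning signs found in a raw RFC 5322 message (empty list: nothing flagged)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Sign 1: the sender's real domain (not the display name) imitates a known brand.
    sender = registrable(msg["from"].addresses[0].domain)
    findings += [f"sender domain {sender} resembles {b}" for b in KNOWN_BRANDS if looks_like(sender, b)]
    # Sign 2: artificial urgency in the subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if URGENCY.search(msg["subject"] or "") or URGENCY.search(text):
        findings.append("urgency language in subject or body")
    # Sign 3: hidden links, where the visible text names one site but href goes to another.
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(text)
        for href, shown in collector.links:
            target = registrable(urlparse(href).hostname or "")
            if DOMAINISH.match(shown):
                shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
                if shown_host and registrable(shown_host) != target:
                    findings.append(f"link text {shown} points to {target}")
    # Sign 4: unexpected attachment with an executable or macro-enabled extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky attachment {name}")
    return findings

if __name__ == "__main__":
    for finding in screen(SAMPLE):
        print("-", finding)
```

On the constructed sample the screener reports all four signs. Signs 5 to 8 (spelling, requests for secrets, generic greeting, sloppy design) are deliberately left to the human reader: they are weak signals on their own, and the last sentence of each item above explains why.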

This checklist is a first line of defense, but it is not enough against the most sophisticated attacks. That is why the combination of technical detection + simulation + training remains necessary. Discover the full feature set of the nophi.sh platform for end-to-end protection.

Solutions to Protect Your Business Against Phishing

An effective defense against business phishing relies on the complementarity of three approaches. None is sufficient on its own - it is their combination that creates a solid security posture.

Pillar 1: Technical Detection

The first line of defense is technological. Its goal is to prevent malicious emails from reaching inboxes.

Email authentication (SPF, DKIM, DMARC). These three protocols form the foundation of email security. SPF lets a domain publish in DNS which servers may send mail on its behalf, so a receiving server can check the envelope sender against that list. DKIM adds a cryptographic signature over selected headers and the body, so the receiver can verify that the message was signed by the claimed domain and not altered in transit. DMARC ties both to the From: domain the user actually sees (alignment), tells receivers what to do with mail that fails (p=none, quarantine or reject), and returns aggregate reports on who is sending as your domain. Two caveats matter in practice: a policy of p=none only monitors and blocks nothing, so the benefit comes from moving to quarantine and then reject; and DMARC stops exact spoofing of your own domain only. It does nothing against lookalike domains (the typosquatting described above) or mail sent from a genuinely compromised account (BEC), which is why it is one layer among several. According to the Verizon DBIR 2025 report, organizations that have deployed DMARC in reject mode reduce domain spoofing attempts by 75%.
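A check for the two settings that most often undermine this layer (an SPF record ending in +all, and a DMARC record left at p=none), written for this article as an added example rather than taken from any product. The records below are constructed strings, not live DNS answers; in production you would first fetch the TXT records for your domain and for _dmarc.<your domain>, then pass them to assess().

```python
"""Check SPF and DMARC records for the weaknesses that matter.

Added example for this article, not from any vendor. The records are
constructed strings; in production fetch the TXT records for the domain
and for _dmarc.<domain> from DNS before calling assess().
"""

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup


def parse_spf(record: str) -> dict:
    """Return the qualifier on the 'all' term, the other mechanisms, and the lookup count."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    spf = {"all": None, "lookups": 0, "mechanisms": []}
    for term in terms[1:]:
        qualifier = "+"  # RFC 7208: an absent qualifier means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            spf["all"] = qualifier
        else:
            spf["mechanisms"].append((qualifier, term))
            spf["lookups"] += int(name in LOOKUP_MECHANISMS)
    return spf


def parse_dmarc(record: str) -> dict:
    """Return the tag=value pairs of a DMARC record as a dict (keys lower-cased)."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        raise ValueError("not a DMARC record")
    return {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}


def assess(spf_record: str, dmarc_record: str) -> list[str]:
    """List the weaknesses in a domain's SPF/DMARC pair; an empty list means the records are solid."""
    findings = []
    spf = parse_spf(spf_record)
    if spf["all"] in (None, "+"):
        findings.append("SPF: missing or '+all' terminator lets any host pass SPF")
    elif spf["all"] == "?":
        findings.append("SPF: '?all' is neutral, receivers treat it like no policy")
    if spf["lookups"] > 10:
        findings.append("SPF: more than 10 DNS lookups causes permerror, so SPF is ignored")
    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    elif int(dmarc.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of failing mail")
    if dmarc.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("DMARC: sp=none leaves every subdomain spoofable")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so nobody receives aggregate reports")
    return findings


# Constructed records: a weak pair as often found on SMB domains, and a hardened pair.
WEAK_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(spf, dmarc) or ["no findings"])
```

The weak pair produces three findings; the hardened pair produces none. A softfail terminator (~all) is deliberately not flagged: under DMARC a softfail already counts as an SPF failure, so it is an acceptable intermediate step while the sending sources are being inventoried.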

AI-powered detection. Filters based on signatures and blocklists fall short against new attacks. AI-powered detection solutions analyze content, context, metadata, and behaviors in real time to identify previously unseen threats (zero-day phishing). Learn how nophi.sh's AI phishing detection works.

URL and attachment analysis. Sandboxing (execution in an isolated environment) and dynamic analysis of links and attached files detect malicious content that static filters miss.

Pillar 2: Simulation and Testing

Technical detection, no matter how effective, will never block 100% of threats. The human factor remains the last line of defense - and it must be trained.

Regular simulated phishing campaigns. Phishing simulation involves sending fake phishing emails to employees to measure and improve their alertness. According to the SANS Institute, organizations that run monthly simulations reduce their click rate by 60% within six months.

Department-level benchmarking. Not all departments are equally exposed. Finance, HR, and executive teams are the primary targets. Simulations help identify the most vulnerable departments and tailor training accordingly. For industry-specific benchmark data: Phishing Click Rates: Industry Benchmarks.

Learning through experience. An employee who clicks on a simulated phishing email and lands on an awareness page retains the lesson far more effectively than after a classroom-style training session. This is the "teachable moment" principle.

To set up a structured simulation program, see our complete guide to business phishing simulation and explore nophi.sh simulation campaigns.

Pillar 3: Ongoing Training

Training should not be a one-time event but a continuous process adapted to each employee's risk level.

Post-failure micro-learning. When an employee fails a phishing simulation, they immediately receive a short training module (3 to 5 minutes) focused on the type of attack they missed. This "just-in-time" format is 4 times more effective than traditional annual training, according to the Gartner Security & Risk Management 2025 report.

Adaptive learning paths based on risk level. Employees do not all start from the same baseline. An adaptive training path adjusts difficulty and content based on simulation results. High-risk profiles receive more attention.

A culture of security. Beyond individual training, the goal is to build a culture where reporting a suspicious email is rewarded - not punished. The most mature organizations in cybersecurity celebrate reports and turn every incident into a collective learning opportunity.

For a structured approach to training, see our cybersecurity training guide for SMBs.

Frequently Asked Questions About Business Phishing

What is the difference between phishing and spear phishing?

Standard phishing is a mass attack: the same email is sent to thousands or even millions of recipients with no personalization. Spear phishing is a targeted attack: the email is specifically crafted for an individual or small group, using personal information (name, job title, current projects) to appear legitimate. According to the Verizon DBIR 2025 report, spear phishing is used in 65% of targeted attacks against businesses. It is significantly harder to detect because the email does not match any known pattern.

How much does a phishing attack cost an SMB?

The cost varies widely depending on the nature of the attack. According to IBM Cost of a Data Breach 2025, the average global cost is $4.88 million, but that figure includes large enterprises. For a French SMB, estimates from CESIN (France's top IT security professionals' association) place the median cost between 15,000 and 300,000 euros, including technical remediation, lost productivity, legal fees, and reputational damage. In the case of a BEC with a fraudulent wire transfer, the direct loss can reach several hundred thousand euros. Not to mention potential GDPR fines in the event of a personal data breach (up to 4% of annual revenue).

How do I report a phishing email?

Internally, forward the suspicious email to your IT department or use the report button built into your email client (if your company has deployed one). Do not click any links or open any attachments. Externally, you can report phishing attempts on the Cybermalveillance.gouv.fr platform (France's government-backed cybersecurity assistance platform) and forward fraudulent emails to signal-spam@signal-spam.fr. For SMS, forward the message to 33700. Reporting is essential - it feeds the databases that protect everyone. See also: What to Do in Case of Phishing: Complete Guide.

Do antivirus programs protect against phishing?

Partially. Modern antivirus software includes anti-phishing features (malicious URL detection, attachment scanning), but it does not provide full protection. According to Proofpoint State of the Phish 2025, antivirus solutions alone detect less than 40% of recent phishing attacks, especially those using newly created phishing sites (zero-day) or malware-free techniques (credential theft via a fake login page). Effective protection requires additional layers: advanced email filtering, AI-powered detection, user training, and regular simulation.

How often should employees be trained on phishing?

Recommendations from leading organizations - ANSSI (France's national cybersecurity agency), NIST, and the SANS Institute - all point the same way: initial training during onboarding, phishing simulations at least monthly, and micro-learning modules triggered by simulation failures. The Proofpoint State of the Phish 2025 study shows that the effect of a one-time training session fades within 4 to 6 months. Only a continuous program maintains a high level of alertness over time. The ideal approach combines scheduled training with contextual learning moments (after clicking on a simulated phishing email).

Is phishing simulation legal in France?

Yes, phishing simulation is legal in France as part of employee awareness programs, provided certain conditions are met. The employer must inform employee representative bodies (CSE - works council) about the program. Individual results must be treated confidentially and cannot be used for disciplinary action. Data processing is governed by GDPR: legitimate interest as the legal basis, informing data subjects, and limited retention periods. The CNIL (France's data protection authority) recommends transparency about the program's existence while preserving the element of surprise needed for its effectiveness. See our compliance page for more details on the regulatory framework.

Conclusion

Business phishing is the daily reality of millions of organizations worldwide, and French SMBs are among the most exposed targets. One untrained employee in three clicks a malicious link, and one-third of affected SMBs report a viability-threatening impact.

Facing this threat, the response cannot be technology alone. Technical detection, phishing simulation, and ongoing training work together: the first filters known threats, the second measures the real-world alertness of your teams, and the third anchors the right reflexes over time.

Every day without an awareness program is another day of vulnerability. The good news: solutions exist, they are accessible to SMBs, and their results are measurable within the first few weeks.

Test your team's alertness - first simulation in 15 minutes, measurable results immediately.
