The 2025 Verizon Data Breach Investigations Report (DBIR) is one of the most respected and widely cited sources on cybersecurity incidents.

Each year, its analysis shapes how organizations and security leaders understand the threat landscape.
At first glance, the 2025 report shows phishing falling behind: it ranks phishing as the third most common initial access vector. But a closer reading of the DBIR’s data, analysis, and clarifying statements tells a different story.
Below we unpack the Verizon report’s numbers, supplemented by insights and findings from IBM’s 2025 X-Force Threat Intelligence Index and the Identity Theft Resource Center’s 2024 Data Breach Report, to reveal phishing’s role as the leading initial access vector behind breaches, whether used directly by threat actors or earlier in the chain by access brokers.
The Official Ranking: Phishing Comes in Third
According to the DBIR:
- Use of stolen credentials is the #1 initial access vector (22%)
- Exploitation of vulnerabilities is #2 (20%)
- Phishing comes in at #3 (16%)
(2025 DBIR, p. 10, Figure 5)
The report’s authors note, however, as they have in previous reports, that “there is always some hidden correspondence or transfer between our numbers in credential abuse and Phishing. Sometimes incident responders cannot find the original source of the credential that was used to get the initial access, and there is always the possibility it came from a previous Phishing incident that was unnoticed or took place outside the purview of the organization’s visibility.”
(2025 DBIR, p. 20)
They further comment: “If we add up the numbers with Phishing, which will frequently lead to credential abuse in the following step, non vulnerability vectors are still the norm.”
(2025 DBIR, p. 21)
In light of this interrelationship between phishing and stolen credentials, phishing is likely to have played a much larger, though hidden, role in breaches than the official rankings suggest. Here we seek to gauge the probable extent of phishing’s impact based on its frequent connection to other vectors.
A Closer Look: The Human Element Breakdown
To see the bigger picture, it’s important to examine how the DBIR breaks down human involvement in breaches. That’s where phishing’s role becomes far more apparent.
The report’s authors state:
“We see the human involvement in breaches at 60% this year.”
(2025 DBIR, p. 20)
Figure 15 on the same page breaks this 60% down further:
- Credential abuse: 32%
- Social actions (phishing, pretexting): 23%
- Malware interaction: 7%
Excluding breaches caused by human error, these percentages reflect the most common ways human behavior contributed to breaches. One of these is phishing, while the other two are often its downstream effects.
- Credential abuse often begins with phishing or infostealers deployed via phishing that harvest login details.
- Social actions include phishing and pretexting directly.
- Malware interaction in these cases usually depends on the victim being tricked into opening or installing malicious content—another hallmark of phishing.
Even though the report categorizes “credential abuse” separately from phishing, the authors make clear that phishing is often what makes credential abuse possible:
“There is a non-trivial overlap between social actions (where Phishing or Pretexting might steal a credential) and the subsequent credential abuse.”
“There is always some hidden correspondence… sometimes incident responders cannot find the original source of the credential… and there is always the possibility it came from a previous Phishing incident.”
(2025 DBIR, p. 20)
Additionally, the DBIR provides analysis of infostealer malware and its role in enabling credential compromise and ransomware attacks:
“With regard to stolen credentials, analysis performed on information stealer malware (infostealer) credential logs revealed that 30% of the compromised systems can be identified as enterprise-licensed devices. However, 46% of those compromised systems that had corporate logins in their compromised data were non-managed and were hosting both personal and business credentials. These are most likely attributable to a BYOD program or are enterprise-owned devices being used outside of the permissible policy.”
“By correlating infostealer logs and marketplace postings with the internet domains of victims that were disclosed by ransomware actors in 2024, we saw that 54% of those victims had their domains show up in the credential dumps… and 40% of the victims had corporate email addresses as part of the compromised credentials. This suggests these credentials could have been leveraged for those ransomware breaches, pointing to potential access broker involvement as a source of initial access vectors.”
(2025 DBIR, p. 12)
These figures strongly suggest infostealers are a key driver of breaches tied to credential compromise, whether they are deployed by an access broker or by the attacker targeting the company directly. In either case, infostealers are commonly deployed through phishing. As noted in IBM’s 2025 X-Force Threat Intelligence Index:
“While it can be difficult to prove, most compromised credentials came from infostealers and credential harvesting campaigns, of which an increasing amount is delivered via phishing.”
(IBM X-Force Threat Intelligence Index 2025)
While the Verizon report certainly points to the use of infostealers by access brokers, infostealer deployment may also be part of a deliberate and premeditated attack chain — even if it’s hard to trace afterward. As IBM notes:
“It is likely that, for many valid accounts incidents, the actual infection vector was a premeditated credential phishing or infostealer malware campaign…”
(IBM X-Force Threat Intelligence Index 2025)
Regardless of the source of the infostealer, the breach chain begins with phishing, proceeds through malware (infostealer) execution, leads to credential theft or account takeover, and culminates in ransomware deployment or broader system compromise. Since phishing frequently drives both malware execution and credential abuse, this provides a reasonable basis for estimating how many total breaches likely involved phishing or phishing-delivered malware.
Phishing in the Bigger Picture
If we consider credential abuse (32%) and malware interaction (7%) as likely stemming from phishing or phishing-related activity, and add those to the 23% involving social engineering, phishing or phishing-delivered malware probably played a role in as many as 62% of human-element breaches (32% + 7% + 23% = 62%).
Since human-element breaches make up 60% of all breaches, we calculate:
0.62 × 0.60 = 0.372, or 37.2%
That means phishing or phishing-delivered malware was likely the initial source of compromise in as many as 37% of all breaches in the DBIR dataset—more than any other single access vector.
Even when phishing isn’t named as the initial access vector, it’s frequently the first vector of compromise—whether used by the attackers themselves or earlier in the chain by an access broker harvesting credentials for later sale or use.
In short: phishing may not top the chart at first glance, but the essential part it plays in infostealer/malware deployment and credential harvesting suggests it is likely involved in over a third of all breaches—making it the most consequential vector in the threat landscape.
This analysis aligns with the Identity Theft Resource Center’s 2024 Data Breach Report, which found that phishing, smishing, and business email compromise—grouped as a single category—were the most commonly reported attack vectors, particularly among the 93% of breached organizations that were private companies. Credential stuffing led among public companies, which represented the remaining 7%, but as already noted, those credentials are often harvested through phishing or phishing-delivered malware.
Proactive Measures to Mitigate Phishing and Credential-Based Attacks
Companies should continue to regard phishing as the attack vector to be reckoned with, and should implement proactive measures to reduce their risk of a breach.
These measures include:
- Personal data removal to deny attackers the information they need to craft phishing lures, hit their targets, or crack passwords
- Minimizing online exposure of employee and organizational information to disrupt attacker recon and prevent targeting
- Phishing awareness training to help employees recognize and report suspicious messages before they cause harm
- Endpoint protection and browser hardening to prevent infostealers from being installed and exfiltrating credentials
- Employing password managers to prevent password reuse and ensure credentials aren’t easily guessed or cracked from breach dumps
- Enabling Multi-Factor Authentication (MFA) and, where possible, using FIDO2-compliant hardware tokens to prevent access even if a password is stolen or phished
- Establishing a policy to verify sensitive requests—such as wire transfers or login resets—through a second, trusted channel
- Setting up and monitoring canary accounts to detect early signs of targeting
- Enforcing least-privilege access and segmenting internal networks to reduce the impact of credential theft or lateral movement
- Deploying UEBA tools to detect anomalies in user behavior, such as unusual login times or access locations, that may indicate credential misuse
- Implementing email authentication protocols (DMARC, SPF, and DKIM) to protect against spoofing and impersonation
- Subscribing to trusted threat intelligence feeds to stay informed about emerging phishing tactics, malware variants (including infostealers), and indicators of compromise that can be blocked or monitored proactively
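The email authentication item above is the one that can be checked mechanically: a DMARC record with p=none or an SPF record ending in ?all lets spoofed mail through even though "DMARC and SPF are configured". The following is an added example, not code from the report or its authors; the domain names and TXT records are constructed, and a real check would fetch them via DNS (_dmarc.<domain> for DMARC, the apex domain for SPF).

```python
"""Flag weak DMARC and SPF settings in DNS TXT records (added example, constructed data)."""

# Constructed sample records: one domain with weak settings, one with enforcing settings.
SAMPLE_RECORDS = {
    "weak.example": {
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
        "spf": "v=spf1 include:_spf.mailhost.example ?all",
    },
    "strong.example": {
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
        "spf": "v=spf1 include:_spf.mailhost.example -all",
    },
}

def parse_dmarc(record):
    """Split a DMARC record into lowercase tag -> value pairs; {} if it is not DMARC1."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def dmarc_findings(record):
    """Return a list of weaknesses; an empty list means the record enforces rejection."""
    tags = parse_dmarc(record)
    if not tags:
        return ["no valid DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC policy is '{policy or 'missing'}', spoofed mail is not rejected")
    if int(tags.get("pct", "100")) < 100:  # pct < 100 only enforces on a sample of mail
        findings.append(f"DMARC applies to only {tags['pct']}% of messages")
    if "rua" not in tags:
        findings.append("no aggregate reporting address (rua), spoofing attempts go unseen")
    return findings

def spf_findings(record):
    """Judge the terminal 'all' mechanism; assumes it is the last term, as is conventional."""
    if not record.lower().startswith("v=spf1"):
        return ["no valid SPF record"]
    last = record.split()[-1].lower()
    if last in ("+all", "all", "?all"):  # pass / neutral: any sender is accepted
        return [f"SPF ends with '{last}', any sender passes"]
    if last == "~all":
        return ["SPF ends with '~all' (softfail), relies on DMARC to enforce"]
    return [] if last == "-all" else ["SPF has no terminal 'all' mechanism"]

def assess(domain, records=SAMPLE_RECORDS):
    """Combine DMARC and SPF findings for one domain in the record set."""
    return dmarc_findings(records[domain]["dmarc"]) + spf_findings(records[domain]["spf"])
```

assess("weak.example") reports both the p=none policy and the ?all qualifier, while assess("strong.example") returns no findings.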
As today’s most common initial source of organizational compromise—whether direct or concealed—phishing remains the dominant threat and demands continuous, layered defenses from organizations of every size.