A new report tracking sector-specific phishing vulnerability has revealed that, on average, a third of employees are likely to fall for phishing or social engineering attacks without prior training.
The Phishing by Industry Benchmarking Report 2025 measures an organisation’s Phish-prone Percentage (PPP)—the share of users who interact with simulated phishing attempts before undergoing security awareness training.
This year’s data shows a global baseline PPP of 33.1%, signalling widespread susceptibility to phishing across all regions and industries.
The data underscores the significant impact of security awareness training (SAT) in mitigating risk. The rapid decline in the global PPP following the implementation of training (falling by 40% in just three months and by a total of 86% after 12 months) demonstrates that ongoing, effective training leads to lasting behaviour change and a substantial reduction in vulnerability to cybersecurity threats.
As phishing can happen anywhere online, from emails to social media, the data highlights the critical role of continuous education in building a stronger security culture within organisations, even in as little as a couple of months.
Cybersecurity platform KnowBe4 analysed 67.7 million phishing simulations globally, across 14.5 million users from 62.4 thousand organisations.
The baseline PPP (33.1%) reflects an organisation’s susceptibility to phishing before any training.
Employees then undergo security awareness training, and the PPP is recalculated after 90 days and again after a year or more of ongoing training to quantify the programme's effectiveness.
Other key findings from the Phishing By Industry Benchmarking Report:
- Globally, the top three most at-risk industries with the highest baseline PPP were Healthcare & Pharmaceuticals (41.9%), Insurance (39.2%), and Retail & Wholesale (36.5%).
- Larger organisations faced a higher initial phishing risk, with those having 10,000+ employees showing a global baseline PPP of 40.5%, compared to 24.6% for organisations with 1-250 employees.
- In organisations of 1,000-9,999 employees, three sectors all achieved PPP improvement rates of 91% after 12 months of ongoing training: Healthcare & Pharmaceuticals, Hospitality and Legal.
- Across the different regions, the highest baseline PPPs were found in South America (39.1%), North America (37.1%), and Australia and New Zealand (36.8%).
“The data speaks for itself—security awareness training truly makes a difference,” said Stu Sjouwerman, CEO of KnowBe4.
“From 2024 to 2025, the general trend has remained fairly consistent—around one-third of employees click on a simulated phishing link before taking part in training.”
“However, the data shows a slight improvement in 2025. Within a year, we’ve seen a 3.5% decrease in the global baseline PPP, highlighting a positive shift in overall security awareness worldwide.”
“However, there is still significant progress to be made in fully addressing phishing risks. By consistently prioritising relevant and engaging training, combined with simulated phishing, organisations can strengthen their human risk management strategies and better protect against phishing to improve overall security culture.”

Adrianne Saplagio is a Content Producer at Comms Room, where she combines her passion for storytelling with her expertise in multimedia content creation. With a keen eye for detail and a knack for engaging audiences, Adrianne has been instrumental in crafting compelling narratives that resonate across various digital platforms.