2025 International Phishing Benchmarks

Asia

By Caroline Soo and Bex Bailey

Organizations in Asia that invest in best-practice security awareness training and phishing simulations reduce their click rate by an impressive 81.8%. This is a welcome trend in a region that experiences a higher rate and cost of breaches. In its 2024 Breach Benchmarks By Region report, Forrester highlights that organizations in Asia Pacific (APAC) experienced an average of 3.5 breaches within a 12-month period versus a global average of 2.8. They also experienced a cumulative cost of US$2.8 million against the global mean of US$2.7 million. 

As phishing is so often the gateway for cybercriminals, driving down this risk is key to organizational security. 

With cybersecurity training, organizations can reduce their phishing click rates by an impressive 81.8%

Before taking part in security training, 28.6% of employees in Asia clicked on a simulated phishing link. In keeping with the global trend, this risk increased based on organizational size. Those with 1-249 employees had the lowest risk (24.3%), which increased to 27.6% for 250-999 employees and 29% for 1,000+ employees. 

After 90 days of training, this risk falls considerably, dropping to an average of 17.9%. Larger organizations see the greatest improvement at this stage, with those having 1,000+ employees obtaining an average click rate of 17.6%. After one year of training, this risk hits its lowest level at an average of 5.4%.

Insurance organizations experience the highest initial click rate in the region at 43.6% — 15% above the regional average. Other sectors with elevated risk include Banking (39.1%), Education (37.9%), Hospitality (36.7%) and Nonprofits (33%). 

Of these industries, Hospitality experiences the most significant risk reduction after one year of best-practice training, with click rates decreasing by 94.8%. The decrease in risk is similarly impressive for the other sectors: Nonprofits (88.5%), Education (82.8%), Banking (79.8%) and Insurance (63.8%). 

Cyber Trends That Impact Human Risk in Asia

Asia has a complex map of digitalization. The World Economic Forum describes the Association of Southeast Asian Nations (ASEAN) as “the fastest growing Internet market in the world” and predicts the growth in its digital economy will add an estimated US$1 trillion to regional GDP in the next 10 years. 

Elsewhere, both China and Japan have large digital footprints. In particular, Japan has a highly connected infrastructure and advanced technology landscape and is increasingly focusing on its security. Its new Active Cyber Defense Bill, for example, provides greater governmental powers to stop cyberattacks before they escalate. 

Throughout the region, this combination of rapid digital transformation and mature technology ecosystems opens people and their employers to a wide array of threats. Let’s take a look at some of the factors influencing human risk across the region.

"Ground Zero" for Cybercrime

The United Nations Office on Drugs and Crime (UNODC) reports that cyber-enabled fraud in Southeast Asia has continued to intensify, with a predominant proportion of losses attributed to cybercriminal gangs located in the region. The UNODC states that these countries, particularly those in the Mekong, are a “key testing ground” for transnational criminal networks looking to diversify, labeling it “ground zero for the scamming industry.” 

People and infrastructure in Asia are more likely to be targeted by novel and emerging threats as cybercriminals look to scale attacks globally. 

Rapid Digitalization in the Supply Chain

PricewaterhouseCoopers (PwC) reveals that 63% of organizations in APAC believe they have an overreliance on third-party suppliers, which can increase their risk exposure from related threats.

This is further amplified by the rapid and uneven pace of digital transformation, aging infrastructure in some countries and sectors, and new implementations. PwC’s report confirms the top cybersecurity concerns directly correlate to third-party ecosystems, including software security, the exploitation of zero-day vulnerabilities and breaches of the suppliers themselves.

GenAI Enables Cybercriminals to Localize Phishing Campaigns

Before the GenAI revolution, English was the predominant language for global phishing campaigns. As a study published by USENIX demonstrates, non-native English speakers are more skeptical of the emails they receive that are written in English and more likely to ignore any instructions they contain. 

Previously, the expertise required to create or translate phishing emails in local languages was a high barrier for scaling successful attacks internationally. However, as with other regions globally, large language models (LLMs) have enabled the rapid and highly accurate creation of phishing emails in local languages, with further applications for AI found in the personalization and automation of attacks.  

Key Takeaways

  • Asia sits at the epicenter of cybercrime, with individuals and organizations forming a test bed for attacks
  • Organizations in APAC are breached more frequently than the global average, signaling an elevated need to stop initial attacks, which are so often delivered by phishing emails
  • GenAI has increased phishing risk, making it easier to target people in their local languages and increasing the likelihood that they will interact with these threats
  • With cybersecurity training, organizations can reduce their phishing click rates by 81.8%, demonstrating the value that best-practice programs can deliver
