Introduction

People are still incredibly quick to click. The Verizon Data Breach Investigations Report (DBIR) found that the median time to click on a malicious link in a phishing email is just 21 seconds.

That leaves less than half a minute for an employee to realize what they are about to do.

The Verizon DBIR also found that when data input is needed (e.g., for credential theft), the victim spends a median of another 28 seconds entering it. So even for attacks that require a response from the target, you have just 49 seconds to influence the outcome.

Phishing Attacks are Increasing in Scale and Sophistication

The latest KnowBe4 Phishing Threat Trends Report highlighted two notable increases: a 17.3% increase in the volume of phishing emails sent, and a 47% increase in attacks that successfully evaded native defenses and secure email gateways (SEGs). In other words, more attacks are being sent, and traditional defenses are becoming less effective against them.

Artificial intelligence (AI) is the primary driver of the increase in advanced phishing attacks that evade certain technical detection measures and also appear more plausible to the target. In fact, KnowBe4's Threat Research team observed that 82.6% of phishing emails sent in a six-month period used some form of AI. They also believe the continued use of AI in phishing campaigns will render some detection mechanisms (such as grouping similar malicious emails to identify a campaign) obsolete within the next two years.

Other factors driving increased risk globally include Business Email Compromise (BEC), particularly within the supply chain; rapid, and often uneven, digital transformation creating new vulnerabilities; and the ever-present “human factor” that leaves us exposed to social engineering.

Shining a Light on Human Risk and Reducing Phishing Click Rates in 2025

Reducing phishing risk is central to effective human risk management (HRM). 

Every successful phishing attack is reliant on a trusted person to carry out a specific action, such as clicking on a hyperlink. If a phishing email gets through technical defenses, it will still fail if the recipient subsequently reports, deletes or does not engage with it.

While enhancing their technical defenses with an AI-powered anti-phishing product, organizations can also significantly reduce their phishing risk through best-practice security awareness training (SAT). 

The first step in any effective risk mitigation strategy is to understand your organization's risk profile and how it compares against others of the same industry, organizational size and geographical region. Next, identify how susceptible your organization actually is to phishing and, in particular, who is most likely to interact with a phishing email. These insights enable you to deliver timely and personalized security interventions, such as bespoke training programs and real-time coaching.

Our annual Phishing By Industry Benchmarking Report provides the initial step in this strategy. For this year’s report, we analyzed a total of 67,718,305 phishing simulations across 14,508,441 users in 62,460 organizations over a three-year period to show the Phish-prone Percentage (PPP) for organizations across 19 industries and seven geographical regions.

Critical Capabilities When Evaluating Human Risk Management Platforms