2025 International Phishing Benchmarks
South America
By Rafael Da Silva and Bex Bailey
At 39.1%, the initial PPP across our South American customer base was higher than in any other region. Without taking part in best-practice cybersecurity training, almost two in five employees will automatically click on phishing links.
”At 39.1%, the initial PPP across our South American customer base was higher than in any other region.
The good news: once training and phishing simulations are implemented, this click rate falls well in line with the global average — dropping to 18.2% after 90 days and 4.5% after one year.
Initial PPPs were extremely high in Consumer Services organizations at 59.9%, followed by Insurance (48.6%), Energy & Utilities (48.3%), Financial Services (47.9%), and Retail & Wholesale (42.7%). All of these sectors experienced dramatic risk reduction following one year of training and simulations, especially in Consumer Services, where the average PPP decreased to 1.9%. In other sectors, the PPPs dropped to 5.2% in Insurance, 4.4% in Energy & Utilities, 3.6% in Financial Services and 4.1% in Retail & Wholesale.
When we analyze the data by organization size, we see that larger organizations of 1,000+ employees experience the greatest risk at the start of their SAT program, similar to the global trend. This makes sense: more people equals a larger human risk surface to secure, so it’s more likely that an unsuspecting employee will click on a phishing link.
Unlike the global trend, however, smaller organizations of 1-249 employees in South America experienced a higher level of risk versus organizations of the same size in other regions. The global average PPP for these companies was 24.6%, whereas the South American average stood at 30.2%. Again, there’s good news here, too. These organizations achieved the lowest regional click rate after one year of best-practice training and simulations, with the PPP dropping to just 3.4% — marginally lower than the global average of 3.6%.
Factors Increasing Human Risk in South America
In its Risk in Focus 2025: Latin America Board Briefing, the Global Foundation for Internal Audit highlights cybersecurity as the top risk in 2025 and predicts it will remain in this position for at least the next three years. Numerous factors are driving this risk across the region, particularly as people interact with new technologies and are targeted by emerging threats.
Digital Transformation and Disruption
South America has experienced rapid but uneven adoption of new technologies, impacting every area of life from banking to education and healthcare. While digitalization brings a variety of benefits, it also creates new risks that must be addressed. In its Cybersecurity Economics for Emerging Markets report, the World Bank Group highlights how Latin America and the Caribbean’s digital transformation has outpaced the region’s cybersecurity capacity.
Additionally, the uneven pace of adoption has created a “digital divide” across regions and socioeconomic groups. This presents unique challenges to overcome, such as the complexity of increasing cybersecurity awareness across numerous segments of the population.
This combination of digital transformation creating new avenues for attack and differing levels of cybersecurity maturity makes South American organizations attractive targets for cybercriminals.
In particular, “cybersecurity inequity” appears to have opened the door for increased ransomware attacks. In LatAm Cyber Summit 2024 Annual Report, Cyber Series highlights that Latin American companies experience the highest percentage of ransomware use in attacks on organizations (79% vs. the global average of 53%).
”Without best-practice training, almost two in five employees (39%) will automatically click on phishing links
Let's Not Forget About AI
AI-powered technologies play a significant role in digital disruption globally and in South America. As reported by the UNDP for Latin America and the Caribbean, AI is forecasted to contribute up to 5.4% of Latin America’s GDP by 2030, equivalent to $0.5 trillion USD.
Again, this presents a double-edged sword. While people can reap the benefits of AI both at home and at work, the security of AI is a global concern, with attackers finding new entry points into systems and even manipulating the data models themselves. As with other regions, South America is also vulnerable to the increased scale and sophistication of cyberattacks that can be generated using AI, such as advanced phishing campaigns and malware payloads, including ransomware.
People Will Always Create Risk - Especially When Interacting with Newer Technologies
Human risk is a factor that all organizations must contend with. People are our greatest asset, but mistakes will be made and risks taken. The unevenness — perhaps immaturity — of security awareness levels among employees in South America can be demonstrated by this study, with the region having the highest initial PPP globally.
Unfortunately, this lack of general awareness is underpinned by a cybersecurity skill shortage. In Building a Skilled Cyber Security Workforce in Latin America, the Organisation for Economic Co-operation and Development (OECD) notes that cybersecurity is the fastest-growing category for job postings in the region, but the high bar for skills requirements means that many organizations may struggle to find the talent they’re looking for among the candidate pool.
Key Takeaways
In South America, organizations face unique cybersecurity challenges, including high baseline phishing risks and rapid digitalization. South America’s high initial PPP highlights an urgent need for robust security awareness programs. Ongoing training and proactive risk management can significantly diminish phishing threats. By fostering a culture of cybersecurity, organizations remain resilient in a rapidly evolving digital landscape.
- Highest global initial PPP (39.1%) drops to 4.5% with sustained security training
- Consumer Services leads baseline PPP (59.9%) yet improves dramatically to 1.9%
- Larger organizations face greater human risk initially; smaller firms also exceed global averages
- Rapid AI adoption and skill shortages amplify threats and vulnerabilities
- Ongoing awareness training remains key to reducing human risk across all sectors
