Business phishing exercise underscores the impact of sustained security awareness training
KnowBe4, the global leader in digital workforce security, securing both AI agents and humans, is proud to support the second annual business phishing exercise, which was run by the Singapore Business Federation (SBF), in partnership with Nexus, Ministry of Defence (MINDEF), and the Digital and Intelligence Service (DIS) as part of this year’s Exercise SG Ready (ESR).
Supported by KnowBe4 and Sekuro, the phishing exercise, conducted from the 1st to the 5th of February 2026, tested the cyber resilience of nearly 140 businesses, including 25 returning participants from the previous year. Over 8,500 phishing emails simulating real-world threats were sent to employees across various sectors including retail, industrial, healthcare, and financial services. KnowBe4 supported the initiative by providing customized phishing simulation scenarios that reflected current attack tactics and common email security threats. The exercise tracked recipient responses, including email open rates and click rates on phishing links.
Key Findings:
- Open and Click Rates: Approximately 37.5% of phishing emails were opened, similar to the previous year (about 30%). However, only 7.4% of recipients clicked the phishing link, a significant improvement from last year's 17% click rate.
- Device Usage: Desktop users accounted for the vast majority of clicks at 72.5%, while mobile users made up 22.4%.
- Internal Trust: Participants were most susceptible to prompts involving routine workplace collaboration. Phishing emails related to internal communications and file sharing saw the highest click rates of approximately 11%, compared to external alerts which saw around 8%.
Why this matters for Singapore Businesses
While the decline in click rates is encouraging, the results also underscore the need for ongoing human risk management, as threat tactics continue to evolve and continuous reinforcement is important to ensuring secure behaviour becomes second nature. According to KnowBe4’s Phishing Industry Benchmarking Report Asia 2025, organisations in Asia face an initial 28.6% likelihood of an employee clicking on a malicious link. However, after one year of frequent security awareness training, this risk drops by 81.8% to an average of just 5.2%. This significant reduction highlights that while human risk in the region is initially high, consistent training is the most effective way for businesses to build lasting cyber resilience.
“Cyber resilience is not just an IT responsibility - it is a business and national priority,” said Dr. Kawin Boonyapredee, CISO advisor at KnowBe4. “While technology provides essential safeguards, human judgment remains the final line of defence. Exercises like this help organisations identify behavioural risk patterns and strengthen them before real threats strike.”
“Phishing emails are getting far more realistic and this year’s results show that more can be done to increase employees’ vigilance,” said Mr Kok Ping Soon, chief executive of SBF. “Cyber threats are evolving quickly, and businesses cannot rely on once-a-year training. Continuous vigilance, regular refreshers, and a strong reporting culture are essential to staying ahead. SBF will keep working with MINDEF and our partners to strengthen the cyber resilience of Singapore’s business community.”
For more information on KnowBe4, visit knowbe4.com.
For more information on the Exercise SG Ready, visit https://go.gov.sg/exercisesgready