2025 Phishing By Industry
Benchmarking Report

Phishing attacks are evolving at an alarming rate. Cybercriminals are using AI-driven tactics to craft more convincing scams, bypass traditional defenses, and exploit untrained employees. Without the right training, your users are the weakest link. With it, they become your strongest defense.

KnowBe4’s 2025 Phishing By Industry Benchmark Report is the definitive resource for measuring and improving your organization's cybersecurity posture. Analyzing data from 14.5 million users across 62,400 organizations and 67.7 million simulated phishing tests, this report provides eye-opening insights into phishing susceptibility by industry and region.

Download the report now to uncover:

  • Phishing benchmark data for 19 industries and 7 geographical regions
  • The biggest cybersecurity threats impacting different regions
  • Which industries and company sizes are most at risk—and how to mitigate the danger
  • Proven strategies to strengthen your human firewall and reduce phishing risk

Which Industries Are Most at Risk?

With an industry-wide baseline Phish-prone Percentage (PPP) of 33.1%, a third of employees are susceptible to phishing and social engineering attacks. But there’s good news: organizations that implement security awareness training (SAT) see a dramatic reduction in phishing risk—over 40% in just 90 days, and up to 86% within a year.

According to this year’s phishing report, the top three most vulnerable industries are:

  • Healthcare & Pharmaceuticals: 41.9%
  • Insurance: 39.2%
  • Retail & Wholesale: 36.5%

The Rise of AI-Powered Phishing Attacks

Phishing threats are not just increasing in volume—they’re becoming more sophisticated. The latest KnowBe4 Phishing Report highlights:

  • A 17.3% increase in phishing emails
  • A 47% rise in attacks evading Microsoft’s native defenses and secure email gateways (SEGs)
  • 82.6% of phishing emails now leveraging AI-generated content

AI is making phishing attacks more convincing and harder to detect, even for seasoned security professionals. In the next two years, some traditional detection mechanisms may become obsolete. Your organization needs personalized, adaptive and ongoing security awareness training to stay ahead.

How Security Awareness Training Can Protect Your Organization

Many companies rely solely on traditional security tools, but technical defenses alone are no longer enough. AI-driven phishing attacks are designed to exploit human vulnerabilities, making employees your last line of defense. This is where comprehensive, ongoing SAT can make all the difference.

Security awareness training helps employees:

  • Recognize and report phishing attempts before they cause damage
  • Develop critical thinking skills to identify social engineering tactics
  • Build a security-first mindset, reducing risk across all levels of the organization

Organizations that implement a strong security awareness program see a significant drop in phishing susceptibility. Just 90 days of training can reduce risk by over 40%, and after a full year, the Phish-prone Percentage drops by an incredible 86% to just 4.1%.

How Prepared Is Your Workforce?

The numbers don’t lie: your employees are cybercriminals’ primary target. But with the right training, they can become your best defense.

The cyber threat landscape is evolving faster than ever, and phishing remains one of the most effective attack vectors for bad actors. Use this benchmark report before your organization becomes the next statistic. Equip your employees with the knowledge and tools they need to recognize and stop phishing attacks before they succeed.