Cybersecurity professionals face an increasingly aggressive phishing threat landscape, and the 2025 KnowBe4 Phishing By Industry Benchmarking Report makes one thing crystal clear: transforming your largest attack surface - your workforce - into your biggest security asset is critical.
49 Seconds to Disaster
According to the Verizon Data Breach Investigations Report (DBIR), the median time it takes someone to click a malicious link is a staggering 21 seconds. And if that phishing email requires the employee to enter data — like credentials — the whole process takes just 49 seconds.
That means security teams have less than a minute to prevent a potentially catastrophic error once a phishing email is opened.
This urgency is compounded by the rise in phishing volume and sophistication. KnowBe4’s Phishing Threat Trends Report found a 17.3% increase in phishing email volume, while the number of attacks bypassing secure email gateways (SEGs) and native security rose by 47%. Traditional defenses are struggling, and attackers are getting better at slipping through the cracks.
AI Is Changing the Game
Unsurprisingly, artificial intelligence (AI) is driving this shift. In fact, 82.6% of phishing emails analyzed by KnowBe4’s Threat Research team used some form of AI. These emails are more convincing, harder to detect, and faster to produce. With the ability to adapt tone, impersonate individuals, and evade pattern-based detection, AI-generated phishing emails are pushing some existing email defenses toward obsolescence.
Beyond AI, other factors contributing to phishing risk include the growing threat of Business Email Compromise (BEC), especially within supply chains, and the uneven nature of digital transformation that leaves organizations exposed. But the most consistent factor remains unchanged: human behavior.
One in Three Click — Before Training
KnowBe4’s analysis of Phish-prone Percentage (PPP) — the percentage of users likely to fall for a phishing email — shows a concerning trend. Across all organizations, the average PPP before any training is a whopping 33.1%. That’s one in three employees clicking on potentially dangerous links.
Some industries fare far worse. Healthcare & Pharmaceuticals tops the list with a 41.9% PPP, followed by Insurance at 39.2% and Retail & Wholesale at 36.5%. On the other end of the spectrum, a few industries — like Government (28.2%), Legal (28.5%), and Transportation (29.9%) — have slightly better rates, but even they hover dangerously close to the one-in-three mark.
The Larger the Organization, the Higher the Risk
Company size plays a big role in phishing vulnerability. Larger organizations not only have more mailboxes to target, but also face greater challenges in creating consistent awareness among thousands of employees. Unsurprisingly, companies with more than 10,000 employees showed the highest baseline PPP at 40.5%. That number drops to 33.7% for organizations with 1,000–9,999 employees, 28.7% for those with 250–999, and just 24.6% for the smallest organizations (1–249 employees).
Despite the elevated risk, the data reveals a silver lining: targeted security awareness training (SAT) works — and works exceptionally well.
Training Works: Global PPP Drops Dramatically
After just 90 days of best-practice training, the global PPP dropped by 40%, down to 19.8%. But the real magic happens with long-term commitment. After one year of continuous training, the average PPP plummeted by 86%, reaching just 4.1%. With two and three years of ongoing reinforcement, the numbers improved even further, down to 3.7% and 3.6%, respectively.
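To make the metrics in this report concrete (the Phish-prone Percentage defined above, the per-industry breakdown, the year-over-year improvement rate, and the median time-to-click cited from the DBIR), here is an added example that is not code from KnowBe4 or from the report. It scores a constructed set of simulated-phishing results; the record layout, the campaign names, and every value in it are assumptions for illustration.

```python
"""Score simulated-phishing campaigns the way the benchmark metrics are defined:
PPP (share of delivered simulated phishes a user failed), the relative improvement
between a baseline and a post-training campaign, and the median seconds-to-click.

Added example; not KnowBe4's code. All data below is constructed.
"""
from collections import namedtuple
from statistics import median

# One record per delivered simulated phish. Field names are an assumption.
Result = namedtuple(
    "Result", "campaign user industry clicked submitted_data seconds_to_click"
)

# Constructed results: two campaigns, ten users each.
RESULTS = [Result(*r) for r in [
    # campaign,       user,  industry,     clicked, submitted, seconds
    ("baseline",      "u01", "Healthcare", True,    True,      15),
    ("baseline",      "u02", "Healthcare", True,    False,     21),
    ("baseline",      "u03", "Healthcare", False,   False,     None),
    ("baseline",      "u04", "Retail",     True,    False,     30),
    ("baseline",      "u05", "Retail",     False,   False,     None),
    ("baseline",      "u06", "Retail",     False,   False,     None),
    ("baseline",      "u07", "Legal",      False,   False,     None),
    ("baseline",      "u08", "Legal",      True,    True,      60),
    ("baseline",      "u09", "Legal",      False,   False,     None),
    ("baseline",      "u10", "Legal",      False,   False,     None),
    ("post_training", "u01", "Healthcare", False,   False,     None),
    ("post_training", "u02", "Healthcare", False,   False,     None),
    ("post_training", "u03", "Healthcare", False,   False,     None),
    ("post_training", "u04", "Retail",     True,    False,     45),
    ("post_training", "u05", "Retail",     False,   False,     None),
    ("post_training", "u06", "Retail",     False,   False,     None),
    ("post_training", "u07", "Legal",      False,   False,     None),
    ("post_training", "u08", "Legal",      False,   False,     None),
    ("post_training", "u09", "Legal",      False,   False,     None),
    ("post_training", "u10", "Legal",      False,   False,     None),
]]


def ppp(records):
    """Phish-prone Percentage: failures (link clicked or data submitted)
    divided by delivered simulated phishes, as a percentage to one decimal."""
    delivered = len(records)
    if delivered == 0:
        return 0.0
    failed = sum(1 for r in records if r.clicked or r.submitted_data)
    return round(100.0 * failed / delivered, 1)


def ppp_by(records, field):
    """PPP broken down by a record field, e.g. 'industry' or 'campaign'."""
    groups = {}
    for r in records:
        groups.setdefault(getattr(r, field), []).append(r)
    return {key: ppp(group) for key, group in groups.items()}


def improvement_rate(baseline_ppp, post_ppp):
    """Relative reduction in PPP, the report's 'improvement' figure."""
    if baseline_ppp == 0:
        return 0.0
    return round(100.0 * (baseline_ppp - post_ppp) / baseline_ppp, 1)


def median_seconds_to_click(records):
    """Median time-to-click over users who clicked; None if nobody did."""
    times = [r.seconds_to_click for r in records
             if r.clicked and r.seconds_to_click is not None]
    return median(times) if times else None


def campaign_summary(records):
    """Baseline vs post-training PPP, improvement rate, and baseline time-to-click."""
    by_campaign = ppp_by(records, "campaign")
    baseline = [r for r in records if r.campaign == "baseline"]
    return {
        "baseline_ppp": by_campaign["baseline"],
        "post_training_ppp": by_campaign["post_training"],
        "improvement_rate": improvement_rate(by_campaign["baseline"],
                                             by_campaign["post_training"]),
        "median_seconds_to_click": median_seconds_to_click(baseline),
        "baseline_ppp_by_industry": ppp_by(baseline, "industry"),
    }


if __name__ == "__main__":
    for key, value in campaign_summary(RESULTS).items():
        print(f"{key}: {value}")
```

Counting a submitted-credential event as a failure even when no click was recorded keeps the metric honest when link tracking misses a user who typed the URL by hand; the per-industry breakdown is what lets a program owner see which cohort needs the extra reinforcement the report describes.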
This isn’t a fluke or a one-industry wonder — every industry saw meaningful, sustained improvement.
Enterprises (10,000+ Employees): From 40.5% to Single Digits
At baseline, large enterprises were in the most danger, especially within specific sectors. Healthcare & Pharmaceuticals and Insurance both saw over 53% of employees fall for phishing attempts initially. Nonprofits (49.2%) and Retail & Wholesale (47%) weren’t far behind.
But these same industries made the biggest strides post-training. On average, large organizations improved their phishing resilience by 86.8%. The Hospitality industry led the way, dropping its PPP by 93% to just 2.4%. Consulting and Manufacturing both achieved 92% improvement rates, while Financial Services and Banking each hit 91%. Even the high-risk Healthcare sector reduced its PPP by 90%; a remarkable turnaround!
Large Organizations (1,000–9,999 Employees): Consistent Improvement
Organizations with 1,000 to 9,999 employees started with a baseline PPP of 33.7%, with elevated risks in Healthcare (41.1%), Banking (39.5%), Financial Services (38.4%), and Energy & Utilities (37.2%).
After one year of training, this group matched the improvement rate of the largest enterprises, with an 87% average reduction. Legal organizations saw the lowest click rate post-training at just 3.1%, while Healthcare & Pharmaceuticals, Hospitality, and Legal each achieved 91% improvement. Even industries with high initial risk like Banking and Energy saw significant progress, proving that training scales across mid-sized firms just as effectively.
Mid-sized Organizations (250–999 Employees): Resilience with Fewer Resources
Even among smaller organizations, phishing risk remains prevalent. The average baseline PPP for this group was 28.7%, with several industries crossing the 30% threshold — including Nonprofit, Insurance, and Construction.
Despite fewer resources, these organizations also showed strong improvement with training. The average risk reduction was 85.6%, and Banking again stood out by slashing its PPP by 91.8%, landing at just 2.5%. Other standout performers included Construction (89%), Energy & Utilities (88%), and Manufacturing (87%).
The Smallest Organizations (1–249 Employees): Low Baseline, High Gains
At first glance, the smallest organizations seem the safest, with a baseline PPP of 24.6%. However, this still means one in four employees is vulnerable — and attackers know it.
The highest baseline rates in this group came from Nonprofit (27.5%), Healthcare & Pharmaceuticals (26.9%), and Education (26.6%). But again, consistent training made all the difference. Banking organizations cut their PPP by 90%, ending up with just 2% of employees clicking phishing links. Other high achievers included Transportation, Construction, and Education, each seeing an average improvement rate of 87%.
Final Thoughts: People Are the Perimeter
In a world where phishing emails are routinely engineered to bypass traditional detection mechanisms and can be acted on within seconds of arriving, your employees are the last line of defense. The findings from KnowBe4’s phishing report underscore the fact that previous approaches aren’t enough. The combination of AI-fueled attacks and human error means traditional defenses are no longer sufficient.
But there’s good news: behavior can be changed. With strategic, ongoing security awareness training, organizations across industries and sizes have proven they can reduce phishing risk by more than 85% in a single year. Better yet, that progress compounds over time.
Additionally, as part of effective human risk management, this training combines with behavior-based threat detection, such as AI-powered email security, that leverages the latest threat intelligence and deep behavioral analytics to detect and prevent a broader range of threats than traditional security. These products offer real-time detection and coaching to equip employees to work more securely than ever.
If you want to build a culture of security, stop thinking of phishing resilience as a one-off fix. Think of it as a long-term commitment — one that pays off not just in improved metrics, but in fewer breaches, better protection, and ultimately, greater peace of mind.
For the complete analysis across 19 industries and seven geographical regions, read the full report.