Phishing attacks are evolving at an unprecedented rate, and KnowBe4, the world's largest security awareness training platform, has been tracking phishing trends for a long time through the 14.5 million users, 62,400 organizations and 67.7 million simulated fishing tests The data provides companies with the most authoritative Phish-Prone Percentage (PPP) and risk insights.
This year's report shows that the global average failure rate of first tests is as high as 33.1%The breakdown by industry shows that medical, insurance and retail industries are the most vulnerable to attacks. Meanwhile, AI-generated phishing emails and spoofed emails from internal accounts have become more insidious, posing a more serious challenge to traditional technical defense.
For companies, insufficient staff development, increased cross-border factors and lack of localized fishing simulations further increase the risks. The challenge for companies is not only technical, but also about employee behavior and safety culture. Getting to grips with key data and trends is the first step in developing a training strategy.
In the first stage, before any SAT testing, the baseline phishing vulnerability rate (PPP) for global businesses was 33.1%In other words, one in three employees is vulnerable to phishing emails and social engineering attacks.
Digging deeper, we found that more than half of the industries (10 out of 19) have PPP First Test averages above this baseline. For organizations of all sizes, the following industries are the most at risk:
The data shows that employees in highly sensitive information industries and customer-facing interactive business operations are more likely to be targeted, with significantly higher than average failure rates at first detection. Only five industries had PPPs below 301 TP3T, and even then, more than a quarter of employees were vulnerable to phishing attacks: Transportation (29.91 TP3T), Business Services (29.61 TP3T), Consumer Services (29.51 TP3T), Legal (28.51 TP3T), and Government (28.21 TP3T).
On average, having More than 10,000 employees The company's PPP is as high as 40.5%Ownership 1,000-9,999 staff The corporate PPP for 33.7%Ownership 250-999 staff The corporate PPP for 28.7%; in contrast, only 1-250 staff The corporate PPP for 24.6%The
This phenomenon is illustrated by the fact that the more people there are, the more emails there are, and the more fingers there are to click on the links. And it's harder to raise a collective consciousness among more people. The risk profile varies by industry and organization size, but collectively, the greatest risks are concentrated in the larger enterprises.
The good news is that after just 90 Days of Best Practices TrainingThe risk of phishing can be significantly reduced across all industries. The global average click-through rate per five employees (19.81 TP3T) can be reduced by Over 40%The
The situation continues to improve:12 months laterAverage PPP declines 86% to 4.1%This downward trend will continue. With continued training, the average PPP could be reduced to $4.5 billion in two years' time. 3.7%In three years' time, it could even be reduced to 2.6%This trend of decline has been observed in all sectors. This downward trend has been observed in all sectors.
| Enterprise Size | Number of workers | Baseline PPP (First Test Failure Rate) | Average improvement rate (SAT one year later) | High Risk Sector (Baseline PPP ≥30%) | Industries with the Most Outstanding Training Effectiveness and Data |
|---|---|---|---|---|---|
| Large Enterprises | 1,000-10,000 | 33.7% | 87% | Healthcare & Pharmaceuticals (41.1%), Banking (39.5%), Financial Services (38.4%), Energy & Utilities (37.2%) | Medical & Pharmaceuticals, Hospitality, Legal: 91% improvement rate; Legal SAT lowest click-through rate after one year 3.1% |
| Medium-sized Enterprises | 250-999 | 28.7% | 86% | Nonprofit (31.7%), Insurance (31.6%), Healthcare & Pharmaceuticals (31.4%), Retail (31.5%), Banking (30.4%), Consumer Services (30.1%) | Banking click rate down 91.8% (to 2.5%), Transportation 89%, Energy & Utilities 88%, Manufacturing 87%, Transportation 87%, Financial Services 87% |
| Small Business | 1-249 | 24.6% | 85% | Nonprofit (27.5%), Insurance (26.9%), Healthcare & Pharmaceuticals (26.6%), Retail (26.5%) | Banking hit rate down to 21 TP3T (down 901 TP3T); Energy & Utilities, Transportation, Construction, Education all at 871 TP3T |
Form Instructions:
While large enterprises are rich in training resources and can make more significant improvements, small and medium-sized enterprises rely on tools and automation templates to make up for the lack of training coverage.
The Asia-Pacific data confirms the effectiveness of continuous training and phishing simulations; it also reminds companies not to overlook regional differences and localization needs.
AI interventions have made phishing emails more realistic and difficult to recognize even for trained security professionals. In the next two years, some traditional detection mechanisms may become ineffective.
虹科高保真 HIL(Hardware-in-the-Loop)仿真解決方案,以 aiSim 模擬平台為核心,支援 L3/L4 自動駕駛測試、多傳感器仿真與 SiL/MiL/HiL 驗證,提供高置信度智能駕駛測試環境,適用於 OEM、Tier1 及自動駕駛科技企業。
隨著歐盟《網絡韌性法案》(Cyber Resilience Act, CRA)逐步落地,產品安全與供應鏈透明度已成為企業進入歐洲市場的強制要求。CRA要求製造商在產品全生命週期內建立安全機制,並提供SBOM、漏洞管理及合規證據。隨著歐盟《網絡韌性法案》(Cyber Resilience Act, CRA)逐步落地,產品安全與供應鏈透明度已成為企業進入歐洲市場的強制要求。CRA要求製造商在產品全生命週期內建立安全機制,並提供SBOM、漏洞管理及合規證據。ONEKEY安全與合規平台協助企業快速完成合規診斷與漏洞管理,建立可追溯、可驗證的產品安全合規體系。
在數碼轉型與監管要求日益提升的背景下,企業若仍將合規培訓與資訊安全意識培訓分開管理,往往難以真正降低人為風險。KnowBe4透過模擬釣魚測試、安全意識培訓及Compliance Plus合規培訓庫,建立「測試、培訓、再測試、數據回饋」的閉環管理模式。企業可藉此把合規課程與資安訓練整合為端到端培訓治理,建立可量化、可追蹤、可稽核的合規培訓體系。
