Phishing continues to dominate the threat landscape in 2025. As attackers evolve their tactics to bypass technical defenses, businesses face a critical question: How likely are employees to fall for a phishing attempt?

KnowBe4’s latest Phishing by Industry Benchmarking Report 2025 provides a data-driven answer. Based on results from 56 million simulated phishing tests across 55,000+ organizations, the report reveals average Phishing-Prone Percentages (PPP) across industry sectors, company sizes, and regions.

Let’s explore the top takeaways, and how to proactively reduce your organization’s phishing risk.

What is the Phishing-Prone Percentage (PPP)?

The Phishing-Prone Percentage (PPP) is the percentage of users who clicked on a simulated phishing email during testing. It reflects how vulnerable your employees are to phishing before any training.

In the 2025 benchmarking study, KnowBe4 analyzed simulation results across:

• 19 different industry sectors
• 9 geographic regions
• 3 company size categories

The findings deliver critical insight into how susceptible specific verticals are, and how well training programs actually work.

Initial Phishing Risk in 2025: Benchmarking by Industry

The average baseline PPP across all industries was 34.3 percent, meaning over one in three employees clicked on a phishing link without training. But some industries performed significantly worse.

Industries with the Highest Initial PPPs:

• Hospitality – 52.9%
• Education – 50.2%
• Pharmaceuticals – 48.2%
• Healthcare & Medical – 46.9%
• Energy & Utilities – 45.8%

These sectors are high-risk due to sensitive data, high employee turnover, or frequent external communication, all factors that increase phishing vulnerability.

Industries with the Lowest Initial PPPs:

• Technology – 28.5%
• Finance & Banking – 29.8%
• Insurance – 30.1%

Organizations in these industries tend to have more mature cybersecurity programs and stricter access controls.

Phishing Risk by Company Size

Company size plays a role in phishing vulnerability, but not in the way many expect:

• Small organizations (1–249 employees): More vulnerable due to limited resources
• Mid-sized organizations (1,000–2,500 employees): Highest average PPP across the board
• Large enterprises (10,000+ employees): Lower PPPs thanks to stronger governance and layered defenses

Regardless of size, no organization is immune, especially without ongoing training.

Assess your Third Party Risk Management

Training Works: How PPP Drops Over Time

The most impactful takeaway from KnowBe4’s 2025 report? Security awareness training works, fast and sustainably.

Organizations that implemented consistent phishing simulations and training saw a massive drop in PPP:

That’s an 86 percent reduction in phishing vulnerability over one year.

Phishing Tactics: What Lures Are Employees Falling For?

KnowBe4’s simulations use real-world phishing templates designed to mimic what attackers actually send. The most effective lures in 2025 include:

• IT alerts: “Password expired. Click here to reset.”
• Delivery notifications: “FedEx: Your package is delayed.”
• HR notices: “Policy update: View changes to PTO benefits.”
• Account security warnings: “Suspicious login detected.”

These messages rely on urgency, fear, or curiosity, triggering emotional responses before critical thinking kicks in.

How to Reduce Phishing Risk in Your Organization

Based on the 2025 benchmark data, here are the most effective strategies for reducing phishing exposure:

• Invest in Security Awareness Training: Train employees continuously, not just once a year. Tailor content by department and role.
• Launch Ongoing Phishing Simulations: Test your workforce with simulated phishing campaigns. Use results to identify high-risk users.
• Measure Your Own PPP and Benchmark It: Compare your phishing-prone rate against KnowBe4’s industry averages to assess your risk.
• Layer Technical Controls: Use secure email gateways, DNS filtering, and multi-factor authentication to block phishing payloads.
• Build a Security-First Culture: Reward users for reporting suspicious emails and normalize asking IT for help.

In Closing: Understand the Risk, Train to Prevent It

The Phishing by Industry Benchmarking Report 2025 underscores a hard truth: technical defenses alone aren’t enough. People are the last line of defense, and often the first target.

The most at-risk industries in 2025 are those that interact with sensitive data, the public, or third-party vendors. But no sector is truly safe without training.

Want to benchmark your organization’s PPP and improve employee resilience? RSI Security provides tailored phishing simulation services, role-based awareness training, and advisory to help reduce human cyber risk.

Schedule A Third Party Risk Management service