Security awareness and phishing training firm KnowBe4 has published a new report that identifies the industries most susceptible to phishing attacks.
For the report, KnowBe4 analyzed data from more than 6 million users at 11,000 organizations using its phishing email simulation service. The figures cover three points in time: a baseline taken before any security awareness training was provided, 90 days after training and phishing email simulations began, and one year after the training and phishing simulation program commenced.
The baseline figure across all industry sectors was 27%: before phishing awareness training was provided, 27% of employees failed the phishing simulation exercises. Such high click rates show how important it is for employees to receive training and to be taught how cybercriminals attempt to steal data and what the common signs of a phishing attack are.
At the start of the study, the industry most susceptible to phishing attacks was insurance in the small to mid-sized company category (under 1000 employees) with a click rate of 35.46%. Non-profits were the most susceptible to phishing attacks in the large company category (1000+ employees) with a 30.97% click rate.
Financial services fared best in the small business category (1-249 employees) with a phish-prone percentage of 27.41%, and government organizations fared best in the mid-sized category (250-999 employees) with a click rate of 25.12%. In the large category (1000+ employees), business services performed best with a click rate of 19.40%. In other words, even the best-performing industry sector in the test saw roughly one in five employees click on a phishing email before training was provided.
The effect of training and phishing email simulations is clear in the same data. The average click rate 90 days after training began was 13%. After a year of training and phishing email simulations, the average user susceptibility had dropped to 2.17%.
After a year of training and simulations, the worst-performing industries were financial services, insurance, education, and energy and utilities, with phishing link click rates of around 5%.
“The new research uncovered some surprising and troubling results. However, it also demonstrates the power of deploying new-school security awareness training by lowering a 27 percent Phish-prone result to just over two percent,” said KnowBe4 CEO Stu Sjouwerman. “New-school security awareness training which includes frequent simulated social engineering testing is a proven method to dramatically slash an organization’s Phish-prone percentage. Effectively managing this problem requires commitment and C-level buy-in, but it can be done and isn’t difficult.”