KnowBe4 Inc.

07/07/2026 | Press release | Distributed by Public on 07/07/2026 06:07

KnowBe4 Research Finds Global Phishing Susceptibility Drops 79% After One Year of Security Awareness Training

2026 Phishing by Industry Benchmarking Report reveals a 17.1% spike in phishing attacks while ongoing training slashes risk to 4.2%

KnowBe4, the global leader in digital workforce security, securing both AI agents and humans, today released its 2026 Phishing by Industry Benchmarking Report, revealing that organizations can reduce phishing susceptibility by 79% after one year of consistent security awareness training (SAT), despite a threat landscape increasingly powered by artificial intelligence.

The report analyzed 42 million phishing simulations across 14.8 million users at 64,000 organizations worldwide. The findings show that while employees remain a primary target for cybercriminals, organizations that invest in ongoing training and simulated phishing exercises can dramatically reduce employee phishing susceptibility over time.

According to the report, the global average Phish-prone Percentage (PPP) - the percentage of employees likely to engage with a phishing attack - starts at 33.2% before training. After 90 days of security awareness training, that figure drops to 20.1%, and after one year falls to just 4.2%.

These findings come at a crucial point as cybercriminals increasingly leverage AI to generate highly personalized phishing campaigns, business email compromise (BEC) schemes, and deepfake-enabled social engineering attacks at scale. It is more important than ever to ensure employees are aware of the most current cyber threats in order to avoid becoming victims.

Key Global Findings:

  • Before any training, roughly one in three employees is likely to engage with a phishing attempt.
  • Baseline PPP rises steadily with organizational size. Large enterprises with 10,000+ employees face a baseline PPP of 39.5%, compared to 24.7% for small businesses.
  • For the second consecutive year, the three most vulnerable industries at baseline are Healthcare & Pharmaceuticals (42.7%), Insurance (38.1%), and Retail & Wholesale (36%).
  • Organizations reduced phishing susceptibility by 40% within the first 90 days and by 79% after one year of ongoing security awareness training, reinforcing that continuous training drives lasting behavior change over one-time compliance exercises.
  • Across the different regions, Africa recorded the highest baseline risk at 35.9%, followed closely by North America at 34.5% and South America at 31.5%, while Asia entered with the lowest baseline at 24.9%.

"As organizations expand their workforce from humans to include autonomous AI agents, the attack surface grows in ways traditional controls were not designed to address," said Javvad Malik, lead CISO advisor at KnowBe4. "This complexity is being exploited, evidenced by a 17% spike in phishing attacks since late 2025 alone. However, the data proves organizations can combat this through continuous personalized training, which drops employee phishing susceptibility to 4.2% over 12 months."

Download the full 2026 Phishing by Industry Benchmarking Report.

FAQs

What is the Phish-prone Percentage (PPP)?

The Phish-prone Percentage (PPP) is a metric that measures the share of employees likely to engage with a phishing attack. KnowBe4's 2026 Phishing by Industry Benchmarking Report found the global average baseline PPP is 33.2%, meaning roughly one in three employees is susceptible before any security awareness training is in place.

Why is phishing still growing despite advances in cybersecurity technology?

Cybercriminals are increasingly leveraging AI to craft highly personalized phishing campaigns and deepfake-enabled social engineering attacks at scale, making threats harder to detect. KnowBe4's 2026 report documents a 17.1% spike in phishing attacks since late 2025, underscoring that training the modern workforce remains a critical and actively targeted risk.

Which industries face the highest phishing risk?

For the second consecutive year, Healthcare & Pharmaceuticals (42.7%), Insurance (38.1%), and Retail & Wholesale (36.0%) are the three most vulnerable industries at baseline. Organizational size also plays a role - large enterprises with 10,000+ employees face a baseline PPP of 39.5%, compared to 24.7% for small businesses.

How much can security awareness training reduce phishing susceptibility?

Organizations that invest in ongoing security awareness training can reduce employee phishing susceptibility by 40% within the first 90 days and by 79% after one full year, dropping the average PPP from 33.2% to just 4.2%.

KnowBe4 Inc. published this content on July 07, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on July 07, 2026 at 12:07 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at [email protected]