
Phishing click-rate benchmarks, and why they mislead

The real published numbers for phishing susceptibility by industry and company size, with sources. Compare your rate against them. Then the part most benchmark pages skip: why click rate alone is the wrong thing to optimize.

33.1% - Global average baseline Phish-prone Percentage: share of employees who fail an initial simulation before training. (KnowBe4 2025 Phishing by Industry Report)
~1.5% - Median phishing simulation click-through rate across all simulations, including trained populations. (Verizon 2025 DBIR)
4.1% - Where that 33.1% baseline lands after 12 months of ongoing training, an 86% reduction. (KnowBe4 2025 Phishing by Industry Report)

Two different metrics. Phish-prone Percentage measures untrained baseline susceptibility; the DBIR median measures clicks across all simulations. Quoting one as the other is a common mistake.

Baseline Phish-prone Percentage by industry (vs. 33.1% global):

Industry                          Baseline PPP
Healthcare & Pharmaceuticals      41.9%
Insurance                         39.2%
Retail & Wholesale                36.5%
Global average (all industries)   33.1%

Source: KnowBe4 2025 Phishing by Industry Benchmarking Report.

Baseline Phish-prone Percentage by organization size:

Organization size      Baseline PPP
1 - 250 employees      24.6%
10,000+ employees      40.5%

Larger organizations show higher baseline susceptibility. Source: KnowBe4 2025.


How to read these numbers without fooling yourself

There are two benchmarks on this page and they are not the same thing. KnowBe4's Phish-prone Percentage is the share of employees who fall for an initial simulation before any training, which is why it is high (33.1% globally, from 67.7 million simulations). The Verizon DBIR median click rate is much lower because it pools clicks across all simulations, including heavily trained populations. If someone tells you "the average phishing click rate is 1.5%" and someone else says "it's a third of employees," they are both right and measuring different things.

Why click rate is a weak program metric

A single click does not prove ignorance. Attackers only need one person to succeed, while defenders need systematic resilience, so a low click rate can hide a brittle program. Click rate also says nothing about whether employees recognized and reported the attack, which is the behavior that actually contains an incident. Optimizing click rate alone can even backfire: punitive programs drive the number down on paper while people quietly stop reporting their mistakes.

What to measure instead

The stronger signal is the ratio of reported phishing to clicked phishing, a quality-of-defense measure, plus time to report. A workforce that clicks occasionally but reports fast and often is far safer than one with a pristine click rate and no reporting culture. Regulations like NIS2 now require proof that controls actually work, and a click-rate chart does not meet that bar. This is the difference between an activity metric and an effectiveness metric.
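The metrics this section describes can be computed directly from per-recipient simulation outcomes. The following is an added example, not code from this page or from any of the vendors it cites; the record format, the constructed sample cohorts and the function names are assumptions chosen for illustration. It computes click rate, report rate, the report-to-click ratio, how many reports arrived before the first click, and median time to report, then compares a click rate against the baseline figures quoted above. The second cohort shows why a low click rate with no reporting is the weaker result.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Outcome:
    """One recipient of one simulation (hypothetical record format)."""
    user: str
    delivered: datetime
    clicked: Optional[datetime] = None   # when the lure link was clicked, if ever
    reported: Optional[datetime] = None  # when the user reported the email, if ever


T0 = datetime(2025, 3, 3, 9, 0)

# Constructed cohort A: some clicks, but frequent and fast reporting.
SAMPLE = [
    Outcome("u01", T0, reported=T0 + timedelta(minutes=4)),
    Outcome("u02", T0, clicked=T0 + timedelta(minutes=12), reported=T0 + timedelta(minutes=15)),
    Outcome("u03", T0),
    Outcome("u04", T0, clicked=T0 + timedelta(minutes=30)),
    Outcome("u05", T0, reported=T0 + timedelta(minutes=2)),
    Outcome("u06", T0, reported=T0 + timedelta(minutes=90)),
    Outcome("u07", T0),
    Outcome("u08", T0, clicked=T0 + timedelta(hours=2), reported=T0 + timedelta(hours=2, minutes=20)),
    Outcome("u09", T0, reported=T0 + timedelta(minutes=7)),
    Outcome("u10", T0),
]

# Constructed cohort B: a "pristine" click rate and no reporting culture at all.
PRISTINE = [Outcome(f"p{i:02d}", T0) for i in range(1, 10)] + [
    Outcome("p10", T0, clicked=T0 + timedelta(minutes=45)),
]

# Baseline Phish-prone Percentages quoted on this page (KnowBe4 2025).
BASELINE_PPP = {
    "Global average": 0.331,
    "Healthcare & Pharmaceuticals": 0.419,
    "Insurance": 0.392,
    "Retail & Wholesale": 0.365,
}


def program_metrics(outcomes):
    """Effectiveness metrics for one simulation: clicks, reports, and speed of reporting."""
    n = len(outcomes)
    clicked = [o for o in outcomes if o.clicked is not None]
    reported = [o for o in outcomes if o.reported is not None]
    # The first click is the moment an attacker would have had a foothold;
    # reports that land before it are the ones that could have contained a real incident.
    first_click = min((o.clicked for o in clicked), default=None)
    early = [o for o in reported if first_click is None or o.reported < first_click]
    minutes_to_report = [(o.reported - o.delivered).total_seconds() / 60 for o in reported]
    return {
        "click_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
        # Reports per click; infinite when nobody clicked at all.
        "report_to_click": len(reported) / len(clicked) if clicked else float("inf"),
        "reports_before_first_click": len(early),
        "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
    }


def compare_to_benchmark(click_rate, industry="Global average"):
    """Difference in percentage points between a click rate and the quoted baseline PPP."""
    return round((click_rate - BASELINE_PPP[industry]) * 100, 1)


if __name__ == "__main__":
    for name, cohort in (("cohort A", SAMPLE), ("cohort B (pristine)", PRISTINE)):
        m = program_metrics(cohort)
        print(name, m, "vs global baseline:", compare_to_benchmark(m["click_rate"]), "pts")
```

Cohort B has the lower click rate, yet its report-to-click ratio is 0 and it produced no report before the first click; cohort A clicked three times out of ten but reported six times, three of them before anyone clicked, with a median time to report of 11 minutes. Tracking the ratio and the time-to-report trend across campaigns, rather than the click rate alone, is what surfaces that difference.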

The behavior behind the clicks

The clicks themselves are downstream of behavior. CybSafe's Oh, Behave! 2025-2026 report found 65% of workers now use AI and 43% admit to sharing sensitive data through unapproved tools, which expands the attack surface faster than any single simulation captures. Benchmarks are a useful gut-check, but a mature program measures behavior and risk, not just who clicked a test email.

Frequently asked questions

What is the average phishing click rate?

It depends on the metric. KnowBe4's 2025 report puts the global average baseline Phish-prone Percentage (failing an initial simulation before training) at 33.1%. The Verizon 2025 DBIR reports a median phishing simulation click-through rate of about 1.5% across all simulations. Different measurements, not contradictory.

What is a good phishing click rate by industry?

KnowBe4's 2025 data shows the highest baseline rates in Healthcare and Pharmaceuticals (41.9%), Insurance (39.2%), and Retail and Wholesale (36.5%), against a 33.1% global average, falling about 86% after 12 months of training. The useful question is whether yours is improving and whether people report attacks, not just avoid clicking.

Why is click rate a weak way to measure a program?

A single click does not prove ignorance; attackers need one success while defenders need systematic resilience. Click rate ignores whether employees report the attack and how fast. The stronger metric is the ratio of reported to clicked phishing, plus time to report. NIS2 now requires proof controls work, which click rate alone cannot give.

Where does this data come from?

Phish-prone Percentage figures are from KnowBe4's 2025 Phishing by Industry Benchmarking Report (67.7M simulations, 14.5M users). The median simulation click rate is from the Verizon 2025 DBIR. Behavioral context is from CybSafe's Oh, Behave! 2025-2026. All attributed below.

Sources

Measure the program, not just the clicks

A benchmark tells you where you stand on one number. The free SEAT assessment tells you whether your whole program is actually reducing human risk, across Strategy, Engage, Assess, and Train. No account needed, 10-15 minutes.

Take the free SEAT assessment