
When your organization runs its first phishing simulation and the results come back showing a 28 percent click rate, the immediate question is almost always the same: is that bad?
The answer depends entirely on context. A 28 percent click rate for a first-ever simulation in a healthcare organization with a large non-technical clinical workforce looks different from a 28 percent click rate for a financial services firm that has been running monthly simulations for two years. One of those numbers suggests a realistic starting point. The other suggests a program that has not been working.
Industry benchmarks give your phishing click rate the context it needs to be interpretable. They allow you to answer not just "where are we?" but "where are we relative to organizations facing similar threats, similar workforce profiles, and similar constraints?" That comparative perspective is what transforms a raw percentage into actionable intelligence.
This guide provides a detailed overview of phishing click rate benchmarks across major industries, explains the factors that drive variation between sectors, and offers a framework for interpreting your organization's numbers relative to industry reference points. For a quick reference of broader threat statistics, see also our phishing statistics overview.
How Phishing Click Rate Benchmarks Are Produced
Before interpreting benchmark data, it is worth understanding how it is generated—because methodology matters significantly for how usefully any benchmark applies to your situation.
Phishing click rate benchmarks are typically produced by security awareness platform providers analyzing anonymized simulation data from their customer bases. These datasets can be large—aggregating millions of simulated phishing emails across thousands of organizations—but they also carry inherent biases that affect how the data should be interpreted.
Organizations that subscribe to phishing simulation platforms are, by definition, actively working on their security awareness posture. They are not a representative sample of all organizations in their industries—they are the subset that has made a deliberate investment in measuring and improving phishing resilience. This means industry benchmarks derived from simulation platform data tend to understate the click rates that would be observed in organizations with no active simulation program.
The practical implication is that if your organization is early in its simulation program, your click rates may be higher than industry benchmarks derived from more mature programs—not because your employees are unusually susceptible, but because your benchmark comparison group includes organizations that have been conditioning employee behavior for years.
A second methodological consideration is template difficulty. Click rates vary significantly depending on the sophistication and realism of the simulation template used. Industry benchmarks that aggregate across all template types will produce different numbers than benchmarks calculated from only high-difficulty scenarios. Before comparing your results against a published benchmark, find out the template difficulty distribution behind both your results and the benchmark; a 15 percent click rate on generic lures compared against a benchmark built from targeted lures says little either way.
Healthcare: High Volume, High Stakes
Healthcare consistently appears among the highest-phishing-click-rate industries in benchmark data, with average rates typically observed in the range of 20 to 35 percent across organizations that are early in their simulation programs.
Several factors drive this elevated susceptibility profile. Healthcare workforces are large and occupationally diverse, including clinical staff whose primary training is medical rather than digital. Nurses, technicians, therapists, and clinical support staff often have limited exposure to the types of security awareness training common in technology or financial services environments.
The communication patterns of healthcare organizations also create fertile ground for phishing. Legitimate clinical communication regularly involves external parties—labs, pharmacies, insurance companies, referral networks, medical device vendors—who email staff directly. Employees are conditioned to respond to external communications quickly, and the volume of legitimate external email makes it harder to apply consistent skepticism.
Healthcare organizations that have invested in consistent phishing simulation programs over twelve to twenty-four months typically see click rates decline to the ten to eighteen percent range, with reporting rates improving substantially as staff develop the habit of escalating suspicious messages.
The stakes of healthcare phishing susceptibility are amplified by the regulatory environment—HIPAA breach notifications carry significant costs, and OCR enforcement actions increasingly include civil penalties that make the financial consequence of a phishing-related breach substantially higher than in less regulated industries.
Financial Services: High Awareness, Persistent Risk
Financial services organizations typically show lower baseline phishing click rates than healthcare, reflecting both the higher baseline security awareness of professionally trained financial staff and the longer average history of security training programs in the sector. Average click rates for financial services organizations in the early stages of phishing simulation commonly fall in the 15 to 25 percent range.
However, financial services organizations face a phishing risk profile that is qualitatively different from other sectors. Business email compromise—phishing attacks specifically designed to impersonate executives, vendors, or payment processors to authorize fraudulent wire transfers—is disproportionately prevalent in financial services. These attacks are often highly targeted, low-volume, and carefully researched to impersonate specific internal communication patterns. Standard simulation templates that represent generic credential harvesting may show favorable click rates without adequately capturing the organization's vulnerability to the high-value attacks it is most likely to face.
Financial services security teams should supplement standard phishing simulation with targeted BEC-specific scenarios that test employees who handle payment authorization, wire transfers, and account management against the specific attack patterns most relevant to their roles.
Education: Volume Challenges and Heterogeneous Workforces
Educational institutions—K-12 districts, colleges, and universities—consistently show some of the highest average phishing click rates in industry benchmark data, frequently above 30 percent in baseline assessments.
The factors driving this susceptibility are structural. Education sector workforces are highly heterogeneous: faculty, administrative staff, research personnel, facilities staff, student employees, and adjunct instructors all have different relationships to digital security and different levels of prior training. Turnover in many of these categories is high, creating persistent new-employee vulnerability. IT budgets in education are typically constrained, limiting the investment available for robust awareness programs.
Universities face the additional complexity of a dual-use network environment where students, faculty, and administrative staff coexist with vastly different security expectations and permissions. Social engineering that exploits the open, collaborative culture of academic environments—unexpected research collaboration requests, fake conference invitations, fraudulent journal submission notifications—is particularly effective in this context.
Education sector organizations that run consistent simulation programs see improvement, but the high turnover rate in student employee populations means baseline conditions reset more frequently than in stable workforce environments. Program design for education needs to account for this by building onboarding-triggered simulation into the new employee or new academic year cycle.
Technology: Lower Baselines, Sophisticated Threats
Technology companies typically exhibit the lowest average phishing click rates across industry benchmarks, often in the 10 to 20 percent range even in early simulation programs. This reflects the higher average baseline security literacy of technology workforces, greater exposure to security-adjacent topics through professional development, and longer average histories of security awareness programs.
However, lower average click rates in technology organizations can mask significant internal variation. Non-technical staff—sales, marketing, finance, legal, and administrative employees—often show click rates considerably higher than engineering and security staff. Technology organizations that report aggregate click rates without examining department-level variation may be significantly underestimating their risk exposure in the non-technical segments of their workforce.
Technology organizations are also frequent targets of sophisticated, targeted spear phishing campaigns that exploit their perceived security sophistication. Attackers who know that generic phishing templates are unlikely to fool technology employees design highly personalized, contextually specific attacks—impersonating known vendors, referencing real projects or personnel, or exploiting specific software platforms the organization uses. Standard simulation templates may not adequately prepare technology employees for this level of attack sophistication.
Retail and Hospitality: Seasonal Patterns and High Turnover
Retail and hospitality organizations face a distinctive combination of high workforce turnover, significant seasonal staffing variation, and a customer-service culture that emphasizes responsiveness—all of which create elevated phishing susceptibility.
Average click rates in retail and hospitality commonly fall in the 20 to 30 percent range, with significant seasonal variation. The period leading up to major retail holidays—when staffing is at its highest and includes the largest proportion of newly onboarded employees—consistently shows the highest click rates in any annual simulation cycle for these organizations.
Phishing attacks targeting retail organizations often exploit the seasonal patterns that attackers have learned to recognize. Fake vendor payment requests during high-volume ordering periods, fraudulent shipping notifications during peak delivery seasons, and impersonation of loyalty program platforms during promotional periods are all effective because they arrive at precisely the moments when employees are most distracted and least likely to scrutinize communications carefully.
Retail security teams should design simulation cadences that frontload training before high-risk seasonal periods rather than distributing campaigns evenly throughout the year.
Government and Public Sector: Bureaucratic Structure and Compliance Culture
Government and public sector organizations show highly variable phishing click rates that reflect the enormous diversity of the sector—from small municipal offices to large federal agencies with sophisticated security programs.
At the local and state government level, click rates commonly fall in the 20 to 35 percent range for organizations without established simulation programs, reflecting limited security awareness investment, budget constraints, and workforces that skew older and less digitally native than comparable private sector organizations.
Federal agencies and large state departments with established security awareness mandates and compliance programs often show significantly lower click rates, sometimes in the eight to fifteen percent range, reflecting years of consistent program investment and the regulatory pressure of frameworks like FISMA that require documented security training.
Government organizations face a specific phishing risk associated with the public availability of employee information. Government employee names, titles, and contact information are often publicly accessible through official directories, freedom of information disclosures, and public records—providing attackers with the targeting data needed for effective spear phishing without the research investment typically required.
Professional Services: Information Custodians Under Pressure
Legal, accounting, consulting, and other professional services firms handle highly sensitive client information while operating under significant time pressure and with a culture that prizes responsiveness. These conditions produce a phishing risk profile that is distinct from both financial services and technology.
Average click rates in professional services commonly fall in the 15 to 25 percent range, with significant variation by firm size and security maturity. Smaller professional services firms—boutique law practices, independent accounting firms, niche consulting groups—often show substantially higher click rates than large firms with dedicated security functions, reflecting the correlation between firm size, security investment, and awareness program maturity.
The most significant phishing risk in professional services is data exfiltration rather than financial fraud. Attackers who successfully compromise a law firm or accounting firm email account gain access to client information, deal-in-progress documentation, and sensitive financial data that has significant value in both corporate espionage and organized crime contexts. The reputational and liability consequences of a breach of client data in professional services are severe, which amplifies the stakes of phishing susceptibility beyond direct financial loss.
What Your Click Rate Benchmarks Mean for Program Design
Understanding where your organization sits relative to industry benchmarks informs program design decisions in several specific ways.
If your click rate is significantly above your industry benchmark—even for a first simulation—it suggests that your workforce has had less prior exposure to security awareness than comparable organizations and will require a more intensive training cadence to build baseline phishing recognition skills.
If your click rate is at or below your industry benchmark from the outset, it does not mean your program is complete. It means your employees are performing at a typical level for your sector, which still leaves substantial room for improvement and does not preclude targeted attacks that exploit specific organizational knowledge.
If your click rate has been declining over time but has plateaued above your industry benchmark, it suggests either that your simulation templates have become predictable enough that employees are pattern-matching to your specific scenarios rather than developing generalized phishing detection skills, or that there is a specific high-risk population segment whose performance is disproportionately influencing the aggregate number.
In all cases, benchmarks are reference points for interpretation, not performance targets. The meaningful target for any organization is continuous improvement measured against its own baseline—with industry benchmarks providing context for how that improvement trajectory compares to the sector.
Beyond Click Rate: The Benchmarks That Matter Most
Click rate is the most widely cited phishing benchmark, but it is not the most informative single metric of security culture health. Two additional benchmarks deserve equal attention in any serious program assessment.
Reporting rate benchmarks. Industry data on reporting rates—the percentage of employees who identify and report a simulated phishing email—typically show averages in the eight to fifteen percent range across sectors for organizations without mature reporting cultures. High-performing organizations achieve reporting rates of 25 to 40 percent or above, reflecting a workforce that actively participates in collective defense rather than simply avoiding individual mistakes. Check the denominator before comparing against a published figure: a rate computed over all recipients is not comparable to one computed over recipients who did not click, and neither is meaningful if employees have no one-click reporting mechanism. Improving reporting rate is often a more achievable near-term goal than reducing click rate, and it produces more direct security value per unit of improvement.
Improvement velocity benchmarks. How quickly organizations reduce their click rates varies significantly and is itself benchmarkable. Organizations with well-designed programs—monthly simulations, behavior-triggered just-in-time training, consistent reinforcement—typically reduce click rates by eight to fifteen percentage points in the first year of active program management. Organizations with sporadic or poorly designed programs often show minimal improvement over the same period. Knowing the typical improvement velocity for your sector helps set realistic expectations and identify whether your program design is producing results at a competitive rate.
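The measurements discussed in this section and earlier in the guide (difficulty-stratified click rates, department-level variation hidden by an aggregate number, the high-risk segment behind a plateau, reporting rate, and year-over-year improvement velocity) can all be computed from the same per-recipient simulation records. The script below is an added example, not code from the original article or from any simulation platform. The record layout, the 1-to-3 difficulty scale, the department names, and every count in the constructed dataset are assumptions chosen so the results can be checked by hand.

```python
"""Compute phishing-simulation metrics over constructed campaign records.

Added example; not part of the original article or any vendor platform.
The record layout, the 1-3 difficulty scale, the department names and all
counts below are constructed assumptions chosen to be easy to check by hand.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SimRecord:
    """One simulated phishing email delivered to one recipient."""
    campaign_date: date
    department: str
    difficulty: int      # assumed scale: 1 = generic lure, 3 = targeted lure
    clicked: bool
    reported: bool


def expand(campaign_date, department, difficulty, sent, clicks, reports):
    """Build `sent` records: the first `clicks` clicked, the next `reports`
    reported, the rest did neither (click and report treated as exclusive)."""
    return [
        SimRecord(campaign_date, department, difficulty,
                  clicked=i < clicks,
                  reported=clicks <= i < clicks + reports)
        for i in range(sent)
    ]


BASELINE = date(2024, 1, 15)   # first-ever simulation
FOLLOWUP = date(2025, 1, 15)   # same design, one year later

# Constructed data: each campaign sends an easy (1) and a hard (3) template
# to 20 engineering and 5 sales recipients.
RECORDS = (
    expand(BASELINE, "engineering", 1, 20, 2, 8)
    + expand(BASELINE, "sales", 1, 5, 3, 0)
    + expand(BASELINE, "engineering", 3, 20, 6, 4)
    + expand(BASELINE, "sales", 3, 5, 4, 0)
    + expand(FOLLOWUP, "engineering", 1, 20, 1, 12)
    + expand(FOLLOWUP, "sales", 1, 5, 1, 2)
    + expand(FOLLOWUP, "engineering", 3, 20, 3, 8)
    + expand(FOLLOWUP, "sales", 3, 5, 3, 1)
)


def campaign(records, campaign_date):
    """Records belonging to one campaign date."""
    return [r for r in records if r.campaign_date == campaign_date]


def click_rate(records):
    return sum(r.clicked for r in records) / len(records)


def report_rate(records):
    # Denominator is every recipient, not only those who did not click.
    # A benchmark computed the other way is not directly comparable.
    return sum(r.reported for r in records) / len(records)


def rate_by(records, key, metric=click_rate):
    """Split records by `key(record)` and apply `metric` to each group."""
    groups = defaultdict(list)
    for r in records:
        groups[key(r)].append(r)
    return {k: metric(v) for k, v in groups.items()}


def masked_segments(records, key, margin=0.10):
    """Segments whose click rate sits more than `margin` above the aggregate:
    the populations a single aggregate number hides."""
    aggregate = click_rate(records)
    return {k: v for k, v in rate_by(records, key).items()
            if v - aggregate > margin}


def improvement_velocity(records):
    """Percentage-point drop in click rate from the first to the last campaign."""
    by_date = rate_by(records, lambda r: r.campaign_date)
    first, last = min(by_date), max(by_date)
    return (by_date[first] - by_date[last]) * 100


if __name__ == "__main__":
    base = campaign(RECORDS, BASELINE)
    print(f"baseline click rate      {click_rate(base):.0%}")
    print(f"baseline report rate     {report_rate(base):.0%}")
    print(f"by difficulty            {rate_by(base, lambda r: r.difficulty)}")
    print(f"by department            {rate_by(base, lambda r: r.department)}")
    print(f"masked segments          {masked_segments(base, lambda r: r.department)}")
    print(f"improvement (pct points) {improvement_velocity(RECORDS):.1f}")
```

On the constructed baseline the aggregate click rate is 30 percent, which looks like a typical first-simulation number, but splitting by template shows 20 percent on the generic lure against 40 percent on the targeted one, and splitting by department shows engineering at 20 percent against sales at 70 percent. Both views matter when reading the aggregate against a published benchmark, and the department view is the one to run when an aggregate rate plateaus. Over the two campaigns the click rate falls 14 percentage points while the report rate nearly doubles, which is the shape a working program should show.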
PhishSkill provides industry-benchmarked reporting that puts your organization's phishing click rate, reporting rate, and improvement trajectory in context alongside comparable organizations in your sector. Because knowing your number is only the beginning—knowing what it means is where the program decisions start.
Related Reading
Benchmarks are great for context, but ROI is what wins the budget. Master the business case in How to Prove the ROI of Security Awareness Training to Your Board and CFO or learn more about the Phishing Resilience Score: What It Is and How to Calculate It.
For the definitive industry data on breach vectors, see the Verizon Data Breach Investigations Report (DBIR).