
Numbers have a way of cutting through the noise. When someone asks why phishing simulation matters, or why security awareness training deserves a real budget, the fastest answer is usually a well-chosen statistic. But a statistic without context is just a number. What follows is not a list you paste into a slide deck — it is a curated set of data points with enough explanation to make each one genuinely useful.
These figures are drawn from major industry reports, breach investigation data, and behavioral research relevant to phishing defense in 2026. Where ranges appear, that reflects genuine variation across industries and organization sizes.
The Scale of the Problem
1. Phishing is involved in more than 36 percent of all data breaches.
This figure has held relatively stable for several years, which is itself significant. Despite advances in email filtering, endpoint detection, and threat intelligence, phishing keeps working at roughly the same rate. The technology layer is not solving the problem. The human layer is where the gap persists.
2. More than 3.4 billion phishing emails are sent every single day.
That is not a typo. Phishing infrastructure is cheap, highly automated, and globally distributed. The economics of phishing favor attackers: sending millions of emails costs almost nothing, and even a tiny success rate yields significant returns. Volume is part of the strategy — flooding inboxes increases the probability that someone will encounter a well-crafted message at a vulnerable moment.
3. The average organization receives over 700 phishing emails per month.
For larger enterprises the number climbs considerably higher. Even with robust filtering, a meaningful proportion of these land in employee inboxes. This is why technical controls alone cannot close the gap — humans remain the last line of defense on a meaningful number of inbound threats.
4. Phishing attacks increased by 58 percent over the prior two-year period.
The growth is not linear. It accelerates in periods of major news events, platform adoption spikes (such as widespread migration to new collaboration tools), and whenever new AI-assisted attack generation tooling becomes accessible to lower-skilled threat actors.
5. More than 90 percent of cyberattacks begin with a phishing email.
This is probably the most cited statistic in the security awareness space, and it deserves the attention it gets. Ransomware, business email compromise, credential theft, supply chain attacks — the overwhelming majority trace back to a human being who received and acted on a malicious message.
What Employees Actually Do
6. The average phishing click rate for organizations without active simulation programs is 32 percent.
Nearly one in three employees will click a well-crafted phishing email in the absence of any formal conditioning or practice. This is not because those employees are careless. It is because phishing messages are specifically designed to exploit cognitive patterns that are entirely normal and useful in everyday work — responsiveness, trust in authority, reaction to urgency.
7. Organizations with active monthly simulation programs reduce their click rate to below 10 percent within 12 months.
This is one of the most compelling data points in the entire field. The intervention works. Consistent, realistic simulation combined with behavior-triggered training produces measurable, sustained improvement. The difference between 32 percent and under 10 percent represents a dramatic reduction in organizational exposure.
8. Just-in-time training delivered at the moment of a simulated click produces 40 percent better retention than scheduled training modules.
Timing matters enormously in learning. An employee who clicks a simulated phishing link and immediately receives a short, specific explanation of what they missed is in a uniquely receptive state. The lesson is concrete, personal, and immediately relevant. Scheduled training — particularly annual compliance modules — cannot replicate this.
9. Employees who receive quarterly phishing simulations are 70 percent less likely to click on real phishing emails than those who receive none.
Quarterly is better than nothing. Monthly is better than quarterly. The data consistently shows that frequency of exposure is one of the strongest predictors of behavioral improvement, more so than the depth or sophistication of any single training module.
10. Only 17 percent of employees who click a phishing link report the incident to their security team.
This is a significant problem. The gap between click rate and reporting rate means that organizations are often unaware of active phishing campaigns affecting their employees. Building a reporting culture — where employees feel confident and rewarded for flagging suspicious messages — is as important as reducing the click rate itself.
11. Employees in finance and accounting roles are three times more likely to be targeted by spear phishing than employees in other departments.
Attackers are not indiscriminate. Finance teams with payment authorization responsibilities, executives whose credentials enable access to sensitive systems, and IT administrators with privileged access are specifically targeted with higher-effort, more personalized attacks. Risk-based simulation programs that run more frequent and more sophisticated campaigns for these groups produce better outcomes than uniform approaches.
12. New employees are 60 percent more likely to click a phishing link than employees with more than 12 months of tenure.
Onboarding is a high-risk window. New hires are establishing workflows, learning who to trust, and trying to be responsive and helpful — all of which make them more susceptible to authority-based phishing and requests that seem like legitimate business operations. Integrating simulation into onboarding rather than waiting for the next scheduled campaign cycle addresses this vulnerability at the moment it is most acute.
The Cost of Getting It Wrong
13. The average cost of a data breach in 2026 is $4.88 million.
This figure encompasses detection and escalation, notification, post-breach response, and lost business. It does not include reputational damage, regulatory fines, or the long-term customer attrition that often follows a public breach. For organizations outside the largest enterprise tier, a breach of this magnitude is existential.
14. Breaches caused by phishing take an average of 261 days to identify and contain.
Nearly nine months. During that window, attackers may move laterally across systems, exfiltrate data in batches, establish persistence, and identify additional targets. The length of the dwell period directly correlates with breach cost — longer detection means more damage.
15. Business email compromise (BEC) attacks cost organizations more than $50 billion globally in 2025.
BEC is a sophisticated phishing variant in which attackers compromise or impersonate legitimate business email accounts to authorize fraudulent payments, redirect payroll, or extract sensitive data. It requires no malware and no technical exploit — just a convincing email and an employee who acts without verifying. BEC prevention training is the primary defense.
16. Ransomware attacks, 94 percent of which originate from phishing, cost their victims an average of $1.85 million in total impact.
The ransom payment itself is often a fraction of the total cost. Business downtime, recovery expenses, reputational damage, and the operational disruption of rebuilding compromised systems frequently dwarf the initial ransom demand. Prevention through human risk reduction is dramatically cheaper than recovery.
17. Organizations with mature security awareness programs experience 70 percent lower breach costs on average than those without.
This is the number that makes the business case. Security awareness training is not a cost center — it is a risk reduction investment with a directly calculable return. The delta between breach costs for prepared organizations and unprepared ones vastly exceeds any reasonable training budget.
18. The average phishing attack costs a mid-size organization $1.6 million in productivity loss, even when no data is exfiltrated.
Incident response, employee downtime, IT investigation time, legal review, and executive attention all have direct costs. Even a phishing attack that is caught before data is stolen is expensive. The operational disruption of dealing with a credible phishing incident — particularly one involving executive impersonation or financial fraud — consumes significant resources.
Industry-Specific Data
19. Healthcare organizations face a phishing click rate of 35 percent — the highest of any major industry.
Healthcare is a particularly high-risk environment for phishing. Staff are trained to be responsive and patient-focused, which makes skepticism about incoming communications feel at odds with their professional instincts. Regulatory complexity around systems and credentials creates conditions that attackers exploit with IT impersonation and access-related urgency.
20. Financial services organizations have reduced their average click rate to 18 percent through mandatory simulation programs.
Regulatory pressure has driven meaningful investment in awareness programs in financial services, and the numbers reflect it. Mandatory simulation requirements, audit-ready reporting, and executive-level accountability for human risk metrics have produced measurable improvement — though the sector remains a high-value target and the threat continues to evolve.
21. Education is the fastest-growing target sector for phishing attacks, with a 224 percent increase in targeted campaigns.
Universities and school districts present a combination of weak technical controls, high-value data (student records, research data, payment information), and populations with limited security awareness. Ransomware groups have identified education as a high-return target with lower defenses than corporate or government environments.
22. Technology companies experience the highest rate of credential phishing attempts.
Employees at technology firms are targeted for their access to cloud infrastructure, source code repositories, API keys, and customer data. Credential harvesting attacks that impersonate internal tools, CI/CD systems, or cloud provider login pages are particularly common. Role-specific simulation that reflects the tools technology employees actually use produces better outcomes than generic campaigns.
23. Government and public sector organizations experience a 47 percent phishing click rate without active training programs.
Fragmented IT infrastructure, legacy systems, limited security budgets, and high employee turnover in some roles create vulnerability. The public sector's exposure to nation-state threat actors adds a dimension of attacker sophistication that makes robust awareness programs especially important.
Phishing Techniques and Trends
24. Spear phishing accounts for 65 percent of successful phishing attacks despite representing only 0.1 percent of total phishing volume.
Volume and success rate are inversely correlated in phishing. Mass phishing campaigns succeed occasionally against large populations. Targeted spear phishing, which incorporates personal details, organizational context, and role-specific content, succeeds at dramatically higher rates. Defending against it requires simulation programs that go beyond generic templates.
25. AI-generated phishing emails have a 35 percent higher click rate than manually crafted equivalents.
Large language models have made it trivially easy to produce grammatically perfect, contextually relevant, and psychologically sophisticated phishing messages at scale. The spelling errors and awkward phrasing that once served as reliable detection signals are disappearing. Training programs need to evolve their red-flag education accordingly.
26. Phishing-as-a-service (PhaaS) platforms now enable non-technical attackers to launch sophisticated campaigns for as little as $50 per month.
The barrier to entry for phishing has dropped dramatically. This is expanding the threat actor pool beyond organized criminal groups and nation-states to include opportunistic individuals with minimal technical skill. Volume and sophistication are both increasing as a result.
27. Mobile phishing (smishing) increased by 127 percent in the past two years.
SMS-based phishing exploits the fact that mobile users apply less scrutiny to text messages than to emails, click links more readily on small screens, and often receive fewer technical warnings about suspicious content. Training programs that ignore the mobile attack surface are leaving a significant gap.
28. Vishing (voice phishing) attacks have a success rate three times higher than email phishing.
A real human voice on a phone call is extraordinarily persuasive. Vishing attacks, particularly those that combine caller ID spoofing with prior intelligence from social media or data breaches, regularly succeed against targets who would have recognized the same content as suspicious in email form. Awareness training needs to explicitly address this vector.
29. QR code phishing (quishing) increased by 587 percent since widespread adoption of mobile payment systems.
QR codes bypass many email security filters because the malicious URL is encoded inside an image rather than appearing as a link in the message body, so URL-based inspection has nothing to examine. Employees who scan a QR code from a phishing email are taken directly to a credential harvesting page with no warning. Most awareness training programs have not yet addressed this technique adequately.
30. The average phishing email is opened within six minutes of delivery.
Urgency works. Phishing emails are opened on much the same timeline as legitimate email because they are designed to look like legitimate email. A six-minute window between delivery and first open means that technical detection and takedown of phishing infrastructure often occur after employees have already been exposed.
What Good Programs Look Like
31. Organizations that run monthly simulations see a 64 percent greater click rate reduction than those running quarterly simulations.
Frequency is the most consistently predictive variable for program success. Monthly exposure builds and reinforces habits in a way that quarterly campaigns cannot. The compounding behavioral effect of regular, varied simulation outperforms the single-event impact of any individual training module.
32. Programs that vary simulation templates across attack types reduce click rates 40 percent more than programs using the same templates repeatedly.
Template variety forces genuine skill development. Employees who only ever see IT password reset simulations become good at recognizing IT password reset simulations — not phishing in general. Rotating across credential harvesting, BEC, executive impersonation, vendor fraud, and delivery notification scenarios builds broader, more transferable recognition skills.
33. Reporting rates in organizations with active simulation programs are 5.4 times higher than in organizations without.
Simulation programs normalize the act of encountering suspicious emails and reporting them. Employees who have practiced the behavior in a low-stakes simulation context are far more likely to apply it when they receive a real suspicious message. Reporting rate is arguably as important as click rate — it determines how quickly your organization can detect and respond to real campaigns.
34. Organizations that publicly recognize high reporting rates see a 28 percent further improvement in reporting behavior.
Positive reinforcement works. Acknowledging departments or individuals with high reporting rates — even through simple internal communications — creates social proof that the behavior is valued and normal. This compounds over time as reporting becomes a cultural expectation rather than an exceptional act.
35. Security awareness programs with executive sponsorship are 2.3 times more likely to show sustained improvement over 18 months.
Programs that are treated as operational necessities supported by leadership produce better long-term outcomes than programs operated by security teams in isolation. Executive sponsorship signals organizational seriousness, unlocks adequate resources, and creates accountability for improvement that extends beyond the security team itself.
ROI and Investment Data
36. The average organization spends $27 per employee per year on security awareness training.
This figure varies enormously by organization size, program maturity, and vendor selection. What is consistent is that even at the high end of per-employee investment, the cost of a mature awareness program is a small fraction of the cost of a single breach. The economics are not subtle.
37. For every dollar invested in security awareness training, organizations see an average return of $37 in avoided breach costs.
This calculation is based on actuarial models that weight breach probability against training cost. The ratio is not uniform — organizations in high-risk industries or those beginning from high baseline click rates see even greater returns. But the directional case is clear: awareness training is among the highest-return investments in the security budget.
38. Organizations that can demonstrate a mature security awareness program negotiate cyber insurance premiums that are 15 to 23 percent lower.
Insurers are increasingly sophisticated about human risk. Programs that produce documented simulation histories, measurable click rate improvement, and verifiable training completion provide evidence of reduced exposure that carriers factor into premium calculations. The insurance savings alone can offset a meaningful portion of program cost.
39. Security teams that provide regular, data-driven awareness reports to leadership are 60 percent more likely to receive increased budget in subsequent cycles.
Measurement enables advocacy. Security teams that can show quarter-over-quarter click rate reduction, improving reporting rates, and risk reduction in quantifiable terms are far better positioned to make budget cases than those operating without visible metrics. The data from a well-run simulation program is also the data that justifies the program's continuation.
40. The cost of a phishing simulation platform is, on average, recovered within 11 days of a single prevented breach.
This figure is based on median breach cost estimates and typical platform pricing. It is not a guarantee — it is a probability-weighted expectation. Organizations that run mature programs and prevent even a fraction of the breaches they would otherwise experience recover their investment many times over. The question is not whether awareness training is worth the cost. It is how quickly you start.
What to Do With These Numbers
Statistics are most useful when they move someone to act. The numbers above point consistently in the same direction: phishing remains the dominant entry point for organizational compromise, the human layer remains the most under-defended, and consistent simulation programs with behavior-triggered training produce measurable, sustained improvement at a fraction of the cost of a single breach.
If your organization is currently running no simulation program, the most valuable number here is 32 percent — your likely baseline click rate, and your starting point. If your program is already running but inconsistently, the most important number is 64 percent — the additional improvement that monthly cadence produces over quarterly. If you are making the budget case to leadership, the most useful number is $37 — the return on every dollar invested.
Every organization's specific numbers will differ from these industry averages. That is why measuring your own baseline matters more than any benchmark. The benchmarks tell you what is normal. Your own data tells you what is true.
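As an added illustration of the "measure your own baseline" point (example code written for this page, not part of the original article or of the PhishSkill platform): a small Python script that computes click rate, reporting rate, the share of clickers who also report, median minutes to click, and per-cohort click rates (by department and by tenure) from constructed simulation results. The record layout, the 32 percent benchmark constant and the sample data are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

BENCHMARK_CLICK_RATE = 0.32  # the no-program baseline cited in the article

# Constructed sample results for one simulated campaign (not real data):
# one record per recipient, with minutes from delivery to click/report.
_SENT_AT = datetime(2026, 1, 12, 9, 0)

def _rec(user, department, tenure_months, click_min=None, report_min=None):
    to_ts = lambda m: None if m is None else _SENT_AT + timedelta(minutes=m)
    return {"user": user, "department": department,
            "tenure_months": tenure_months, "sent_at": _SENT_AT,
            "clicked_at": to_ts(click_min), "reported_at": to_ts(report_min)}

SAMPLE = [
    _rec("u01", "finance", 4, click_min=3),                 # new hire, clicked, never reported
    _rec("u02", "finance", 30, click_min=5, report_min=9),  # clicked, then self-reported
    _rec("u03", "finance", 18),                             # ignored the message
    _rec("u04", "engineering", 24, report_min=2),           # reported without clicking
    _rec("u05", "engineering", 6, click_min=12),
    _rec("u06", "engineering", 40),
    _rec("u07", "hr", 9, click_min=8),
    _rec("u08", "hr", 50, report_min=15),
    _rec("u09", "sales", 2, click_min=4),
    _rec("u10", "sales", 36),
]

def campaign_metrics(records):
    """Click rate, reporting rate, report-after-click rate and time to click."""
    sent = len(records)
    clicked = [r for r in records if r["clicked_at"] is not None]
    reported = [r for r in records if r["reported_at"] is not None]
    clicked_and_reported = [r for r in clicked if r["reported_at"] is not None]
    minutes_to_click = [(r["clicked_at"] - r["sent_at"]).total_seconds() / 60
                        for r in clicked]
    click_rate = len(clicked) / sent if sent else 0.0
    return {
        "sent": sent,
        "click_rate": click_rate,
        "report_rate": len(reported) / sent if sent else 0.0,
        # the article's "share of clickers who report" metric (stat 10)
        "report_rate_among_clickers": (len(clicked_and_reported) / len(clicked)
                                       if clicked else 0.0),
        # compare with the six-minute time-to-open figure (stat 30)
        "median_minutes_to_click": median(minutes_to_click) if clicked else None,
        "vs_benchmark": click_rate - BENCHMARK_CLICK_RATE,  # positive = worse than baseline
    }

def cohort_click_rates(records, key_fn):
    """Click rate per cohort, e.g. by department (stat 11) or tenure (stat 12)."""
    totals = defaultdict(lambda: [0, 0])  # cohort -> [sent, clicked]
    for r in records:
        bucket = totals[key_fn(r)]
        bucket[0] += 1
        bucket[1] += (r["clicked_at"] is not None)
    return {k: clicked / sent for k, (sent, clicked) in totals.items()}

def tenure_bucket(record):
    return "under_12_months" if record["tenure_months"] < 12 else "12_months_plus"

if __name__ == "__main__":
    print(campaign_metrics(SAMPLE))
    print(cohort_click_rates(SAMPLE, tenure_bucket))
```

Feed it the export from your own simulation tool (one row per recipient with delivery, click and report timestamps) and the same functions give your baseline instead of the industry one.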
PhishSkill helps security teams establish baselines, run consistent simulation campaigns, and produce the reporting that turns these statistics into evidence about your specific organization. Start building your program with data that is yours.
Related Reading
For a concise reference of the most important data points, see our learning guide: Phishing Statistics: Key Numbers Every Security Team Should Know.
See how phishing click rates vary by industry and what your benchmark should be in Phishing Click Rate Benchmarks by Industry (2026 Edition).
For a deeper look at where the threat is heading, read The State of Phishing in 2026.