Every year, KnowBe4 analyzes millions of simulated phishing tests to measure one thing: how likely is your workforce to fall for a phishing attack? The results, published in the 2026 Phishing by Industry Benchmarking Report, paint a clear picture of where human risk concentrates — and what organizations can do about it.
Here are the key findings security leaders need to know.
One in Three Employees Is Vulnerable Before Training
Before any security awareness training is introduced, the global average Phish-prone Percentage (PPP) stands at 33.2%. That means if a real phishing email bypasses your technical filters today, roughly one in three of your employees is likely to engage with it. For large enterprises with 10,000 or more employees, that figure rises to 39.5% — and in large healthcare environments, it peaks at a staggering 54%.
The Same Industries Keep Appearing at the Top of the Risk Table
For the second consecutive year, Healthcare & Pharmaceuticals (42.7%), Insurance (38.1%), and Retail & Wholesale (36%) are the three most vulnerable industries at baseline. The consistency of this finding is itself significant. These sectors are not struggling because of a bad year — they face systemic targeting and structural vulnerabilities that require long-term, sustained intervention rather than a one-time fix.
Size Amplifies Risk
The data reveals a direct correlation between workforce size and phishing susceptibility. Small organizations with fewer than 250 employees start at a 24.7% baseline PPP. That figure climbs steadily through mid-sized organizations and reaches 39.5% for enterprises with more than 10,000 employees. Larger organizations present a wider attack surface, more complex communication environments and a weaker shared sense of security responsibility — all factors that make the human layer harder to protect without a formal, ongoing training program.
Security Training Works — But the Timeline Matters
The most compelling story in this year's data is not how bad the baseline numbers are. It is how dramatically they improve with consistent training.
Within 90 days of introducing security awareness training, the global average PPP drops 40%, falling from 33.2% to 20.1%. That is a meaningful early win — but it is only the beginning. After 12 months of continuous testing and training, the average PPP falls to just 4.2%, representing an 87% reduction from baseline. After 24 months, it stabilizes at 3.9%.
The practical implication is clear: the 90-day mark is not the finish line. The most significant behavioral change happens between month three and month twelve. Organizations that treat their first training campaign as a complete program are leaving the majority of the risk reduction on the table.
The Regional Picture
The 2026 report extends beyond global averages to benchmark phishing risk across seven regions. Africa records the highest baseline PPP at 35.9% and the highest residual risk after a year of training at 7.4% — roughly 70% above the global average at the one-year mark. South America, by contrast, achieves the lowest one-year regional PPP at 3.3%, while North America sits at 4.0%.
The regional data reinforces a finding that holds everywhere: sustained training closes the gap regardless of starting point. But organizations in higher-risk regions need more reinforcement cycles, not just more volume, to reach the residual risk levels that the best-performing regions achieve.
The AI Factor
This year's report introduces an important forward-looking dimension. Generative AI is lowering the cost and increasing the sophistication of phishing attacks globally, enabling threat actors to produce highly personalized, culturally convincing lures at scale. Generic awareness training is no longer sufficient. The organizations showing the strongest results are those using AI-powered training platforms that adapt to individual employee risk profiles, synchronize with emerging threat tactics in real time and move beyond annual compliance exercises toward continuous behavioral conditioning.
What This Means for Security Leaders
The data makes a straightforward case. Human risk is measurable, and it responds predictably to consistent investment. An 87% reduction in phishing susceptibility over 12 months is not an outlier — it is the average. The organizations that achieve it are not doing anything extraordinary. They are running structured, continuous awareness programs and measuring the results.
Additionally, as organizations expand beyond human employees to include AI agents, the attacks surface grows in ways that traditional controls were not designed to address. Security awareness training is not only the most effective lever for reducing human risk, it is the foundation for building the security culture and organizational vigilance required to manage the risk introduced by an AI-augmented workforce.
The 2026 Phishing by Industry Benchmarking Report gives security leaders the industry-specific benchmarks, regional context and organizational size data needed to assess where they stand and build the case for sustained action.
Download the full report to see where your industry ranks.
