CyberheistNews Vol 16 #28 Your 2026 Phishing by Industry Benchmarks: The Findings on Human Risk

KnowBe4 Team | Jul 14, 2026
Cyberheist News

CyberheistNews Vol 16 #28  |   July 14th, 2026

Your 2026 Phishing by Industry Benchmarks: The Findings on Human Risk

Every year, KnowBe4 analyzes millions of simulated phishing tests to measure one thing: How likely is your workforce to fall for a phishing attack? The results, published in the 2026 Phishing by Industry Benchmarking Report, paint a clear picture of where human risk concentrates — and what organizations can do about it.

Here are the key findings security leaders need to know.

One in Three Employees Is Vulnerable Before Training
Before any security awareness training is introduced, the global average Phish-prone Percentage (PPP) stands at 33.2%. That means if a real phishing email bypasses your technical filters today, roughly one in three of your employees is likely to engage with it.

For large enterprises with 10,000 or more employees, that figure rises to 39.5% — and in large healthcare environments, it peaks at a staggering 54%.

The Same Industries Keep Appearing at the Top of the Risk Table
For the second consecutive year, Healthcare & Pharmaceuticals (42.7%), Insurance (38.1%) and Retail & Wholesale (36%) are the three most vulnerable industries at baseline. The consistency of this finding is itself significant.

These sectors are not struggling because of a bad year — they face systemic targeting and structural vulnerabilities that require long-term, sustained intervention rather than a one-time fix.

Size Amplifies Risk
The data reveals a direct correlation between workforce size and phishing susceptibility. Small organizations with fewer than 250 employees start at a 24.7% baseline PPP. That figure climbs steadily through mid-sized organizations and reaches 39.5% for enterprises with more than 10,000 employees.

Larger organizations present a wider attack surface, more complex communication environments and a weaker shared sense of security responsibility — all factors that make the human layer harder to protect without a formal, ongoing training program.

Security Training Works — But the Timeline Matters
The most compelling story in this year's data is not how bad the baseline numbers are. It is how dramatically they improve with consistent training.

Within 90 days of introducing security awareness training, the global average PPP drops 40%, falling from 33.2% to 20.1%. That is a meaningful early win — but it is only the beginning. After 12 months of continuous testing and training, the average PPP falls to just 4.2%, representing an 87% reduction from baseline. After 24 months, it stabilizes at 3.9%.

The practical implication is clear: the 90-day mark is not the finish line. The most significant behavioral change happens between month three and month twelve. Organizations that treat their first training campaign as a complete program are leaving the majority of the risk reduction on the table.

The Regional Picture
The 2026 report extends beyond global averages to benchmark phishing risk across seven regions. Africa records the highest baseline PPP at 35.9% and the highest residual risk after a year of training at 7.4% — roughly 70% above the global average at the one-year mark. South America, by contrast, achieves the lowest one-year regional PPP at 3.3%, while North America sits at 4.0%.

The regional data reinforces a finding that holds everywhere: sustained training closes the gap regardless of starting point. But organizations in higher-risk regions need more reinforcement cycles, not just more volume, to reach the residual risk levels that the best-performing regions achieve.

The AI Factor
This year's report introduces an important forward-looking dimension. Generative AI is lowering the cost and increasing the sophistication of phishing attacks globally, enabling threat actors to produce highly personalized, culturally convincing lures at scale. Generic awareness training is no longer sufficient.

The organizations showing the strongest results are those using AI-powered training platforms that adapt to individual employee risk profiles, synchronize with emerging threat tactics in real time and move beyond annual compliance exercises toward continuous behavioral conditioning.

What This Means for Security Leaders
The data makes a straightforward case. Human risk is measurable, and it responds predictably to consistent investment. An 87% reduction in phishing susceptibility over 12 months is not an outlier — it is the average. The organizations that achieve it are not doing anything extraordinary. They are running structured, continuous awareness programs and measuring the results.

Additionally, as organizations expand beyond human employees to include AI agents, the attack surface grows in ways that traditional controls were not designed to address. Security awareness training is not only the most effective lever for reducing human risk, it is the foundation for building the security culture and organizational vigilance required to manage the risk introduced by an AI-augmented workforce.

The 2026 Phishing by Industry Benchmarking Report gives security leaders the industry-specific benchmarks, regional context and organizational size data needed to assess where they stand and build the case for sustained action. See the next section to download the report.

Download the Report Now:
https://info.knowbe4.com/2026-phishing-industry-benchmarking-report?utm_source=chn_email&utm_medium=email&utm_campaign=dg-sat-campaign-26&utm_content=pib-report

Your Email is Protected. Is Your Teams Chat?

For years, security teams have poured resources into locking down the inbox, and for good reason. Email has always been the front door for phishing and social engineering. Unfortunately, another door has been left wide open: Microsoft Teams.

Threat actors are increasingly posing as IT helpdesk staff inside Microsoft Teams chats, exploiting the built-in trust employees place in their internal collaboration tools to steal credentials and take over accounts. And unlike email, these conversations happen completely outside the reach of most traditional security filters.

Our own data makes the scope of this exposure clear: 74% of surveyed organizations have external Teams access enabled with no domain restrictions in place. Just as concerning, many of these organizations have no clear internal owner responsible for that configuration, meaning a dangerous default can sit unnoticed and unaddressed indefinitely.

Closing the Gap Between Email and Chat
Today, we’re extending KnowBe4 Defend’s threat detection into Microsoft Teams, giving organizations a single, unified defense across the two communication channels attackers rely on most.

This isn’t a bolt-on integration. It’s the same behavioral AI and detection engine that already protects your inbox, now applied to external Teams conversations and a new layer of visibility into the Teams configurations that create risk in the first place.

What’s New

  • Continuous Chat Monitoring: Defend ingests messages from external Teams senders and runs them through a multi-layer detection engine, including URL blacklisting, antivirus scanning and WHOIS analysis with the same rigor already applied to inbound email.
  • Automated Remediation, Your Way: Admins can choose Report Only mode to build confidence in detection accuracy before rolling out automation, or Block mode, which automatically removes dangerous messages from a user's chat before they can interact with them.
  • Posture Management for Teams: Detection is only half the battle. Many of these risks start with configuration. Defend now audits your Microsoft Teams Admin Center settings, surfacing vulnerable external-access defaults and providing guided steps to remediate them.
  • One Console with Unified Visibility: All Teams threat data lives natively inside the Defend console, including a new Recent Messages tab and a dedicated Teams Security Posture section. SOC teams get full visibility into both channels without switching tools or losing context.

Pairs Naturally with the Teams Phish Alert Button (PAB)
This isn’t KnowBe4’s first move into securing Microsoft Teams. Earlier this year, we launched the Phish Alert Button (PAB) for Microsoft Teams, giving end users the same one-click reporting experience in Teams that they already know from email. This gives your workforce a way to remain vigilant and report suspicious activity across all collaboration mechanisms.

Defend’s new Teams capabilities add that necessary protection before the message lands in the user’s Teams. Together, the two form a complete Teams security strategy: automated detection and posture management from Defend backed by an empowered, well-trained workforce equipped with the PAB for anything that end users want extra eyes on.

Collaborating Should Be Fun, Not Fearful
Microsoft Teams has become essential to how global teams get work done. It shouldn’t come with an asterisk. With Defend now securing both email and Teams, employees can collaborate the way they already do: quickly, informally and across external partners without fear of opening the door for attackers.

We’re not just protecting the inbox anymore. We’re protecting the conversation. Wherever it happens. Want to see how Defend secures both email and Microsoft Teams from a single console? Get a demo or visit the Defend product page to learn more.

Blog post with links:
https://blog.knowbe4.com/your-email-is-protected.-is-your-teams-chat

What’s New in Defend and Prevent?

Keeping pace with modern, AI-driven phishing attacks requires speed, automation and deep visibility.

We have rolled out several powerful new features across Defend and Prevent to help your security team slash response times, eliminate dashboard fatigue and gain granular control over data protection. Here is a breakdown of what’s new and how to take advantage of these updates today.

Defend Updates

  • EasyDMARC Integration: Defend now integrates with EasyDMARC to give you DMARC monitoring for your Microsoft 365 domains. This partnership will help you stop impersonation and BEC with DMARC, DNS, SPF and DKIM enforcement while receiving weekly emails on your posture management. Learn more here: SUPPORT LINK COMING MONDAY
  • Messaging Security: Defend is expanding protection to Microsoft Teams. Organizations can now detect and remediate threats within Microsoft Teams and audit your Microsoft Teams Admin Center configuration to surface vulnerable settings regarding external user access. Learn more here: https://support.knowbe4.com/hc/en-us/articles/52675899278739

Prevent Updates

  • Self-Serve Configurability for Misdirected Content and DLP
    We have introduced new ways to manage your policies that give administrators independent control over sensitive data protection.
  • Pattern Builder: Easily create and manage your own granular rules to block unauthorized outbound emails. To minimize false alarms, you can set smart, high-fidelity conditions, such as only blocking an email if it contains multiple combined pieces of sensitive data, making it simpler to autonomously meet HIPAA and GDPR compliance. Learn more here: https://support.knowbe4.com/hc/en-us/articles/52029642574611-Prevent-Custom-Pattern-Builder-User-Guide

DLP Data Dictionaries:
https://support.knowbe4.com/hc/en-us/articles/50911005253011-Prevent-Policies-and-Library-User-Guide

Hyper-Targeted Social Engineering Needs Real-Time Video Response

There’s an important metric that can tell you exactly how vulnerable your high-risk employees and departments are to the next generation of social engineering.

It’s not phishing click rates or training completion percentages. It probably doesn’t show up on any security dashboard. It’s the precise number of days it takes your team to respond to a live, context-specific threat with adequate training – training time to market.

When attackers can use generative AI to launch precise campaigns targeting unique organizational processes, regional policies and role-specific workflows, security teams need to deploy new training quickly to protect vulnerable employees. And right now, many security teams are losing the race by weeks – if they even reach the finish line at all.

Fight fire with fire by using AI to accelerate the time to market of hyper-targeted training content.

The Net and the Needle
Defending against this new wave of attackers requires security teams to reconsider how they build and deploy training.

Deep, expert-crafted training content is a tremendous foundation for protecting your workforce, casting a broad security net that covers new and pressing threats at scale. But to address the vulnerabilities that hide inside the edge cases unique to your organization, you need the surgical precision of a needle to craft highly tailored, custom training experiences that accurately reflect these risks.

Traditionally, production bottlenecks make producing custom training assets and experiences difficult. The fundamental friction has never been intentional. Security teams often just don’t have time and budget to create training packages for all the little edge cases. And even when they do, the time it takes to prepare this training leaves a window where high-risk employees are vulnerable.

This logistical barrier is exactly what KnowBe4’s AI-native SAT solves. Over the last year, we’ve introduced several AI Defense Agents (AIDA) that accelerate the creation of custom training experiences. With a few prompts and a couple of clicks, KnowBe4’s AI agents create polished, interactive training courses and realistic deepfake simulations featuring key leaders and employees.

Now, we’re closing another friction point hindering the creation of custom training experiences: video production.

Custom AI Video Builder Dismantles the Barriers to Video Production
Custom AI Video Builder, our latest content customization capability, embeds a native AI video pipeline directly into our SAT platform, collapsing production timelines by up to 90% while boosting engagement and training retention. The operational workflow, powered by a strategic partnership with Synthesia, accelerates the deployment of rich video training content from weeks to minutes, empowering you to:

  • Create context-specific training instantly. All you need to create highly relevant on-brand video content on any topic is some simple reference material — a threat report or internal policy documents, for example.
  • Make your training content your own. Inject key leaders and personnel directly into training content by creating your own custom avatar or choose from 120 distinct AI avatars. No need for live actors, voice talent or cameras.
  • Go global with a micro-targeted training focus. With support for more than 160 languages and dialects, you can create narrated video content tailored to localized threats in the precise regional dialect of a small satellite office overnight.
  • Deploy with one-click publishing. Instead of downloading large video files and manually assembling SCORM packages, a single click triggers automated SCORM 2004 ingestion, routing video directly into your ModStore Uploaded Content library.

How It Works
Custom AI Video Builder lives in the Customization hub in the ModStore, empowering you to start the video building workflow straight from the platform you already use to manage your training campaigns. Here’s how you go from reference material to studio-quality video with just a bit of prompting.

  • Claim your free Synthesia Starter license from the ModStore. This license allows you to create 120 minutes of custom video content.
  • Choose whether you want to start your project from a prompt or file. If you have reference materials, like a threat report or policy doc, this can help jumpstart the process, but starting from a prompt is just as easy.
  • Preview the video and edit as needed. Synthesia will share a template and script based on your input. You can edit as needed, modifying the script, the background or even the AI presenter’s outfit. Once you’re done, you can generate the video.
  • Import the video to the ModStore. Once the video has been generated, click "Export to KnowBe4" under the Share button to add the video to the Uploaded Content section of the ModStore.

Once the video has been added to your content library, you can incorporate it into your training campaigns as you see fit. Whether you’re adding it to text-based training created with the Content Creation Agent or using it some other way, you’ve effectively collapsed the entire production cycle to minutes.

Personalized, Relevant, Engaging: The Keys to Creating Custom Training That Sticks
The most effective training is the training that reflects your workforce’s lived reality. When employees are presented with training using brand colors and logos, features your company’s leaders and covers the real-world challenges and scenarios that matter to them, it drives engagement and trust.

Custom AI Video Builder builds on a powerful content customization foundation laid by our AI Defense Agents. The Content Creation Agent creates interactive text-based training content tailored to your company’s specific policies, processes and workflows, personalizing training to reflect the real-world situation your workforce faces.

The Deepfake Training Content Agent inserts your leaders into practical training exercises, making training more relevant to employees. The Custom AI Video Builder makes your custom training content more engaging, capturing attention with studio-quality production value.

The combination of these capabilities accelerates the delivery of custom training. But the power of content customization isn’t just speed; it’s being able to create deeply personalized, highly relevant training experiences at scale. This is what makes training resonate with your workforce and keeps it top of mind in moments of risk.

Fighting Fire with Fire
Attackers understand that unique corporate processes, special regional policies and role-specific workflows are common gaps in security training. Generative AI has turned them into favored attack surfaces, enabling bad actors to create highly targeted campaigns at scale.

KnowBe4’s content customization suite is how security teams keep up. When an attack targeting your company’s specific wire-transfer workflow surfaces on a Wednesday, your team can deploy engaging, hyper-relevant training to the people at risk by day’s end.

These new agentic capabilities and strategic partnerships with key innovators build on our deep catalog of expert-crafted training content, enabling you to reach your workforce with breadth and depth.

Blog post with links:
https://blog.knowbe4.com/hyper-targeted-social-engineering-video-response

Check out KnowBe4 at Black Hat 2026!

KnowBe4 is heading to Black Hat! Visit Booth #2439 to score custom engraved swag, spin for prizes, and see how we’re redefining security culture within the KnowBe4 platform.

Here's what's happening at Black Hat:

  • Main Stage session with Perry Carpenter, worth carving out time for if you're on the floor. Thursday, August 6, 1:30–2:00pm, Business Hall
  • "Ghosts in the Inbox: AI Agents, Email Security, and the New Social Engineering Playground" with Erich Kron and Jack Chapman. This session looks at how attackers are starting to target the AI agents and copilots sitting between people and their inboxes, not just the humans reading the email.
    Wednesday, August 5, 3:15–3:45pm, PULSE_STAGE/01
  • Prefer a quieter setting? We've reserved a private meeting space in the Business Hall, just steps from our booth, ideal for a focused conversation about securing your digital workforce and other market trends we're seeing.

Grab a time here:
https://web.cvent.com/event/beb789d7-cbd9-4d97-b5e9-2a8dc1813e39/register?rp=0c4780a9-c89c-450c-9f09-2db1919003cf

Hope to see you in Vegas!

AWS-Themed Phishing Campaign Targets... YOU

Researchers at DataDog are tracking a wave of phishing campaigns targeting Amazon Web Services credentials. The sites use adversary-in-the-middle (AiTM) techniques to intercept multifactor authentication codes. The attackers also deploy techniques to hide the phishing sites from security measures.

"The operators sent phishing emails through legitimate platforms such as SendGrid and Nimbu to pass email authentication checks, a standard technique to improve deliverability and avoid spam filters," the researchers write.

"The phishing domains cloned the AWS console login page, and the credential harvesting logic lived in a single JavaScript file. The site has AiTM capabilities and captures second factors delivered via email, SMS or a time-based one-time password (TOTP)."

Notably, the phishing attacks are highly targeted, with each link being crafted for a specific recipient. Most of the emails targeted software engineers and engineering leadership, using lures that these employees would expect to receive.

In one example, the attackers sent an email impersonating AWS support, informing the recipient of an issue that would limit the organization's bandwidth.

"Most AWS credential theft focuses on access keys, a pattern that holds in both Datadog's internal data and public reporting," the researchers write. "Targeted actors, however, still pursue username and password phishing against the AWS console.

"The AiTM capability observed here captures MFA codes in real time, which makes this campaign more dangerous than a simple credential-harvesting page. Defenders should treat AWS console phishing as an active threat rather than a secondary concern."

KnowBe4 empowers your workforce to make smarter security decisions every day.

DataDog has the story:
https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phishing-kit-and-beyond/


Let's stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.

PS: Your KnowBe4 Fresh Content Updates from June 2026:
https://blog.knowbe4.com/your-knowbe4-fresh-content-updates-from-june-2026

PPS: Yours Truly via @forbes "The Dashboard’s New Job Is To Keep AI Honest":
https://www.forbes.com/councils/forbestechcouncil/2026/07/07/the-dashboards-new-job-is-to-keep-ai-honest/

Quotes of the Week  
"Success is, did I make something I’m proud of?"
- Steve Jobs (1955–2011)

"Far and away the best prize that life offers is the chance to work hard at work worth doing."
- Theodore Roosevelt (1858–1919)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-16-28-your-2026-phishing-by-industry-benchmarks-the-findings-on-human-risk

Security News

Scammers Can Use AI Tools to Pinpoint Your Location Based on a Photo

Scammers can use AI tools to find your location in photos you post to social media, according to researchers at McAfee. This information can then be used in targeted social engineering attacks. The researchers found that free AI models can correctly identify a photo's location with around 90% accuracy.

"Gemma3 27B correctly identified the city and country of a travel photo 87% of the time," McAfee says. "Qwen3 VL 30B performed even better, reaching 91% accuracy across the same dataset. That means in roughly nine out of ten cases, an AI model that's available for free, to anyone, could look at an ordinary travel photo and correctly name where it was taken.

"This kind of analysis is also how AI tools understand images more broadly, shaping not just scams, but how information shows up in AI-powered answers. And when the exact city wasn't identified, the country alone was almost always correct. For a scammer, that's more than enough.

"It's also enough to turn a vague, generic scam into one that feels specific, timely and believable." People need to be aware of how threat actors can exploit publicly available information, especially now that AI can remove the legwork from the reconnaissance stage of the attack.

"Knowing where someone is or where they've recently been is one of the oldest tricks in a scammer's playbook," the researchers write. "But until recently, getting that information required either knowing the person or getting lucky. AI removes the guesswork, allowing attackers to build highly specific, contextual scams at scale.

"With geo-location inference this accurate, scammers no longer need to cast a wide net and hope a generic phishing message lands. Instead, they can use publicly shared photos to build a believable context around an attack."

McAfee has the story:
https://www.mcafee.com/blogs/mcafee-news/ai-travel-photo-location-scams-geolocation-research/

Report: Attackers Are Using AI to Automate Social Engineering

Threat actors continue to make use of AI tools to automate their attack flows and increase efficiency, according to researchers at ReliaQuest.

"In the incidents we reviewed, AI appeared in two main roles," the researchers write. "First, it was embedded in the attack workflow: clues pointed to attackers using it to generate phishing pages, build web shells and credential harvesters, pad code to frustrate static analysis and improve the fluency of social-engineering content.

"Second, AI was the lure itself. Attackers used demand for AI tools and trust in AI brands to get users to install malicious extensions, run commands or follow fake setup steps that looked routine enough to pass initial scrutiny. We saw that pattern cut across sectors and actor type, from 'ShinyHunters' linked social engineering and 'ClickFix'-driven malware delivery to DPRK IT-worker fraud.

"The goal varied—extortion, access, fraud or espionage support—but AI consistently enabled these operators to achieve more, faster, with less effort." In one campaign observed by ReliaQuest, attackers used AI to create thousands of phishing pages, removing the need for tedious manual effort.

"One of the clearest examples of AI as a multiplier appeared in a recent sector-wide phishing campaign," the researchers write. "Threat actors generated thousands of phishing pages impersonating well-known booking platforms and individual businesses.

"In the HTML, we identified several clues consistent with an AI-assisted workflow that likely contributed to both the infrastructure behind the campaign and the user-facing content. While none of these clues are definitive on their own, together, they point to a process built for speed, reuse and believable presentation."

While AI speeds up attacks and allows threat actors to easily scale their operations, most of the attacks still rely on traditional techniques such as social engineering.

"AI hasn't yet fundamentally changed cyber intrusion tradecraft," they write. "For most threat actors, it's cheaper and more practical to plug AI into proven attack chains than to build bespoke AI-first capabilities. The dark-web discussions in this report reflect that reality.

"Actors are treating AI as operational infrastructure, in other words, something to buy, tune and slot into existing workflows, but they're also looking to balance efficacy with reliability and cost."

ReliaQuest has the story:
https://reliaquest.com/campaigns/how-threat-actors-use-ai/executive-summary

What KnowBe4 Customers Say

"Bryan, Thanks for reaching out. We are very happily using KnowBe4, your team did a great job with onboarding. Maddy R. in particular was amazingly knowledgeable, helpful and just super enthusiastic about getting us up and going as easily and as quickly as possible."

- C.G., Chief Information Officer

The 10 Interesting News Items This Week
  1. Those Soldiers Flooding Your Feeds? They Might Not Be Real:
    https://www.nytimes.com/2026/07/07/business/soldiers-ai-disinformation.html

  2. Scammers are using AI to sell impossible flowers:
    https://www.malwarebytes.com/blog/scams/2026/07/scammers-are-using-ai-to-sell-impossible-flowers

  3. UK VodafoneThree says its new security process blocked two million SMS fraud messages:
    https://www.techradar.com/pro/no-single-organisation-can-tackle-it-alone-vodafonethree-says-its-new-security-process-blocked-two-million-sms-fraud-messages

  4. [AI Agent Social Engineering] GitHub AI agent leaks private repos when asked nicely:
    https://www.theregister.com/security/2026/07/07/github-ai-agent-leaks-private-repos-when-asked-nicely/5267924

  5. Okta: "Vishing actors target Entra passkey:
    https://www.okta.com/en-au/blog/threat-intelligence/vishing-actors-target-microsoft-entra-passkey-enrollment-/

  6. Over 5,800 arrests, USD 293 million intercepted in global fraud bust:
    https://www.helpnetsecurity.com/2026/07/09/interpol-fraud-bust-social-engineering-scams/

  7. Phishing lures impersonate job offers from large corporations:
    https://www.bleepingcomputer.com/news/security/phishing-poses-as-big-brand-job-interview-to-steal-google-accounts/

  8. Upgraded Android malware spreads via social engineering:
    https://www.group-ib.com/blog/redhook-android-rat-upgraded/

  9. Dutch data authority warns of AI-assisted social engineering attacks:
    https://nltimes.nl/2026/07/08/ai-increases-dangers-phishing-cyberattacks-says-dutch-data-authority

  10. Three-quarters of CISOs worry that executives underestimate cybersecurity risks:
    https://www.infosecurity-magazine.com/news/cisos-fear-execs-dont-understand/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Topics: Cybercrime

Secure the Digital Workforce: Human + AI

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.