KnowBe4 Research Finds Global Phishing Susceptibility Drops 79% After One Year of Security Awareness Training

KnowBe4, the global leader in digital workforce security, securing both AI agents and humans, today released its 2026 Phishing by Industry Benchmarking Report, revealing that organizations can reduce phishing susceptibility by 79% after one year of consistent security awareness training (SAT), despite a threat landscape increasingly powered by artificial intelligence.

The report analyzed 42 million phishing simulations across 14.8 million users at 64,000 organizations worldwide. The findings show that while employees remain a primary target for cybercriminals, organizations that invest in ongoing training and simulated phishing exercises can dramatically reduce employee phishing susceptibility over time.

According to the report, the global average Phish-prone Percentage (PPP) – the percentage of employees likely to engage with a phishing attack – starts at 33.2% before training. After 90 days of security awareness training, that figure drops to 20.1%, and after one year falls to just 4.2%.

These findings come at a crucial point as cybercriminals increasingly leverage AI to generate highly personalized phishing campaigns, business email compromise (BEC) schemes, and deepfake-enabled social engineering attacks at scale. It is more important than ever to ensure employees are aware of the most current cyber threats in order to avoid becoming victims.

Key Global Findings:

  • Before any training, roughly one in three employees is likely to engage with a phishing attempt.

  • Baseline PPP rises steadily with organizational size. Large enterprises with 10,000+ employees face a baseline PPP of 39.5%, compared to 24.7% for small businesses.

  • For the second consecutive year, the three most vulnerable industries at baseline are Healthcare & Pharmaceuticals (42.7%), Insurance (38.1%), and Retail & Wholesale (36%).

  • Organizations reduced phishing susceptibility by 40% within the first 90 days and by 79% after one year of ongoing security awareness training, reinforcing that continuous training drives lasting behavior change over one-time compliance exercises.

  • Across the different regions, Africa recorded the highest baseline risk at 35.9%, followed closely by North America at 34.5% and South America at 31.5%, while Asia entered with the lowest baseline at 24.9%.

“As organizations expand their workforce from humans to include autonomous AI agents, the attack surface grows in ways traditional controls were not designed to address,” said Javvad Malik, lead CISO advisor at KnowBe4. “This complexity is being exploited, evidenced by a 17% spike in phishing attacks since late 2025 alone. However, the data proves organizations can combat this through continuous personalized training, which drops employee phishing susceptibility to 4.2% over 12 months.”

Download the full 2026 Phishing by Industry Benchmarking Report.

About KnowBe4

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15-years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense. More info at knowbe4.com.

Follow KnowBe4 on LinkedIn and X.

Media gallery