Key numbers at a glance
Phishing click rate benchmarks answer two questions: how many of your people would click a real phish today, and what a realistic target looks like after training. Here are the headline phishing statistics for 2026, each from a named, published source.
- 33.1% of untrained employees fail a baseline phishing test globally; 32.5% in Europe - KnowBe4 Phishing by Industry Benchmarking Report 2025 (67.7 million simulations, 14.5 million users)
- 5.0% - the average European click rate after 12 months of regular training, roughly 85% below baseline (KnowBe4 Europe 2025)
- 3–5% is the established "gold standard" click rate for mature programs, according to the same KnowBe4 Europe report
- 60% of analysed intrusions started with phishing, making it the dominant intrusion vector in the EU (ENISA Threat Landscape 2025)
- 62% of breaches involved the human element (Verizon Data Breach Investigations Report 2026)
- Only 18.3% of simulated phishing emails were reported by employees (Proofpoint State of the Phish 2024)
- 3.8 million phishing attacks were recorded worldwide in 2025, up slightly from 3.76 million in 2024 (APWG Phishing Activity Trends Reports)
What is the average phishing click rate? Untrained vs trained
The average phishing click rate for untrained employees is 33.1% globally and 32.5% in Europe, according to KnowBe4's 2025 Phishing by Industry Benchmarking Report, which analysed 67.7 million simulated phishing tests across 62,460 organizations. After a year of regular simulations and training, the same organizations average under 5%. Those two numbers - roughly one in three before training, one in twenty after - are the anchor points for every benchmark in this article.
KnowBe4 calls this metric the Phish-prone Percentage (PPP): the share of users who click a link, open an attachment or submit credentials in a simulated phishing test. Other vendors call it click rate or failure rate. Hoxhunt, which measures failure rates across more than four million users, publishes maturity bands that match what we see in real engagements:
- No training program: 25–35% failure rate
- Early-stage program: 10–20%
- Mature program: 5–10%
- Highly mature, behaviour-based program: 2–5%
Going into 2026, the average phishing click rate has been stable for several years, so treat these figures as reliable anchors rather than moving targets. Real attacks also leave little time to think: according to the Verizon DBIR, the median time from opening a phishing email to clicking its link is under 60 seconds, so a decision made on autopilot is usually the wrong one.
Phishing click rate benchmarks by industry
The figures below are baseline (untrained) click rates from KnowBe4's 2025 benchmarking report, the largest published industry dataset, covering 19 industries across seven regions. Baselines answer one question: if you have never trained your staff, what should your first phishing test for employees return?
| Industry | Baseline click rate (untrained) | Source |
|---|---|---|
| All industries - global average | 33.1% | KnowBe4 Phishing by Industry Benchmarking Report 2025 |
| All industries - Europe average | 32.5% | KnowBe4 Phishing Benchmarking Report, Europe 2025 |
| Healthcare & Pharmaceuticals | 41.9% | KnowBe4 2025 (global, highest-risk industry) |
| Insurance | 39.2% | KnowBe4 2025 (global) |
| Banking (1,000–9,999 employees) | 39.5% | KnowBe4 2025 (global) |
| Financial Services (1,000–9,999 employees) | 38.4% | KnowBe4 2025 (global) |
| Retail & Wholesale | 36.5% | KnowBe4 2025 (global) |
Healthcare tops the table again. From the engagement side, the pattern is consistent: high mail volume, shift work and shared workstations leave little time to inspect senders. What gets clicked is equally consistent - Hoxhunt's trends data shows spoofed internal HR and IT announcements are the most-clicked simulation theme, with a 7.4% failure rate even among trained users.
Reporting discipline also splits by industry. Proofpoint's State of the Phish measures a resilience ratio (reported messages per clicked message) and gives financial services the strongest (8.23 reports per click) and education the weakest (1.27).
Benchmarks by company size: a 50-person firm vs an enterprise
Size changes the starting point more than the destination. In Europe, KnowBe4's 2025 data shows small organizations start at a 24.9% click rate, mid-size at 26.7%, and organizations with 1,000+ employees at 34.9%. Globally the spread is even wider: 24.6% for companies with up to 250 employees versus 40.5% for enterprises with 10,000 or more.
| Organization size (Europe) | Baseline (untrained) | After 90 days | After 12 months |
|---|---|---|---|
| 1–249 employees | 24.9% | 20.7% | 3.9% |
| 250–999 employees | 26.7% | 21.6% | 4.4% |
| 1,000+ employees | 34.9% | 20.5% | 5.3% |
| Europe average | 32.5% | 20.7% | 5.0% |
For a 50-person company, the math is blunt: an untrained baseline near 25% means roughly 12 employees would click a competent phish - and one click is enough for credential theft or a ransomware foothold. The good news is that small firms also finish best: after 12 months, European organizations under 250 employees average 3.9%, the lowest of any size band.
Enterprises start higher for structural reasons: more departments to impersonate, more SaaS notifications to spoof, higher turnover, slower internal communication. They also improve the most - an 84.8% drop after a year of training in Europe, per KnowBe4.
Report rate: the maturity metric that matters more than clicks
Click rate measures failure. Report rate - the percentage of simulated phish that employees flag to IT or security - measures defence. One early report can let your team purge a live campaign from every mailbox before the second victim opens it. That is why a phishing report rate benchmark belongs next to every click number you track.
The published baselines are sobering. Proofpoint's State of the Phish found only 18.3% of simulated phishing emails were reported, and Verizon's DBIR puts the global benchmark at around 20%. Hoxhunt's analysis is more demanding: sustained reporting above 20% is the mark of a deliberate behaviour-change program, and its best-performing behaviour-based programs see 52–74% of simulations reported, depending on industry.
The practical levers: a one-click report button in the mail client, visible recognition for first reporters, and teaching the red flags of phishing so people know what to flag. This is also where simulation platforms earn their keep - PhishGun, for example, pairs an employee report workflow with in-the-moment micro-training when someone clicks, so both metrics move at once.
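The three numbers this page keeps pairing (click rate or Phish-prone Percentage, report rate, and the resilience ratio) are easy to get subtly wrong when you compute them from your own platform's export: a user who clicks twice must count once, bounced messages must leave the denominator, and someone who clicks and then reports counts in both metrics. The script below is an added example written for this article, not code from PhishGun, KnowBe4, Hoxhunt or Proofpoint; it assumes a simple per-user event log in the shape constructed inline (campaign, user, event), with event names `delivered`, `opened`, `clicked`, `attachment`, `credentials`, `reported` and `bounced` chosen for illustration. It applies KnowBe4's PPP definition (link click, attachment open or credential submission all count as failure), Proofpoint's reports-per-click ratio, and the Hoxhunt maturity bands listed above.

```python
"""Phishing-simulation metrics from a per-user event log.

Added example for this article; not vendor code. The event log format and
sample data are constructed for illustration.
"""
from collections import defaultdict

# Failure under KnowBe4's Phish-prone Percentage: any of these events counts.
FAIL_EVENTS = {"clicked", "attachment", "credentials"}

# Hoxhunt-style maturity bands from the article (upper bound inclusive, percent).
MATURITY_BANDS = [
    (5.0, "highly mature, behaviour-based (2-5%)"),
    (10.0, "mature (5-10%)"),
    (20.0, "early-stage (10-20%)"),
    (float("inf"), "no program (25-35%)"),
]

# Constructed sample: one campaign, ten targets. u09 and u10 bounced and must
# stay out of every denominator; u01 clicked twice; u03 failed and then reported.
SAMPLE_EVENTS = [
    ("2026-03", "u01", "delivered"), ("2026-03", "u01", "opened"),
    ("2026-03", "u01", "clicked"), ("2026-03", "u01", "clicked"),
    ("2026-03", "u02", "delivered"), ("2026-03", "u02", "reported"),
    ("2026-03", "u03", "delivered"), ("2026-03", "u03", "opened"),
    ("2026-03", "u03", "clicked"), ("2026-03", "u03", "credentials"),
    ("2026-03", "u03", "reported"),
    ("2026-03", "u04", "delivered"), ("2026-03", "u04", "reported"),
    ("2026-03", "u05", "delivered"), ("2026-03", "u05", "opened"),
    ("2026-03", "u06", "delivered"), ("2026-03", "u06", "attachment"),
    ("2026-03", "u07", "delivered"),
    ("2026-03", "u08", "delivered"), ("2026-03", "u08", "reported"),
    ("2026-03", "u09", "bounced"),
    ("2026-03", "u10", "bounced"),
]


def maturity_band(failure_pct):
    """Map a failure rate in percent to the article's maturity band label."""
    for upper, label in MATURITY_BANDS:
        if failure_pct <= upper:
            return label
    raise ValueError("unreachable: last band is unbounded")


def reduction_from_baseline(baseline_pct, current_pct):
    """Percent reduction between two rates, e.g. 32.5 -> 5.0 gives 84.6."""
    if baseline_pct <= 0:
        raise ValueError("baseline must be positive")
    return round(100.0 * (1.0 - current_pct / baseline_pct), 1)


def campaign_metrics(events, campaign):
    """Per-user metrics for one campaign; every rate is per delivered user.

    Each user is counted at most once per metric, whatever the number of events.
    """
    per_user = defaultdict(set)
    for camp, user, event in events:
        if camp == campaign:
            per_user[user].add(event)

    # Denominator: delivered users only. Bounces never count as a pass.
    delivered = {u for u, ev in per_user.items() if "delivered" in ev}
    if not delivered:
        raise ValueError(f"no delivered messages for campaign {campaign!r}")

    failed = {u for u in delivered if per_user[u] & FAIL_EVENTS}   # PPP numerator
    clicked = {u for u in delivered if "clicked" in per_user[u]}   # link clicks only
    reported = {u for u in delivered if "reported" in per_user[u]}

    def pct(users):
        return round(100.0 * len(users) / len(delivered), 1)

    return {
        "delivered": len(delivered),
        "ppp_pct": pct(failed),
        "click_rate_pct": pct(clicked),
        "report_rate_pct": pct(reported),
        # Users who failed and still reported: the report is what limits the damage.
        "reported_after_failing": len(failed & reported),
        # Proofpoint-style resilience ratio: reports per click; None if nobody clicked.
        "resilience_ratio": round(len(reported) / len(clicked), 2) if clicked else None,
        "maturity_band": maturity_band(pct(failed)),
    }


if __name__ == "__main__":
    for key, value in campaign_metrics(SAMPLE_EVENTS, "2026-03").items():
        print(f"{key:>24}: {value}")
    print("Europe 12-month reduction:", reduction_from_baseline(32.5, 5.0), "%")
```

On the sample, 8 of 10 messages were delivered, 3 users failed (a 37.5% PPP, which is higher than the 25.0% link-click rate because u06 opened the attachment without clicking a link), 4 reported (50.0%), and the resilience ratio is 2.0 reports per click. The gap between PPP and plain click rate is exactly why the FAQ below warns against comparing numbers across vendors without checking which events each one counts.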
Europe in focus: what ENISA and national CSIRTs report
The ENISA Threat Landscape 2025, which analysed 4,875 incidents between July 2024 and June 2025, found phishing remained the dominant intrusion vector at 60% - sustained by phishing-as-a-service kits that put convincing campaigns within reach of low-skill attackers.
Volume keeps climbing. APWG recorded about 3.8 million phishing attacks worldwide in 2025, and KnowBe4's email-security telemetry registered a 68% increase in phishing attacks and a 137% rise in BEC between March 2024 and March 2025. The Verizon DBIR 2026 adds that phishing held steady at 16% of breaches while the volume of AI-assisted text in malicious emails doubled year over year - the lures are getting better, not rarer.
Slovakia and Czechia: the local picture
National CSIRT data mirrors the EU picture. In Slovakia, the NBÚ's Správa o kybernetickej bezpečnosti (Report on Cyber Security) for 2024 lists user-manipulation attacks as the most common incident type, with more than 660 phishing, smishing and credential-harvesting cases - attackers impersonated slovensko.sk, telecom operators and compromised public-sector mailboxes. In Czechia, NÚKIB's threat reporting consistently places phishing and spear-phishing among the most frequent attack types hitting regulated entities.
Regulation has caught up. NIS2 implementations in both countries now require documented security-awareness programs with measured effectiveness - simulation metrics like the ones on this page are exactly the evidence auditors ask for under the NIS2 awareness-training requirements.
How click rates change after 3, 6 and 12 months of simulations
Every longitudinal dataset shows the same curve: a steep drop in the first quarter, steady gains through mid-year, then a plateau in the 3–5% range. Here is what to expect from a continuous program rather than a one-off test.
After 3 months
KnowBe4's global data shows click rates fall by just over 40% within 90 days of starting training; in Europe, the average drops from 32.5% to 20.7%. The early win comes from awareness alone - people learn that tests happen and start pausing before they click.
After 6 months
Mid-program, organizations typically sit in Hoxhunt's early-stage band of 10–20%, and reporting accelerates faster than clicking declines - Hoxhunt's 2025 platform-insights data recorded a 225% increase in threat reporting among trained users. This is also the phase where repeat clickers surface and deserve targeted follow-up rather than punishment.
After 12 months
After a year of continuous simulations, KnowBe4 measures an 86% global reduction - taking the average click rate under 5% - and Hoxhunt reports failure rates of roughly 3–4%. From there, gains come from holding the plateau against harder templates, new joiners and attacker innovation.
Cadence matters more than intensity - monthly campaigns with rotating templates beat an annual blast every time. Our phishing simulation playbook covers template difficulty, targeting and scheduling step by step.
Methodology and sources: how to cite this page
Every figure on this page comes from a named, published source. We exclude vendor numbers without a stated sample size and surveys that ask people whether they would click. Where vendors define metrics differently (Phish-prone Percentage vs failure rate), we say so rather than averaging across methodologies.
- KnowBe4 Phishing by Industry Benchmarking Report 2025, global and Europe editions - 67.7 million simulations, 14.5 million users, 62,460 organizations
- Hoxhunt Phishing Trends Report 2026 and failure-rate benchmarks - 50+ million data points from more than four million users
- Proofpoint State of the Phish 2024 - simulation reporting rates and resilience ratios
- Verizon Data Breach Investigations Report 2026 - human element and phishing breach shares
- ENISA Threat Landscape 2025 - EU incident and intrusion-vector analysis
- APWG Phishing Activity Trends Reports, Q1–Q4 2025 - global phishing attack volumes
- NBÚ / SK-CERT: Správa o kybernetickej bezpečnosti v SR za rok 2024 - Slovak national incident data
- NÚKIB publications and quarterly threat overviews - Czech national incident data
You are welcome to cite this page. Quote each figure with its original source named (for example, "KnowBe4, 2025") and link to this article as the compilation. Data was last verified against primary sources in June 2026; we update the page as new report editions are published.
Benchmarks only become useful once you have your own baseline. PhishGun - built by the offensive-security team at Haxoris - lets you run your first phishing campaign free, with localized templates in English, Slovak and Czech and audit-ready reports you can put in front of a NIS2 or ISO 27001 auditor. Start with the free baseline campaign, or review the transparent per-employee pricing first.
Frequently asked questions
What is a good phishing click rate?
For an organization running regular simulations, 3–5% is the realistic "good" range - KnowBe4's Europe benchmark calls it the established gold standard after a year of training. Untrained organizations average around 33%. A rate near zero usually means your templates are too easy, not that risk is gone, so judge click rates together with report rates.
How many employees click on phishing emails without training?
About one in three. KnowBe4's 2025 benchmark, based on 67.7 million simulations, puts the untrained baseline at 33.1% globally and 32.5% in Europe. Small organizations start lower (24.6% for up to 250 employees) and enterprises higher (40.5% for 10,000+). Hoxhunt's data shows the same picture: 25–35% failure rates before any training program.
What is a phish-prone percentage (PPP)?
Phish-prone Percentage is KnowBe4's term for the share of employees who fail a simulated phishing test - by clicking a link, opening an attachment or submitting credentials. It is effectively the metric other vendors call click rate or failure rate. PPP is measured at baseline, after 90 days and after 12 months of training to track program progress.
What is a good phishing report rate benchmark?
Average reporting is weak: Proofpoint's State of the Phish found only 18.3% of simulated phish get reported, and Verizon's DBIR puts the benchmark near 20%. Anything sustainably above 20% signals a maturing security culture, and the best behaviour-based programs reach 52–74% of simulations reported. Track report rate alongside click rate, not instead of it.
How often should you run phishing simulations?
Monthly is the practical standard; quarterly is the minimum behind the longitudinal gains in vendor benchmark data. KnowBe4's 86% click-rate reduction and Hoxhunt's 3–4% first-year failure rates both come from continuous programs, not annual tests. Regulators under NIS2 and cyber insurers increasingly expect documented, regular simulations as evidence of a working awareness program.
Can you compare click rates between different vendors' platforms?
Only loosely. KnowBe4's Phish-prone Percentage counts clicks, attachment opens and credential entry; Hoxhunt's failure rate and Proofpoint's reporting metrics are defined differently, and template difficulty varies between platforms. Benchmark yourself against the same vendor's published baseline and, more importantly, against your own trend over time - that is the comparison auditors and insurers care about.