Companies pour money into firewalls and email filters, but the weakest link in security is still the person holding the mouse. A new benchmarking report from security-awareness vendor KnowBe4 puts a number on how much of that human risk can be trained away, and it is a striking one.
The company’s 2026 Phishing by Industry Benchmarking Report crunched 42 million simulated phishing tests sent to 14.8 million users across roughly 64,000 organizations worldwide. The headline finding: after a full year of consistent security-awareness training, an employee’s likelihood of falling for a phishing email drops by 79%.
The starting point is sobering. Before any training, the report says roughly one in three employees is likely to take the bait, whether that means clicking a malicious link, opening a booby-trapped attachment, or surrendering their credentials. That is exactly the behaviour attackers count on, and it is why phishing remains the front door for so many breaches.
The attacks are getting smarter, too
The timing matters because the lures are harder to spot than they used to be. KnowBe4 says AI-powered phishing has climbed 17.1% since the second half of 2025, as generative tools help criminals write cleaner, more convincing messages at scale. With automated defences and automated attacks escalating in parallel, the firm’s pitch is that a trained human who reports or simply deletes a suspicious email remains one of the cheapest controls a company can deploy.
Some sectors start out riskier than others. For the second consecutive year, the most phishing-prone industries at baseline are Healthcare and Pharmaceuticals (42.7%), Insurance (38.1%), and Retail and Wholesale (36%) — all fields that pair large workforces with sensitive data and, often, high staff turnover.
The usual caveat applies. KnowBe4 sells the security-awareness training its report champions, so a study concluding that such training works is not a disinterested one, and the 79% figure reflects simulated tests rather than live attacks. Even so, the dataset is enormous and the direction is consistent with years of prior benchmarks: repetition and regular testing measurably lower click rates over time.
The full report is available on KnowBe4’s website. The takeaway for IT teams is familiar but worth repeating: technology alone will not stop phishing, and the humans in the loop are trainable, provided organizations actually keep at it.
