Every phishing attack that works needs a human to do something: click the link, open the attachment, type the password. Which is why the most uncomfortable number in KnowBe4’s 2026 Phishing by Industry Benchmarking Report is the baseline one. Before any security awareness training at all, roughly one in three employees is likely to engage with a phishing attempt.
The good news, and the reason the security vendor is publishing this, is that the number moves. Organizations that ran consistent security awareness training for a year cut employee phishing susceptibility by 79%.
The dataset is large enough to take seriously: 42 million simulated phishing attacks sent to 14.8 million users across 64,000 organizations worldwide.
Who fails the most
For the second consecutive year, the same three industries sit at the bottom of the baseline rankings. Healthcare and pharmaceuticals leads at 42.7% susceptibility, followed by insurance at 38.1% and retail and wholesale at 36%. Two of those three are sectors that hold enormous quantities of personal and financial data, which is not a coincidence attackers have missed.
KnowBe4 also reports a 17.1% increase in AI-powered phishing attacks since the second half of 2025. That tracks with what the rest of the industry is seeing: generative models have quietly eliminated the broken-English tell that generations of corporate training videos taught people to look for. The typo-ridden Nigerian prince email is a museum piece. What arrives now is grammatical, contextual and often personalized.
The vendor caveat
It is worth naming the obvious conflict: KnowBe4 sells security awareness training, and this report concludes that security awareness training works extremely well. Reports like this are marketing documents with real data inside them, and the 79% figure comes from customers who bought and stuck with the product — a group that is self-selecting for organizations already taking security seriously.
That does not make the underlying point wrong. As technical defenses harden, attackers route around them through people, and the calculus is asymmetric in a useful way. If a phishing email slips past every filter you own, the attack still fails when the person receiving it reports, deletes or simply ignores it. The human layer is the one that gets blamed after every breach and funded before almost none of them.
The full 2026 Phishing by Industry Benchmarking Report is available from KnowBe4.
