The employees of insurance companies and non-profit organizations are most likely to fall for phishing attacks, according to a study conducted by security awareness training firm KnowBe4.
KnowBe4’s study is based on data collected from six million users across 11,000 organizations. The company has tested users at three stages: before any awareness training, after 90 days of initial training and simulated phishing, and after one year of training.
The average phish-prone percentage, represented by the percentage of employees that clicked on a link or opened an attachment during testing, was 27% across all industries and organizations of all sizes.
Among small and mid-size organizations (under 1,000 employees), insurance companies have the highest percentage of phish-prone employees: 35% and 33%, respectively. Among large organizations, nonprofits top the list, with roughly 31% of employees taking the bait during the baseline phishing tests conducted by KnowBe4.
The lowest phish-prone percentage was recorded in large business services organizations, where only 19% of employees took the bait.
Unsurprisingly, 90 days after undergoing initial training and simulated phishing, the percentage of employees that fell for phishing attacks dropped significantly across all sectors and organizations of all sizes.
For example, in the case of the insurance industry, the phish-prone percentage dropped to 13% in small and large organizations, and 16% in mid-size companies. In the case of nonprofits, it dropped to 16-17%.
After one year of training, the phish-prone percentage dropped to 1-2% in most cases. The highest percentage of employees that still fell for phishing attacks, roughly 5%, was in large organizations in the energy and utilities, financial services, insurance, and education sectors.
“The new research uncovered some surprising and troubling results. However, it also demonstrates the power of deploying new-school security awareness training by lowering a 27 percent Phish-prone result to just over two percent,” said Stu Sjouwerman, CEO of KnowBe4.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
