Numbers Don’t Lie: Phishing Training Works

Editor’s note: In recognition of National Cybersecurity Awareness Month this October, we are publishing a series of blog posts dedicated to educating and informing you about cybersecurity practices. This is the 11th in a series of posts. Below, you can find a list of links to the rest of the series:


For years, we’ve been touting how regular phishing training can empower your employees to more successfully spot phishing attacks to protect your organization.

We can rattle off numbers at you until you’re blue in the face (and we have), like how phishing email volume is up 17.3% in 2025.

These numbers help people understand the severity, but what about phishing training numbers? Do organizations actually see improvement in the number of employees who successfully spot a phishing attack?

According to KnowBe4, a security awareness company, it’s a resounding yes.

It may seem like busy work or a waste of time to watch a 15-minute video about new phishing trends every quarter or receive simulated phishing attacks every month. But it’s helping people spot phishing attempts and lowering the percentage of people who are likely to fall for a phishing attack.

Let’s dive into the numbers — specifically, how the number of people who are likely to fall for a phishing attack after training is significantly lower than before training, regardless of industry or size of organization.

Before and After: The Training Payoff

To determine how effective training is, KnowBe4 developed the Phish-prone Percentage (PPP), which is the percentage of users likely to fall for a phishing email.

You can read more about how PPP is calculated here. The short story is that an employee can have a personal PPP of more than 100% on a single email if they have many failures, such as opening an email, clicking a link or opening an attachment.

Across all organizations, KnowBe4 found the average PPP to be:

  • Before training: 33.1%
  • After training: 19.8%

Before training, 1 in 3 employees are clicking on potentially dangerous links or opening potentially dangerous attachments, and that number decreases to 1 in 5 after just 90 days of best-practice training.

But phishing training isn’t complete after one year. It’s a long-term commitment, and the numbers also back that up.

KnowBe4 found the average PPP to be:

  • After one year of training: 4.1%
  • After two years of training: 3.7%
  • After three years of training: 3.6%

With regular phishing training, organizations large and small can reduce their risk by more than 85% in a year, and that progress compounds over time.

After just one year of training, the average PPP significantly drops from 1 in 5 employees to 1 in 25.
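To make the Phish-prone Percentage concrete, here is an added example (not KnowBe4’s code, and not the original post’s) that computes a PPP-style metric from a constructed simulated-phishing event log and then applies the post’s before-and-after figures. The formula is an assumption: failure actions divided by simulated emails delivered, chosen because it reproduces the post’s point that one employee can score above 100% on a single email with several failures. KnowBe4’s exact calculation is not given on this page.

```python
"""PPP-style metric from simulated-phishing events (added example).

Assumed formula: per-user PPP = failure actions / simulated emails delivered.
This is an assumption, not KnowBe4's published method.
"""
from collections import defaultdict

# Actions treated as failures on a simulated phishing email (assumption).
FAILURE_ACTIONS = {"opened", "clicked", "attachment_opened", "replied"}

# Constructed sample event log: (user, campaign_id, action). Not real data.
SAMPLE_EVENTS = [
    ("alice", "c1", "delivered"),
    ("alice", "c1", "reported"),          # reporting is a success, not a failure
    ("bob", "c1", "delivered"),
    ("bob", "c1", "opened"),
    ("bob", "c1", "clicked"),
    ("bob", "c1", "attachment_opened"),   # three failures on one email -> 300%
    ("carol", "c1", "delivered"),
    ("carol", "c1", "clicked"),
    ("dave", "c1", "delivered"),          # delivered, no failure -> 0%
]


def per_user_ppp(events):
    """Return {user: PPP} where PPP = 100 * failures / emails delivered.

    Users with no delivered email are skipped so we never divide by zero.
    """
    delivered = defaultdict(int)
    failures = defaultdict(int)
    for user, _campaign, action in events:
        if action == "delivered":
            delivered[user] += 1
        elif action in FAILURE_ACTIONS:
            failures[user] += 1
    return {u: 100.0 * failures[u] / n for u, n in delivered.items() if n > 0}


def average_ppp(events):
    """Organisation-level average PPP: mean of the per-user values.

    Because a single user can exceed 100%, this average is not a
    'share of users' and can itself exceed 100%.
    """
    scores = per_user_ppp(events)
    return sum(scores.values()) / len(scores) if scores else 0.0


def share_of_users_failed(events):
    """Percentage of users with at least one failure (the '1 in 3' reading)."""
    scores = per_user_ppp(events)
    if not scores:
        return 0.0
    failed = sum(1 for s in scores.values() if s > 0)
    return 100.0 * failed / len(scores)


def risk_reduction(before_ppp, after_ppp):
    """Relative reduction in PPP, in percent (e.g. 33.1 -> 4.1 gives 87.6)."""
    if before_ppp <= 0:
        raise ValueError("before_ppp must be positive")
    return 100.0 * (before_ppp - after_ppp) / before_ppp


if __name__ == "__main__":
    print("per-user PPP:", per_user_ppp(SAMPLE_EVENTS))
    print("average PPP: %.1f%%" % average_ppp(SAMPLE_EVENTS))
    print("users who failed at least once: %.1f%%" % share_of_users_failed(SAMPLE_EVENTS))
    # The post's figures: 33.1% before training, 4.1% after one year.
    print("one-year risk reduction: %.1f%%" % risk_reduction(33.1, 4.1))
```

Two readings of the aggregate are shown because they answer different questions: the average of per-user scores tracks how many failure actions the population generates, while the share of users who failed at least once matches the post’s “1 in 3” and “1 in 5” framing. Running the last line with the post’s own numbers gives the “more than 85%” reduction it cites.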

How Your Company Size Affects Risk

Small businesses — those defined by KnowBe4 as organizations with 1 to 249 employees — have the lowest baseline of average PPP (24.6%) compared to:

  • Enterprises (10,000 or more employees): 40.5%
  • Large organizations (1,000 to 9,999 employees): 33.7%
  • Midsized organizations (250 to 999 employees): 28.7%

However, that still means 1 in 4 employees are vulnerable before training.

Many people think small businesses aren’t targeted because they don’t have as many employees or as much money to steal. But small businesses are often targeted more frequently precisely because they don’t have the same investment in security tools and practices that larger organizations do.

While a successful attack on an enterprise might yield more data or a bigger payday from selling that data, attackers aren’t picky about who they target. If they think they can trick you, they’ll go after you.

Your Employees are Your Best Defense

More and more phishing emails are designed to bypass traditional security tools. Between human error and AI-powered attacks, it’s no longer sufficient to deploy these security tools and call it a day.

But with regular phishing training, organizations large and small can reduce their risk by more than 85% in a year, and that progress compounds over time.

Don’t wait until someone at your organization falls victim to implement phishing training.

If you’re looking to protect your company from cybersecurity threats, contact us to learn how we can help train your employees to spot the telltale signs of a scam.
