90% of organizations experienced incidents caused by employee mistakes.

The top factor cited for attackers successfully bypassing systems was human error at 46.10%.

43% of cybersecurity professionals identified distraction as a primary reason employees fall victim to cyberattacks.

Human error remains the top cybersecurity vulnerability in 2025, with 66% of CISOs citing people as their greatest risk.

55% of security leaders are constantly worried that a single employee mistake could put their entire organisation at risk.

7% of VEC engagements came from employees who had engaged with a previous attack.

Employees in large enterprises engaged with malicious vendor messages 72% of the time after reading them, taking follow-up actions such as replying or forwarding.

Repeat engagement with VEC in EMEA is the highest of any region, over twice that of BEC.

The second-ranked industry for VEC engagement rate was the energy/utilities sector (56%).

Junior sales staff were among the most vulnerable roles, engaging with read VEC attacks at a rate of 86%.

EMEA organisations demonstrate the lowest reporting rate for VEC, at 0.27%.

In EMEA, the VEC engagement rate exceeds Business Email Compromise (BEC) by 90%.

The overall reporting rate for advanced text-based email threats was just 1.46%.

Employees in large enterprises engaged with malicious vendor messages 72% of the time after reading them, taking follow-up actions such as replying or forwarding.

The overall reporting rate for advanced text-based email threats was just 1.46%.

Telecommunications saw the highest VEC engagement rate at 71.3%.

Conversely, EMEA organisations show the highest reporting rate for BEC, at 4.22%

In just 12 months, attackers attempted to steal more than $300 million via VEC.

Human error, while still significant, has dropped to third place of most concerning threat actors.

Human error, while still significant, has dropped to third place of most concerning threat actors.