Cofense Phishing Defense Center (PDC) tracked one malicious email every 42 seconds in 2024. Many of these were part of polymorphic phishing attacks.

Cofense Phishing Defense Center (PDC) tracked one malicious email every 42 seconds in 2024. Many of these were part of polymorphic phishing attacks.

Security training reduces global phishing click rates by 86%.

The global PPP fell by a total of 86% after 12 months of ongoing security training.

After implementing phishing training, the global PPP fell by 40% in just three months.

Globally, the top three most at-risk industries with the highest baseline PPP were Healthcare & Pharmaceuticals (41.9%), Insurance (39.2%), and Retail & Wholesale (36.5%).

Organizations with 10,000+ employees showed a global baseline PPP of 40.5%.

Organizations with 1-250 employees had a global baseline PPP of 24.6%.

In organizations of 1,000-9,999 employees, three sectors achieved PPP improvement rates of 91% after 12 months of ongoing training: Healthcare & Pharmaceuticals, Hospitality, and Legal.

The global average baseline PPP before training was 33.1%. This means approximately one-third of employees interact with phishing simulations before undergoing best-practice security awareness training.

From 2024 to 2025, the general trend of around one-third of employees clicking on a simulated phishing link before training remained fairly consistent.

Across different regions, the highest baseline PPPs were found in South America (39.1%), North America (37.1%), and Australia and New Zealand (36.8%).

After 12 months of security training, the global Phish-prone™ Percentage (PPP) dropped to 4.1%.

There has been a 3.5% decrease in the global baseline PPP within a year (from 2024 to 2025), highlighting a positive shift in overall security awareness worldwide.

59% of financial professionals cite SMS and phishing scams powered by AI to deceive victims.

AI-driven attacks now occur as frequently as phishing, placing AI firmly among the top three cybersecurity threats.

Top concerns for CIOs regarding cybersecurity risk include: Malware and ransomware (42%), data breaches (37%), AI-driven attacks (34%), and phishing (33%).

Over 60% of top-clicked phishing emails were related to HR and IT.

People were more likely to click on links related to internal topics or impersonating known brands, accounting for 61.6% of clicks.

The top three QR codes scanned in simulations related to: A new drug and alcohol policy from HR (14.7%), A DocuSign for review and signing (13.7%), A Workday happy birthday message (12.7%).