If you are a regular reader of the Proofpoint State of the Phish report, we want to inform you that we’re taking a new approach this year. Instead of a single annual report, we will be introducing a series of reports that are more timely, frequent, and focused on trending threats. Periodically, we’ll be sharing insights from those reports on our blog.
In today’s threat landscape, attackers target people instead of infrastructure. And phishing remains one of the most effective cyberattack methods. This isn’t because it relies on sophisticated technology. Rather, it’s because phishing exploits the human element—our trust, curiosity and response to a sense of urgency.
Opportunities for phishing have increased as the digital workspace has expanded beyond email. Cybercriminals can now reach users on almost any collaboration tool and messaging app. Their goal is to manipulate them into clicking malicious links or handing over their credentials. One of the ways to assess how well users recognize and respond to these attacks is with phishing simulations.
Our customers across the globe use Proofpoint ZenGuide—our security awareness and behavior change solution—to conduct their phishing simulation campaigns. We’ve gathered data about these campaigns over a 12-month period to give our customers insights into key trends and provide industry benchmarks. This blog post offers some highlights.
Popular phishing templates reveal threat trends
The content in Proofpoint phishing simulations is informed by our Nexus threat intelligence. As such, it represents real-world phishing attacks that have been blocked by Proofpoint. Customers have access to a template library that is updated nearly every day.
Additionally, Proofpoint publishes new templates from its threat research every week. This gives organizations the ability to test their employees on a wide variety of themes, topics and tactics. They are based on the latest threats that have been identified by Proofpoint threat researchers in the wild.
The most used phishing templates represent several key trends in the evolving social engineering and attack landscape. Let’s look at the templates that have been prioritized by Proofpoint customers to see what this suggests about threat trends.
Top trends
- 30% of simulations focus on compromising accounts and bypassing MFA. This suggests that attackers are increasingly targeting authentication systems.
- 25% exploit collaboration and file-sharing platforms like Microsoft Teams, SharePoint and Dropbox, which highlights attackers’ shift to targeting vectors beyond email.
- 20% use consumer-facing brands, which shows that attackers are increasingly exploiting trust in well-known companies to lure users into clicking.
Phishing simulations on the rise
Proofpoint customers were extremely busy in 2024. They sent out more than 55,000 campaigns to users—more than 212 million messages in total. Compared to the 183 million messages sent in 2023, this represents a 16% increase (Figure 1). This suggests that organizations increasingly understand that testing and educating employees on phishing is essential.
Figure 1. The number of phishing simulation messages sent, shown in thousands.
Most popular campaign types—and how well they perform
When we analyze how frequently different simulation types are used and how well they perform, we can gain a deeper understanding of the phish simulation landscape (Figure 2).
- 60% of all campaigns use the Drive By template.
- 30% use Data Entry templates.
- 9% use Attachment-based templates.
Figure 2. Frequency of use by template type.
What do the average failure rates, reporting rates and resilience ratios for the three different template types tell us?
Data Entry has the lowest failure rate at 2.46%. Because a Data Entry failure means a user submitted credentials or other information into a form, this rate gives a view of how often credential sharing occurs compared with the other simulation types. In contrast, Attachment-based campaigns are used the least, but they have the highest failure rate (6.59%). In other words, while fewer phishing attempts use attachments as a delivery method, those that do are still relatively successful compared to other methods.
Figure 3. The average failure rate for each simulation type.
Awareness, engagement and security culture
Here, we provide an overview of the failure rates, reporting rates and resilience ratios for all campaigns. Benchmarking against industry peers is also a valuable way to assess program success, so for comparison we provide a subset of benchmarks across 29 industries.
Awareness
Failure rates reveal user awareness levels and how well users can identify phish. Across all organizations and campaigns, the average failure rate is 4.93%. This rate reflects how users behave when they interact with a simulated phishing message. Do they open the message? Do they click on embedded links or respond?
Notably, energy/utility has the lowest overall failure rate (3.6%), while legal has the highest (8.9%).
Engagement
Reporting rates are a key indicator of how engaged users are. Across all organizations and campaigns, the average rate for users reporting simulated phishing messages is 18.65%. A high rate shows that users can recognize and flag suspicious messages. It reflects that they are actively involved in maintaining security vigilance.
From an industry perspective, the financial services sector has the highest average reporting rate (32.35%), and education has the lowest (7.71%).
Such a significant reporting gap may stem from differences in industry practices and training frequency. In financial services, employees often handle sensitive data. What’s more, compliance requirements around handling this data require them to be more aware of phishing threats. In contrast, education sector employees may not face similar requirements. They also probably aren’t reminded about cyber threats as often.
Figure 4. Average failure and reporting rates by industry.
Security culture
A resilience ratio indicates how proactive users are when it comes to threats. Do they report them to their IT or security team? Or do they ignore or delete them? A higher ratio means an organization’s security culture is strong, which makes it more resilient.
The overall average reporting rate across all organizations and campaigns is 18.65%. This translates into a resilience ratio of 3.78. Across all 29 industries, financial services has the highest resilience ratio (8.23) and education has the lowest (1.27).
Figure 5. Average resilience ratio by industry.
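The three metrics above are simple to compute from per-recipient simulation outcomes. The following is an added example, not Proofpoint code or data: it assumes that the resilience ratio is the reporting rate divided by the failure rate (consistent with the page's 18.65% / 4.93% ≈ 3.78), uses constructed sample records, and shows how an organization could produce its own per-industry or per-template benchmarks.

```python
from collections import defaultdict

# Each record: (industry, template_type, failed, reported).
# "failed" means the user clicked, opened the attachment or entered data;
# "reported" means the user flagged the message. A user may do both.
def make_records(industry, template, n, failed, reported):
    """Construct n outcome records with the given failed/reported counts (sample data)."""
    return [(industry, template, i < failed, i < reported) for i in range(n)]

# Constructed sample campaign, not real customer data.
SAMPLE_RESULTS = (
    make_records("financial", "Data Entry", 10, failed=1, reported=4)
    + make_records("education", "Drive By", 10, failed=3, reported=1)
    + make_records("education", "Attachment", 5, failed=1, reported=0)
    + make_records("legal", "Drive By", 4, failed=0, reported=2)
)

def resilience_ratio(reporting_rate_pct, failure_rate_pct):
    """Assumed definition: reporting rate / failure rate; None when nobody failed."""
    if failure_rate_pct == 0:
        return None
    return reporting_rate_pct / failure_rate_pct

def campaign_metrics(records):
    """Return failure rate (%), reporting rate (%) and resilience ratio for a set of records."""
    n = len(records)
    if n == 0:
        raise ValueError("no recipients in campaign")
    failed = sum(1 for _, _, f, _ in records if f)
    reported = sum(1 for _, _, _, r in records if r)
    failure_rate = round(100.0 * failed / n, 2)
    reporting_rate = round(100.0 * reported / n, 2)
    ratio = resilience_ratio(reporting_rate, failure_rate)
    return {
        "recipients": n,
        "failure_rate": failure_rate,
        "reporting_rate": reporting_rate,
        "resilience_ratio": None if ratio is None else round(ratio, 2),
    }

def benchmark_by(records, field):
    """Group records by 'industry' (index 0) or 'template' (index 1) and compute metrics per group."""
    idx = {"industry": 0, "template": 1}[field]
    groups = defaultdict(list)
    for rec in records:
        groups[rec[idx]].append(rec)
    return {name: campaign_metrics(recs) for name, recs in sorted(groups.items())}

if __name__ == "__main__":
    for name, m in benchmark_by(SAMPLE_RESULTS, "industry").items():
        print(name, m)
```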
Reporting accuracy in the real world
Not every reported email is, in fact, malicious. We benchmarked real-world reporting accuracy for customers who use our reporting button PhishAlarm (Figure 6). This metric is crucial as it measures how accurately users report phishing emails.
Understanding reporting accuracy helps assess employees' ability to distinguish between legitimate and malicious emails. When reports are accurate, false positives are reduced. What’s more, phishing threats are detected early without overburdening security teams.
Across all 29 industries, the education, legal and marketing/advertising sectors ranked the highest.
Figure 6. Average reported-email accuracy rate by industry.
Spotting the trickiest simulation templates
Organizations are increasingly requesting phishing simulations that have high failure rates as well as advanced templates. This suggests they are concerned that attacks are getting more sophisticated, and they want to elevate their phishing programs.
Which of last year’s phishing template themes were the trickiest to spot? The answer depends on your definition of “tricky.”
If you are measuring difficulty in terms of the failure rate, then the templates with the theme of Unusual Sign-in Activity, Auto Renewal and Dispatched Goods were the most deceptive. However, if you define difficulty in terms of low reporting rates, then the Unusual Sign-in Activity template was the hardest to spot.
Notably, the “trickiest” template theme—which had the highest failure rate of 40.37%—also had the lowest reporting rate of 4.81%. An example is below.
Figure 7. Screenshot of the phishing template with the highest failure rate and the lowest reporting rate.
Beyond simulations: creating a comprehensive human-centric security program
Phishing simulations are a useful way to understand how users behave as well as their vulnerabilities. Our findings show that security professionals recognize that it’s important to educate users on emerging threats. That’s why they’re aligning their phishing campaigns with real-world threat trends.
Clearly, security awareness provides a critical foundation for preparing people against targeted threats. But you need to do more than train or simulate phishing attacks with your employees to mitigate human risk.
As the digital workspace expands, security teams must guide people to make safer choices and stay vigilant across all platforms—email, messaging apps, collaboration tools and more.
If you want to effectively guide and protect employees in today’s digitally transformed world, you also need a human risk management strategy. You need to integrate both technology and education into comprehensive protection. That’s where Proofpoint can help.
Proofpoint offers a comprehensive solution to defend against human-centric threats, both current and emerging. It combines a wide range of security protections to help you maximize threat prevention.
To learn more, check out our web page on Prime Threat Protection. Or download our Prime Threat Protection solution brief.
Note: If you are a Proofpoint ZenGuide customer, you can find best practices on phishing simulation program planning and evaluation in the ZenGuide content library.