The Truth About Phishing: Who's Clicking and Why It Matters
Who’s clicking on phishing attacks in your company?

Phishing attacks are evolving at an alarming rate. AI-powered phishing, deepfake scams, and hyper-personalized attacks are making it easier for cybercriminals to bypass traditional security defenses. Despite significant investments in security awareness training, phishing simulations, and email filtering solutions (SEGs), employees are still falling victim to phishing scams.
At PhishCloud, we conduct Custom Phishing Readiness Assessments for organizations worldwide, and our findings reveal some startling insights—not just how many people click, but who is clicking. Understanding these trends is critical to strengthening your organization’s security posture.
The Startling Reality of Phishing Click Rates
Our research and data from real-world phishing assessments show that when faced with an external, “hacker-like” phishing attack:
- 10% of employees will click on a malicious phishing link.
- 40% – 70% of those who click will provide their credentials.
- Many employees make multiple attempts on different devices, increasing exposure to security breaches.
To further illustrate the enormity of the phishing problem for companies today, here’s some additional data you need to know:
- Data shows that 91% of cyberattacks start with phishing.
- Phishing-related business email compromise (BEC) attacks cost organizations an average of $5 million per incident.
- Cybercriminals are using AI to create phishing emails that are 90% more effective than traditional spam.
This means that despite security awareness efforts, employees continue to fall for phishing attempts—but the real concern is who is clicking.
Who’s Most Likely to Click?
A key takeaway from our assessments is that phishing isn’t just a problem among the general workforce—executives and key personnel are among the most frequent clickers.
Click Rate by Employee Role
- 20% – 29% of clicks come from Executive Leadership.
- 19% – 27% of clicks come from Developers.
- 18% – 23% of clicks come from Managers.
- 15% – 22% of clicks come from Salespeople.
Here’s the math: 52% of all phishing clicks come from company management—the very people responsible for security oversight. Why are executives and key management personnel more vulnerable?
- Skipping Training: Executives often bypass security training due to time constraints, making them prime targets.
- High-Value Targets: Cybercriminals specifically target executives because they have access to sensitive data, financial information, and decision-making authority.
- Overloaded & Distracted: With packed schedules and high email volume, executives and managers are more likely to skim emails and click without verifying.
One of the most alarming cases involved a CEO who unknowingly approved a $25.6 million wire transfer after cybercriminals used deepfake video technology to impersonate a senior executive.
PhishCloud’s Custom Phishing Readiness Assessment: A Real-World Approach
Unlike standard phishing simulations that employees quickly recognize, PhishCloud’s Custom Phishing Readiness Assessment replicates real-world phishing attacks, incorporating multi-layered, sophisticated techniques used by today’s cybercriminals.
Our assessments go beyond compliance to provide actionable insights that help organizations:
✔ Strengthen their security posture by identifying vulnerabilities.
✔ Understand their level of phishing risk across different user roles.
✔ Improve Security Awareness Training programs with data-driven strategies.
✔ Assess their organization’s information footprint and exposure to phishing.
✔ Meet regulatory compliance requirements for phishing risk management.
Companies using PhishCloud have seen a 75% reduction in phishing click rates within 6 months.
If you’re serious about security and ready for the truth, it’s time to experience the PhishCloud difference.
PhishCloud PHISH360°: The Only True Phishing Protection
Once you understand your phishing risk, let’s talk about PhishCloud PHISH360°—the only cloud-native solution focused 100% on phishing prevention.
Why PhishCloud PHISH360°?
✅ AI-Powered Threat Detection: Uses machine learning to detect phishing attempts before they reach employees.
✅ Real-Time Email & Website Scanning: Identifies and blocks phishing links in emails and online interactions.
✅ Behavior-Based Protection: Recognizes abnormal user behavior and alerts security teams.
✅ 99.5% Phish Avoidance Rate: The highest phishing protection rate in the industry.
Unlike traditional email security solutions that only block known threats, PhishCloud prevents even zero-day phishing attacks before they can cause harm.
Don’t wait until a phishing attack compromises your business. Protect your employees, executives, and sensitive data with PhishCloud today.