How (and How Well) Companies Train for Phishing & Social-Engineering Threats in 2025


In 2025, phishing training has become one of the most critical components of corporate cybersecurity strategy as social-engineering attacks continue to dominate global breach statistics. Despite major investments in tools and awareness programs, the “human element” still contributes to most security incidents, proving that behavior and consistency matter as much as technology. This analysis explores how companies worldwide approach phishing and social-engineering preparedness, from simulation adoption and adaptive learning platforms to reporting workflows and real-world breach outcomes, revealing what truly works, where gaps persist, and how organizations can strengthen their human defense layer.

Executive takeaways

  • The “human element” remains present in roughly 60% of breaches, and phishing is implicated in ~14–16% of all breaches as a direct initial vector this year. Credential abuse, often downstream of phishing, accounts for another large share. [1][2][3][4][5]
  • Training and testing are widespread but uneven. Large organizations commonly run awareness programs and simulations (e.g., 76% of large UK firms conduct staff training; financial firms show the highest user reporting rates in simulations), while smaller sectors lag. [6][7]
  • Training works when it’s continuous and behavioral. Cohorts with sustained programs show big drops in click-through risk (up to 86% reduction over a year) and high reporting engagement; platforms running tens to hundreds of millions of simulations annually see rising adoption. [7][8][9]
  • Despite training growth, breaches still happen, including at trained orgs, highlighting the need for layered defenses (technical controls + people programs) and realistic attack simulation coverage beyond email (vishing, QR-phish, smishing, BEC). [10][11]
  • Costs remain high. The global average breach cost is ~$4.4–$4.8M, with phishing among the costlier initial vectors in many studies. [12][13][14]

1. Who is implementing training & testing, and in what percentage?

Adoption and maturity (cross-industry highlights)

  • United Kingdom (all sectors): Only ~19% of businesses overall reported formal staff cyber-training activities, but 76% of large businesses do so (UK Cyber Security Breaches Survey 2025). [6]
  • Program activity (global enterprise customers): Proofpoint customers ran >55,000 phishing-simulation campaigns totaling ~212M messages in 2024 (up 16% YoY), evidencing rising simulation adoption across industries. Financial services posted the highest average reporting rate (32.35%), while education was the lowest (7.71%). [7]
  • Benchmarking cohorts: KnowBe4’s 2025 benchmarking spans 62,400 organizations and 67.7M simulated tests across 19 industries and 7 regions, reporting an industry-wide baseline “phish-prone %” of 33.1% that can be reduced >40% in 90 days and up to 86% within a year when SAT and simulations are sustained. [8]

Takeaway: Adoption is strong among large and regulated orgs (finance, healthcare, public sector). Smaller firms and some sectors lag in formal programs and cadence, creating uneven resilience within supply chains. [6][15]

2. What mechanisms are companies using, and how common are they?

Core training & testing mechanisms (with representative tools)

  • Simulated phishing programs (email, QR-phish, BEC pretexting, attachments/URLs) with adaptive follow-up training
    Tools: KnowBe4 Security Awareness Training [16], Proofpoint Security Awareness (State of the Phish) [9], Hoxhunt [17], Cofense PhishMe SAT [18], Mimecast Awareness Training [19], Barracuda Security Awareness (PhishLine) [20], Fortra Terranova Security [21], Infosec IQ [22].
    Adoption notes: >212M Proofpoint simulation messages in 2024 (+16% YoY). Average simulated-phish reporting rate ~18.7% overall; finance leads (~32%), education lags (~8%). [7]
  • Built-in enterprise attack simulation suites (integrated with mail/security stacks)
    Tools: Microsoft Defender for Office 365 – Attack Simulation Training (including smishing/vishing templates) [23][24].
    Use-case: Broad coverage of payloads, user targeting, just-in-time micro-training.
  • Behavioral micro-learning & just-in-time nudges tied to risky actions (e.g., link clicks, password reuse)
    Tools: Mimecast’s human-risk-centric training [19], Hoxhunt’s adaptive nudges [17].
    Adoption indicator: Only ~7.5% of orgs use fully adaptive training that personalizes based on testing performance (US survey). [25]
  • User reporting workflows (report-phish buttons) with triage/feedback loops
    Tools: Cofense Reporter (bundled in platform) [18], Microsoft Report Message add-ins (bundled with M365; covered in the Defender documentation suite) [23].
    Outcomes: Reporting engagement can exceed 60% in trained cohorts (Hoxhunt), with 1.4 real malicious emails/user/year reported on average in 2024 cohorts. [9]
  • Beyond email: vishing (phone), smishing (SMS), QR-phish, collaboration-app phishing (Teams/Slack), and BEC simulations
    Trend: URL-based threats now outpace attachments; Proofpoint saw 3.7B URL-based threats in six months, with rising QR code and SMS lures. [26]

Cadence & breadth matter: Programs that mix channels (email, SMS/voice, QR), emphasize reporting, and personalize training show the largest, sustained risk reduction. [7][8][9][26]

3. How often do social engineering attacks cause breaches, and were victims trained?

  • Human element & phishing prevalence (all industries):
    – ~60% of breaches involved a human element in the 2025 DBIR. [1][4][5]
    – As an initial access vector, phishing accounted for ~14–16% of breach intrusions this year; credential abuse (frequently a downstream effect of phishing/infostealers) is also a leading vector. [2][3]
  • Did victims have training? Sector example (healthcare):
    – HIPAA Journal’s survey data shows that among orgs that reported a notifiable breach in 2024, ~77% test HIPAA security awareness and ~69% run phishing simulations: evidence that training alone doesn’t eliminate incidents without layered controls and realistic scenario coverage. [10]
  • Perceived readiness vs. outcomes:
    – In 2025, 76% of CISOs felt at risk of a material attack in 12 months, and 58% admitted they’re not prepared; two-thirds reported material data loss in the past year. [11]

Bottom line: Training correlates with improved behavior (lower click rates, higher reporting), but companies still get breached if simulations are narrow, if reporting/response loops are weak, or if technical controls (MFA, isolation, URL detonation, secrets management) lag. [7][8][9][10][11][26]

4. Average recovery costs after phishing or social-engineering breaches

  • Global averages: IBM’s 2025 report pegs the average breach at ~$4.4M (down from 2024’s $4.88M), while multiple roundups cite ~$4.8M as the average breach cost across 2024–25 periods. Phishing remains among the costlier initial vectors in IBM’s breakdowns and compendia. [12][13][14]

5. Insider-driven incidents (malicious or unhappy employees)

  • The insider share varies by study. Coverage of the 2025 DBIR and industry analyses put internal actors around ~30% of breaches this year (externals ~67%, partners ~4%). Other summaries cluster the “human element” (error + social + malicious misuse) at ~60%. [4][5][27]
  • Separate surveys show insider data leakage is a top concern; 61% of surveyed organizations experienced unauthorized access to sensitive data in the last two years, with average losses around $2.7M. [28]

6. Examples of massive social-engineering-led breaches

  • MGM Resorts (2023): Social engineering (help-desk pretexting/vishing) led to ransomware and multi-day outages across hotel/casino operations; attackers leveraged identity/Okta weaknesses. [29][30][31]
  • Caesars Entertainment (2023): Confirmed social-engineering intrusion leading to data theft (customer rewards program) and reported an eight-figure payment. [32]
  • Uber (2022): MFA-fatigue and IT help-desk social engineering resulted in extensive internal access. [33][34][35]
  • Twitter/X (2020): Phone spear-phishing of employees to gain admin-tool access; takeover of 130 high-profile accounts. [36][37]

7. What organizations get right (and where they still miss)

What works consistently

  1. High-cadence, adaptive simulations across email, SMS/voice, QR, and collaboration apps—paired with micro-learning and just-in-time nudges. [7][8][9][25]
  2. Robust reporting workflows (one-click report buttons + analyst triage + closed-loop feedback). High reporting rates correlate with real-world detection. [7][9][18]
  3. Controls that blunt phishing impact: phishing-resistant MFA (FIDO2/passkeys), robust URL/attachment inspection, browser isolation for untrusted links, and secrets management to reduce credential re-use risk. [1][2][3][26]
  4. Scenario coverage for BEC & pretexting (invoice fraud/vendor impersonation), the fastest-growing social action pattern. [1][2][3]

Common gaps

  • Narrow programs focused only on email links (missing vishing/smishing/QR and BEC). [26]
  • Non-adaptive annual training (only ~7.5% use truly adaptive content tied to test results). [25]
  • Weak secret hygiene and weak credential-reuse controls fuel high rates of credential-based intrusions. [3][5]
  • Overconfidence without response readiness; many CISOs acknowledge readiness gaps despite training. [11]

Platform suites (awareness + simulation + reporting + analytics)

  • KnowBe4 Security Awareness Training (SAT, AI-driven personalization, massive content library) [16]
  • Proofpoint Security Awareness / State of the Phish (programs + research + reporting workflows) [9]
  • Hoxhunt Human Risk Platform (adaptive, gamified training; strong user reporting engagement) [17]
  • Cofense PhishMe SAT (human-vetted, real-threat simulations; reporter add-ins) [18]
  • Mimecast Awareness Training (human-risk-centric micro-learning) [19]
  • Barracuda Security Awareness Training (PhishLine) (threat-intel-aligned simulations) [20]
  • Fortra Terranova Security (attack simulations + diverse content; HRM platform) [21]
  • Infosec IQ (role-based training + phishing simulator) [22]

Integrated enterprise attack simulation

  • Microsoft Defender for Office 365 – Attack Simulation Training (email/URL/credential-harvest/QR/smish/vish; Defender portal) [23][24]

Program design tip: Combine one primary SAT/simulation suite with your native suite (e.g., Microsoft AST) for breadth, then tune reporting & response workflows so reported phish route to your SOC with automated enrichment.
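The reporting workflow described above (report button, analyst triage, closed-loop feedback) and this tip about routing reported phish to the SOC with automated enrichment can be illustrated with a small triage step. The following is an added example, not code from the article or from any of the vendors it names; the reported message, the tenant domain `corp.example`, and the indicator heuristics are all constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample of a message a user submitted via a "Report phish" button.
REPORTED_MSG = b"""From: "IT Helpdesk" <support@example-helpdesk.test>
To: alice@corp.example
Subject: Action required: password expiring today
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=example-helpdesk.test; dkim=none; dmarc=fail header.from=example-helpdesk.test
Content-Type: text/plain

Your password expires today. Sign in at https://corp-example.login-reset.test/sso to keep access.
"""

INTERNAL_DOMAINS = {"corp.example"}  # hypothetical tenant domain
ROLE_WORDS = ("helpdesk", "it support", "payroll", "security team")
URGENCY_WORDS = ("action required", "expire", "urgent", "immediately", "today")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def enrich_report(raw: bytes) -> dict:
    """Parse a reported message and attach the enrichment an analyst needs for triage."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    # SPF/DKIM/DMARC verdicts stamped by the receiving MTA.
    auth = dict(AUTH_RE.findall(str(msg.get("Authentication-Results", ""))))
    urls = URL_RE.findall(body)
    indicators = []
    if auth.get("dmarc") != "pass" or auth.get("spf") == "fail":
        indicators.append("auth_failure")
    # External sender using an internal-sounding display name (pretexting).
    if sender.domain not in INTERNAL_DOMAINS and any(w in sender.display_name.lower() for w in ROLE_WORDS):
        indicators.append("external_sender_internal_role")
    if any(w in text for w in URGENCY_WORDS):
        indicators.append("urgency_language")
    # Lookalike hosts: reuse an internal domain label without being under the internal domain.
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        for dom in INTERNAL_DOMAINS:
            if host != dom and not host.endswith("." + dom) and dom.split(".")[0] in host:
                indicators.append("lookalike_url")
    verdict = "escalate" if len(indicators) >= 3 else "review" if indicators else "likely_benign"
    return {"sender_domain": sender.domain, "auth": auth, "urls": urls,
            "indicators": indicators, "verdict": verdict}

if __name__ == "__main__":
    print(enrich_report(REPORTED_MSG))
```

The returned record is what would be attached to the SOC ticket; the verdict also drives the closed-loop feedback to the reporter (thanked for a real catch, or told the message was benign).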

9. Anything missing? The big shifts to watch in 2025–26

  • URL-first lures & QRishing: URL-based threats now outpace attachments; QR code and SMS lures are surging. Ensure simulations mirror this. [26]
  • Credential-centric attacks: 88% of basic web-app breaches involve stolen credentials; pair training with passkeys, SSO hygiene, and secret scanning. [3][5]
  • Third-party exposure: Breaches with third-party involvement doubled to ~30%; ensure supplier training/controls match your bar. [4][5]

Sources

[1] Verizon, Data Breach Investigations Report (DBIR) 2025 (landing)
[2] Beyond Identity, DBIR 2025 analysis (initial access, credentials vs. phishing)
[3] Verizon, DBIR 2025 snapshots & analysis hub
[4] ASIS, DBIR 2025 coverage (third-party involvement doubled)
[5] IndustrialCyber, DBIR 2025 recap (external/internal/partner shares)
[6] UK Government, Cyber Security Breaches Survey 2025
[7] Proofpoint, Simulation adoption & reporting rates (Apr 8, 2025 post)
[8] KnowBe4, Phishing by Industry Benchmarking (2025)
[9] Hoxhunt, 2025 phishing trends & user reporting engagement
[10] HIPAA Journal, Security awareness & phishing-simulation prevalence among breached orgs
[11] Proofpoint, Voice of the CISO 2025 (press/summary)
[12] IBM, Cost of a Data Breach 2025 (study hub)
[13] Axios, 2024 breach-cost coverage (context for YoY trend)
[14] Secureframe, Phishing vector share & cost roundups
[15] ENISA, Threat Landscape / Finance sector notes
[16] KnowBe4, Security Awareness Training (product)
[17] Hoxhunt, Human Risk Platform (product)
[18] Cofense, Platform & PhishMe SAT (product)
[19] Mimecast, Awareness Training (product)
[20] Barracuda, Security Awareness Training / PhishLine (product)
[21] Fortra Terranova Security (product)
[22] Infosec IQ (product)
[23] Microsoft Learn, Attack Simulation Training (how-to & docs)
[24] Microsoft, Attack Simulation Training (product page)
[25] Infrascale, Security training/adaptive training prevalence (survey)
[26] ITPro, Proofpoint telemetry: URL-first, QR/smish surge
[27] DBIR 2025 insider share (secondary analyses roundup)
[28] TechRadar, OPSWAT/Ponemon insider threat costs & prevalence
[29] Specops, MGM 2023 social-engineering analysis
[30] University of Hawaiʻi, MGM/Scattered Spider summary
[31] Netwrix, MGM breach tactics overview
[32] Cybersecurity Dive, Caesars Entertainment 2023 social-engineering disclosure
[33] Abnormal Security, Uber 2022 incident (MFA fatigue)
[34] DNV, Uber attack chain lessons
[35] The Guardian, Uber 2022 breach news coverage
[36] New York DFS, Twitter (X) 2020 social-engineering report
[37] LA Times / Wikipedia, Twitter (X) 2020 arrests & overview

Ivan Dabić

Co-founder and CEO of BlueGrid.io, with a background in cloud infrastructure, distributed systems, monitoring, and security operations. He works closely with engineering teams to build and operate reliable systems while documenting both technical and organizational aspects of modern engineering work.

Ivan is a metalhead and a big fan of the cyberpunk movie genre. If you are his secret Santa, go with a Star Wars Lego box!