
Ever Heard of Phishing Click Rates?

  • Mar 18
  • 4 min read

What the Numbers Really Say About Human Risk


Phishing remains one of the most persistent and effective entry points into modern cyber incidents. While organizations invest heavily in technical controls, phishing click rates continue to highlight a fundamental truth: attackers are still winning by targeting people as well as systems.


What is a Phishing Click Rate?


In its simplest form, a phishing click rate measures the percentage of users who click a malicious link in a phishing email, whether in a real attack or during a simulation. It is often used as a proxy for human risk within an organization; however, interpreting that number requires context.


The Baseline Reality: People Still Click


Multiple industry reports show that phishing susceptibility remains significant. According to 2025 benchmark data, roughly one-third of users (or 33.1%) click on phishing emails before any training is applied. In real-world attacks, the numbers are lower but still impactful.


Research from Proofpoint reports an average phishing email click rate of 3.4%, meaning 34 out of every 1,000 targeted users may engage with a malicious link. Even at a few percentage points, the risk is substantial as attackers only need one successful click to gain a foothold.


Simulation vs. Reality: A Critical Gap


Security teams often rely on phishing simulations to measure readiness. Typical simulation benchmarks have shown click rates ranging from 8% to 14%, depending on industry and maturity.


However, simulation results can differ significantly from real-world behavior. Simulated emails are often anticipated, patterned, and less contextually convincing. In contrast, real phishing attacks are increasingly personalized, time-sensitive, and embedded in legitimate workflows. This gap is reflected in broader breach data.


The Verizon Data Breach Investigations Report (DBIR) consistently finds that human factors play a role in the majority of breaches, with phishing accounting for a large share of social engineering tactics.




Click Rates Are On The Rise (Again)


Recent data suggests phishing effectiveness is not static; it is evolving. In 2024, enterprise click activity on phishing links increased sharply, with measurable growth tied to user fatigue and more sophisticated lures.


Two key drivers stand out:


  • Volume and Fatigue: Users are overwhelmed by constant digital communication, leaving less scrutiny for each individual message.


  • Improved Attacker Tactics: Phishing emails increasingly mimic legitimate workflows, especially in cloud and SaaS (Software as a Service) environments.


Have you ever noticed how phishing emails use urgency or familiarity to get you to click, like a missed delivery or a password reset? Emerging threats such as AI-generated phishing are amplifying this trend. Some studies show dramatically higher engagement rates when phishing messages are highly personalized.


Does Training Actually Reduce Click Rates?


Security awareness training does have a measurable impact (but it is not a silver bullet). Organizations that implement continuous training programs can reduce phishing susceptibility dramatically, with some reporting reductions of over 80% after sustained effort. Even well-trained organizations rarely reach zero phishing risk. Human error remains persistent, and attackers adapt quickly to awareness programs.


Rethink What a “Good Click Rate” Looks Like


A low click rate is often treated as success, but this can be misleading. A more complete picture includes:


  • Report Rate: How many users flag suspicious emails


  • Time to Report: How quickly threats are escalated


  • Behavioral Trends Over Time: Whether click risk is decreasing sustainably


For example, a 5% click rate with a high reporting rate may indicate a healthier security culture than a 3% click rate with little reporting.
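To make the comparison above concrete, here is an added example (not code from the original post) that scores two constructed phishing-simulation campaigns of 100 recipients each: one with a 5% click rate and strong, fast reporting, and one with a 3% click rate and almost no reporting. The event records, the send time and the reports-per-click ratio are all assumptions of this example, not industry benchmarks; the point is that report rate and time to first report tell the security team far more than the click rate alone.

```python
"""Phishing-simulation metrics beyond the click rate.

Added example, not code from the original post. All recipient records are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# Constructed send time shared by both campaigns (not real data).
SENT_AT = datetime(2025, 3, 18, 9, 0)


@dataclass
class Recipient:
    """One simulated recipient and what they did with the email."""
    user: str
    delivered: datetime
    clicked: Optional[datetime] = None
    reported: Optional[datetime] = None


def build_campaign(size, clickers, reporters, first_report_min, spacing_min):
    """Construct a campaign: the first `clickers` users click, the first
    `reporters` users report (so in a strong reporting culture some clickers
    also report themselves). Reports arrive every `spacing_min` minutes,
    starting `first_report_min` minutes after delivery."""
    recipients = []
    for i in range(size):
        r = Recipient(user=f"user{i:03d}", delivered=SENT_AT)
        if i < clickers:
            r.clicked = SENT_AT + timedelta(minutes=5 + i)
        if i < reporters:
            r.reported = SENT_AT + timedelta(minutes=first_report_min + i * spacing_min)
        recipients.append(r)
    return recipients


def campaign_metrics(recipients):
    """Click rate, report rate and time-to-report for one campaign."""
    n = len(recipients)
    clicks = [r for r in recipients if r.clicked]
    reports = [r for r in recipients if r.reported]
    # A user who clicked and then reported still gives the SOC a signal.
    clicked_then_reported = sum(
        1 for r in clicks if r.reported and r.reported > r.clicked
    )
    minutes_to_report = [
        (r.reported - r.delivered).total_seconds() / 60 for r in reports
    ]
    return {
        "recipients": n,
        "click_rate_pct": round(100 * len(clicks) / n, 1),
        "report_rate_pct": round(100 * len(reports) / n, 1),
        "clicked_then_reported": clicked_then_reported,
        # Time to first report is the window before anyone can start responding.
        "first_report_min": min(minutes_to_report) if minutes_to_report else None,
        "median_report_min": median(minutes_to_report) if minutes_to_report else None,
    }


def reports_per_click(metrics):
    """Illustrative ratio (an assumption of this example, not an industry
    standard): reports received per click. Higher means the organization
    hears about a lure quickly relative to its exposure."""
    clicks = metrics["click_rate_pct"]
    return round(metrics["report_rate_pct"] / clicks, 2) if clicks else float("inf")


# Campaign A: 5% click, 40% report, first report 8 minutes after delivery.
CAMPAIGN_A = build_campaign(100, clickers=5, reporters=40, first_report_min=8, spacing_min=2)
# Campaign B: 3% click, 2% report, first report four hours after delivery.
CAMPAIGN_B = build_campaign(100, clickers=3, reporters=2, first_report_min=240, spacing_min=30)

if __name__ == "__main__":
    for name, campaign in (("A", CAMPAIGN_A), ("B", CAMPAIGN_B)):
        m = campaign_metrics(campaign)
        print(name, m, "reports per click:", reports_per_click(m))
```

Run stand-alone, the script shows campaign A with the higher click rate but a first report eight minutes after delivery and eight reports per click, while campaign B's lower click rate comes with a four-hour blind spot and fewer reports than clicks. Tracking these figures per campaign over time gives the "behavioral trend" the list above asks for.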


Tactics and Techniques


Introducing The NIST Phish Scale


Created by researchers at the National Institute of Standards and Technology (NIST), the Phish Scale classifies emails by how difficult or easy it is to detect the potential attack.


Two measurement components are used:


  1. Observable Characteristics (Cues): the more cues an email contains (e.g., misspellings, time pressure, a generic greeting), the easier it is for a user to detect the phishing attempt


  2. Alignment of Email Context to Specific Users: the more relevant the email's premise is to its recipients, the harder it is to spot


According to NIST, “emails with fewer cues and more relevant context are more difficult to identify as a phishing email. The overall score is then used by the phishing trainer to help analyze their data and rank the phishing exercise as low, medium or high difficulty”.


Phishing includes a range of tactics with different impacts. Broad attacks drive high volume with lower success rates, while targeted methods like spear phishing and whaling are less common but more effective. Here are a few variants to understand:

  • Phishing: Broad, mass emails designed to trick users into clicking links or providing sensitive information


  • Spear Phishing: Targeted messages tailored to a specific person or role, often using personal or organizational details


  • Whaling: A form of spear phishing aimed at executives or senior leaders, often involving high-value requests


  • Smishing: Phishing conducted via SMS or text messages, typically using links or urgent prompts


  • Vishing: Voice-based phishing using phone calls to impersonate trusted entities and extract information


  • Pharming: Redirects users from legitimate websites to fake ones, often without the user's knowledge

The Takeaways: Click Rates Are a Signal


Phishing click rates remain one of the clearest indicators of human cyber risk. As with most organizational risk, susceptibility can be reduced but not entirely eliminated.


The most effective programs treat click rates as one metric within a broader resilience strategy combining user behavior, detection capability, and response speed.


When it comes to phishing, success is not defined by who clicks on what but by how quickly the organization responds after they do.

