SYDNEY, AUSTRALIA– KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human and AI agent risk management, today released its Q3 2025 Phishing Roundup. The research reveals that simulated phishing emails personalised to appear from internal departments, particularly HR and IT, continue to drive the highest user interaction rates, highlighting a persistent trend of employee vulnerability to techniques exploiting familiarity. All of the data for this roundup was aggregated from the KnowBe4 HRM+ platform between July 1, 2025, and September 30, 2025.
Key Findings from the Q3 Roundup
Internal Topics Dominate
-
Personalisation increased click rate in simulated phishing emails – the two most-clicked subject lines contained the recipients’ company name.
-
Internal topics made up 90% of most-clicked subject lines and HR was cited in 45% of the top 10 most-clicked emails.
Branded Landing Pages
-
70% of simulated landing page interactions involved branded content.
-
Microsoft was the most common brand, accounting for 25%, followed by LinkedIn, X, Okta, and Amazon.
Top Clicked Hyperlinks
-
82% of the top 20 clicked links in simulated phishing emails came from internally themed simulations.
Attachment Interactions
-
PDFs comprised 56% of the top 20 attachments opened in simulated phishing emails, followed by Word documents (25%) and HTML files (19%).
“When a message seems routine, such as something from HR or IT, users are less likely to question it,” said Erich Kron, CISO advisor at KnowBe4. “The fact that this trend continues quarter after quarter tells us that this is not just about tricking users, it is about understanding human behaviour. That is exactly why KnowBe4’s human and agentic AI risk management platform addresses both training and behaviour change to build lasting security resilience.”
Download a copy of the Q3 2025 KnowBe4 Simulated Phishing Roundup here.
About KnowBe4
KnowBe4 empowers workforces to make smarter security decisions every day. Trusted by over 70,000 organisations worldwide, KnowBe4 helps to strengthen security culture and manage human risk. KnowBe4 offers a comprehensive AI-driven ‘best-of-suite’ platform for Human Risk Management, creating an adaptive defence layer that fortifies user behaviour against the latest cybersecurity threats. The HRM+ platform includes modules for awareness & compliance training, cloud email security, real-time coaching, crowdsourced anti-phishing, AI Defense Agents, and more. As the only global security platform of its kind, KnowBe4 utilises personalised and relevant cybersecurity protection content, tools and techniques to mobilise workforces to transform from the largest attack surface to an organisation’s biggest asset. More info at knowbe4.com.
