Australia & New Zealand phishing risk drops after training
Thu, 9th Jul 2026 (Today)
KnowBe4 has published research showing that phishing susceptibility among employees in Australia and New Zealand falls after a year of security awareness training, with the regional average dropping to 5.3% after 12 months.
The findings are based on phishing simulations involving 14.8 million users at 64,000 organisations worldwide, including data from Australia and New Zealand. In the region, the average share of employees likely to engage with a phishing attempt stood at 33% before any training, broadly in line with the global average of 33.2%.
That means roughly one in three workers in Australia and New Zealand are likely to click, reply or otherwise engage with a phishing message before any awareness programme is in place. Within 90 days of training, the figure fell to 21%, a 36% reduction, before declining further over a full year.
The data also points to large differences between industries. Banking recorded the highest baseline phishing susceptibility in Australia and New Zealand at 62%, followed by Healthcare & Pharmaceuticals at 41%.
Company size was another clear dividing line. Organisations with more than 10,000 employees recorded a baseline Phish-prone Percentage of 54.5%, compared with 24.6% among small businesses.
The report's Phish-prone Percentage measures the share of users likely to engage with a simulated phishing attack. It is intended to show how exposed an organisation is before and after staff training.
Regional picture
Australia and New Zealand broadly tracked the global average at the outset, but international comparisons showed notable regional differences. Africa recorded the highest baseline risk at 35.9%, followed by North America at 34.5% and South America at 31.5%. Asia had the lowest baseline at 24.9%.
The report links the persistence of phishing risk to changes in the threat environment, particularly the growing use of artificial intelligence in cybercrime. Attackers are using AI tools to produce more tailored phishing emails, business email compromise attempts and deepfake-enabled social engineering campaigns at greater scale.
This has raised the stakes for employers that rely on staff to identify fraudulent messages before they lead to a breach, payment diversion or credential theft. Phishing attacks have risen by 17.1%, adding to pressure on organisations to strengthen internal controls and staff awareness.
Security awareness training has long been part of many companies' cyber risk programmes, but the figures in this study suggest the biggest gains come from repeated, sustained training rather than one-off exercises. In Australia and New Zealand, phishing susceptibility fell by 84% from the baseline over the first year.
The contrast between large and small organisations may reflect the broader attack surface in bigger companies, where larger workforces and more complex communications channels give attackers more opportunities to target staff. The findings also suggest that industries handling sensitive financial or health data remain especially exposed.
Threat shift
The research comes as businesses increasingly weigh how to manage cyber risks linked not only to employees but also to automated systems and AI-based tools used in daily operations. Security teams have warned that the spread of generative AI is making malicious messages more convincing and easier to produce at scale, reducing some of the signals that once helped users spot fraud.
For firms in sectors such as banking and healthcare, that shift is particularly significant because phishing attacks often serve as the first step in wider fraud or ransomware incidents. Staff may be targeted for login details, internal information or authorisation to move funds, and even a small number of successful attacks can have disproportionate consequences.
Dr Kawin Boonyapredee, CISO Advisor at KnowBe4 APAC, commented on the findings and the wider threat picture.
"As organisations in Australia and New Zealand expand their workforce from humans to include autonomous AI agents, the attack surface grows in ways traditional controls were not designed to address," said Dr Kawin Boonyapredee, CISO Advisor at KnowBe4 APAC. "This complexity is being exploited, evidenced by a 17% spike in phishing attacks since late 2025 alone. However, the data proves organisations can combat this through continuous personalised training, which drops employee phishing susceptibility to 5.3% over 12 months."