Phishing simulations revealed high rates of counterfeit internal emails being clicked on
KnowBe4 Releases Q2 2025 Simulated Phishing Roundup Report
In a world where cyber threats are becoming increasingly sophisticated, the importance of human risk management in cybersecurity strategies has never been more crucial. This is the key takeaway from the recently released Q2 2025 Simulated Phishing Roundup report by cybersecurity firm KnowBe4.
The report, based on data collected from the KnowBe4 HRM+ platform between April 1, 2025, and June 30, 2025, sheds light on the ongoing battle against social engineering tactics used by attackers.
One of the most striking findings is the significant rise in PDF attachment clicks, which increased by 8.1% compared to Q1, and accounted for 61.1% of the top 20 attachments. This underscores the need for organisations to be vigilant about the types of attachments they open, especially those from unknown or suspicious sources.
The report also highlights a continued trend of employee susceptibility to social engineering techniques. Phishing emails that appear to originate from reputable sources have a higher chance of lowering a recipient's suspicions. In fact, 98% of the top email subject lines in the report involved interactions with internal communications and well-known brands.
Attackers often use sophisticated social engineering tactics to take advantage of the human instinct to trust. For instance, 71.9% of malicious landing page interactions involved branded content, with Microsoft being the most common brand, accounting for 26.7%, followed by LinkedIn, X, Okta, and Amazon.
At the same time, the report emphasizes the critical role trust plays in cybersecurity. Erich Kron, cybersecurity advocate at KnowBe4, underscores this point, stating that trust is a fundamental component of any successful cybersecurity strategy.
To combat these threats, a layered approach to human risk management is recommended, combining employee empowerment through security training with intelligent detection technology. Employee empowerment means relevant, timely, and adaptive security training, which equips employees with the knowledge they need to identify and respond to threats effectively.
The need for organisations to focus on human risk management in their cybersecurity strategies is further emphasized by the findings. For example, HR was cited in 42.5% of phishing failures, and IT in 21.5%. This suggests that employees across all departments need to be aware of the risks and take steps to protect themselves and their organisations.
The Q2 Simulated Phishing Roundup findings reinforce the need for organisations to strengthen their human defenses. With PDF attachment clicks on the rise and social engineering tactics becoming more sophisticated, it's essential for organisations to invest in security training and real-time threat detection technology to mitigate these threats.
In conclusion, the Q2 Simulated Phishing Roundup report is a valuable resource for organisations looking to improve their cybersecurity strategies. By understanding the threats and trends highlighted in the report, organisations can take proactive steps to protect themselves and their employees from cyber threats.