Phishing Click Rate — What Is Normal and How Does Your Company Improve?

April 2026

After the first phishing simulation comes the inevitable question: "Is our click rate good or bad?" The honest answer: without context, a single number is meaningless.

A click rate of 15 percent can be excellent — if the template was a highly personalized CEO fraud. Or alarming — if it was an obvious spam email. The benchmark alone does not tell the whole story.

Average Click Rates — Orientation Values

As rough orientation from aggregated industry data:

In an initial measurement without prior training, click rates typically lie between 20 and 35 percent. That means every fifth to third employee clicks a simulated phishing link. It sounds alarming but is the expected baseline.

After six months of regular training and at least two simulations, the click rate typically drops to 8 to 15 percent.

After twelve months with a continuous program — baseline training, advanced modules, and quarterly simulations — click rates below 5 percent are achievable.

These values are averages and vary considerably by industry, company size, and template difficulty.

Why the Click Rate Alone Is Not Enough

The click rate measures how many employees fell for the attack. It does not measure how many recognized the attack and acted correctly.

The report rate — the share of employees who actively reported the suspicious email — is at least as meaningful. A click rate of 10 percent with a report rate of 40 percent tells a different story than a click rate of 10 percent with a report rate of 2 percent.

Even more interesting is the question of social sharing: do employees warn each other? Does someone post in the team chat, "Careful, this email looks suspicious"? This informal warning is the strongest protective factor in an organization — stronger than any technical tool.

Research confirms it: in organizations where employees warn each other, the probability of a successful phishing attack is significantly lower than in organizations without this culture of social sharing.

Factors That Influence the Click Rate

Department and role play a major part. Finance and HR teams typically have higher click rates — not because they are less competent, but because they work with external emails daily and are used to reacting quickly. Reception staff, assistants, and customer service are also more exposed.

The timing of the campaign matters. On Monday mornings, when inboxes are full, people click faster and less attentively than on Wednesday afternoons.

Template quality is the biggest factor. A generic "Your package has been delivered" template has a much lower click rate than a personalized CEO fraud with the correct name and a current reference. That is why comparisons between campaigns only make sense if template difficulty is taken into account.

From Measurement to Improvement

A phishing simulation is not an end in itself. The value lies in the measures that follow from the results.

Train risk groups specifically: if the finance department has a click rate of 30 percent while the rest is at 12 percent, finance needs additional training — not a reprimand.

Increase template difficulty: if the click rate is below 10 percent after three campaigns, that is a good sign. Now the difficulty can be raised — more realistic templates, personalized attacks, multi-channel scenarios. The bar has to grow with the results.

Positive feedback instead of punishment: employees who report suspicious emails should receive confirmation. "Well spotted, that was a simulation" reinforces the desired behavior. Punishing clicks achieves the opposite — employees hide mistakes instead of reporting them.

Transparency toward the team: results should be shared with the team in aggregated, anonymized form. "Our click rate dropped from 22 to 9 percent" is a success story that creates motivation.

The Most Important Metric Is the Trend

Whether the click rate at the initial measurement is 15 or 30 percent matters less than the question: where does it stand after six months? After twelve months? The development over time is the most meaningful indicator of an awareness program's effectiveness — and the most convincing evidence for any auditor.

Free security awareness training — with quiz, certificate, and measurable results. Learn more in the free security awareness training.

Start for free →