KnowBe4’s latest benchmarking report, based on 42 million phishing simulations worldwide, reveals the sectors most vulnerable to phishing attacks across the UK and Ireland, while highlighting the impact of continuous security awareness training. Healthcare and pharmaceutical organisations are the most susceptible to phishing attacks in the UK, followed by businesses in the hospitality and construction sectors, according to new research from cybersecurity awareness and digital workforce security provider KnowBe4.
The findings come from KnowBe4’s 2026 Phishing by Industry Benchmarking Report, which analysed 42 million phishing simulation tests involving 14.8 million users across 64,000 organisations worldwide. The research found that before any security awareness training is introduced, 43.9% of employees in healthcare and pharmaceuticals are likely to engage with a phishing attack. Hospitality follows at 38%, while construction recorded a baseline Phish-prone Percentage (PPP) of 34.1%.
Financial services (30.7%) and energy and utilities (29.3%) complete the top five most vulnerable sectors in the UK and Ireland.
Across all industries, the average UK baseline PPP stands at 30.3%, meaning almost one in three employees is likely to fall for a phishing attempt before receiving any formal training. Larger organisations face greater risk, with enterprises employing more than 10,000 people recording a baseline PPP of 33.1%, compared with 24.8% among small businesses.
The report also demonstrates the long-term impact of continuous security awareness programmes. Organisations reduced phishing susceptibility by 34.7% after 90 days of training, while after one year of ongoing education the average PPP fell by 81.9%, reaching just 5.5%.
The findings arrive as attackers increasingly use artificial intelligence to create convincing phishing emails, business email compromise (BEC) campaigns and deepfake-enabled social engineering attacks.
Javvad Malik, lead CISO advisor at KnowBe4, said the rise of AI is changing both the threat landscape and the workforce organisations need to protect. “As organisations in the UK expand their workforce from humans to include autonomous AI agents, the attack surface grows in ways traditional controls were not designed to address. This complexity is being exploited, evidenced by a 17% spike in phishing attacks since late 2025 alone. However, the data proves organisations can combat this through continuous personalised training, which drops employee phishing susceptibility to 5.5% over 12 months.”
Globally, the report found Africa recorded the highest baseline phishing susceptibility at 35.9%, followed by North America at 34.5% and South America at 31.5%. Asia reported the lowest baseline risk at 24.9%.
KnowBe4 said the findings reinforce the importance of ongoing, behaviour-focused security awareness programmes, particularly as organisations adopt AI technologies that expand the number of identities and systems requiring protection.




