What's a Good Phishing Click Rate? 2026 Benchmarks by Industry

Average phishing simulation click rates for 2026, broken down by industry, plus what 'good' actually looks like and how to bring yours down.

If you have just run a phishing simulation, your first question is the obvious one: is this number good or bad? Here is the context you need to read your result, using 2026 benchmark data.

What "click rate" actually measures

Click rate is the share of people who clicked the link in a simulated phishing message. It is the headline metric of any awareness program because it is a direct, behavioral signal: not whether people say they are careful, but what they actually did.

The global average

For organizations that have never trained their people, the 2026 numbers are sobering. Benchmark datasets put the untrained baseline around 33 to 34 percent. In other words, roughly one in three employees clicks a realistic lure the first time.

That is the bad news. The good news is that this number moves faster than almost any other security metric once you start testing.

Click rates by industry

Rates vary widely by sector, driven by regulation, technical literacy, and how email-heavy the work is. Approximate ranges for organizations early in their programs:

| Industry | Typical early click rate |
|---|---|
| Hospitality | 45 to 53 percent |
| Education | 25 to 50 percent |
| Healthcare | 20 to 35 percent |
| Manufacturing | 12 to 20 percent |
| Retail | 10 to 18 percent |
| Technology | 5 to 9 percent |
| Financial services | 4 to 7 percent |

Sources vary in methodology, so treat these as ranges, not gospel. The pattern is what matters: heavily regulated, well-funded sectors like finance and tech sit lowest, while high-turnover, less email-trained sectors like hospitality and education sit highest.

So what is a "good" click rate?

For a mature program running regular simulations, 3 to 5 percent is the widely cited gold standard, achievable after about a year of consistent testing. If you are starting in the double digits, do not panic. That is normal. The trajectory matters more than the starting point.

Click rate is not the whole story

A low click rate can hide a weak program. Two numbers tell you more about real resilience:

  • Reporting rate: the share of people who reported the suspicious message. A high reporting rate means your team is actively defending, not just avoiding.
  • Time to report: how quickly the first report comes in. Minutes is great. Days means an attacker would have had free rein.

A team with a 6 percent click rate and a 50 percent reporting rate is in far better shape than a team at 3 percent that reports nothing.
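
One way to compute click rate, reporting rate and time to first report from a campaign's raw event log, overall and per team. This is an added example, not phis3d's own code; the record layout, user names, teams and timestamps are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data for one simulated campaign (hypothetical users).
SENT_AT = datetime(2026, 3, 2, 9, 0)
RECIPIENTS = {  # user -> team; this is the denominator for every rate
    "ana": "finance", "ben": "finance", "cho": "finance", "dee": "finance",
    "eli": "support", "fay": "support", "gus": "support", "hal": "support",
}
EVENTS = [  # (user, action, timestamp)
    ("eli", "click", datetime(2026, 3, 2, 9, 4)),
    ("eli", "click", datetime(2026, 3, 2, 9, 5)),    # repeat click, same person
    ("ana", "report", datetime(2026, 3, 2, 9, 12)),
    ("fay", "click", datetime(2026, 3, 2, 9, 30)),
    ("fay", "report", datetime(2026, 3, 2, 9, 41)),  # clicked, then reported
    ("ben", "report", datetime(2026, 3, 2, 10, 15)),
    ("zed", "click", datetime(2026, 3, 2, 11, 0)),   # not on the target list
]

def campaign_metrics(recipients, events, sent_at, team=None):
    """Return click rate, reporting rate and minutes to the first report."""
    targets = {u for u, t in recipients.items() if team in (None, t)}
    if not targets:
        raise ValueError("no recipients in scope")
    clicked, reported, first_report = set(), set(), None
    for user, action, ts in events:
        if user not in targets:
            continue  # events from outside the target list would skew the rate
        if action == "click":
            clicked.add(user)  # a set counts each person once
        elif action == "report":
            reported.add(user)
            if first_report is None or ts < first_report:
                first_report = ts
    minutes = None
    if first_report is not None:
        minutes = (first_report - sent_at).total_seconds() / 60
    return {
        "click_rate": len(clicked) / len(targets),
        "report_rate": len(reported) / len(targets),
        "minutes_to_first_report": minutes,  # None means nobody reported
    }

if __name__ == "__main__":
    for scope in (None, "finance", "support"):
        print(scope or "all", campaign_metrics(RECIPIENTS, EVENTS, SENT_AT, scope))
```

Counting people rather than events keeps repeat clicks from inflating the rate, and a `None` time to first report separates "nobody reported" from "reported slowly".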

How to bring your rate down

  1. Test consistently. One campaign every four to six weeks beats a single annual event. (More on cadence in our step-by-step guide.)
  2. Always show the reveal. Immediate, specific feedback is where learning sticks.
  3. Rotate your lures. If every test looks the same, you are measuring memory, not skill.
  4. Test SMS too. Text-based lures often score far higher than email, so an email-only rate flatters you. See email vs SMS phishing.
  5. Coach, do not punish. Repeat clickers need support, not a public list.

Get your baseline number

You cannot improve what you have not measured. phis3d makes it simple to run a baseline phishing test, see your click rate by team, and track it down over time. Sign up and we will include a free baseline test.
