KnowBe4’s Q2 2025 Phishing Simulation Roundup Report


KnowBe4’s Q2 2025 Phishing Simulation Roundup Report reveals how phishing tactics continue to adapt and how employees are reacting. Based on simulation data from April to June 2025 collected via the KnowBe4 HRM+ platform, the report highlights which phishing approaches remain most successful.

For organisations focused on strengthening their human defence, these insights provide both a clear benchmark and a roadmap for action.

What Are Users Still Clicking?

The report’s most notable finding is that phishing emails themed as internal communication remain the most successful. Among the top 10 most-clicked simulation templates in Q2, 98.4% of clicks went to templates styled to appear as internal messages, covering topics such as HR, IT, and team collaboration platforms.

Within these internal themes:

  • 42.5% of clicks were on HR-related topics such as reimbursements, performance reviews, and policy updates.
  • 21.5% were IT-related, including messages about helpdesk support and internet usage reports.

The most effective subject line during the quarter was:
“Microsoft Teams: You have been added as a guest to [[company_name]] Strategic Planning.”

Other examples that received high click-through rates included:

  • MS Teams Strategic Planning Doc
  • Google Doc IT Help Desk
  • HR Reimbursement
  • HR: Dress Code
  • Time Off Request

These results indicate that users are more likely to engage with phishing emails that mirror their everyday workplace communication.

Brands Continue to Be a Key Vector

The report also highlights the role of brand impersonation in phishing simulations. 71.9% of landing page interactions involved the use of a well-known brand. Attackers rely on this trust to increase the chances of engagement.

The most impersonated brands were:

  • Microsoft (26.7%)
  • Amazon
  • LinkedIn
  • Okta
  • X (formerly Twitter)

There was also a noticeable increase in phishing pages styled after social media platforms, especially X, which accounted for 17.2% of interactions, up from Q1. This suggests a continued expansion in the types of services attackers are mimicking.

Insights From Real-World Reports

In addition to simulated attacks, KnowBe4 also tracks real phishing emails reported by users through its Phish Alert Button (PAB). These incidents offer a closer look at the tactics being used in active campaigns.

Some common patterns observed:

  • Urgency and disruption: e.g. “Please ASAP Read – Action Required” or “Urgent: Payment Verification Required”
  • Credential prompts: often impersonating IT, Microsoft, or AI-related updates
  • Financial and business-related: e.g. onboarding emails, ad account notifications, or audit mentions
  • Document requests: such as “Adobe Sign: Signature Requested”

These emails often included phishing links, spoofed sender domains, or attachments designed to look authentic.

How Users Interact With Phishing Content

The report also analyses how users respond to different phishing delivery methods:

  • Hyperlink clicks:
    • 80.6% of the top-clicked links came from internal-themed simulations
    • 68.2% used domain spoofing (a sender or link domain made to look like a trusted one), reinforcing the need to train users to inspect the actual sender address and link destination rather than the display name
  • QR codes:
    • An emerging tactic
    • 3 out of the top 5 scanned QR codes were HR-related
  • Attachment types:
    • PDFs were the most clicked format (61.1%), with an 8.1% increase over Q1
    • HTML files made up 20.9%, often used for credential harvesting
    • Word documents accounted for 18%, mostly containing macros

This confirms that phishing lures are diverse in both delivery method and format, so simulations need to cover QR codes and attachments as well as hyperlinks.

What This Means for Organisations

The Q2 2025 data shows that phishing tactics are continuing to evolve in line with user behaviour. What remains consistent is the role of human judgement and the importance of preparing employees to pause, assess and respond correctly.

To address this, organisations should consider the following steps:

  • Ongoing Security Awareness Training
    Training should be relevant, continuous, and adaptive to new tactics such as QR code phishing, brand impersonation, and internal-themed emails.
  • Focused Communication Awareness
    Special attention should be given to common internal formats, especially HR and IT communications, which consistently lead to high engagement.
  • Education on Common Psychological Triggers
    Employees should be trained to recognise urgency, authority, and familiarity as potential signals of phishing, not validation.
  • Clear Verification Processes
    Build habits and protocols for verifying unexpected requests, especially those involving access credentials, sensitive documents, or financial instructions.
  • Supportive Technical Controls
    Layered technical controls such as domain authentication, attachment sandboxing, and email filtering should complement user education efforts.
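The two points above that are technical, sender domain spoofing under hyperlink clicks and domain authentication under technical controls, can be combined in one check. The following Python script is an added example written for this page; it is not code from the KnowBe4 report or from iConnect. It assumes a hypothetical internal domain `example.com`, a small confusables table, and three constructed messages (not real traffic), and it reads the `Authentication-Results` header in the RFC 8601 form that a receiving mail server adds after evaluating SPF, DKIM and DMARC.

```python
"""Flag inbound mail whose visible sender domain is a lookalike of an internal domain,
or whose internal-looking sender fails DMARC / is not aligned with a passing identity.
Added example for this page; INTERNAL_DOMAINS, CONFUSABLES and SAMPLES are assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for the example: the organisation's own sending domains.
INTERNAL_DOMAINS = ("example.com",)

# Illustrative substitutions seen in lookalike domains (not an exhaustive homoglyph table).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w", "cl": "d"}


def normalise(domain):
    """Lower-case and fold confusable characters so 'examp1e.com' compares as 'example.com'."""
    d = domain.lower().strip(".")
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def levenshtein(a, b):
    """Edit distance, used to catch near-miss spellings such as 'exmaple.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the protected domain this one imitates, or None if it is internal or unrelated."""
    domain = domain.lower()
    if any(domain == p or domain.endswith("." + p) for p in INTERNAL_DOMAINS):
        return None  # the real domain or one of its subdomains
    norm = normalise(domain)
    labels = norm.replace("-", ".").split(".")  # 'example.com-login.net' -> example, com, login, net
    for protected in INTERNAL_DOMAINS:
        base = protected.split(".")[0]
        if (norm == normalise(protected)              # confusable-character swap
                or levenshtein(norm, protected) <= 2  # typo-squat; threshold is a tuning choice
                or base in labels):                   # brand name embedded in a foreign domain
            return protected
    return None


def parse_auth_results(header):
    """Parse an Authentication-Results header (RFC 8601) into {method: (result, properties)}."""
    results = {}
    for clause in header.split(";")[1:]:  # the first clause is the authserv-id, e.g. mx.example.com
        m = re.match(r"(\w+)=(\w+)(.*)", clause.strip())
        if m:
            method, result, rest = m.groups()
            results[method] = (result, dict(re.findall(r"(\w+\.\w+)=([\w.\-@]+)", rest)))
    return results


def assess(raw_message):
    """Return a list of findings for one RFC 5322 message; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    findings = []
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"lookalike sender domain {from_domain!r} imitates {target!r}")
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    dmarc = auth.get("dmarc", ("none", {}))[0]
    if target is None and any(from_domain == p or from_domain.endswith("." + p) for p in INTERNAL_DOMAINS) \
            and dmarc != "pass":
        findings.append(f"internal sender {from_domain!r} failed DMARC ({dmarc})")
    # Strict alignment: the visible From domain must equal a passing DKIM d= or SPF mail-from domain.
    # (Relaxed alignment on the organisational domain is omitted for brevity.)
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    spf_result, spf_props = auth.get("spf", ("none", {}))
    aligned = (dkim_result == "pass" and dkim_props.get("header.d", "").lower() == from_domain) or \
              (spf_result == "pass" and spf_props.get("smtp.mailfrom", "").rsplit("@", 1)[-1].lower() == from_domain)
    if not aligned:
        findings.append(f"From domain {from_domain!r} is not aligned with any passing SPF/DKIM identity")
    return findings


# Constructed sample messages (not real traffic): a legitimate internal mail, an authenticated
# lookalike, and a spoof of the internal domain that fails DMARC. Subjects mirror the report's lures.
SAMPLES = {
    "legit": ("From: HR <hr@example.com>\n"
              "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=hr@example.com;"
              " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
              "Subject: HR: Dress Code\n\nPlease review the updated policy.\n"),
    "lookalike": ("From: HR <hr@examp1e.com>\n"
                  "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=hr@examp1e.com;"
                  " dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com\n"
                  "Subject: HR Reimbursement\n\nYour reimbursement is waiting.\n"),
    "spoof": ("From: IT Helpdesk <it-helpdesk@example.com>\n"
              "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bounce@bulk-mailer.test;"
              " dkim=none; dmarc=fail header.from=example.com\n"
              "Subject: Google Doc IT Help Desk\n\nSign in to view the document.\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", assess(raw) or "no findings")
```

The lookalike sample is the instructive one: it passes SPF, DKIM and DMARC, because the attacker legitimately controls `examp1e.com`. Domain authentication only proves that the visible domain was not forged, so it has to be paired with a lookalike check and with the user habit of reading the sender domain rather than the display name.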

How iConnect Can Help

As an award-winning KnowBe4 partner, we support enterprises in implementing practical and measurable security awareness strategies. From setting up simulation campaigns to building human risk management dashboards, our team works with you to develop a culture of awareness and accountability across your organisation.

If you’re ready to reduce phishing risk through people-first security, talk to us today.
