Pular para o conteúdo principal
Close
Security

Phishing: 1 in 3 Clicks and the Repetition That Closes the Door

Gabriel Ferraresi· CEO | Tech86July 15, 20265 min
securityphishingawarenesssimulationmfaedrroihuman-resources

1 in 3 employees clicks on phishing. That is the number that defines the problem — and most companies still treat awareness as a checkbox.

According to KnowBe4 2025, based on 67 million simulations, the global click rate before training is 33.1%. In Brazil, according to Kaspersky 2025, 553 million phishing attempts were blocked in 12 months — 1.5 million per day. The math is direct: 33.1% click rate against 1.5 million malicious emails per day. The problem lives in people, not in technology.

We at Tech86 see this pattern in every company we audit. The technical infrastructure is hardened — firewall, EDR, MFA, Zero Trust. But the employee still clicks. And one click is all the attacker needs.

The scale: 33.1% click rate, 1.5 million emails per day

The numbers are what scare. According to KnowBe4 2025, 33.1% of employees click on phishing before any training. It is not a subset — it is one in three. In a 300-person company, 100 will click on the first convincing email they receive.

In Brazil, according to Kaspersky 2025, 553 million phishing attempts were blocked in 12 months. That is 1.5 million per day — and it is only what was blocked. What passed the filters reached the inboxes. And against those, the click rate is 33.1%.

Phishing also evolved. According to Microsoft 2025, AI-generated phishing reached a 54% click rate versus 12% for manual phishing. AI eliminates grammatical errors, personalizes the message at scale, and mimics the target company's tone. According to Cofense 2025, there is one attack every 19 seconds. Volume and quality increased at the same time — and the average employee has no instinctive defense against it.

The answer is repetition

This is where it changes. According to KnowBe4 2025, after 12 months of continuous simulation, the click rate drops from 33.1% to 4.1%. An 87.6% reduction. It is not an annual workshop. It is not a best-practices PDF. It is repetition.

According to KnowBe4, based on 493 million tests, weekly simulations are 2.74x more effective than quarterly ones. Frequency is the variable that matters most — more than training content, more than duration, more than format. The brain learns through repeated exposure. An annual workshop is an event. A weekly simulation is a habit.

We repeat: the answer is repetition. There is no shortcut. One-off training does not change behavior because behavior does not change with a single stimulus. Continuous simulation works because it rewrites the employee's automatic reaction to seeing a suspicious email. The click stops being instinct and becomes a decision.

MFA is necessary. Training is what closes the door

MFA is the layer most companies already have. And it is necessary — without MFA, leaked credentials work on their own. But MFA is not sufficient.

According to Proofpoint 2025, 59% of compromised accounts had MFA active. The attacker evolved: MFA fatigue (sending dozens of prompts until the user approves out of exhaustion), adversary-in-the-middle (a proxy that intercepts the session token after MFA), and phishing kits that capture the second factor in real time. MFA raises the cost of the attack, but it does not close the door.

MFA is necessary. Training is what closes the door. The two layers work together — MFA contains what training did not prevent, and training reduces what reaches MFA. Neither replaces the other. Whoever trusts MFA alone is betting the attacker did not evolve — and the attacker did evolve.

The ROI: $4.8 million against $80K

The financial argument is what closes the conversation. According to IBM 2025, the average cost of a phishing-initiated breach is $4.8 million. That figure includes detection, containment, notification, revenue loss, and regulatory fines.

The cost of an annual simulation program is about $80K — a market estimate for a mid-size company. The return is approximately 60 to 1. Every dollar invested in simulation prevents 60 dollars in breach cost.

No security control has ROI of that magnitude. Firewall does not. EDR does not. SIEM does not. All of them reduce risk, but none has a 60-to-1 ratio between cost and loss avoided. The reason is simple: phishing is the entry vector in more than a third of breaches, and simulation is the only control that attacks the human variable directly — which is where the attacker enters.

How Tech86 implements

We send unlimited phishing simulations, with micro-training at the moment of the click. The employee clicks, immediately receives a 30-second training in the exact context of the mistake — not a week later in a classroom. The human risk panel identifies who is vulnerable, by department, with historical click rate and trend.

The reporting button integrated with Outlook and Gmail turns every employee into a sensor. A suspicious email reported by one employee alerts the entire security team before others click. And EDR detects and isolates the payload if the click becomes execution — because even with training, some click will happen. The three layers work together: training reduces clicks, the reporting button turns clicks into intelligence, EDR contains what escaped.

Conclusion: simulation is the highest ROI control

Simulation is the highest ROI control in your security stack. Whoever treats it as a checkbox doesn't understand the problem.

The problem is not lack of technology — it is lack of repetition. A 33.1% click rate is not a firewall failure; it is a habit failure. And habit changes through repeated exposure, not through an annual workshop. The 87.6% reduction after 12 months is not magic — it is the human brain's response to repetition.

At Tech86, we help companies build simulation programs that actually reduce click rates — with weekly frequency, micro-training at the moment of the click, a human risk panel by department, and integration between the reporting button and EDR. Not as a checkbox. As the highest ROI control that exists in your security stack.

Interested in this solution?

Explore our managed services and infrastructure.

Phishing Simulation and Training

Frequently Asked Questions

According to KnowBe4 2025, based on 67 million simulations, the global click rate before training is 33.1%. That means 1 in 3 employees clicks on a phishing email. In Brazil, according to Kaspersky 2025, 553 million phishing attempts were blocked in 12 months — 1.5 million per day. The math is direct: 33.1% click rate against 1.5 million malicious emails per day. The problem lives in people.

According to KnowBe4 2025, after 12 months of continuous simulation, the click rate drops from 33.1% to 4.1% — an 87.6% reduction. The answer is repetition. Weekly simulations are 2.74x more effective than quarterly ones, according to KnowBe4, based on 493 million tests. Frequency is the variable that matters most. One-off training does not change behavior; weekly repetition does.

According to Microsoft 2025, AI-generated phishing reached a 54% click rate versus 12% for manual phishing. AI personalizes messages at scale, mimics tone and context, and eliminates the grammatical errors that used to expose amateur attacks. According to Cofense 2025, there is one attack every 19 seconds. Volume and quality increased at the same time.

MFA is necessary, but it is not sufficient. According to Proofpoint 2025, 59% of compromised accounts had MFA active. MFA adds a layer, but attackers use techniques like MFA fatigue and adversary-in-the-middle to bypass the second factor. MFA is necessary. Training is what closes the door. The two layers work together — neither replaces the other.

According to IBM 2025, the average cost of a phishing-initiated breach is $4.8 million. The cost of an annual simulation program is about $80K (market estimate). The return is approximately 60 to 1 — every dollar invested in simulation prevents 60 dollars in breach cost. Simulation is the highest ROI control in your security stack. Whoever treats it as a checkbox doesn't understand the problem.

Blog — Get in Touch

Have a question about our articles or services? Our team is ready to help.

Schedule a Meeting

Book a time slot.

Schedule Now

Email

Send us a message.

[email protected]

WhatsApp

Quick conversation.

Address

Avenida Paulista, 1636 - São Paulo - SP - 01310-200

Tech86 Specialist

Online now

Hello! How can we help scale your business today?

Tech86 Engineering

We Value Your Privacy

We use cookies and similar technologies to optimize your experience, analyze site traffic, and personalize content. By clicking "Accept All", you agree to the use of all cookies. Read our Privacy Policy.