2022 State of the Phish Report Explores Increasingly Active Threat Landscape, Importance of People-Centric Security

We’re excited to announce the launch of our 2022 State of the Phish report, our latest in-depth look at user awareness, vulnerability and resilience. This eighth annual study from Proofpoint features an analysis of global survey responses, simulated phishing exercises and real-world attacks. It also delivers robust benchmarking and insights to help you manage and mitigate user-driven phishing risks more effectively.

This year’s report compiles data from multiple sources, including:

  • A commissioned survey of 3,500 working adults across seven countries (Australia, France, Germany, Japan, Spain, the United Kingdom and the United States)
  • A commissioned survey of 600 infosec and IT professionals across those same seven countries
  • Nearly 100 million simulated phishing attacks sent by Proofpoint customers over a one-year period
  • More than 15 million suspicious emails reported by our customers’ end users

About the report

State of the Phish focuses on analytical insights and actionable advice. This year’s report highlights:

  • Trends and issues that influenced the security landscape in 2021
  • Volumes and impacts organizations dealt with related to socially engineered attacks in 2021
  • End-user awareness gaps and cybersecurity behaviors that could be introducing preventable risk within your organization
  • Key metrics to identify in relation to phishing awareness and training initiatives, including failure rates, reporting rates, reporting accuracy and resilience factors
  • Benchmark data for 25 industry and department designations (versus 20 in last year’s report)
  • Key insights related to real-world reporting, consequence models and security culture
  • Practical advice for using internal data, threat intelligence and clear communications to improve the effectiveness of your security awareness training program

Sneak peek: global findings

Following is an overview of some global findings included in our new report:

Infosec and IT survey

  • Attackers were more active in 2021 compared with 2020. Reports of “bulk” (i.e., indiscriminate) phishing attacks increased by 12% and more targeted attacks—including spear phishing and business email compromise (BEC)—were up about 20%.
  • Attackers were also more successful in 2021. More than 80% of survey respondents said their organization experienced at least one successful phishing attack last year. This represents a year-over-year increase of more than 45%.
  • Nearly 70% of survey participants said their organization experienced at least one ransomware infection in 2021. Almost 60% opted to negotiate with attackers, and many paid more than once (with mixed results).
  • More than 80% of respondents said that at least half of their employees are working remotely (either part time or full time) due to the COVID-19 pandemic. But less than half said they educate workers about best practices for remote working.

Survey of working adults

  • More than 40% of survey participants admitted to taking a dangerous action in 2021, such as clicking a malicious link, downloading malware or exposing login credentials.
  • Nearly all (97%) of those surveyed said they have a home Wi-Fi network, but only 60% said their network is password protected.
  • Of those who have access to an employer-issued device (such as a laptop, smartphone or tablet), 56% said they allow their friends and family members to use those devices for activities like online shopping and playing games. This is an increase from last year’s finding (52%).
  • Key disconnects point to the potential for significant organizational risk. For example, many workers believe their organization or personal email provider will prevent all malicious emails from reaching their inbox.

Proofpoint Security Awareness Training data

  • Though our customers were far more active in their testing in 2021, the average failure rate on simulated phishing attacks held steady at 11% year over year.
  • Among customers who use our PhishAlarm in-client email reporting button, we saw very positive changes between 2020 and 2021: an increase in the average reporting rate on phishing tests and a decrease in the average failure rate, for a 25% improvement in resilience.
  • New benchmark data on reporting accuracy rates show that many of our customers’ users frequently report malicious, suspicious and spam messages.
  • In our one-year measurement period, our customers’ end users reported more than 350,000 credential phishing attacks, nearly 40,000 emails with malware payloads (like Trojans, downloaders and stealers), and more than 20,000 malicious spam messages.

Sneak peek: regional findings

Here’s a look at some of the regional findings in our latest State of the Phish report:

United States

  • 84% of U.S. infosec and IT professionals said security awareness training had reduced phishing failure rates, the most of any country surveyed.
  • 52% of U.S. workers dealt with a cyber attack or fraud in 2021. Nearly 20% of survey participants said they were victims of identity theft, and 17% said they experienced a ransomware infection and paid to regain access to a personal device or data.


  • 81% of French infosec and IT survey respondents said their organization experienced at least one ransomware infection in 2021. But just 44% of these organizations cover ransomware in their security awareness training program.
  • Just over one-quarter (26%) of German workers could correctly identify the definition of ransomware in a multiple-choice array. This was the lowest mark of all countries surveyed and well below the 36% global average.
  • Less than one-third (29%) of Spanish organizations said they’re using a consequence model (meaning disciplinary tactics or punishments for employees who interact with real or simulated attacks). This is the lowest of all countries surveyed—and well below the 55% global average.
  • 82% of U.K. organizations infected with ransomware in 2021 opted to pay at least one ransom, the highest of any region surveyed (and 41% higher than the global average).


  • Only 5% of Australian workers said they had accidentally compromised their account credentials in 2021; that is well below the 11% global average and the high mark set by U.S. workers (17%).
  • Fewer than 45% of the Japanese infosec and IT professionals surveyed for the 2022 State of the Phish report said cybersecurity is a high priority for their organization. That is much lower than the 65% global average—which, in itself, is concerningly low.

Download the report for more global findings and regional insights

There’s no question that organizations experienced both new and familiar cybersecurity challenges in 2021—and that a people-centric security approach has become only more critical.

“Where 2020 taught us about the need to be agile and responsive in the face of change, 2021 taught us about the need to better protect ourselves,” says Alan Lefort, senior vice president and general manager of Security Awareness Training at Proofpoint. “As email remains the favored attack method for cyber criminals, there is clear value in building a culture of security. In this evolving threat landscape and as work-from-anywhere becomes commonplace, it is critical that organizations empower their people and support their efforts to learn and apply new cyber skills, both at work and at home.”

Download your copy of the 2022 State of the Phish report now to get full access to global and regional findings, including country-by-country breakdowns of the survey results.

Also, be sure to register for our February 24 webinar, 2022 State of the Phish, where Proofpoint experts will break down the report findings and insights, and you can participate in a live Q&A session.