The latest edition of the Terranova Security Global Phishing Benchmark Report is now available, giving cyber security and risk management leaders data-driven insights that stem from the global phishing simulation deployed during the 2021 Gone Phishing TournamentTM.

The resulting report suggests that, despite taking place during Cybersecurity Awareness Month, many employees were still susceptible to this type of phishing attack, and that organizational security awareness training must include real-world phishing simulations to ensure reliable threat detection and avoidance.

The data shows that employees are even more susceptible to phishing attacks than they were in 2020 and that current approaches to security awareness training must include real-world phishing simulations for reliable detection.

What is the Gone Phishing Tournament?

The Gone Phishing Tournament is a free annual cyber security event that empowers organizations everywhere to strengthen their security awareness training programs with accurate, dependable benchmarking data.

The insights generated by this data help security leaders better understand their organization’s phishing vulnerabilities, establish concrete cyber security goals, and build foundational resilience to ever-evolving cyber threats.

The 2021 edition of the Gone Phishing Tournament once again benefited from the partnership between Terranova Security and Microsoft. The two organizations collaborated on the phishing template used for the phishing simulation, leveraging real-world Microsoft intel to accurately portray the emulated cyber threat.

This year’s email, of which nearly 1 million were sent to participating organizations’ end users, and webpage templates reflected a real-world scenario all end users, particularly those working in a remote or hybrid environment, may encounter in their daily lives.

The template’s scenario, selected by the Terranova Security leadership team, measured several end user phishing behaviors, including:

  • Clicking on a link in the body of a phishing email
  • Delivering ransomware in a downloadable file through a phishing webpage.

Summary of Findings

The Tournament, which welcomed participating organizations from around the world, demonstrated that phishing threats are as prevalent as ever, with nearly one in five recipients clicking on the phishing email link included in the simulation’s initial message.

In addition, over 14% of all end users who encountered the scenario ultimately failed to identify the simulation’s webpage as unsafe and clicked on a link to download a malware file. Globally, more than 70% of the phishing simulation’s clickers went on to obtain the file from the phishing webpage.

Other highlights include:

  • When it came to downloading the malware document, North America fared best as a region (11.8%), while Europe took the runner-up slot. The Asia Pacific region finished with the highest malware download rate.
  • For click rates by industry, Education, Finance and Insurance, and Information Technology exhibited the highest totals, all scoring over 25%. Meanwhile, Healthcare, Transport, and Consumer Product all kept their click rates under 10%.
  • Information Technology had the highest click-to-download ratio across all industries, with 84% of those who clicked on the initial phishing link eventually downloading the malware file.
  • Interestingly, organizations with over 3000 employees performed worst of all size segments, posting an 18% email link click rate and a 12% document download rate. Of all the size brackets, they also featured the largest click-to-download ratio at 66%.
  • On the other size of the organizational size spectrum, those in the 500-2999 employee count range fared the best click rate-wise at 11%. This segment was also the one with both security awareness and phishing training programs in place.

How to Create the Best Phishing Simulation Training Campaigns for Your Organization

There are several things any organization, regardless of size, sector, or region, can do to build effective phishing simulation training that delivers consistent results. Here are a few recommendations from Terranova Security in-house CISO experts:

1.   Target the right end user behaviors

Explore your existing cyber security data to pinpoint employee behavior patterns or specific actions that have led to past data breach incidents. With this intel, you can determine which behaviors (e.g., clicking on a webpage link, submitting credentials in a malicious web form) your organization should target with your eLearning initiatives.

2.   Use phishing templates that address specific weaknesses

From templates that request password changes to those that ask recipients to download a suspicious email attachment, your phishing simulation templates must dovetail with the behaviors you wish to target with your larger training program. Over time, you can also up the difficulty level by including fresh scenarios to counter emerging threats.

3.   Collect real-time phishing simulation data

Collecting real-time phishing simulation data goes a long way in facilitating the process of maintaining and optimizing your security awareness on a quarterly or yearly basis. This data also informs behavior targeting choices you make for future simulations, training courses, and other reinforcement outreach.

4.   Track and monitoring user progress

Similarly, continuously monitoring end user progress related to phishing simulation performance will help your organization’s leadership team better gauge where those improvement areas lie and, broadly speaking, maximize your cyber security return on investment.

5.   Deploy just-time training modules for instant feedback

Whether it’s just for clickers or for every employee who participates in a phishing simulation, providing just-in-time training modules with instant feedback ensure everyone has access to actionable information and best practices regularly.


The Gone Phishing Tournament showed that, even as cyber threats continue to grab headlines worldwide, many organizations and their end users have room for improvement where phishing detection and avoidance are concerned. However, this reality is also an opportunity for organizations to invest in their employees and ensure that everyone has the tools they need to keep sensitive information safe.



Free Phishing Benchmarking Data to Train Your Cyber Heroes

Drive effective behavior change and strengthen your security awareness training initiatives with in-depth benchmarking data and expert guidance.