Cybersecurity vendor KnowBe4, which focuses on human and AI agent risk management, has released their Q3 2025 Phishing Roundup. The research shows that simulated phishing emails personalized to appear from internal departments, particularly HR and IT, continue to drive the highest user interaction rates. This continues and highlighs a persistent trend of employee vulnerability to techniques exploiting familiarity. All of the data for this roundup was aggregated from the KnowBe4 HRM+ platform between July 1, 2025, and September 30, 2025.
In looking at key findings from the Q3 roundup, KnowBe4 found that internal topics dominate. Personalization increased click rate in simulated phishing emails – the two most-clicked subject lines contained the recipients’ company name. Internal topics made up 90% of most-clicked subject lines and HR was cited in 45% of the top 10 most-clicked emails.
Branded landing pages were also a danger, as 70% of simulated landing page interactions involved branded content. Microsoft – unsurprisingly – was the most common brand, accounting for 25%, followed by LinkedIn, X, Okta, and Amazon. In addition, 82% of the top 20 clicked links in simulated phishing emails came from internally themed simulations. 66% used domain spoofing techniques. PDFs made up 56% of the top 20 attachments opened in simulated phishing emails, followed by Word documents (25%) and HTML files (19%).
“When a message seems routine, such as something from HR or IT, users are less likely to question it,” said Erich Kron, CISO advisor at KnowBe4. “The fact that this trend continues quarter after quarter tells us that this is not just about tricking users, it is about understanding human behavior. That is exactly why KnowBe4’s human and agentic AI risk management platform addresses both training and behavior change to build lasting security resilience.” That’s why humans remain the most vulnerable attack surface, something that KnowBe4 protects against weaving risk deterrence into everyone’s workday.
Kron gave an extreme example of this kind of problem, where thieves stole $25 million in one video call.
“An employee in Hong Kong just experienced every security team’s nightmare: a video conference with their CFO and colleagues to discuss an urgent wire transfer,” Kron said. “Crystal clear video. Familiar voices. Everything looked legitimate. There was just one problem: they were the ONLY real person on the call. Every other face? AI-generated deepfakes.” He said that the future of cybercrime isn’t just about better technology. It’s about industrial-scale operations that exploit human psychology.
“To fight back, we need to strengthen the human element in cybersecurity and rise above risk,” Kron emphasized.
Kron works as essentially an evangelist for the company, sharing his knowledge and experience at events ranging from San Diego to Detroit and points in between. In addition, he speaks to people at all levels of IT and cybersecurity from front-line practitioners to C-Level executives across nearly every industry.
For KnowBe4, a key tool is what they call AIDA (Artificial Intelligence Defense Agents). It is an AI-native suite of agents that supercharges your approach to human risk management. It leverages multiple AI technologies to create personalized, adaptive, and highly effective training for all of your users that actually changes behavior. It uses AIDA’s alignment with the NIST Phish Scale Framework. By automating template generation, training, and reporting, AIDA reduces the administrative burden on your security teams so they can focus on protecting your network.
At the core of AIDA is the SmartRisk Agent that creates an adaptive human risk management framework that evolves with your threat landscape. With inputs from all KnowBe4’s products, the SmartRisk Agent utilizes 316 indicators influencing 37 factors across 7 knowledge areas to provide a complete picture of human risk in an organization.