Organisations in Africa can reduce phishing susceptibility by 79% after just one year of consistent security awareness training (SAT) – despite a threat landscape increasingly powered by AI, according to new research from KnowBe4.
The 2026 Phishing By Industry Benchmarking Report analysed 42-million phishing simulations across 14,8-million users at 64 000 organisations worldwide. The findings show that while employees remain a primary target for cybercriminals, organisations that invest in ongoing training and simulated phishing exercises can dramatically reduce employee phishing susceptibility over time.
According to the report, the African average Phish-prone Percentage (PPP) – the percentage of employees likely to engage with a phishing attack – starts at 35,9% before training. After 90 days of security awareness training, that figure drops to 21,1% – and after one year, falls to just 7,4%.
The security company says these findings come at a crucial point as cybercriminals increasingly leverage AI to generate highly personalised phishing campaigns, business email compromise (BEC) schemes, and deepfake-enabled social engineering attacks at scale. It is more important than ever to ensure employees are aware of the most current cyberthreats to avoid becoming victims.
Key findings for Africa in the report include:
- Before any training, more than one in three employees (35,9%) in Africa is likely to engage with a phishing attempt – slightly higher than the global average of 33,2%.
- Baseline PPP rises steadily with organisational size. Large enterprises in Africa with 10 000+ employees face a baseline PPP of 39%, compared with 28,9% for small businesses.
- The three most vulnerable industries at baseline in Africa are Energy & Utilities (48,0%), Retail & Wholesale (45,2%) and Consumer Services (43,6%), followed by Financial Services, Government, and Banking, all clustered in the high-30s.
- Organisations in Africa reduced phishing susceptibility by 41,2% within the first 90 days and by 79% after one year of ongoing security awareness training, reinforcing that continuous training drives lasting behaviour change over one-time compliance exercises.
- Globally, Africa recorded the highest baseline risk at 35,9%, followed closely by North America at 34,5% and South America at 31,5%, while Asia entered with the lowest baseline at 24,9%.
“As organisations in Africa expand their workforce from humans to include autonomous AI agents, the attack surface grows in ways traditional controls were not designed to address,” says Anna Collard, CISO advisor and SVP content strategy at KnowBe4 Africa. “This complexity is being exploited, evidenced by a 17% spike in phishing attacks since late 2025 alone. However, the data proves organisations can combat this through continuous personalised training, which drops employee phishing susceptibility to 7,4% over 12 months.”