Phishing is still one of the most effective ways for attackers to get a foothold in an organisation.
Last year we looked at data from more than 500,000 phishing simulations. These simulations were conducted by us and based on real-world attack techniques and psychological triggers used by attackers today.
We shared what we learned at the time.
Now, with new data in hand, it’s time to see what’s changed.
PHISHING TRICKS
From urgency to curiosity
We use different “signs” in our phishing mails that play on different psychological triggers. We simulate the ones we see the most often in the real world.
For years, urgency has been the most reliable phishing tactic.
Emails that created pressure, like “Act now”, “Your account will be deleted”, or “Immediate action required”, consistently led to more clicks and more submissions. The feeling of time running out made people act before thinking.
But our data from 2025 tells us a slightly different story. It shows that another trigger has become even more effective.
Curiosity has overtaken urgency as the strongest driver of clicks
People are now more likely to click on emails with compelling, curiosity-driven subject lines.
For example, “This person requested to connect with you on LinkedIn” or “1 message is being held for you to review”.
Let's see how our other signs performed in comparison.

Urgency and rewards still play an important role, especially when it comes to submitting data. When those signs are present, people who click are still more likely to follow through.
Curiosity-driven emails are different.
People click more, but they’re less likely to submit data.
One possible explanation lies in what happens after the click.
Curiosity often triggers a fast, almost automatic reaction. Once people land on the page and see the content, some recognise that something feels off and stop before entering any information.
But clicking isn’t harmless.
Even when curiosity-driven emails don’t lead to data submission, a single click can still trigger a malware download or take you to a malicious fake website designed to steal personal information.
In other words, fewer submissions don’t necessarily mean fewer incidents.
The shift from urgency to curiosity doesn’t reduce the risk. It just changes how, and when, that risk unfolds.
BY WEEKEND
Clicks also happen outside work hours
Previously, weekdays were the riskiest. That’s when click and submit rates were highest.
But that pattern changed in 2025. People were more likely to click and submit outside normal work hours, particularly during the weekend.

We can’t point to a single explanation, but the pattern is clear.
Outside of work, context changes. People read emails more casually, often on personal devices, and with less of the routine skepticism that comes with a work setting. Attention is split, expectations are different, and emails blend more easily into everyday noise.
This becomes even clearer when we break click and submit rates down by the hour.

Click and submit rates tend to peak early in the morning and later in the afternoon. These are moments when people are starting up, winding down, or switching context, and emails are often handled more quickly.
Taken together, the picture is consistent across time and context.
Phishing isn’t just a workplace issue anymore. The risk follows people outside the office.
PEAK PHISHING SEASON
Clicks rise during the holidays
Each year, we run seasonal phishing simulations during the holiday period. These emails reflect the kinds of messages people expect to see at that time, such as sales, rewards, and end-of-year offers.
Even among trained users, we see a consistent seasonal pattern: click rates increase during November and December.
From 2024 to 2025, the trend remains clear:
- November 2024: 7%
- December 2024: 11%
- November 2025: 10%
- December 2025: 12%
The emails and themes themselves don’t change much.
“Time to pick out your Christmas presents.” Black Friday offers. End-of-year deals.
The higher click rate during this time makes perfect sense. During this period, phishing activity also increases significantly. Attention is divided, and inboxes are busier. Familiar themes blend in more easily, and people engage a little faster than usual.
The holiday spirit makes us more vulnerable, and a little extra caution can go a long way.
Stopping and thinking before you click can make all the difference.
INFRASTRUCTURAL RISKS
Critical infrastructure amongst the most vulnerable industries
When we break down our data by industry, some sectors stand out more than others.
Globally, critical infrastructure is among the most targeted sectors for cyberattacks.
Our own data reflects similar trends at a human level.
Organisations within critical infrastructure are among the top five industries with the highest click rates, at around 15%, significantly higher than our overall benchmark.
This includes:
- Electricity, gas, and district heating
- Water supply
- Schools and universities
That doesn’t necessarily mean people in these sectors are less aware or less careful.
Many of these roles are about keeping things running. Emails about access, updates, or external systems are part of everyday work, and acting quickly is often the right thing to do. When messages look familiar, they don’t always stand out as suspicious.
Add busy inboxes, external partners, and work environments where attention is often split, and phishing emails can blend in more easily.
These are industries that keep society running. Even just a few wrong clicks can have critical consequences.
WHAT HAPPENS OVER TIME
People do get better over time
Phishing often comes with dramatic headlines about new tricks, new threats and new reasons to worry.
And to be fair, some of that concern is justified.
But when we step back and look at the data over time, another story appears.
Across more than 600,000 phishing simulations, we see a slow but consistent trend: people get better.

It doesn’t happen overnight. People don’t suddenly stop clicking on everything. But what we do see is that they get better at recognising familiar patterns, slowing down, and stopping before submitting information.
And while curiosity may win more clicks today, experience still wins in the long run.
Remember that if you want to test your company and compare your performance to all of the above stats, you can read more on our phishing training page on how to get started.