First publication date: 04.10.2023
A 2025 report by Hoxhunt, which analyzed 50 million phishing simulations and real attacks, confirms this: executives are significantly more likely to click on malicious content than employees, a human risk factor that persists.
An investigation by the Financial Times also confirms the rise in AI-generated spear phishing attacks on executives: hyper-personalized, credible emails that easily bypass traditional filters.
While managers used to be around four times more likely to fall victim to phishing than employees (Ivanti, 2023), this gap has barely narrowed: the global baseline click rate in simulations fell by only half a percentage point in 2024-2025 and remains high at around 30-34%.
The development of phishing is increasingly being driven by AI:
Phishing is often the gateway to more serious attacks:
In addition to data encryption, these losses also include system failures (an average of USD 53,000 per hour), recovery costs, reputational damage, possible fines and the loss of customers.
This makes spear phishing and whaling more difficult:
Standard training courses are not enough. Modern programs must include AI-supported simulations that realistically reproduce deepfakes, quishing and BEC.
Combat overconfidence ("I recognize phishing") with measures grounded in behavioral science, to close the gap between perceived and actual vulnerability.
Use UEBA (User & Entity Behavior Analytics) to detect anomalies. Use post-delivery threat detection tools that rely on behavioral patterns instead of just signatures (e.g. Cofense).
Introduce multi-factor authentication for high-risk communication. In addition, call-back protocols should become mandatory for bank transfers.
Cybersecurity needs support from the very top: 72% of IT service providers will increase their security budgets in 2025. Explicit support from top management correlates measurably with better results.
Regular, independent audits and alignment with NIS2/DORA or national standards are essential.
As ransomware payments remain widespread, companies need to focus more on prevention: incident response, backups, cyber insurance and segmented recovery plans are critical.
Phishing remains the number one gateway for cyber attacks. The threat of hyper-targeted, AI-supported campaigns against executives continues to grow - as does the financial damage: millions lost per incident and sharply rising ransomware costs.
As budgets increase, strategic, AI-sensitive training combined with behavioral analytics and board-level support is becoming more important than ever.