The latest data from Verizon has revealed that phishing was the third most common method of initial access in the data breaches the firm analyzed for its 2025 Data Breach Investigations Report. Phishing accounted for 16% of all data breaches in 2025, having been overtaken by vulnerability exploitation (20%). The leading initial access method was credential misuse, which was involved in 22% of data breaches. Verizon does note, however, that while incident responders may identify compromised credentials as the cause, it is not always clear how those credentials were obtained. It is possible that they were obtained in a previous phishing attack that went undetected, so phishing may have been involved in a higher percentage of data breaches.
The report highlights the extent to which cybercriminals exploit human weaknesses. The human element was involved in approximately 60% of data breaches in 2024, down slightly from the 61% of data breaches the previous year. The human element could involve a click on a link in a phishing email, resulting in the theft of credentials, a visit to a malicious website where malware is downloaded, a misconfiguration that is exploited, or a response to a phone call or text message. In 32% of data breaches, the human element was ascertained to result in credential abuse, 23% involved social interactions, 14% involved errors, and 7% involved interactions with malware.
This year’s report delves into the importance of security awareness training and how providing regular training can really make a difference to an organization’s security posture, especially when combined with phishing simulations. Providing training to the workforce will teach employees about security best practices, which will help to eradicate risky behaviors. Employees should be taught how to identify a phishing email and be conditioned to report any suspicious emails to their security team immediately. Phishing simulations help to reinforce training and identify individuals who have failed to apply the training. If an individual fails a phishing simulation, they can be provided with additional training to help ensure they do not make a similar identification error in the future.
The report revealed that out of the companies that provided security awareness training and conducted phishing simulations, there was a much higher reporting rate when employees had received training more recently. The baseline reporting rate was 5%, which shot up to 21% with recent training.
The data shows why it is so important to provide ongoing security awareness training to keep cybersecurity matters fresh in the mind. It is also important to incentivize employees to report potential phishing emails rather than punish those who don’t, and to clearly explain that reporting suspicious emails helps security teams to contain threats more quickly and limit the damage. It is also important to make it as easy as possible for employees to report potential threats. Ideally, employees should be able to report a potential phishing or scam email with a single click in their email client.
TitanHQ offers an email security suite that includes the SpamTitan cloud-based anti-spam service and the PhishTitan phishing prevention and remediation solution for Microsoft 365 users. SpamTitan incorporates dual anti-virus engines for detecting known malware, email sandboxing for detecting novel threats, AI and machine-based learning algorithms for identifying phishing and spam emails, plus SPF, DKIM & DMARC, allow listing, blocking, greylisting, and dedicated real-time block lists. An email client add-in is also provided to allow employees to easily report potential threats.
The PhishTitan solution is based on the same engine that powers SpamTitan, incorporating AI and machine learning to detect phishing threats, and also adds banner notifications for emails to warn employees about potential threats from external email addresses. The remediation tools provided by PhishTitan allow security teams to rapidly respond to threats and eliminate them from their email system.
Both email security solutions have high detection accuracy and provide best-in-class protection from email threats. In recent independent tests at VirusBulletin, the solutions were demonstrated to have exceptional detection accuracy, blocking in excess of 99.99% of spam and phishing threats, and thanks to the email sandbox service, TitanHQ’s solutions blocked 100% of malware.
TitanHQ can also help with security awareness training and phishing simulations. The SafeTitan platform makes it easy to create and automate continuous security awareness training programs for the workforce. The training content is enjoyable and interactive and is delivered using computer-based training, with individual modules taking no more than 10 minutes to complete.
The training content is regularly updated and has been proven to improve security awareness and reduce susceptibility to cyber threats, especially when combined with TitanHQ’s phishing simulator. Internal simulated phishing campaigns can be created and automated, and will automatically generate additional training immediately in response to a security failure, ensuring training is delivered at the time when it is most likely to be effective.
Through security awareness training and phishing simulations, organizations can reduce the employee errors that cause so many data breaches, and by using TitanHQ’s email security suite, threats will be blocked before employees’ security awareness is put to the test.
Give the TitanHQ team a call today to discuss the best options for improving your defenses. All TitanHQ solutions are available on a free trial and assistance can be provided to help you get the most out of the free trial.