Find out what this year’s Gone Phishing Tournament (GPT) revealed about the state of the industry, how likely we are to click on malicious links, and which sectors are the most susceptible.


The results are in. The outcomes of the largest phishing simulation in the world — the fifth annual Gone Phishing Tournament, hosted by Fortra’s Terranova Security — are here and ready for review.

Over 1.37 million end users across 142 countries participated in this year’s 2023 competition, and the event was offered in 31 different languages. The insights were staggering and revealed previously hidden trends about our tendency to click where we don’t belong, the types of sectors that click the most, and what we do after we’ve given our trust.


Here are four key takeaways.


  1. Click-Through Rates up to 10.4% 

It’s sad but true; we’re not getting any better at this. In fact, we’re getting worse. In this year’s tournament, 10.4% of users clicked on the phishing link in the email. That denotes a year-over-year increase of 3.4%, and last year’s numbers were already 7%. Additionally,

Users submitting a password went from 3% in 2022 to 6.5% in 2023

Users only clicking a link stayed flat (4% in 2022 vs 3.9% in 2023)

To put it in perspective, an organization with 10,000 users would have 650 credentials compromised at this rate. The same organization would also have 390 users that might have something malicious downloaded on their system due to clicking the link in the email.

  1. Education Is the Sector That Clicks the Most 

Education is key. And that includes education about which emails are safe to investigate and which aren’t. Security awareness training (SAT) is part of a mature cybersecurity strategy, and no sector is exempt.

In this past event, Education had the highest click-through rates at 16.7% (versus 6.7% last year) and the highest password submission rate at 12.2% (vs 2.7% last year). That means that those in that sector were not only most likely to click on a dangerous email but the most likely to follow its instructions and input their password (ostensibly for a login on a lookalike-legitimate site or a “routine update”) once inside. Unfortunately, following all instructions can have its downside.

Conversely, Finance had the lowest click-through rates and the second lowest rates for password submission.

While these numbers may be easy to judge, we should note that every single industry had worse click-through and password submission rates this year when compared to last.

  1. Every Region (But Africa) Did Worse This Year Than Last 

The results showed a consistent decline across geographies, too. Other than Africa, every region showed worse click-through and password submission rates in 2023’s test than in 2022. Specifically:

APAC performed the lowest, with a click-through rate of 14.9% and a 9.2% chance of submitting a password

LATAM performed the highest, with a 7.8% rate of click-throughs and a 3.9% likelihood of submitting a password

It is likely that the use of ChatGPT in phishing campaigns has led to an influx of spam emails in regions once protected, at least in part, by language barriers which made sending convincing phishing emails a challenge. Now that those divides don’t preclude persuasively written messages, it is possible that there will be a sharp learning curve for countries barraged with high-level phishing campaigns for the first time.

  1. The Size of the Organizations Did Not Impact Results 

In the phishing tournament, results were similar regardless of the organization’s size. Being a large, small, or mid-sized company did not have any apparent effect on whether an employee clicked or not. Other factors however, like the ones listed above, did. Also, click-through rates and password submissions rates were pretty evenly distributed.


What Does It All Mean?


On the surface it is concerning that click-through and password submission rates are both trending in the wrong direction from one year to the next.

However, we need to remember GenAI technologies such as ChatGPT have enabled criminals to improve the efficacy of their phishing attacks by leveraging perfect spelling and grammar in just about any language. Countries that have historically had low phishing attacks are now targets because the language barrier has been removed, and the game has been changed for everyone.

At the end of the day, even security-savvy individuals can get fooled if they let their guard down for a moment. As we strive for efficiency in the workplace, it’s all too easy to get into the habit of scanning messages quickly and taking action. Ongoing education is more critical than ever to keep employees aware, and every sector needs it. Hopefully this past Gone Phishing Tournament has been a wake-up call to all industries that the time for educating employees about phishing tactics is now. At the rate that new attacks, methods, and techniques are evolving, next year might be too late.


If this information is helpful to you read our blog for more interesting and useful content, tips, and guidelines on similar topics. Contact the team of COMPUTER 2000 Bulgaria now if you have a specific question. Our specialists will be assisting you with your query. 

Content curated by the team of COMPUTER 2000 on the basis of news in reputable media and marketing materials provided by our partners, companies, and other vendors.

Follow us to learn more


Let’s walk through the journey of digital transformation together.

By clicking on the SEND button you agree to the processing of personal data. In accordance with our Privacy Policy

15 + 10 =