Benchmark 2025: Sectors most affected by AI-phishing and countermeasures


by Kymatio

Explore the ranking of the sectors most vulnerable to AI-phishing in 2025. Discover key countermeasures to comply with NIS2 and protect your organization.


The phishing you knew is dead. Forget emails with misspellings and generic greetings; artificial intelligence has refined attacks to the point where they are almost indistinguishable from legitimate communication. Generative AI creates a type of phishing that is not a future threat but a present reality, one that is already bypassing your defenses with unprecedented customization and scale.

For you, as a senior manager or security manager, the NIS2 Directive elevates the management of this new level of digital human risk to an inescapable responsibility. It is no longer enough to react; it is mandatory to anticipate.

This article provides you with a clear and straightforward AI-phishing benchmark for 2025, identifying the most exposed sectors and offering you an action plan to turn human risk into your most active defense. Take an in-depth look at new trends in advanced phishing to understand the full picture of threats that are already here.

Why an AI-Phishing Benchmark is Critical to Your 2025 Strategy

Taking a proactive stance against AI-phishing is not just a best practice, it's a strategic and regulatory necessity. An industry benchmark provides you with the risk map you need to navigate this new environment, allowing you to move from a generic defense to an accurate and justified 2025 cybersecurity strategy.

The qualitative impact of AI-phishing: beyond metrics

The real danger of AI phishing is not its volume, but its quality. This technology overrides the "gut feeling" your employees relied on to detect fraud. AI creates hyper-realistic lures, with perfect context and tone, and without the mistakes that previously gave them away.

Imagine an email that references a conversation from last week or a confidential internal project. AI doesn't just automate phishing; it makes it virtually indistinguishable from reality, turning your most attentive employees into potential victims.

According to IBM's latest report on the Cost of a Data Breach, the average global cost of an incident already exceeds 4 million euros, a figure that shows the need to anticipate increasingly sophisticated attacks.

NIS2 and the Demand for Risk-Based Cybersecurity

The NIS2 Directive imposes a structural change: it requires senior management to monitor and approve cybersecurity measures based on a continuous and demonstrable risk assessment. It is no longer enough to "do security"; now you must prove that your actions are appropriate and effective.

This is where an AI phishing benchmark 2025 becomes your best ally. It allows you to:

  • Justify investments: Use the data from this 2025 benchmark to demonstrate to the board that investing in human risk management is a priority based on objective data about your industry.
  • Demonstrate due diligence: Prove to regulators that you have conducted a specific risk assessment and are implementing proportionate countermeasures.

Having a risk-based cybersecurity strategy is not an option, it is the core requirement of NIS2 compliance. To learn more about your obligations, you can consult the primary source on ENISA's official page on the NIS2 Directive.

2025 Ranking: The 4 Most Vulnerable Sectors to AI Phishing

Although all organizations are targeted, sectoral vulnerability is not uniform. Our AI-phishing benchmark for 2025 identifies four areas where the risk is exponentially greater. This ranking of sectors, at the core of the benchmark, is based on the value of their data, the criticality of their operations and the intensity of regulatory pressure.

1. Financial Sector and Insurance (Banking, Fintech)

The financial sector remains the main target for a very simple reason: it offers the most direct access to capital. AI allows attackers to overcome traditional defenses and execute spear-phishing attacks on a massive scale. Imagine hundreds of personalized emails sent to account managers or executives, each with the perfect context to authorize a fraudulent transfer. Here, the goal is direct access to funds, and AI is the tool that makes that possible at scale.

2. Healthcare Sector (Hospitals, Pharmaceuticals)

The richness and sensitivity of Personal Health Information (PHI) data make this sector a prime target for ransomware and extortion attacks. The high-pressure environment and operational urgency inherent in the healthcare sector create the ideal scenario for social engineering. The combination of extremely valuable data on the black market and overworked staff creates a maximum risk scenario for AI-phishing. An urgent email about a patient, generated by AI, can be the perfect bait.

3. Critical Infrastructures (Energy, Water, Transport)

In this case, the motivation for the attack often transcends the financial to focus on operational disruption. A successful AI-phishing attack targeting an engineer or operations manager can be the entry vector for compromising Operational Technology (OT) systems. Here the risk goes beyond data leakage; it is the potential paralysis of essential services for society.

4. Public Administration and Defense

With a massive attack surface and invaluable strategic data, the government is a high-profile target. Attackers can use AI to impersonate senior officials and gain access to classified information. However, the biggest challenge is internal: the active commitment of officials to cybersecurity is the primary element of protection for national security. Fostering a culture of constant alert in this environment is as crucial as it is complex, but it is a prerequisite for mitigating risk.

For more in-depth analysis and empirical data on how attack patterns vary by industry, Verizon's Data Breach Investigations Report (DBIR) is a critical source of external consultation.

Essential Countermeasures and Strategic Recommendations

Identifying the risks in your sector in an AI phishing benchmark is the first step. The next, and most important, is to act. A strong defense against AI-phishing is articulated in three interconnected components: technology, processes, and, crucially, people.

Technology: AI-augmented email defenses

Your traditional email defenses or Secure Email Gateways (SEG) are no longer enough. They are designed to stop known threats, but AI-phishing is a zero-day social engineering attack. Your first layer of defense needs to be as smart as the attack you're trying to stop. You need solutions that use AI to:

  • Analyze the context and intent of the message, not just signatures or reputation.
  • Run dynamic sandboxing that scans links and attachments in a secure environment before they reach the user.
  • Perform real-time URL analysis to block newly created malicious domains.

Processes: Strengthen your incident response chain

Technology will detect many attacks, but some will reach the employee. Your goal is for that employee to act as an effective threat sensor. To do this, you must establish channels for reporting suspicions that are extremely simple and that eliminate the fear of reprisals. An agile, frictionless reporting process turns every employee into a sensor for your SOC, and integrating these reports into your security workflows is key to a rapid response that contains the impact.

People: Cybersecurity Culture in the Company and Human Risk Measurement

This is the core of your defense and the determining factor in success against social engineering. Forget about the annual theoretical training. Cybersecurity culture is the defining challenge in human risk management; you don't impose it, but you build it with continuous awareness and measurement of real behavior.

  • Implement an ongoing program of phishing simulations, including AI-phishing scenarios.
  • Customize attacks by role, department, and risk level.
  • Measure actual behavior (reporting rate vs. click-through rate), not just theoretical knowledge.

To do this, it is essential to have defenses against advanced phishing and other threats that focus on human resilience.

All of these countermeasures help strengthen your defenses against the Initial Access tactic, as defined in industry-standard frameworks such as MITRE ATT&CK®.

Drive a Continuous Awareness Program Tailored to NIS2

To effectively protect against AI-phishing, a threat whose criticality is detailed in this 2025 benchmark, and to comply with NIS2, your approach to awareness must evolve. Abandon the idea of the isolated event and adopt a model of continuous resilience, measurable and defensible in the face of any audit.

From one-off training to measurable security culture

An annual course is not enough to demonstrate compliance. NIS2's mandate is not based on a training event, but on a cyclical process of continuous improvement. Adopt a strategic cycle that allows you to demonstrate real risk reduction:

  • Assess: Identify your baseline risk level.
  • Train: Provide specific and contextual knowledge.
  • Simulate: Measure behavior with realistic attacks.
  • Measure: Analyze the results to adjust and restart the cycle.

This proactive approach requires planning effective simulation campaigns throughout the year, not just as a compliance exercise, but as a strategic risk management tool.

Measure what matters: Behavior, not just clicks

Click-through rate is an incomplete metric that only measures failure. To demonstrate a real improvement in your security posture, you need to focus on behavioral metrics that reflect the maturity of your culture. Measure resilience, not just error; reporting rate is the truest indicator of a strong security culture.

These are the KPIs (Key Performance Indicators) that, as a CISO, you must present to management: the phishing reporting rate, the average time to detection by the employee and the resilience index.
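As an added illustration (not code from the original article or from Kymatio) of the behavioral KPIs above and of the earlier point that simulations should be segmented by department and judged on reporting rate rather than click rate alone, the following script computes those KPIs from constructed simulation-campaign records. The "resilience index" is not defined on the page, so the definition used here (reports per click) is an assumption.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional

@dataclass
class Event:
    user: str
    dept: str
    clicked: bool            # employee followed the simulated lure
    reported: bool           # employee flagged it to the SOC
    minutes_to_report: Optional[float]  # None when nothing was reported

# Constructed sample results from one simulation campaign (not real data).
CAMPAIGN = [
    Event("u1", "finance", True, False, None),
    Event("u2", "finance", True, True, 12.0),   # clicked, then reported
    Event("u3", "finance", False, True, 4.0),
    Event("u4", "finance", False, False, None),
    Event("u5", "ops", True, False, None),
    Event("u6", "ops", True, False, None),
    Event("u7", "ops", False, False, None),
    Event("u8", "ops", False, True, 30.0),
]

def kpis(events):
    """Behavioral KPIs for one group of recipients."""
    n = len(events)
    clicks = sum(e.clicked for e in events)
    reports = sum(e.reported for e in events)
    times = [e.minutes_to_report for e in events if e.reported]
    return {
        "click_rate": clicks / n,                      # measures failure only
        "report_rate": reports / n,                    # measures resilience
        "median_minutes_to_report": median(times) if times else None,
        "first_report_minutes": min(times) if times else None,  # when the SOC first hears of the campaign
        # Assumed definition: reports per click (how many raised the alarm per employee who fell).
        "resilience_index": reports / clicks if clicks else float("inf"),
    }

def kpis_by_dept(events):
    """Segment the campaign by department, as the page recommends."""
    return {d: kpis([e for e in events if e.dept == d]) for d in sorted({e.dept for e in events})}
```

Both departments in the sample show the same 50% click rate, yet finance reports twice as often and far sooner, which is exactly the difference a click-only metric hides.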

This human risk management model not only responds to NIS2, but aligns perfectly with the principles of Information Security Management Systems defined in the global standard ISO/IEC 27001.

Frequently Asked Questions

What are the sectors most affected by AI-phishing in 2025?

The most affected sectors are Banking and Insurance, Health, Critical Infrastructures and Public Administration. This is due to the high value of their data, their operational criticality and the strong regulatory pressure they face under regulations such as NIS2.

How does a cybersecurity benchmark help to comply with NIS2?

A benchmark allows you to identify and prioritise specific sectoral risks, a key requirement of the NIS2 Directive. It is a critical tool to justify investments and demonstrate proactive, risk-based cybersecurity management to regulators.

Is technology enough to stop AI-phishing?

No. Technology is an essential layer, but it must be complemented by well-defined incident response processes and, crucially, a strong security culture, managing human risk as the last and most adaptable line of defense.

What is the first step in creating a defense against AI-phishing?

The first step is to conduct an initial assessment to gauge the resilience of your employees. A controlled phishing simulation will provide you with an objective baseline on which you can build and adapt your ongoing awareness strategy.