Singapore phishing drill cuts clicks as training pays
Thu, 30th Apr 2026 (Today)
KnowBe4 has supported Singapore's second annual business phishing exercise under Exercise SG Ready 2026, which involved nearly 140 businesses across several sectors.
The simulation was run by the Singapore Business Federation in partnership with Nexus, the Ministry of Defence and the Digital and Intelligence Service, with support from KnowBe4 and Sekuro.
Over five days, organisers sent more than 8,500 phishing emails to employees at companies in retail, industrial, healthcare and financial services. The programme included 25 businesses that had also taken part the previous year.
Results showed that 37.5% of the emails were opened, up from about 30% a year earlier. The share of recipients who clicked phishing links fell to 7.4% from 17% in the earlier exercise.
The data also highlighted patterns in how staff responded to different types of messages. Emails framed as internal communications and file-sharing requests recorded the highest click rates at about 11%, while external alert messages recorded around 8%.
Desktop computers accounted for most phishing link clicks, representing 72.5% of cases. Mobile devices made up 22.4%.
Training effect
The findings suggest repeated awareness training is having an effect, but also show that staff behaviour remains a weak point for businesses facing evolving cyber threats. KnowBe4 cited its Asia benchmarking report, which found that organisations in the region face an initial 28.6% likelihood of an employee clicking a malicious link.
According to the report, the average risk drops to 5.2% after a year of frequent security awareness training, a reduction of 81.8%. Those figures broadly align with the results from the Singapore exercise, which measured repeat participants alongside new entrants.
Business phishing drills have become a more visible part of broader resilience planning in Singapore as cyber attacks increasingly target routine workplace habits such as document sharing, invoice handling and internal messaging. The latest exercise used realistic phishing simulations designed to mirror current attack methods and common email threats.
That focus on routine office activity appeared to matter. Participants were more likely to click messages that seemed to come from colleagues or were tied to everyday collaboration than messages presented as external warnings.
Dr Kawin Boonyapredee, CISO Advisor at KnowBe4, said the exercise highlighted the broader importance of cyber resilience.
"Cyber resilience is not just an IT responsibility - it is a business and national priority," he said.
"While technology provides essential safeguards, human judgment remains the final line of defence. Exercises like this help organisations identify behavioural risk patterns and strengthen them before real threats strike."
Business response
The Singapore Business Federation said the results showed improvement but also underscored the need for more regular reinforcement. The business group has been working with government and security partners on preparedness measures tied to national resilience.
Chief executive Kok Ping Soon said the outcome showed more work is needed to raise employee vigilance.
"Phishing emails are getting far more realistic and this year's results show that more can be done to increase employee vigilance," he said.
"Cyber threats are evolving quickly, and businesses cannot rely on once-a-year training. Continuous vigilance, regular refreshers, and a strong reporting culture are essential to staying ahead. SBF will keep working with MINDEF and our partners to strengthen the cyber resilience of Singapore's business community."
The exercise adds to growing evidence that phishing attacks rely less on technical sophistication than on trust, habit and speed of response. In this case, the strongest lure came from messages designed to resemble ordinary internal collaboration, a reminder that familiar workflows remain a common route for attackers.
The drop in click rates from last year suggests that repeated exposure to simulations and awareness programmes can reduce risky behaviour, even as the volume and realism of phishing attempts continue to increase.