Phishing across Europe: what 10 countries reveal about human behavior

At first glance, phishing might seem culturally dependent. Different languages, work norms, and security maturity should lead to different results. But when Nimblr analyzed phishing simulation data from 10 European countries, the similarities were far more revealing than the differences.

Country data

The big picture

Across Denmark, Estonia, Finland, Latvia, Lithuania, the Netherlands, Norway, Poland, Sweden, and the United Kingdom:

• Over 1,700 phishing simulations

• Sent 11 million times

• Resulted in 420,000 clicks

Despite cultural variation, the same types of emails consistently received the most clicks.

Click rates: Who performed best and worst

Average click rates showed meaningful differences:

• Poland: 3.4% (lowest)

• Sweden & Latvia: 3.7%

• Netherlands: 4.0%

• Finland & Lithuania: 4.1%

• UK: 4.5%

• Denmark & Norway: 4.9%

• Estonia: 6.1% (highest)

These differences likely reflect varying levels of maturity in awareness training and exposure, but they don’t tell the whole story.

What worked everywhere

Across all ten countries, several themes dominated top-performing phishing simulations: 

1. HR-themed emails 

HR-related simulations ranked highest in every country. Why?

• High trust

• Local language authenticity

• Requests feel normal and internal

• People are far less suspicious of HR than of “too good to be true” offers.

2. IT notifications 

Fake system alerts played on urgency and routine behavior: calendar reminders, encrypted messages, document shares. These messages interrupt work in a way that demands quick action and are familiar enough to not raise alarms. 

3. Local language matters (but English still works) 

Most high-performing simulations were in local languages, increasing credibility. However, English-language phishing still ranked highly in many countries, reflecting real-world campaigns that cross borders. 

4. iPhones and Christmas: two surprise winners 

Only some countries showed high response rates to iPhone-related scams, but when they appeared, they performed exceptionally well. These messages feel informal, low-risk, and familiar. 

Holiday-themed phishing, especially Christmas, succeeded by tapping into obligation, routine administration, and goodwill rather than greed.

Similar humans, different contexts

The data shows that human psychology is remarkably consistent across borders, while context shapes how it’s triggered. People everywhere trust internal processes, respond to urgency, and act faster when something feels familiar. 

What this means for security training 

Effective training must:

• Reflect real attack patterns with realistic simulations

• Use local language and context

• Include both internal and external-looking threats

• Reinforce learning at the moment of failure

Phishing isn’t a regional problem. It’s a human one and understanding that is the first step toward real resilience. 

To learn more about phishing trends across 10 European countries, download the latest report using real usage data from Nimblr.  

Download the report Why phishing still works in 2026.