At first glance, phishing might seem culturally dependent. Different languages, work norms, and security maturity should lead to different results. But when Nimblr analyzed phishing simulation data from 10 European countries, the similarities were far more revealing than the differences.
Across Denmark, Estonia, Finland, Latvia, Lithuania, the Netherlands, Norway, Poland, Sweden, and the United Kingdom:
Over 1,700 phishing simulations
Sent 11 million times
Resulted in 420,000 clicks
Despite cultural variation, the same types of emails consistently received the most clicks.
Average click rates showed meaningful differences:
Poland: 3.4% (lowest)
Sweden & Latvia: 3.7%
Netherlands: 4.0%
Finland & Lithuania: 4.1%
UK: 4.5%
Denmark & Norway: 4.9%
Estonia: 6.1% (highest)
These differences likely reflect varying levels of maturity in awareness training and exposure, but they don’t tell the whole story.
Across all ten countries, several themes dominated top-performing phishing simulations:
1. HR-themed emails
HR-related simulations ranked highest in every country. Why?
High trust
Local language authenticity
Requests feel normal and internal
People are far less suspicious of HR than of “too good to be true” offers.
2. IT notifications
Fake system alerts played on urgency and routine behavior: calendar reminders, encrypted messages, document shares. These messages interrupt work in a way that demands quick action and are familiar enough to not raise alarms.
3. Local language matters (but English still works)
Most high-performing simulations were in local languages, increasing credibility. However, English-language phishing still ranked highly in many countries, reflecting real-world campaigns that cross borders.
4. iPhones and Christmas: two surprise winners
Only some countries showed high response rates to iPhone-related scams, but when they appeared, they performed exceptionally well. These messages feel informal, low-risk, and familiar.
Holiday-themed phishing, especially Christmas, succeeded by tapping into obligation, routine administration, and goodwill rather than greed.
The data shows that human psychology is remarkably consistent across borders, while context shapes how it’s triggered. People everywhere trust internal processes, respond to urgency, and act faster when something feels familiar.
What this means for security training
Effective training must:
Reflect real attack patterns with realistic simulations
Use local language and context
Include both internal and external-looking threats
Reinforce learning at the moment of failure
Phishing isn’t a regional problem. It’s a human one and understanding that is the first step toward real resilience.
To learn more about phishing trends across 10 European countries, download the latest report using real usage data from Nimblr.
Download the report Why phishing still works in 2026.