New research from KnowBe4 has revealed that nearly half of IT decision-makers in Singapore find it difficult to tell the difference between legitimate emails and phishing scams. The study shows that 46% of those surveyed admitted they struggled to identify scam or phishing emails.
The research highlights that phishing attacks are becoming more advanced and harder to detect. Worryingly, 72% of IT leaders mistakenly identified a real email as a phishing attempt. This suggests that as phishing tactics become more deceptive, even experienced IT professionals are finding it increasingly challenging to spot the difference.
When asked to review examples of scam and legitimate emails, only just over half (54%) correctly identified a scam or phishing email. On the other hand, 39% thought it was genuine, and 7% said they were unsure.
Despite this confusion, fewer IT decision-makers now consider phishing and business email compromise (BEC) to be a serious threat to their organisation. Only 36% view it as a major risk, a drop compared to previous years — 2021, 2022, and 2024. This declining concern raises red flags, as it could lead businesses to lower their guard against potentially costly cyber-attacks.
Accountability for cybersecurity is declining
The findings also show a worrying trend in how responsibility for cybersecurity is perceived within organisations. Currently, only 36% of respondents believe that protecting their organisation from cyber threats is a shared responsibility. This is down from 40% in 2024, 60% in 2022, and 46% in 2021.
This year-on-year decline in individual accountability leaves businesses more exposed to cyber risks. As employees become less engaged in cybersecurity efforts, companies face a greater challenge in building a strong security culture.
Dr Martin Kraemer, Security Awareness Advocate at KnowBe4, warned, “Business email compromise (BEC) remains one of the most financially damaging cyber threats facing Singapore organisations today with the country’s high digital connectivity and its role as a global financial and business hub. These latest insights are deeply concerning, as organisations see a decline in individual accountability for cybersecurity, the risk of BEC attacks only grows.”
The study also found a growing shift in responsibility towards IT teams. Nearly half (47%) of respondents believe cybersecurity is the IT department’s responsibility, a significant increase from 42% in 2024, 25% in 2022, and 34% in 2021.
At the same time, over two in five (42%) say the government should take responsibility for protecting organisations from cyber threats. This is up from 37% in 2024 and 14% in 2022, though slightly down from 25% in 2021.
Only 31% of employees recognise their own role in cybersecurity, which is only a small increase from 28% in 2024, 23% in 2022, and 24% in 2021.
Another concerning trend is the decreasing belief in the role of technology in protecting organisations from cyber-attacks. In 2025, only 19% said there are technologies in place to protect against attacks, continuing a steady decline from 24% in 2024, 25% in 2022, and 28% in 2021.
Singaporeans want stronger government action on cyber protection
The research also reveals strong public demand for greater government action to protect businesses from cyber-attacks. A striking 89% of respondents believe the government should do more to safeguard businesses. This is up from 84% in 2024, 72% in 2022, and 71% in 2021.
Among the top requests from IT decision-makers are:
- Better public education and awareness about cyber risks and how to stay safe online. This was highlighted by 61% of respondents, a sharp increase from 48% in 2024, 48% in 2022, and 44% in 2021.
- Increased funding to help businesses strengthen their cyber defences, with 51% calling for more financial support. This is up from 40% in 2024, 42% in 2022, and 40% in 2021.
- More training and resources for businesses on managing cyber risks, requested by 52% of respondents. While still high, this represents a slight drop from 54% in 2024, 42% in 2022, and 47% in 2021.
Dr Kraemer stressed the importance of building a culture of cybersecurity awareness and responsibility across all levels of an organisation. He said, “The findings underscore the urgent need for companies to reinforce a culture of cybersecurity awareness and shared responsibility to mitigate cyber threats. Gen AI tools are rapidly making phishing emails more dangerous for organisations being more advanced, frequent and harder to spot. Now more than ever, businesses must prioritise comprehensive email security, employee training, and multi-layered defences to prevent costly breaches and safeguard critical assets, and leverage employees as the organisation’s greatest asset in preventing cyber-attacks.”
