@Newk @mrclark I think you should not attack the problem from the angle of who is being targeted: it's pretty easy to see it's everyone. IME you can get to an actual victim with one handshake, maybe two if you don't work in infosec.
It's more important to make people realize that they have shit to loose: enumerate critical assets, create estimations what damage can be done (which is what banks do as part of their compliance process). Many businesses (manufacturing is a typical example) don't realize how much they rely on IT these days.