
Does Simulated Phishing Training Actually Work?

This has been a very interesting question since we started phishing training, which for me was around 2016. So, for about ten years, I’ve heard people challenge whether there is any evidence that phishing simulations reduce the likelihood that an individual will interact with a phishing email. We knew it was our largest risk and, therefore, we had to train, but as an industry, it was more common sense driving the approach than hard studies and numbers.

This is also difficult to study because of one big limitation: we cannot predict when and where a phishing email in the wild will pop up, unless, I suppose, someone clicks on it. So, the best we can do is measure the response to simulated phishing emails. With that in mind, I recently came across some interesting studies that answer this question by highlighting what does and does not work.

  1. Don’t expect your phishing simulation click rate to ever really go to zero. The Verizon Data Breach Investigations Report, which studies patterns in incidents and breaches across a variety of industries, including financial institutions, looked at the outcome of approximately 5,200 phishing campaigns in organizations that run regular training in conjunction with phishing simulation. While there are gains over time (the click rate drops in roughly a bell-curve shape), there is a floor, and it never really hits zero.
  2. Your chances of success increase four times by training monthly. Delving further into the data, Verizon reports that individuals who received security awareness training in the past 30 days were four times more likely to identify and report simulated phishing emails. However, this training efficacy appears to be a slow-growing effect that needs to compound over time, much like muscle memory, so practice is key. Each security awareness campaign decreased the likelihood of clicking on the simulated phish by 5%.
  3. Security awareness training once a year is not enough. Another study (by Grant Ho et al., 2025) spanning eight months found that deploying simulated phishing campaigns with only annual awareness training did not significantly reduce the likelihood that individuals click on a phishing simulation. They reported that individuals who took the annual training in the last 30 days had a similar failure rate to those who completed the same course many months earlier. However, this study agrees with the Verizon study on one point, noting on page 14 that “…the only modality we identified offering significant improvements in outcomes was interactive training taken to completion….this change could produce a modest (19%) but significant improvement for all users.”
  4. All users are not equal. A fascinating study by Canham in 2023, titled Repeat Clicking, Awareness Is Not The Problem, broke down the psychology of individuals who click on 20% or more of simulations, called ‘Repeat Clickers’, versus ‘Protective Stewards’, who never fail and typically report simulations. The study highlights the different approaches of these groups, and the most fascinating results are the survey responses of the respective groups.

The conclusion on page 15 is that Repeat Clickers’ “… rigid email habits are suggestive of an underlying cognitive factor at play…” Interestingly, in the comparison of survey responses, Repeat Clickers reported more confidence in their ability to identify a phish than Protective Stewards did. Further, page 16 states that “…protective stewards unquestionably had more general technology-related knowledge and were more capable at articulating technically related concepts…”

  1. Personalize the approach. Once you’ve identified users who may need more help breaking old habits, speak with them one-on-one about what’s happening and use tools to help them, even if only temporarily. KnowBe4’s recent blog article, A Clicking Time Bomb: What To Do About Repeat Clickers, mentions cases where something as simple as going through email subscriptions and reducing the volume of email helped one user. Here at Bedel, we’ve had some initial success with tailored campaigns for repeat clickers based on the simulations they’ve clicked on in the past.
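As an added example (not from this post or the studies it cites), the following Python script slices a phishing-simulation log the way those studies do: click rate per campaign (where the floor shows up over time), Canham’s 20%-or-more Repeat Clicker threshold, and the report rate of users trained within the last 30 days versus everyone else. The four users, their outcomes, the per-user training-recency field and the "reports a majority of simulations" definition of a Protective Steward are all constructed assumptions.

```python
"""Slice phishing-simulation results the way the studies cited above do.
Constructed data: four users, five campaigns; per campaign each user Clicked (C),
Reported (R) or Ignored (I) the simulated phish. Training recency is constructed too."""
from dataclasses import dataclass

REPEAT_CLICKER_MIN_RATE = 0.20  # Canham: clicked 20% or more of simulations
TRAINING_WINDOW_DAYS = 30       # Verizon: training within the past 30 days

@dataclass(frozen=True)
class UserResults:
    user: str
    outcomes: str             # one character per campaign, in campaign order
    days_since_training: int  # days from last awareness training to the campaigns

SAMPLE = [  # constructed sample, not real program data
    UserResults("alice", "RRRRR", 10),
    UserResults("bob", "CICRI", 200),
    UserResults("carol", "IRCIR", 45),
    UserResults("dave", "IIRII", 15),
]

def campaign_click_rates(results):
    """Click rate per campaign; tracked over many campaigns, this is where the floor shows."""
    n_campaigns = len(results[0].outcomes)
    return [sum(r.outcomes[i] == "C" for r in results) / len(results)
            for i in range(n_campaigns)]

def classify_users(results, min_rate=REPEAT_CLICKER_MIN_RATE):
    """Canham's groups. 'Protective steward' is operationalised here (an assumption)
    as never clicking and reporting a majority of simulations."""
    groups = {"repeat_clickers": [], "protective_stewards": [], "other": []}
    for r in results:
        n = len(r.outcomes)
        if r.outcomes.count("C") / n >= min_rate:
            groups["repeat_clickers"].append(r.user)
        elif "C" not in r.outcomes and r.outcomes.count("R") / n > 0.5:
            groups["protective_stewards"].append(r.user)
        else:
            groups["other"].append(r.user)
    return groups

def report_rate_by_training_recency(results, window=TRAINING_WINDOW_DAYS):
    """Pooled report rate of users trained within `window` days vs. everyone else."""
    def pooled(group):
        total = sum(len(r.outcomes) for r in group)
        return sum(r.outcomes.count("R") for r in group) / total if total else 0.0
    recent = [r for r in results if r.days_since_training <= window]
    stale = [r for r in results if r.days_since_training > window]
    return pooled(recent), pooled(stale)
```

On the constructed sample, bob and carol fall into the Repeat Clicker group, alice is the only Protective Steward, and the recently trained cohort reports at twice the rate of the stale one (0.6 vs 0.3).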

Overall, the key is to approach your program with a helpful attitude and not a punitive one. Next, work toward finding the root cause, then a workable solution with individuals in mind. If you need help with your security awareness program, we would love to help you. Contact us at support@bedelsecurity.com.

 

Sources:

Grant Ho et al. study: https://people.cs.uchicago.edu/~grantho/papers/oakland2025_phishing-training.pdf

Verizon Data Breach Investigations Report: https://www.verizon.com/business/resources/reports/dbir/

Canham study: https://osf.io/preprints/psyarxiv/36eqn_v1

KnowBe4 blog article: https://blog.knowbe4.com/a-clicking-time-bomb-what-to-do-about-repeat-clickers?utm_medium=email&_hsenc=p2ANqtz-_-0aPnpl3K38dT1qvMWubVxHJSMpWDf25aiEi7sdRquekvOp6AmQl8eWFt22h3pFdmgwzCPwtxD_6GulAcCttSbzyISQ&_hsmi=368246096&utm_content=368246096&utm_source=hs_email
