
Are Phishing Simulations Obsolete?

How To Stop Tricking and Start Empowering Your Workforce

Inge van der Beijl

Director Innovation

Published: December 2025

Have you heard the news? Phishing simulations are pointless.

Research presented at Black Hat 2025 concluded that phishing training barely works. So this means we should (finally) lay phishing tests to rest, right? Not so fast. This topic isn’t as black and white as the headlines would suggest.

Before deciding whether phishing simulations are pointless or productive, it’s worth assessing their purpose in your organisation and whether they’re being implemented to add real value.

What the phishing research suggests

Over a period of eight months, researchers analysed the impact of annual phishing training, embedded training, and phishing email simulations on 19,000 employees of a US healthcare organisation. Based on the results of their study, the researchers concluded that:

  • Annual security training shows no clear benefit. Employees who recently completed awareness training were just as likely to click on phishing links as those who hadn’t.
  • Embedded phishing training has limited impact. It only reduced failure rates by about 2% for the study participants.
  • Phishing simulations fail to train most users. Only a small portion of the employees failed the simulations. For those that did and received follow-up training, most didn’t engage. More than half abandoned the training within 10 seconds.

Notably, the researchers also said the type of phishing training can make a difference, but only if employees engage. They found that interactive, context-specific training can reduce phishing risk by 19%, but low completion rates limit its overall effectiveness.

This is one reason why, instead of declaring phishing training and simulations “dead”, we see an opportunity to give them new life by designing them to make a meaningful impact on the organisation’s cyber security. Here are three key ways to get started.

Which Phish?

There are many different terms used for a variety of phishing training approaches. Here’s how Northwave defines three common ones:

Annual Phishing Test

Purpose: Fulfil a regulation requirement to measure an individual’s or organisation’s susceptibility to phishing attacks at a single point in time.

How it works: Employees receive a single phishing email simulation. If they click the link, they will be directed to a landing page where they receive instructions on how to recognise phishing.

Goal: Maintain compliance with legal requirements and measure results.

Outcome: A single phishing simulation (or test) is only a snapshot of the current awareness level and it is not continuous learning. Northwave does not find this strategy effective in training employees to recognise phishing attempts or respond appropriately.

Phishing Simulations

Purpose: To build resilience through repeated exposure and testing over time.

How it works: Employees receive a series of phishing emails throughout a year. These vary in complexity and style.

Goal: Reinforce awareness through repetition and measure awareness levels during a specific period of time.

Outcome: Provides data on trends in phishing recognition and on who fell for the simulated attack, helping organisations target further training. Often, employees who fail a simulation are automatically enrolled in additional e-learning training.

Embedded Phishing Training

Purpose: Educate employees about phishing threats and how to recognise social engineering techniques, such as phishing.

How it works: This broader training programme includes communication, interactive modules, guidance from the organisation and best practices for identifying and reporting phishing attempts.

Goal: Build long-term awareness and behavioural change.

Outcome: Employees have an understanding of the cyber security threats. One of the specific things they learn is to recognise and respond appropriately to real phishing attempts.


1. Determine the objectives of your phishing simulations

To use phishing simulations effectively, one of the first things to identify is the actual risk you are trying to mitigate with the email lures. Often, other tactics are more effective risk mitigations, for example:

  • Technical controls to block malicious content
  • “Fire drills” that test reporting processes instead of just detection
  • Spear phishing simulations that address the rise in highly personalised phishing attacks
  • Training focused on broader digital hygiene (e.g. secure document sharing, account management)

As the recent research suggests, if your main concern is keeping employees from clicking on phishing links, generic email simulations may not be the best solution. But these tests can move the needle on other goals, such as:

  • Encouraging timely reporting of suspicious emails
  • Creating ongoing awareness touchpoints
  • Supporting a broader behavioural programme

Considering that many employees don't know how the reporting process works within their organisation, a phishing drill prompts the employee to explore or carry out this process. So instead of a simple pass-or-fail test, a drill checks whether they understand the reporting process, and that becomes part of their learning journey in a broader training programme.

Overall, it’s important to be specific. Are you testing if employees can spot common lures or if they can follow your organisation's procedures for reporting a suspicious email? Without clear objectives, a simulation becomes a compliance tick-box with little or unclear impact.
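The shift from "did they click?" to "did they report, and how fast?" can be made concrete in the metrics you pull from a drill. The following is an added example (not Northwave's tooling, and the event records are constructed) that scores one simulation campaign by reporting behaviour, including the employees who clicked and then reported, rather than by clicks alone:

```python
from datetime import datetime
from statistics import median

# Constructed sample of simulation events (not real campaign data):
# one 'sent' per recipient, plus any 'click' / 'report' actions.
EVENTS = [
    ("drill-1", "alice", "sent",   "2025-03-03T09:00:00"),
    ("drill-1", "alice", "report", "2025-03-03T09:04:00"),
    ("drill-1", "bob",   "sent",   "2025-03-03T09:00:00"),
    ("drill-1", "bob",   "click",  "2025-03-03T09:10:00"),
    ("drill-1", "bob",   "report", "2025-03-03T09:12:00"),
    ("drill-1", "carol", "sent",   "2025-03-03T09:00:00"),
    ("drill-1", "carol", "click",  "2025-03-03T11:30:00"),
    ("drill-1", "dave",  "sent",   "2025-03-03T09:00:00"),
]


def campaign_metrics(events, campaign):
    """Summarise one drill by reporting behaviour, not only by clicks.

    Returns recipients, click rate, report rate, the share who reported
    without clicking, the share who reported after clicking (the
    'I made a mistake and told someone' case worth praising), and the
    median minutes from delivery to the first report.
    """
    sent, clicks, reports = {}, {}, {}
    for camp, user, kind, when in events:
        if camp != campaign:
            continue
        t = datetime.fromisoformat(when)
        bucket = {"sent": sent, "click": clicks, "report": reports}[kind]
        bucket[user] = min(bucket.get(user, t), t)  # keep the earliest event
    n = len(sent)
    if n == 0:
        raise ValueError(f"no recipients found for campaign {campaign!r}")
    reporters, clickers = set(reports), set(clicks)
    delays = [(reports[u] - sent[u]).total_seconds() / 60 for u in reporters]
    return {
        "recipients": n,
        "click_rate": len(clickers) / n,
        "report_rate": len(reporters) / n,
        "reported_without_click": len(reporters - clickers) / n,
        "reported_after_click": len(reporters & clickers) / n,
        "median_minutes_to_report": median(delays) if delays else None,
    }
```

In the constructed data, half the recipients clicked, but half also reported, and one of the clickers reported within minutes, which is the behaviour a drill built around the reporting process is meant to surface.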

2. Integrate phishing simulations into a broader Human Risk Management strategy

If regulatory compliance is the only goal, a single annual training will only serve to fulfil the requirement and measure awareness at a single point of time. It will not improve behaviour. On the other hand, overwhelming employees with monthly phishing simulations could desensitise them. The optimum frequency depends on the organisational culture and risk appetite, so you need to find the right balance.

With a strategic approach, email phishing simulations serve as moments of reflection—reminding employees how easily human behaviour can be exploited and reinforcing the importance of vigilance. These tests should be part of their continuous cyber safety learning, supported by other measures such as:

  • Contextual, relevant training
  • Technical safeguards (MFA, filtering, segmentation)
  • Clear communication about risks
  • Supportive feedback instead of punishment

In this way, phishing tests become part of a training ecosystem that can actually influence human behaviours.

3. Ensure training supports a learning culture

During the eight-month phishing training experiment at the US healthcare organisation, more than 50% of employees clicked on a simulated phishing email link at least once. The researchers noted that: “Given enough time, most people get pwned.”

The high likelihood that people will eventually fall for a phishing lure is just one reason cyber behaviour campaigns shouldn’t be punitive. Tests can also backfire when employees who “fail” are called out or reprimanded. Trust is broken when employees feel tricked by security teams. They may become less likely to report clicking on a suspicious email or take other necessary security actions. Instead of a culture of learning and engagement, you create fear and resistance.

Organisations that prioritise cyber safety turn mistakes into learning opportunities. Phishing simulations serve as entry points for tailored follow-up behaviour interventions and training focusing on common risky behaviours—such as mixing work and personal accounts, avoiding password managers, downloading unauthorised apps, or sharing documents insecurely. After all, even the most robust technical defences can be undermined if employees don’t understand how to use them.

Phishing For Impact

An annual phishing test or stand-alone phishing simulations, as traditionally conducted, aren’t a silver bullet that will prevent employees from clicking suspicious email links. In fact, Northwave’s human behaviour experts often recommend alternatives that more effectively address underlying organisational risks. However, we do not support the blanket statement that phishing simulations are never useful. The value depends on:

  • Organisational maturity: Organisations with low cyber security maturity may benefit from basic, infrequent email simulations. On the other hand, organisations with high maturity generally need more advanced interventions because their technical measures tend to block basic phishing attempts.
  • Training goals: Effective cyber behaviour campaigns are data-driven, based on actual risks you want to mitigate and behaviours you need to influence.
  • Security relevance: Generic phishing exercises aren’t valuable for teams like IT, who already know how to spot scams. They can also give a false sense of security while leaving more pressing risks unaddressed. By tailoring training to behaviours that matter most for each role, organisations make better use of employees’ time and strengthen security where it counts.

To truly address human behaviour risks, organisations must go beyond generic training strategies and compliance-driven approaches. It's time to channel training efforts into risk-based contexts, designed to engage employees and support a broader cyber security strategy.

Instead of tricking employees, empower them to be your organisation’s cyber heroes.

Ready to take your next strategic step in Human Risk Management? Northwave’s human behaviour experts can help you implement value-adding, data-driven interventions that really change behaviour. Get in touch with us today to start customising your approach.
