Phishing Simulations Are Dead

They Won't Save Your Job After a Breach

A senior manager once told me something that should terrify every manager: "The only reason you're here, Michael, is so that if we get hacked, we have someone to fire."

He wasn't joking.

And if your defence against phishing is a quarterly simulation from a platform in Finland, costing you tens of thousands a year, you're not protecting the company.

You're just building the evidence trail that leads right back to your desk.

Here's the uncomfortable truth that the cybersecurity industry doesn't want you to hear.

Phishing simulations, as most organisations run them today, are dead.

The research is in. The data is overwhelming. And if you're the IT manager, IT director, or CISO still presenting click-rate dashboards to the board, it's time we talked about what's actually going on.

The Research Has Spoken — And It's Brutal

This isn't speculation. The most significant phishing training study ever published landed at the IEEE Symposium on Security and Privacy in May 2025, then made waves again at Black Hat USA in August. Researchers from UC San Diego and the University of Chicago ran an eight-month randomised controlled experiment across 19,500 employees at a major healthcare organisation.

Their conclusion was damning: "Anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks."

Let that sink in. No significant relationship between completing annual security awareness training and the likelihood of clicking phishing emails. None.

They found that 75% of users spent less than a minute on the embedded training materials. One-third closed the training page immediately without reading a word.

The people you're trying to educate aren't even looking at your content.

This wasn't a one-off finding. A June 2025 paper published on arXiv used the NIST Phish Scale to assess training effectiveness with rigorous methodology and concluded that requiring anti-phishing training is "costly and has minimal effect."

Their recommendation? Organisations should "emphasise technical defences rather than placing the burden on humans."

Meanwhile, ETH Zurich — our neighbours here in Switzerland — have been publishing increasingly alarming research since 2021.

Their landmark study across 14,000 employees over fifteen months found that embedded phishing training doesn't just fail to help. It actively backfires.

Employees who received post-click training became more susceptible to phishing, not less. The training created overconfidence: employees believed they could now spot attacks, and simultaneously felt that mistakes in simulations carried no real consequences.

As Kari Kostiainen, a senior scientist at ETH Zurich, put it:

"Instead of emphasising the testing and tricking aspect, the emphasis could be on reminders and reporting."

The Click Rate Lie

If you're presenting phishing simulation click rates to your board, you need to understand what that number actually represents: the most dangerous metric in cybersecurity.

Here's the trick. You run a simulation. Twenty per cent click. You send those people to training. Three months later, fifteen per cent click. Your dashboard shows improvement. You present to the board. Everyone feels safe.

But those employees didn't become better at security. They became better at recognising your simulation vendor's patterns.

A Leiden University meta-analysis in 2024 studied 69 research papers and reached a devastating conclusion: while training significantly improves employees' knowledge and attitudes about phishing, changes in actual behaviour are minimal. In their words:

"We have become extremely good at changing precursors to behaviour, but not the actual behaviour that is necessary to be secure."

You're measuring exam results. The real world doesn't hand out exams.

You're Training Learned Helplessness

Every simulation you run teaches your employees one thing: this is not my problem to solve.

They click. They get "caught." IT sends a patronising email. The phishing email disappears. No real threat materialises. It's a fire drill where the building never burns.

Eventually, people stop taking it seriously — or worse, they stop trusting you entirely.

Research from the University of Sussex, presented at the NDSS Symposium in 2025, found that deceptive security training decreases trust in leadership. Employees start wondering whether management is waiting for them to fail.

They become defensive rather than engaged. They become less likely to report real threats because they fear embarrassment or punishment.

I've seen this firsthand in Swiss industry. Staff who refuse to click legitimate password reset emails from their own IT department. Employees who won't open genuine client communications because "it might be another test."

Productivity drops. Trust evaporates. And when they eventually encounter a real BEC attack from a compromised colleague's actual email account — something that looks nothing like your simulation templates — nobody reports it.

You've trained them to spot the test. Not the threat.

The Numbers That Should Keep You Awake at Night

The Verizon 2025 Data Breach Investigations Report analysed over 22,000 security incidents and 12,000 confirmed breaches across 139 countries. Nearly 60% involved the human element. Business email compromise losses hit $6.3 billion, with a median loss of $50,000 per incident.

The median time for a user to fall for a phishing email? Less than 60 seconds — faster than any automated security system or SOC analyst can react.

And here's what should terrify every IT manager in an SME: 88% of breaches in small and medium-sized businesses involved ransomware.

Third-party compromise doubled year-on-year. Stolen credentials were used in 22% of all breaches. Attackers are now bypassing the intermediate step of credential theft entirely and going straight for the money through BEC.

Your phishing simulation didn't prepare anyone for that.

The Scapegoat Problem

Here's where this gets personal. If you're the IT manager or IT director at a company with 50 to 500 employees, the CEO probably doesn't fully understand your security programme. What they understand is: "We paid for phishing training. If we still got breached, someone didn't do their job."

That someone is you.

When the breach happens — and according to the data, it's when, not if — your click rate dashboard won't be your defence. It'll be your fault. "Look, we told them not to click. We trained them. We tested them. The IT manager was responsible for this programme."

The phishing simulation vendor won't be sitting next to you in that meeting.

What Actually Works

I'm not arguing we should ignore social engineering. I'm arguing we need to stop pretending that gotcha tests are a security strategy.

Invest in systemic controls. Phishing-resistant MFA — hardware security keys, passkeys — prevents automated attacks entirely. DMARC, DKIM, and SPF authenticate email at the protocol level. Browser isolation protects high-risk users. These are engineering solutions to an engineering problem. The Verizon DBIR data shows that organisations with phishing-resistant authentication dramatically reduce their breach surface. That's not a training win — that's a technology win.
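The "engineering solution" part of this argument is checkable: an SPF record ending in `+all` or `?all`, or a DMARC record stuck at `p=none`, means the mail protocols are not actually enforcing anything. The following is an added example, not code from the original post or from any vendor it mentions. It assesses SPF and DMARC TXT records for the weaknesses a defender would look for first; the domain names and records are constructed samples embedded inline so it runs offline (in practice the DMARC record is read from the `_dmarc.<domain>` TXT record in DNS).

```python
import re

# Constructed sample DNS TXT records for hypothetical domains (not real DNS data).
# In production these would come from a TXT lookup of <domain> (SPF) and _dmarc.<domain> (DMARC).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ?all",
        "dmarc": "v=DMARC1; p=none; pct=100; rua=mailto:dmarc@weak.example",
    },
    "hardened.example": {
        "spf": "v=spf1 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@hardened.example",
    },
    "nodmarc.example": {
        "spf": "v=spf1 +all",
        "dmarc": None,
    },
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; return None if absent or not a DMARC1 record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def spf_all_qualifier(record):
    """Return the qualifier on the terminal 'all' mechanism ('+', '-', '~' or '?'), or None if absent."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"  # a bare 'all' means '+all' (pass everything)
    return None


def assess(spf_record, dmarc_record):
    """Return a list of findings; an empty list means SPF and DMARC are both in an enforcing state."""
    findings = []

    qualifier = spf_all_qualifier(spf_record)
    if spf_record is None:
        findings.append("SPF: no record published")
    elif qualifier is None or qualifier in ("+", "?"):
        shown = f"{qualifier}all" if qualifier else "missing 'all'"
        findings.append(f"SPF: permissive terminal mechanism ({shown}); use -all or ~all")

    tags = parse_dmarc(dmarc_record)
    if tags is None:
        findings.append("DMARC: no valid record; spoofed mail is not policed at all")
    else:
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; move to quarantine, then reject")
        elif policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: unrecognised policy '{policy}'")
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC: pct={pct} leaves part of the mail flow unenforced")
        if "rua" not in tags:
            findings.append("DMARC: no rua address, so nobody receives aggregate reports")
    return findings


def assess_domain(domain):
    """Assess one of the constructed sample domains."""
    records = SAMPLE_RECORDS[domain]
    return assess(records["spf"], records["dmarc"])


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        result = assess_domain(name)
        print(f"{name}: {'OK (enforcing)' if not result else ''}")
        for line in result:
            print(f"  - {line}")
```

One caveat when acting on the output: moving straight to `p=reject` breaks your own mail if any legitimate sender (a CRM, a ticketing tool, a marketing platform) is not covered by SPF or signing with DKIM, which is why the aggregate reports sent to the `rua` address are worth reading for a few weeks at `p=quarantine` first.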

Build a reporting culture, not a compliance culture. The ETH Zurich research found one genuinely effective practice: crowd-sourced phishing detection. When employees have a simple "report phish" button and actually use it, organisations detect real phishing campaigns faster than technical controls alone. The Verizon DBIR found that organisations investing in regular reporting-focused training saw a fourfold improvement in employee phishing reporting rates. Stop punishing clicks. Start rewarding reports. An employee who clicks a phishing link but reports it within two minutes is infinitely more valuable than one who ignores 200 emails because they're afraid of being tested.

Teach decision-making, not pattern recognition. Don't teach people to spot phishing. Teach them what to do when something feels wrong. "Stop. Verify through a different channel. Report it." That's a learnable, repeatable behaviour. "Identify this one sophisticated social engineering email hidden among your 200 daily messages" is not. The Verizon data shows that attackers are now exploiting trust and helpfulness rather than fear and urgency — the old "recognise the red flags" training doesn't cover the attacks that are actually landing.

Invest in real nudges, not gotcha tests. The ETH Zurich 2024 study found that regular reminders about phishing dangers — simple nudges — were more effective at driving behaviour change than the actual content of training modules. The most susceptible participants described the training content as unhelpful. What helped was being reminded that the threat was real and ongoing.

The Uncomfortable Maths

Organisations spend €50,000 annually on simulation platforms while refusing to spend €5,000 on hardware security keys that would actually eliminate automated credential phishing. Companies pay for elaborate quarterly gotcha campaigns while running Exchange servers with no DMARC enforcement.

That's not a security strategy. That's security theatrics.

If your approach relies on every employee, every time, correctly identifying increasingly sophisticated AI-generated social engineering attacks — attacks the Verizon DBIR confirms are now using deepfake audio and hyper-personalised content — you've already lost.

Humans will click things. That's not a training failure. It's a system design failure.

The Bottom Line

Phishing simulations exist because they're measurable, they're sellable, and they make everyone feel like something is being done. But feeling busy and being effective are not the same thing.

The research from IEEE Oakland, ETH Zurich, Leiden University, the NDSS Symposium, and the Verizon DBIR all point in the same direction: stop testing humans and start protecting them. Invest in technical controls. Build reporting cultures. Teach decision frameworks. And for the love of operational security, stop spending your budget on platforms that make your employees distrust their own inbox.

Because when the breach comes, your simulation vendor's dashboard won't save your job. Your security architecture might.


If you're an IT manager or CISO who's seen phishing simulations genuinely reduce actual security incidents — not click rates, real incidents — I'd love to hear your comments. Because five years of peer-reviewed research says otherwise. Comment below.