The Phishing Test Your Employees Just Failed
I ran a phishing simulation for a 150-person professional services firm last month. The results were depressing—and entirely typical.
- 34% clicked the link in the phishing email
- 18% entered their credentials on the fake login page
- 12% downloaded the "document" (which would have been malware)
- Only 8% reported the email through the proper channel
The CEO was shocked. "We did phishing training six months ago!" he said. "Everyone watched the video!"
Yeah. They watched a video. That doesn't mean they learned anything.
Here's why most phishing simulation training fails—and what actually works to change behaviour.
The "Gotcha" Approach Does More Harm Than Good
Many phishing simulation programs are designed to catch people out. They send tricky emails. They punish failures. They create a "wall of shame" for people who click.
This is counterproductive.
When employees feel like security is trying to trick them, they:
- Become defensive rather than cooperative
- Hide mistakes instead of reporting them
- Resent security measures
- Disengage from training
I've seen organisations where people won't report suspicious emails because they're afraid it's another test. That's the opposite of what you want.
Why People Fall for Phishing (It's Not Stupidity)
Before we talk about solutions, let's understand the problem. People fall for phishing because:
Phishing is Designed to Exploit Normal Human Behaviour
Phishing emails work because they trigger normal, helpful responses:
- Urgency ("Your account will be suspended today")
- Authority ("From the IT Department")
- Curiosity ("You have a new secure message")
- Fear ("Unusual activity detected")
- Helpfulness ("Can you quickly check this invoice?")
These aren't stupid reactions. They're human reactions. Attackers know this and exploit it deliberately.
People Are Busy and Distracted
Most phishing clicks happen when people are:
- Rushed (checking email between meetings)
- On mobile (harder to spot red flags on a small screen)
- Multi-tasking (half-attention on email, half on a call)
- Tired (end of day, low energy)
A person who would never click a phishing email at 10am on a Tuesday might click the exact same email at 5pm on a Friday.
The Stakes Feel Low
From the user's perspective:
- Clicking a link is low-effort
- The potential harm is abstract and delayed
- The immediate benefit (checking that message) is concrete
- They've clicked thousands of links before without problems
Humans are terrible at evaluating low-probability, high-impact risks. We just are.
What's Wrong With Most Phishing Simulation Training
Let's break down the typical approach:
The Annual Training Video
Once a year, everyone watches a 20-minute video about phishing. It covers:
- Check the sender address
- Look for spelling errors
- Hover over links before clicking
- Don't download unexpected attachments
Then everyone takes a quiz. Most pass. Nothing changes.
Why it fails: Information alone doesn't change behaviour. Everyone knows they should exercise more and eat less sugar too.
The Random Phishing Test
Every few months, IT sends a fake phishing email. People who click get "trained" (usually another video). People who don't click feel smug.
Why it fails:
- No context or immediate feedback
- Punitive framing creates fear
- Doesn't teach recognition skills
- Easy to dismiss as "I was busy/rushed/tired"
The Fear-Based Approach
Training focuses on scary statistics and consequences. "One click could cost the company millions!" "You could lose your job!"
Why it fails: Fear motivates short-term avoidance, not long-term skill development. And it creates anxiety without providing solutions.
Phishing Simulation Training That Actually Works
Here's the approach I've seen work in practice:
1. Make Reporting Easy and Rewarded
Your goal isn't zero clicks. Your goal is fast detection.
If someone reports a phishing email within minutes, that's a win—even if they clicked first. Early detection limits damage.
Make reporting trivial:
- One-click reporting button in email client
- Clear, visible reporting process
- Mobile-friendly reporting (people check email on phones)
Reward reporting:
- Thank people who report (personally, not just auto-response)
- Share positive examples ("Sarah spotted this sophisticated phish and reported it immediately")
- Never punish honest reporting
Track the right metric: Not click rate, but reporting rate. That's what matters.
2. Immediate, Contextual Feedback
When someone clicks a simulated phishing email, don't wait days to tell them. Give immediate feedback:
"You just clicked a simulated phishing email. In a real attack, this could have compromised your account. Here's what to look for: [specific red flags in this email]. Here's how to report suspicious emails: [one-click button]."
Make it educational, not punitive. Teach them what they missed and how to spot it next time.
3. Varied, Realistic Simulations
Don't use the same old "Your package delivery failed" template over and over.
Use varied scenarios:
- Spear phishing (personalised to individual/role)
- Executive impersonation (fake CEO requests)
- Vendor compromise (fake invoices from real suppliers)
- Current events (tax time, newsworthy topics)
- Platform-specific (Office 365, DocuSign, LinkedIn)
Make them realistic. If your company uses Slack, simulate Slack notifications. If you work with specific vendors, create fake emails from them.
4. Teach Recognition, Not Rules
Rules don't work because attackers adapt. "Check for spelling errors" doesn't help when the phishing email is perfectly spelled.
Instead, teach recognition patterns:
- Does this email create artificial urgency?
- Is it asking me to do something unusual?
- Would this person normally contact me this way?
- Does the sender address match the display name?
- Can I verify this through another channel?
Give people mental models, not checklists.
5. Practice Regularly (But Not Too Often)
Monthly simulations are about right for most organisations. More frequent than that causes fatigue. Less frequent and people forget.
Vary the timing. Don't always send tests on Tuesday mornings when people are alert. Send some on Friday afternoons. Some on mobile-only. Some during busy periods.
Real attackers don't wait for convenient times.
The Metrics That Matter
Stop obsessing over click rates. Here are better metrics:
Reporting Rate
What percentage of phishing emails get reported? This is your early warning system. Higher is better.
Target: 50%+ of phishing emails reported within 1 hour
Time to Report
How quickly do people report suspicious emails? Faster reporting limits damage.
Target: Median time under 15 minutes
Repeat Clickers
What percentage of people click multiple times? This identifies people who need additional support.
Target: Less than 5% of staff are repeat clickers
Department Variations
Are some departments more vulnerable? This helps target training.
Finance and HR are often high-risk because they handle sensitive requests regularly.
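As an added example (not from the original post), here is a small Python scorecard that computes the four metrics above from simulation results and compares them with the targets quoted in this section. The records and the department names are constructed; a real program would export them from its simulation platform.

```python
from collections import Counter
from statistics import median
from typing import NamedTuple, Optional
class SimResult(NamedTuple):
    # One recipient's outcome for one simulated phish (constructed, not real data)
    user: str
    dept: str
    clicked: bool
    minutes_to_report: Optional[float]  # None when the email was never reported
# Constructed sample: four staff across three monthly campaigns
RESULTS = [
    SimResult("ana", "finance", True, 4.0),   SimResult("ana", "finance", True, None),
    SimResult("ana", "finance", True, 90.0),  SimResult("ben", "finance", False, 12.0),
    SimResult("ben", "finance", False, 7.0),  SimResult("ben", "finance", False, None),
    SimResult("cat", "hr", True, 30.0),       SimResult("cat", "hr", False, 20.0),
    SimResult("cat", "hr", False, None),      SimResult("dan", "eng", False, None),
    SimResult("dan", "eng", False, 3.0),      SimResult("dan", "eng", True, 25.0),
]

def reporting_rate(results, within_minutes=60):
    # Share of simulated phishes reported inside the window: your early-warning coverage
    hits = sum(1 for r in results
               if r.minutes_to_report is not None and r.minutes_to_report <= within_minutes)
    return hits / len(results)

def median_time_to_report(results):
    # Median minutes to report, over the emails that were reported at all
    times = [r.minutes_to_report for r in results if r.minutes_to_report is not None]
    return median(times) if times else None

def repeat_clicker_share(results, min_clicks=2):
    # Fraction of staff who clicked in at least min_clicks campaigns
    clicks = Counter(r.user for r in results if r.clicked)
    staff = {r.user for r in results}
    return sum(1 for c in clicks.values() if c >= min_clicks) / len(staff)

def click_rate_by_dept(results):
    # Click rate per department, to see where extra coaching should go
    sent = Counter(r.dept for r in results)
    clicked = Counter(r.dept for r in results if r.clicked)
    return {d: clicked[d] / sent[d] for d in sent}

def scorecard(results):
    # Compare each metric with the article's targets; True means the target is met
    rate, ttr = reporting_rate(results), median_time_to_report(results)
    repeaters = repeat_clicker_share(results)
    return {"reporting_rate_1h": rate, "reporting_target_met": rate >= 0.5,
            "median_minutes_to_report": ttr, "time_target_met": ttr is not None and ttr < 15,
            "repeat_clicker_share": repeaters, "repeat_target_met": repeaters < 0.05,
            "click_rate_by_dept": click_rate_by_dept(results)}
```

On the constructed sample the reporting target is met but the time-to-report and repeat-clicker targets are not, which is the kind of split a real programme often shows.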
Supporting High-Risk Users
Some people will always be higher risk:
- Executives (high-value targets, often exempted from controls)
- Finance staff (handle money, get invoice-related phishes)
- HR staff (open attachments from strangers, handle sensitive data)
- New employees (don't know normal communication patterns yet)
- Remote workers (isolated, less able to verify)
Give these groups extra support:
- More frequent simulations
- One-on-one coaching for repeat clickers
- Additional technical controls (email filtering, application control)
- Easy escalation paths ("Forward suspicious invoices to finance@company.com before paying")
The Technical Side Matters Too
Training alone isn't enough. You need technical defences:
Email Filtering
Good email security catches most phishing before users see it:
- SPF, DKIM, DMARC enforcement
- Link protection and rewriting
- Attachment sandboxing
- Machine learning classification
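Publishing a DMARC record is not the same as enforcing it: a record with p=none only asks for reports and lets spoofed mail through. This added example (not code from the original post) parses a domain's DMARC TXT record and says whether the policy actually quarantines or rejects failing mail; the record strings are constructed and the tag defaults follow RFC 7489.

```python
ENFORCING = ("quarantine", "reject")

def parse_dmarc(txt):
    # Split "v=DMARC1; p=reject; rua=mailto:..." into a lower-cased tag dict
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: %r" % txt)
    return tags

def assess_dmarc(txt):
    # Classify the record as 'enforcing', 'partial' or 'monitoring-only', with reasons
    tags = parse_dmarc(txt)
    policy = tags.get("p", "none")          # p is required; treat a missing one as none
    sub_policy = tags.get("sp", policy)     # sp defaults to the organisational policy
    pct = int(tags.get("pct", "100"))       # pct defaults to 100
    findings = []
    if policy not in ENFORCING:
        findings.append("p=%s: mail that fails DMARC is still delivered" % policy)
    if sub_policy not in ENFORCING:
        findings.append("sp=%s: subdomains can still be spoofed" % sub_policy)
    if pct < 100:
        findings.append("pct=%d: only that share of failing mail is policed" % pct)
    if policy not in ENFORCING:
        status = "monitoring-only"
    elif findings:
        status = "partial"
    else:
        status = "enforcing"
    if "rua" not in tags:
        findings.append("no rua: you will not receive aggregate reports")
    return {"status": status, "policy": policy, "pct": pct, "findings": findings}
```

Run it against the TXT record at _dmarc.yourdomain to see which of the three states your own domain is in.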
Browser Protection
Even if users click, you can limit damage:
- Safe browsing filters
- Download scanning
- Application control
- Network segmentation
Credential Protection
If users do enter credentials, limit the impact:
- MFA (stops 99% of credential-based attacks)
- Leaked credential monitoring
- Unusual location/device alerts
- Automatic blocking of suspicious logins
The goal is defence in depth. Training catches some. Technical controls catch others. MFA stops the ones that get through.
Dealing with the "I Would Never Fall For That" Crowd
Every organisation has people who insist they're too smart for phishing. They don't need training. They don't need MFA. They know what they're doing.
These people are often your highest risk, because:
- Overconfidence leads to complacency
- They won't report mistakes (would damage their image)
- They resist security controls
- They set a bad example for others
Handle them carefully:
- Show them real examples of sophisticated attacks
- Share stories of smart people who got phished
- Make it about protecting others, not themselves
- Use simulations that are genuinely hard to spot
Sometimes you need to let them fail a simulation to break through the arrogance.
The Family Phishing Problem
Your employees go home to families who are also phishing targets. Their parents get calls from "Telstra" about internet problems. Their kids get DMs from "friends" who need account recovery codes.
The phishing simulation training you provide at work doesn't just protect your business. It equips people to protect their families too.
Make that connection explicit. "The skills you're learning here apply at home too. Teach your parents to verify calls. Help your kids spot social media scams."
Security awareness is a life skill, not just a job requirement.
Want to learn more about building a security-aware culture? Check out our guide to effective security awareness training.
Mathew Clark
Founder, SecureInSeconds
Currently: Analysing my own phishing simulation results and realising I clicked a fake LinkedIn notification last week (it was very convincing)
Further Reading:
- ACSC phishing guidance
- CISA Phishing resources
- Our guide to security awareness training effectiveness — why most training fails
