Phishing simulations: What works and what doesn’t

Phishing is one of the oldest and most effective scams used by cybercriminals. No one is immune to them, not even internet security experts, as seen in the case of Troy Hunt, who recently fell for a phishing email.

Before AI became mainstream, phishing emails often gave themselves away. They were full of grammar mistakes and awkward wording, making them easier to spot. That’s changed. Today’s phishing attacks are much more convincing, often looking just like real messages.

That’s why many companies are using phishing simulations to train employees to recognize and avoid these kinds of attacks.

HR teams are often involved in rolling out these programs, especially when it comes to employee training, compliance, and awareness. While IT or security teams usually handle the technical side, HR plays a key role in making the training stick.

How well do these simulations actually work?

Researchers conducted a study on the real-world effectiveness of common phishing training methods. They found that the absolute difference in failure rates between trained and untrained users was small across various types of training content.

However, we should take this with caution, as the study was conducted within a single healthcare organization and focused only on click rates as the measure of success or failure. It doesn’t capture the full picture.

Matt Linton, Google’s security manager, said phishing tests are outdated and often cause more frustration among employees than actually improving their security habits.

On the other hand, companies that use adaptive phishing simulations and behavior-based training, especially during onboarding, have seen phishing risk drop by 30% among new hires.

While no training is perfect, educating employees to recognize phishing remains a key part of a good security strategy.

The truth is, phishing tactics evolve all the time. A simulation that felt relevant a few months ago might already be outdated. If training doesn’t keep up with new threats, employees may not be ready for what’s out there.

That’s why phishing simulations work best when they’re part of a bigger strategy. For HR, that means focusing on continuous education, communication, and creating a workplace culture where reporting suspicious emails feels safe.

The downside of phishing simulations

Employee fatigue

The whole point of phishing simulations is to train employees to spot real threats. But if employees become tired of the tests, they might also stop noticing genuine phishing attempts. That’s the opposite of what organizations want.

Negative impact on morale

When someone clicks on a fake phishing email, they often feel embarrassed or blamed. Sometimes employees worry that management will punish them or that their coworkers will judge them. This negative feeling can lower their confidence and willingness to learn.

Generic tests that miss the mark

Not all phishing tests hit the mark. Some companies use generic, outdated examples that don’t reflect real threats employees see. When that happens, people tend to tune them out.

Steps to make phishing training work for your team

For any training program to work, you first need to understand your organization’s risk. Which employees are most at risk? What do they already know about phishing?

Next, work closely with your IT or security teams to create phishing tests that match current threats.

Tell employees what to expect. Explain why these tests matter and how they help stop problems.

Don’t play the blame game. If someone fails a test, treat it as a chance to learn, not to punish. When you do this, employees are less likely to hide mistakes or avoid reporting phishing emails.

When picking a vendor, focus on content and realistic simulations. The system should be easy to use and provide helpful reports.

Finally, ask employees for feedback. Find out what works and what doesn’t, and use what you learn to make the training better over time.

“While traditional security awareness training is essential for establishing a shared foundation of knowledge across an organization, it’s important to recognize that employees will differ in both specific knowledge and reliability. As a first step, companies should use phishing simulation testing to establish a performance baseline for each employee. From there, organizations can offer more targeted training simulations tailored to each employee, based on their experience, knowledgeability, department, title, and so on,” said Eyal Benishti, CEO of IRONSCALES.