Urgent! Final Notice – Phishing Training Doesn’t Actually Work (And What To Do Instead)

Phishing Training

Phishing isn’t just one threat among many – it remains the primary entry point for many serious cyberattacks. From ransomware to data exfiltration to cryptojacking and more, much of it begins with a simple phishing email, and employees are falling for it hook, line, and sinker.

A recent study by UC San Diego Health reports 460 ransomware incidents in 2023, tied to data breach events in the U.S. healthcare sector – that’s more than once a day! Over 725 large breach events affected more than 133 million health records in that same sector. IBM’s 2023 Cost of a Data Breach Report found phishing is the single largest driver of successful breaches, responsible for about 16% of them. Given that risk, organizations have poured vast resources into phishing training – awareness modules, simulated phishing campaigns, quizzes, lectures, interactive vs static content – hoping to build better “human firewalls.” But the evidence is mounting: training alone is falling short.

What the Studies Reveal: Training Fails to Deliver

Here’s what two recent, large, empirical studies show:

1. UC San Diego Health Study: Deep Dive into Real-World Training

From “Understanding the Efficacy of Phishing Training in Practice” (Ho, Mirian et al.):

Sample: 19,500 employees at UCSD Health, over 8 months, participating in 10 simulated phishing campaigns.

Result: Annual awareness training (required yearly) showed no correlation with reduced phishing failure: whether someone had completed it recently or long ago made almost no difference to their likelihood of clicking.

Embedded phishing training (simulated lures plus on-click training) produced a statistically significant reduction in failure rates, but the effect was very small, around 2%.

Engagement was extremely low: over 50% of users left the embedded training page within 10 seconds, and fewer than 24% formally completed the training material after failing a simulation.

Click (failure) rates varied dramatically with how “hard” the phishing email was: the easiest lures produced a 1-2% failure rate, while others (e.g., vacation policy, dress code) reached a 30.8% failure rate.

Over the course of the 8-month study, 56% of users clicked at least one embedded phishing link.

2. The Fintech Firm Study: Davis & Rozema on Lecture vs Interactive vs Control

From “Phishing Training Still Isn’t Working, So Why Are We Still Paying for It?” by James Davis & Drew Rozema:

Sample size: 12,511 employees at a U.S. fintech firm. Compared multiple training modalities: lecture-based, interactive quizzes, and a control group.

Result: Training didn’t move the needle in a meaningful way. Employees who received lecture- or interactive-style training were about as likely to click on or report phishing emails as those in the control group. The difficulty of the phishing email (measured against the NIST Phish Scale) was the only reliable predictor of whether users succeeded or failed: easy phishing had a click rate of about 7%, while “hard” phishing emails rose to about 15%. Effect sizes for the training were very small (below 0.01 in many cases), raising questions about the cost-benefit ratio of these training programs.

The Big Picture

Combining the two studies: even with large sample sizes and realistic settings (real employees, real simulated emails, and real organizational infrastructure), training shows only marginal benefits in reducing phishing clicks. Many employees do not engage meaningfully with training content; much of the training ends before it truly begins (e.g., quitting quickly or skipping content). Some phishing emails are so well crafted (or so familiar) that “hard” lures produce high failure rates even in trained populations. Annual training, including compliance and checkbox items, doesn’t seem to correlate with better outcomes.

All of this suggests that relying heavily on training is a risky approach. It might reduce risk a bit, but it’s not enough – especially when attackers adapt quickly, using more context, more convincing lures, and even AI-assisted social engineering.

Stop Training, Start Eliminating

Given that phishing attacks overwhelmingly try to steal credentials, the most robust way to defeat them is to remove the credential target. Eliminate passwords. Move to authentication methods that are phishing-resistant by design. Here are the main elements of this approach:

Certificate-based authentication: cryptographic certificates tied to devices or users, rather than passwords. There is nothing for attackers to capture with a phishing email, because no shared secret (such as a password) travels over insecure channels.

Supporting technical controls: domain-level email authentication (SPF, DKIM, DMARC), endpoint verification, zero-trust network access, etc.
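As an added example of the DMARC piece of those supporting controls (code written for this page, not Portnox's or any library's), the evaluator below decides a message's DMARC result from its From domain, the published policy record and upstream SPF/DKIM verdicts, covering relaxed versus strict alignment and the sp= subdomain policy. The AuthResult inputs, the example.com/example.net domains and the simplified organizational-domain rule are assumptions for illustration.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    """Org domain, simplified to the last two labels (real code uses the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")     # policy for the organizational domain
    tags.setdefault("adkim", "r")    # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")     # SPF alignment
    return tags

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class AuthResult:          # assumed shape of an upstream verifier's verdicts
    spf_pass: bool
    spf_domain: str        # MAIL FROM domain SPF was evaluated on
    dkim_pass: bool
    dkim_domain: str       # d= of a signature that verified ("" if none)

def evaluate(from_domain: str, record: str, res: AuthResult) -> tuple:
    """Return (dmarc_result, disposition). `record` is assumed to be the one
    published at the From domain's org domain, so sp= applies to subdomains."""
    tags = parse_dmarc(record)
    spf_ok = res.spf_pass and aligned(res.spf_domain, from_domain, tags["aspf"])
    dkim_ok = res.dkim_pass and aligned(res.dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"    # unknown value: fall back to monitoring only
    return "fail", policy

# Constructed sample: a sender spoofing example.com passes SPF only for its own domain.
SAMPLE = evaluate("example.com", "v=DMARC1; p=reject", AuthResult(True, "example.net", False, ""))
```

SPF passing for an unrelated domain is exactly the case DMARC alignment exists to catch, so SAMPLE evaluates to a failed result with a reject disposition.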

Phishing is ubiquitous. It’s the leading cause of breaches and a frequent precursor to ransomware. Training your employees may check a compliance box, but it won’t stop attackers. The evidence is clear: awareness programs and simulated phishing exercises don’t deliver meaningful protection. The best path forward is architectural. Eliminate passwords, and you eliminate phishing’s prize. That’s how modern organizations can finally move beyond endless phishing campaigns – and take phishing off the table for good.
