After years of slideshows, quizzes and inspirational posters, a clear picture is emerging: Even the most widely accepted computer-based strategies — which are used by the entire Fortune 500, among other organizations — do not change behavior. There is increasing evidence that the average employee learns next to nothing that significantly affects outcomes, even as phishing continues to be a primary door-opener for data breaches and ransomware.
New research from UC San Diego Health and Censys, an internet security data service, found that a plurality of the more than 19,500 employees who received simulated phishing emails never completed the mandated cybersecurity training that is supposed to teach users to recognize such attacks.

Embedded click-and-learn modules themselves produced only a minimal lift, about a 2% decrease in failure rates — far from the return on investment security leaders are looking for.
This isn’t an academic quibble. Industry studies such as the Verizon Data Breach Investigations Report continue to find that a majority of breaches involve a human component, with phishing a recognized example. SpyCloud’s findings also connect phishing to scaled ransomware and account takeover. If the dominant control lever targeted at individuals isn’t moving behavior — rewrite the playbook.
What the new research reveals about phishing training
The study from UC San Diego Health highlights that training plays second fiddle to topic relevance. Virtually no one clicked a request to “update your Outlook password,” but more than 30 percent of people clicked an email that looked like an employer update to vacation policy. The longer campaigns ran, the more failures accumulated: Failures climbed from about 1 in 10 participants to over half by month eight. That’s not learning — that’s fatigue and normalization.
The researchers also observed minimal interaction with mandatory e-learning, frequently no more than a few seconds. Retention is predictably close to zero when employees race through content just to check off the compliance box. Yearly monolithic modules don’t reflect how adults really learn: in small, context-rich bites that are relevant now and reinforced by immediate feedback.
Where classroom-based training fails to change behavior
Employees overfit to checklists. They’re instructed to search for spelling mistakes and bizarre domains, but today’s phishing emails are grammatically pristine, rely on HTTPS and pass basic email authentication checks. Attackers can convincingly mirror brand voice, design systems and sender names — particularly with generative AI at their fingertips.
Context beats content. Clicks are more likely under pressure: when we’re fatigued, in a rush, or responding to what looks like a message from a boss or a system notification. In the real world of workflow — approving invoices, processing patient records, administering benefits — split-second decision-making reigns. Training separated from those moments can’t stand up to urgency and cognitive load.

The wrong incentives also backfire. Punitive “gotcha” drills erode trust and decrease reporting. Employees quickly learn to mistrust security entirely, delaying incident response and obscuring valuable telemetry. Worse, companies pat themselves on the back for lower simulated click rates while neglecting more meaningful metrics they could measure, such as the time taken to report real attacks.
Attackers are quicker to adapt than lesson plans
Phishing has outgrown email. Campaigns now span QR code bait on printed signs, SMS “package” notifications, direct messages in collaboration tools and OAuth consent phishing that dupes victims into granting token-based access. Adversary-in-the-middle kits steal credentials and one-time passcodes, defeating weaker MFA implementations.
And the content is as good as it has ever been. Communities of bad actors can draft localized, on-brand copy at scale the moment a new corporate announcement or HR policy trend springs up; large language models help them produce it in far greater volume and variety. Training that is refreshed on an annual basis simply cannot keep up with a threat landscape that refreshes daily.
What really cuts your odds of being phished
- Adopt phishing-resistant MFA. Passkeys and FIDO2 security keys protect against credential replay and man-in-the-middle attacks by binding authentication to the real domain. Microsoft reports that almost all compromised accounts had no MFA whatsoever, so closing that gap is a quick win.
- Harden email and identity layers. Enforce DMARC, DKIM and SPF to reduce spoofing; turn off legacy protocols that circumvent modern controls; apply conditional access and token protection policies; use password managers that autofill only when the page domain matches the entry in your identity store. These steps block entire categories of attacks before they ever reach a human.
- Contain the inevitable. Browser and email link isolation, attachment detonation and just-in-time URL analysis reduce the blast radius if someone does click. Streamline phishing-takedown playbooks and automate token revocation and credential resets, so a mistake becomes an incident rather than a crisis.
- Make reporting effortless and rewarded. A single-click “report phishing” option wired into ticketing and SOC workflows turns employees into early-warning sensors. Celebrate fast reporting, not perfect detection. The speed at which the first person flags a campaign usually determines how many others are shielded.
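Two of the controls above can be checked mechanically: whether a domain's DMARC record actually enforces a policy, and whether an autofill or passkey rule matches the exact registered host rather than a look-alike. The following is an added example, not code from the article or the studies it cites; the DMARC records and URLs are constructed samples.

```python
"""Added example: grade a DMARC TXT record and apply an exact-host autofill rule.
The record strings and URLs below are constructed samples, not real domains."""
from urllib.parse import urlsplit

# Constructed DMARC records: a monitor-only record and its enforcing counterpart.
WEAK_DMARC = "v=DMARC1; p=none; pct=100; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; malformed fragments are skipped."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list:
    """Return weaknesses in plain words; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is only monitored, not blocked")
    # sp defaults to the organizational policy when absent.
    if tags.get("sp", policy) != "reject":
        findings.append("subdomain policy weaker than reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports of spoofing are never delivered")
    return findings


def origin_matches(page_url: str, registered_host: str) -> bool:
    """Autofill rule: require HTTPS and a host equal to, or a subdomain of,
    the registered host. Substring matching would accept look-alike domains."""
    parts = urlsplit(page_url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    registered_host = registered_host.lower().rstrip(".")
    return host == registered_host or host.endswith("." + registered_host)
```

Run `dmarc_findings` against each record to see the weak one flagged and the enforcing one pass, and `origin_matches` against a look-alike such as `https://example.com.evil.test/login` to see the rule refuse it.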
Rethink training, don’t cancel it — make it work
Replace annual marathons with microlearning linked to real work: 60-second nudges while processing the inbox, short scenario drills for finance approvals, and role-based coaching for executives, HR and IT. Tabletop exercises and peer-led walk-throughs build a practical intuition that slide decks will never deliver.
Personalize and time-box. Provide just-in-time reminders during high-risk days — travel days, payroll runs, vendor onboarding — and rotate themes to keep people engaged and avoid simulation fatigue. Behavioral science work from both academic labs and national cyber agencies shows that reasoned signals and clear, actionable options beat scare tactics.
Finally, fix the scorecard. Track time-to-report, real phish reported by employees, token revocations in minutes, and the percentage of accounts on phishing-resistant MFA. Use control groups and A/B trials for banners, warnings and policies. If a change doesn’t produce a measurable reduction in real-world compromise, keep iterating.
The takeaway is an uncomfortable but liberating one: people are not the problem; the system is. When organizations move from teaching users to spot every trick to erecting systems that make the right thing easy, phishing ceases being an endless game of whack-a-mole and becomes a tractable engineering problem.
