Awareness · 2026-02-14 · 6 min read

Why Your Phishing Simulations Aren't Working - And What to Do Instead

The Simulation Trap

Most organizations run monthly phishing simulations, track click rates, and assign remedial training to employees who fail. After a year of this, many find that click rates haven't meaningfully improved. Some even see rates increase as simulation fatigue sets in.

The problem isn't the simulations themselves - it's how they're designed and what organizations measure.

Why Simulations Fail

Problem 1: Gotcha Culture - When simulations are designed to trick people rather than educate them, employees feel punished rather than supported. This breeds resentment and disengagement, not security awareness.

Problem 2: Wrong Metrics - Click rate is a vanity metric. A 5% click rate sounds good, but it means nothing if those 5% aren't reporting the phishing attempt. The metric that matters is report rate - the percentage of employees who use the phishing report button.

Problem 3: No Context - Sending generic "click here to update your password" simulations doesn't prepare employees for the sophisticated, context-aware phishing attacks they'll actually face. Real attackers research their targets.

Problem 4: Annual CBT as Remediation - Forcing employees through a 45-minute computer-based training module after they click a simulation link doesn't change behavior. It wastes time and builds resentment.

A Better Approach

Shift from punishment to education. When someone clicks a simulated phishing email, show them an immediate, friendly explainer: "This was a simulation. Here's what to look for next time." Two minutes, no judgment.

Measure report rates, not click rates. Make the phishing report button prominent and easy to use. Celebrate teams with high report rates. The goal is to build a culture where reporting is reflexive.

Use realistic, graduated scenarios. Start with obvious phishing attempts and gradually increase sophistication. Match simulation difficulty to the employee's role and access level.

Positive reinforcement. Recognize employees who report phishing attempts - real or simulated. A simple "thank you for reporting" email from the security team goes further than any training module.

Supplement with micro-learning. Short, focused security tips delivered weekly via Slack, email, or internal comms. Three sentences about a current phishing trend are more effective than an annual hour-long training.

The Goal

The goal of a phishing program isn't to catch people failing - it's to build organizational muscle memory for recognizing and reporting threats. Measure what matters: are more people reporting suspicious emails this quarter than last?
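To make "measure report rates, not click rates" and "are more people reporting this quarter than last" concrete, here is an added example (not code from the original post, and not any particular simulation product's API) that aggregates a per-employee event log from a campaign into per-team click rate, report rate, and the count of people who reported without clicking first, then compares overall report rate across two campaigns. The event rows, team names, employee ids and the 50% attention threshold are all constructed for illustration; a real export from a simulation platform would need its own adapter into the same `(employee, team, event, seconds)` shape.

```python
from collections import defaultdict

# Constructed sample log for one simulation campaign (illustrative, not real data).
# Each row: (employee_id, team, event, seconds_after_delivery)
# event is one of "delivered", "clicked", "reported".
CAMPAIGN_Q4 = [
    ("alice", "eng", "delivered", 0),
    ("alice", "eng", "reported", 120),
    ("bob", "eng", "delivered", 0),
    ("bob", "eng", "clicked", 300),
    ("bob", "eng", "reported", 400),      # reported, but only after clicking
    ("carol", "eng", "delivered", 0),     # ignored the email entirely
    ("dan", "sales", "delivered", 0),
    ("dan", "sales", "clicked", 60),
    ("erin", "sales", "delivered", 0),
    ("erin", "sales", "clicked", 90),
    ("frank", "sales", "delivered", 0),
    ("frank", "sales", "reported", 200),
    ("gina", "sales", "delivered", 0),
]

# Constructed previous-quarter campaign, used only for the trend comparison.
CAMPAIGN_Q3 = [
    ("alice", "eng", "delivered", 0),
    ("alice", "eng", "clicked", 45),
    ("bob", "eng", "delivered", 0),
    ("carol", "eng", "delivered", 0),
    ("carol", "eng", "reported", 600),
    ("dan", "sales", "delivered", 0),
    ("dan", "sales", "clicked", 30),
    ("erin", "sales", "delivered", 0),
    ("frank", "sales", "delivered", 0),
    ("gina", "sales", "delivered", 0),
]


def _per_employee(events):
    """Collapse raw events into one record per employee, keeping the earliest click/report time."""
    people = {}
    for emp, team, event, t in events:
        rec = people.setdefault(emp, {"team": team, "clicked": None, "reported": None})
        if event in ("clicked", "reported"):
            rec[event] = t if rec[event] is None else min(rec[event], t)
    return people


def campaign_metrics(events):
    """Return per-team metrics plus an 'all' aggregate over every recipient."""
    counts = defaultdict(lambda: {"recipients": 0, "clicked": 0, "reported": 0, "reported_first": 0})
    for rec in _per_employee(events).values():
        for key in (rec["team"], "all"):
            c = counts[key]
            c["recipients"] += 1
            if rec["clicked"] is not None:
                c["clicked"] += 1
            if rec["reported"] is not None:
                c["reported"] += 1
                # Reporting without clicking (or before clicking) is the behaviour to celebrate.
                if rec["clicked"] is None or rec["reported"] < rec["clicked"]:
                    c["reported_first"] += 1
    metrics = {}
    for team, c in counts.items():
        n = c["recipients"]
        metrics[team] = {
            "recipients": n,
            "click_rate": c["clicked"] / n,
            "report_rate": c["reported"] / n,
            "reported_without_clicking_first": c["reported_first"],
        }
    return metrics


def teams_needing_attention(metrics, min_report_rate=0.5):
    """Teams whose report rate is below the (assumed) target; candidates for micro-learning, not blame."""
    return sorted(t for t, m in metrics.items() if t != "all" and m["report_rate"] < min_report_rate)


def report_rate_change(previous_events, current_events):
    """Quarter-over-quarter change in overall report rate as a fraction (0.10 == +10 points)."""
    prev = campaign_metrics(previous_events)["all"]["report_rate"]
    curr = campaign_metrics(current_events)["all"]["report_rate"]
    return curr - prev


if __name__ == "__main__":
    q4 = campaign_metrics(CAMPAIGN_Q4)
    for team, m in sorted(q4.items()):
        print(f"{team:6s} recipients={m['recipients']} click={m['click_rate']:.0%} "
              f"report={m['report_rate']:.0%} reported_first={m['reported_without_clicking_first']}")
    print("needs attention:", teams_needing_attention(q4))
    print(f"report rate change vs last quarter: {report_rate_change(CAMPAIGN_Q3, CAMPAIGN_Q4):+.0%}")
```

Note that `sales` has a lower click rate than it would look like from the headline number alone if you only counted non-clickers as "passes": three of four people in `sales` did not report at all, which is exactly the blind spot the click-rate metric hides. The quarter-over-quarter delta is what the program should be reviewed against.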