Phishing remains the number-one initial attack vector for data breaches. According to the Verizon Data Breach Investigations Report, phishing and pretexting account for over 40% of all social engineering incidents year after year. Most businesses know this, so they invest in phishing awareness training — annual videos, simulated phishing emails, maybe a poster in the break room.
And yet click rates on phishing simulations barely move. Employees still open malicious attachments. Credentials still get harvested. The training isn’t working, and most organizations don’t understand why.
After 35 years of managing IT security for businesses across metro Atlanta and beyond, COMNEXIA has seen what separates companies that actually reduce phishing risk from those that just check a compliance box. The difference isn’t the training platform — it’s the approach.
Why Does Traditional Phishing Training Fail?
Traditional phishing training fails because it treats security awareness as an annual event rather than an ongoing behavioral change program. Most programs share the same structural problems:
Once-a-year training doesn’t build habits. A single annual session — even a good one — fades from memory within weeks. Research on the “forgetting curve” (first described by Hermann Ebbinghaus in the 1880s and validated repeatedly since) shows that people forget roughly 70% of new information within 24 hours and up to 90% within a week without reinforcement. One training session per year is essentially starting from zero every time.
Generic content doesn’t feel relevant. When a warehouse employee and a CFO watch the same 20-minute video about Nigerian prince scams, neither one learns anything useful. Modern phishing attacks are targeted, industry-specific, and role-specific. Generic training teaches people to spot attacks that no longer exist.
Shame-based approaches backfire. Programs that publicly embarrass employees who click simulated phishing links — or impose punitive consequences — create a culture where people hide mistakes instead of reporting them. A 2023 study from the SANS Institute found that organizations with punitive phishing programs had lower reporting rates for actual phishing emails, meaning real attacks went undetected longer.
Compliance-driven programs optimize for the wrong metric. If your goal is “100% training completion,” you’ll get employees clicking through slides as fast as possible. Completion rates tell you nothing about whether behavior actually changed.
What Does Effective Phishing Training Actually Look Like?
Effective phishing training is continuous, contextual, and measured by behavioral outcomes rather than completion percentages. Programs that demonstrably reduce phishing susceptibility share several characteristics:
- Frequent, short interventions — Monthly or even bi-weekly micro-trainings of 3-5 minutes outperform annual hour-long sessions. Spaced repetition is the single most evidence-backed learning technique for long-term retention.
- Role-based targeting — Finance teams need training on invoice fraud and wire transfer scams. HR needs training on resume-based malware and W-2 phishing. Executives need training on CEO impersonation and board-level pretexting. One size does not fit all.
- Real-time teachable moments — When an employee clicks a simulated phish, the most effective response is an immediate, friendly explanation of what they missed — not a punitive email three days later.
- Positive reporting culture — Employees who report suspicious emails (even if they already clicked) should be thanked, not punished. Every reported phish is threat intelligence your security team can act on.
How Often Should Businesses Run Phishing Simulations?
Businesses should run phishing simulations at least monthly, with varied difficulty levels and attack types. The key findings from industry data are clear:
Organizations that simulate phishing monthly see click rates drop from an average of 30-40% down to under 5% within 12 months, according to data published by KnowBe4 and Proofpoint across their customer bases. Organizations that simulate quarterly see slower improvement. Organizations that simulate annually see almost no sustained improvement.
However, simulation frequency matters less than simulation quality. Effective simulations should:
- Rotate attack types — Don’t just send fake “password reset” emails. Include invoice scams, delivery notifications, calendar invites, voicemail transcripts, IT support requests, and current-event lures.
- Escalate difficulty gradually — Start with obvious red flags (misspelled domains, generic greetings) and progress to sophisticated, targeted attacks that mirror what real threat actors use against your industry.
- Include multiple channels — Phishing isn’t limited to email anymore. SMS phishing (smishing), voice phishing (vishing), and even Teams/Slack-based attacks are increasingly common. Your simulations should reflect this reality.
- Track individual progress — Some employees will consistently identify phishing attempts. Others will need additional support. Aggregate statistics hide the individuals who represent your actual risk.
What Phishing Attacks Target Small and Mid-Size Businesses Most?
Small and mid-size businesses face a specific set of phishing threats that differ from enterprise-level attacks. The most common include:
Business Email Compromise (BEC) is the costliest form of phishing, with the FBI’s Internet Crime Complaint Center (IC3) reporting over $2.9 billion in BEC losses in 2023 alone. BEC attacks impersonate executives, vendors, or partners to redirect wire transfers or harvest credentials. These emails often contain no malicious links or attachments, making them invisible to traditional email filters.
Credential harvesting through fake login pages remains extremely effective. Attackers clone Microsoft 365, Google Workspace, or industry-specific application login pages and distribute links through email, SMS, or even legitimate-looking calendar invites. Once they capture credentials, they often sit quietly in the compromised mailbox for weeks, learning communication patterns before launching further attacks.
Invoice and payment redirection scams target accounts payable departments with emails that appear to come from existing vendors, requesting updated bank account information. These attacks succeed because they exploit established business relationships and the routine nature of payment processing.
IT support impersonation has surged since the shift to remote and hybrid work. Attackers pose as internal IT staff or managed service providers, requesting remote access credentials or directing employees to install “support tools” that are actually remote access trojans.
For industries like automotive dealerships — where COMNEXIA has deep expertise — phishing attacks increasingly target DMS (Dealer Management System) credentials, which provide access to customer financial data, inventory systems, and manufacturer portals. The FTC Safeguards Rule now explicitly requires dealerships to implement security awareness training as part of their information security programs.
How Should Businesses Measure Phishing Training Success?
Measuring phishing training success requires looking beyond click rates to a broader set of behavioral metrics:
Phishing click rate is the most obvious metric, but it’s only useful as a trend over time. A single simulation’s click rate can vary wildly based on the lure quality, timing, and current events. Track the 6-month rolling average.
Report rate is arguably more important than click rate. If 10% of employees click a phish but 60% report it, your organization can respond quickly. If 5% click but only 2% report, you have a blind spot. The goal is a report rate that exceeds your click rate.
Time to report measures how quickly employees flag suspicious emails after receiving them. Faster reporting means faster incident response. Organizations with mature security cultures see average report times under 5 minutes.
Repeat clicker rate identifies the employees who consistently fall for simulations despite training. These individuals need targeted, one-on-one coaching — not another generic video.
Credential submission rate is more specific than click rate. An employee who clicks a link but recognizes the fake login page and backs out demonstrates partial awareness. Track how many employees actually enter credentials versus just clicking.
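The metrics above, computed from a constructed set of simulation results (an added example, not COMNEXIA’s tooling; the per-recipient record layout is an assumption). It also flags the “blind spot” case where the report rate fails to exceed the click rate.

```python
# Added example (not COMNEXIA's tooling): the simulation metrics the article
# lists, computed from a constructed record set. Record format is assumed.
from statistics import median

# Constructed sample, one row per employee per monthly simulation:
# (simulation, employee, clicked, submitted_credentials, minutes_to_report or None)
RESULTS = [
    ("2024-01", "alice", True,  True,  None),
    ("2024-01", "bob",   False, False, 3),
    ("2024-01", "carol", True,  False, 40),
    ("2024-01", "dave",  False, False, None),
    ("2024-02", "alice", True,  False, None),
    ("2024-02", "bob",   False, False, 2),
    ("2024-02", "carol", False, False, 6),
    ("2024-02", "dave",  True,  True,  None),
    ("2024-03", "alice", True,  True,  None),
    ("2024-03", "bob",   False, False, 4),
    ("2024-03", "carol", False, False, 5),
    ("2024-03", "dave",  False, False, 12),
]

def per_simulation(results):
    """{sim: (click_rate, report_rate, credential_rate)} as fractions of recipients."""
    out = {}
    for sim in sorted({r[0] for r in results}):
        rows = [r for r in results if r[0] == sim]
        n = len(rows)
        out[sim] = (sum(r[2] for r in rows) / n,
                    sum(r[4] is not None for r in rows) / n,
                    sum(r[3] for r in rows) / n)
    return out

def rolling_click_rate(results, window=6):
    """Mean click rate over the most recent `window` simulations (the 6-month trend)."""
    rates = [v[0] for _, v in sorted(per_simulation(results).items())][-window:]
    return sum(rates) / len(rates)

def median_minutes_to_report(results):
    return median([r[4] for r in results if r[4] is not None])

def repeat_clickers(results, min_clicks=2):
    """Employees who clicked in at least `min_clicks` simulations: coaching candidates."""
    counts = {}
    for _, emp, clicked, _, _ in results:
        counts[emp] = counts.get(emp, 0) + int(clicked)
    return sorted(e for e, c in counts.items() if c >= min_clicks)

def blind_spots(results):
    """Simulations where the report rate did not exceed the click rate."""
    return [s for s, (click, report, _) in per_simulation(results).items() if report <= click]
```

Feeding real platform exports into `RESULTS` in the same shape gives the trend, report, timing and repeat-clicker views the section recommends tracking.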
What Technical Controls Should Complement Phishing Training?
Training alone is never sufficient. A layered security approach combines human awareness with technical controls:
- Email filtering and anti-phishing gateways catch the majority of phishing attempts before they reach inboxes. Modern solutions use machine learning to detect zero-day phishing URLs and impersonation attempts.
- Multi-factor authentication (MFA) ensures that stolen credentials alone aren’t enough to compromise an account. Hardware security keys (FIDO2) provide the strongest protection against phishing, because the credential is bound to the legitimate site’s origin, so a cloned login page on a look-alike domain cannot obtain a valid response from the key.
- DNS filtering blocks connections to known malicious domains even if an employee clicks a link. This provides a safety net for the inevitable human errors.
- Email authentication protocols — SPF, DKIM, and DMARC — make it harder for attackers to spoof your domain when targeting your employees, customers, or partners.
- Endpoint detection and response (EDR) can catch malware delivered through phishing even after an employee opens a malicious attachment.
A comprehensive managed IT services provider will implement all of these layers alongside your training program, ensuring that no single point of failure can lead to a breach.
How Do You Build a Phishing-Resistant Culture?
Building a phishing-resistant culture goes beyond training and technology. It requires organizational commitment:
Leadership participation matters. When executives visibly participate in phishing simulations and security training — and share their own near-misses — it signals that security is everyone’s responsibility. In organizations where leadership is exempt from simulations, employees view security as a compliance burden rather than a shared value.
Make reporting easy. A one-click “Report Phish” button in the email client removes friction from the reporting process. If employees have to forward suspicious emails to a specific address or fill out a form, they won’t bother.
Celebrate catches, not just compliance. Publicly recognize employees and departments that report phishing attempts. This reinforces the behavior you want to see and creates positive peer pressure.
Integrate security into onboarding. New employees are prime targets because they don’t yet know internal communication patterns. Security awareness training should be part of day-one onboarding, not something scheduled for “when they settle in.”
Run tabletop exercises. Beyond individual phishing simulations, conduct team-level exercises where departments practice responding to a simulated breach that started with a phishing email. This builds the organizational muscle memory needed for real incidents.
Frequently Asked Questions
How much does phishing training cost for a small business? Most phishing awareness platforms charge between $15-$25 per user per year for small businesses. Many managed cybersecurity providers include security awareness training as part of their service packages, which can be more cost-effective than purchasing a standalone platform.
Is phishing training required by law? Several regulations require or strongly recommend security awareness training, including the FTC Safeguards Rule (mandatory for auto dealerships and financial institutions), HIPAA (healthcare), PCI DSS (payment card handling), and various state data protection laws. Even where not explicitly required, training is considered a reasonable security measure under most data breach liability frameworks.
Can AI-generated phishing emails bypass training? AI tools have made phishing emails more convincing by eliminating the spelling and grammar errors that employees were trained to spot. This makes it even more important to train employees on behavioral indicators (unexpected requests, unusual urgency, out-of-band verification) rather than just visual red flags.
What should an employee do if they already clicked a phishing link? Report it immediately to your IT team or managed service provider — even if it’s embarrassing. Time is critical. Change any passwords that may have been compromised, enable MFA if it isn’t already active, and monitor accounts for unusual activity. The worst thing an employee can do is stay silent and hope nothing happens.
How long does it take to see results from phishing training? Organizations that implement monthly simulations with real-time feedback typically see measurable improvement within 90 days and significant click-rate reductions within 6-12 months. Programs that rely on annual training alone rarely show sustained improvement regardless of timeline.