Improvement of only 1.7 percent: phishing training almost always ineffective

A large study in a US healthcare company shows that common phishing training courses hardly reduce the risk – no matter how intensive or interactive they are.


A new study by IT security researchers has come to a sobering conclusion for the IT security industry: the practical benefit of common corporate phishing training programs is abysmal. Over a period of eight months, more than 19,500 employees of a large US healthcare provider were confronted with ten differently designed phishing simulations in a large-scale field test. The results show that neither the completion of regular IT security training nor so-called "embedded phishing training," in which a training offer follows directly after a misclick, significantly reduces the risk of falling for phishing.

According to the researchers, the absolute difference in error rate between trained and untrained people in the tests was just 1.7 percent. Another fundamental problem is that only a small proportion of participants actually paid attention to or completed the training material after a misclick. More than half closed the learning offer within ten seconds, and less than a quarter completed the lesson to the end. Particularly cunningly designed mail lures achieved a click rate of up to 30 percent; alleged changes to vacation entitlements or internal protocols were especially successful. Overall, 56 percent of participants clicked on a phishing link at least once during the study, regardless of their training status.

This leads to another finding: the usual annual mandatory IT security training had no measurable impact on susceptibility to phishing attacks. Whether training had taken place, and how long ago, correlated neither with fewer misclicks nor with increased awareness. The type of training also played only a subordinate role. Only interactive forms of training tailored specifically to the concrete phishing email led to a moderate risk reduction of around 19 percent. Here too, however, the overall effect remained marginal because of the low completion rates.


All in all, the authors of the study show that traditional awareness campaigns and phishing training in their current form hardly reduce the real risk in companies. This means that an industry worth millions is facing a massive credibility problem. The results were presented at the Black Hat 2025 security conference, among other venues, and confirm a long-term trend seen in previous studies: without a real change in learning motivation or fundamental improvements in training design, humans remain the biggest gateway for cyber attacks of this kind.

Interested readers can find the study on the website of participating author Ariana Mirian. Her Black Hat 2025 presentation with Christian Dameff is also publicly available.

(fo)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.