26 November 2025 / Point of view

Traditional phishing training doesn’t work: we’ve been saying this for years — now the science proves it

We’re pleased to see that scientific research has now confirmed what we at Phished have been saying for years: phishing training, in its current and commonly deployed form, simply doesn’t reduce risk. That’s exactly why we built Zero Incident Mail™ — real zero-incident email protection that prevents breaches caused by human error and compensates for what spam filters fail to stop.

A groundbreaking real-world study by UC San Diego and the University of Chicago, the largest of its kind, tested over 19,000 employees for eight months. Presented at the Black Hat 2025 security conference (slides - 5-minute read), the results were clear and conclusive, reinforcing earlier findings from ETH Zurich: phishing simulations and embedded training, in their current and commonly deployed form, have no impact.

It’s exactly what we wrote back in 2021 in our blog The Secret to not Getting Phished? Stop Relying on Just Phishing Simulations, where we warned that phishing simulations alone had no real impact and explained that a holistic training approach is needed to truly change employee behavior. Companies that have been running traditional simulation campaigns still end up with persistent high-risk users: repeat offenders, people who enter sensitive data, and first-time clickers. Click-through rates stay at an average of 10%, no matter how many simulations you run.

The failure of traditional training vs. the holistic approach

What’s needed, first of all, is a holistic approach — one that goes beyond the failed “teachable moment” of embedded training. The study shows that most people close inbox-based training pop-ups within ten seconds; they simply don’t want to spend time on cybersecurity training while managing their emails. That’s why Phished doesn’t interrupt employees mid-task. Instead, we deliver structured, risk-based learning sessions that truly engage learners and help knowledge stick.

We reinforce positive behavior through our Behavioral Risk Score™ (BRS), giving employees and teams a clear way to track and celebrate their progress. We also strengthen overall resilience through cyber hygiene practices that secure both personal and professional apps and devices, which is crucial, as roughly half of those apps and devices remain unsecured.

And because cybercriminal tactics evolve constantly, our Cyber Newsroom keeps employees up to date with the latest threats and provides clear, actionable guidance.

“For years we’ve been warning that phishing simulations, in their current and commonly deployed forms, don’t actually reduce risk — and now the science proves it. That’s why we’ve built a model that protects employees as well as trains them — so human mistakes never turn into incidents.” - Jo Vandebergh, CEO Phished

Why your spam filters fail, and how Zero Incident Mail™ fixes it

Around 95% of companies rely on Microsoft 365 or Google Workspace spam filters, often with an additional layer for extra safety. But these systems were originally designed to block marketing or bulk spam—not highly targeted, AI-powered phishing attacks. And even with training, employees can’t be expected to compensate for what technology fails to block.

That’s why organizations need to combine holistic, risk-based training with real zero-incident email protection to prevent breaches caused by human error.

Traditional zero-trust email security versus Zero Incident Mail™

Zero-trust email security starts from a simple principle: trust nothing by default. Every message, link, and attachment must be verified before delivery or access. This includes domain authentication (SPF, DKIM, DMARC), mandatory encryption, real-time content inspection, and strong identity checks (such as MFA) for anyone accessing email.

But even these controls aren’t enough. Traditional zero-trust email security has never worked well against real-world phishing, which is why employees receive awareness training on top of it. The numbers make one thing clear, though: training on its own doesn’t prevent incidents.
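To make concrete what the domain-authentication step in that list does and does not decide, here is an added example (not Phished’s code and not part of the original post) that performs the DMARC alignment decision from RFC 7489 section 3.1 over SPF and DKIM results that a mail server has already produced. Every name in it (example.com, examp1e.com, attacker-mail.net), the AuthResults structure and the sample records are constructed assumptions, and the organizational-domain lookup is simplified to the last two labels rather than the Public Suffix List.

```python
"""DMARC alignment evaluation (added example; assumptions noted inline).

Assumes an MTA has already run SPF and DKIM checks and fetched the From
domain's DMARC TXT record. This code only does the DMARC decision from
RFC 7489 section 3.1: the message passes if a passing DKIM signature or a
passing SPF check is *aligned* with the RFC5322.From domain.
"""
from dataclasses import dataclass
from email.utils import parseaddr


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Simplified: last two labels. A real implementation uses the
    Public Suffix List (assumption made for brevity)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_header: str      # RFC5322.From header value
    spf_result: str       # 'pass', 'fail', 'none', ...
    spf_domain: str       # MAIL FROM domain the SPF check was done on
    dkim_results: list    # [(result, d= domain), ...]
    dmarc_record: str     # TXT record at _dmarc.<from domain>


def dmarc_evaluate(r: AuthResults) -> dict:
    _, addr = parseaddr(r.from_header)
    from_domain = addr.rpartition("@")[2]
    policy = parse_dmarc_record(r.dmarc_record)
    adkim = policy.get("adkim", "r")   # defaults per RFC 7489: relaxed
    aspf = policy.get("aspf", "r")
    dkim_aligned = any(res == "pass" and aligned(d, from_domain, adkim)
                       for res, d in r.dkim_results)
    spf_aligned = (r.spf_result == "pass"
                   and aligned(r.spf_domain, from_domain, aspf))
    passed = dkim_aligned or spf_aligned
    return {
        "from_domain": from_domain,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy.get("p", "none"),
    }


# Constructed sample results (not real traffic).
SAMPLES = {
    # 1. Direct spoof: From example.com, but SPF/DKIM only pass for the
    #    attacker's own domain, so nothing aligns and p=reject applies.
    "spoof": AuthResults(
        from_header="Finance <cfo@example.com>",
        spf_result="pass", spf_domain="bounce.attacker-mail.net",
        dkim_results=[("pass", "attacker-mail.net")],
        dmarc_record="v=DMARC1; p=reject; adkim=r; aspf=r",
    ),
    # 2. Legitimate mail signed by a subdomain: relaxed alignment accepts it.
    "legit_subdomain": AuthResults(
        from_header="cfo@example.com",
        spf_result="pass", spf_domain="mail.example.com",
        dkim_results=[("pass", "mail.example.com")],
        dmarc_record="v=DMARC1; p=reject",
    ),
    # 3. Same mail under strict alignment: the subdomain no longer aligns.
    "strict_subdomain": AuthResults(
        from_header="cfo@example.com",
        spf_result="pass", spf_domain="mail.example.com",
        dkim_results=[("pass", "mail.example.com")],
        dmarc_record="v=DMARC1; p=quarantine; adkim=s; aspf=s",
    ),
    # 4. Lookalike domain the attacker registered and configured correctly:
    #    DMARC passes, because it only proves the mail came from examp1e.com.
    "lookalike": AuthResults(
        from_header="Finance <cfo@examp1e.com>",
        spf_result="pass", spf_domain="examp1e.com",
        dkim_results=[("pass", "examp1e.com")],
        dmarc_record="v=DMARC1; p=none",
    ),
}


def run_samples() -> dict:
    return {name: dmarc_evaluate(r) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:17} {verdict['dmarc']:4} -> {verdict['disposition']}")
```

The fourth sample is the caveat a practitioner should keep in mind: SPF, DKIM and DMARC verify that a message genuinely came from the domain in its From header, not that the domain is the one the recipient thinks it is. A correctly configured lookalike domain passes all three, which is why these controls alone do not stop targeted phishing.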

This is exactly why Phished developed Zero Incident Mail™ (ZIM): a breakthrough real zero-trust layer that neutralizes risky clicks instantly, ensuring that even when employees make mistakes, no harm ever reaches your infrastructure. It aligns perfectly with one of the study’s key recommendations: combine education with real protection.

In short, we’re already doing what the science now validates: don’t blame people—protect and guide them. Turn human error into a safe, positive learning moment instead of a moment of shame.

Jo Vandebergh

CEO, Phished