Phishing Simulations: What Works and What Doesn’t
Phishing is one of the oldest and most effective techniques used by cybercriminals. No one is immune to it, not even internet security experts, as seen in the case of Troy Hunt, who recently fell for a phishing email. Before AI became mainstream, phishing emails often gave themselves away: they were full of grammar mistakes and awkward wording, making them easier to spot. That has changed. Today's phishing attacks are much more convincing and often look just like real messages.
That's why many companies use phishing simulations to train employees to recognize and avoid these kinds of attacks. HR teams are often involved in rolling out these programs, especially when it comes to employee training, compliance, and awareness. While IT or security teams usually handle the technical side, HR plays a key role in making the training stick.
However, the effectiveness of these simulations is being questioned. Researchers conducted a study on the real-world effectiveness of common phishing training methods. They found that the absolute difference in failure rates between trained and untrained users was small across various types of training content. This result should be taken with caution, though: the study was conducted within a single healthcare organization and used only click rates as the measure of success or failure, which doesn't capture the full picture.
Matt Linton, Google's security manager, said that phishing tests are outdated and often cause more frustration among employees than improvement in their security habits. On the other hand, companies that use adaptive phishing simulations and behavior-based training, especially during onboarding, have seen phishing risk drop by 30% among new hires.
While no training is perfect, educating employees to recognize phishing remains a key part of a good security strategy. The truth is that phishing tactics evolve all the time, so a simulation that felt relevant a few months ago might already be outdated. If training doesn't keep up with new threats, employees may not be ready for what's out there. That's why phishing simulations work best when they're part of a bigger strategy. For HR, that means focusing on continuous education, communication, and creating a workplace culture where reporting suspicious emails feels safe.
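The point above about click rates missing the full picture, and about reporting culture, is easier to see with numbers. The following is an added example (not code from the original article or any vendor platform) that scores two constructed simulation campaigns on click rate, credential-submission rate, report rate, report speed and a report-to-click "resilience ratio"; the record schema and sample data are assumptions made for the illustration.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Dict, Optional


@dataclass
class SimResult:
    """One recipient's outcome in a simulated phishing campaign (constructed schema)."""
    user: str
    campaign: str
    clicked: bool                    # followed the lure link
    submitted: bool                  # entered credentials on the landing page
    reported: bool                   # used the report-phishing button
    report_delay_min: Optional[int] = None  # minutes from delivery to report


# Constructed sample telemetry for two quarterly campaigns; not real data.
RESULTS: List[SimResult] = [
    SimResult("alice", "q1-invoice", True, True, False),
    SimResult("bob", "q1-invoice", True, False, True, 40),
    SimResult("carol", "q1-invoice", False, False, True, 5),
    SimResult("dave", "q1-invoice", False, False, False),
    SimResult("alice", "q2-mfa-reset", False, False, True, 12),
    SimResult("bob", "q2-mfa-reset", True, False, True, 9),
    SimResult("carol", "q2-mfa-reset", False, False, True, 3),
    SimResult("dave", "q2-mfa-reset", False, False, False),
]


def campaign_metrics(results: List[SimResult], campaign: str) -> Dict[str, object]:
    """Compute the metrics a click-rate-only view leaves out."""
    rows = [r for r in results if r.campaign == campaign]
    n = len(rows)
    clicks = sum(r.clicked for r in rows)
    reports = sum(r.reported for r in rows)
    delays = [r.report_delay_min for r in rows
              if r.reported and r.report_delay_min is not None]
    return {
        "recipients": n,
        "click_rate": clicks / n,
        "submit_rate": sum(r.submitted for r in rows) / n,
        "report_rate": reports / n,
        # Recipients who neither clicked nor reported: no signal either way.
        "silent_rate": sum(not r.clicked and not r.reported for r in rows) / n,
        # Reports per click; higher means the org catches lures faster than it falls for them.
        "resilience_ratio": reports / clicks if clicks else float("inf"),
        "median_report_min": median(delays) if delays else None,
    }


if __name__ == "__main__":
    for c in ("q1-invoice", "q2-mfa-reset"):
        print(c, campaign_metrics(RESULTS, c))
```

Between the two constructed campaigns the click rate only halves, but the report rate rises from 50% to 75% and the median time to report drops from 22.5 to 9 minutes, which is the behaviour change a click-rate-only study cannot see.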
Artificial Intelligence (AI) has made it easier for cybercriminals to carry out phishing attacks by writing believable phishing messages, mimicking people's voices, researching targets, and creating deepfakes. Phishing attacks occur when cybercriminals trick their victims into sharing personal information, such as passwords or credit card numbers, by pretending to be someone they're not. By using AI in these attacks, cybercriminals can appear more credible and trustworthy, leading more victims to send them private information or money.
With generative AI, scammers can now write phishing emails that remove language barriers, reply in real time, and almost instantly automate mass personalized campaigns, which makes it easier to spoof domains and gain access to sensitive data.
It is important to note that simulated phishing attacks are designed to automate phishing training and deliver learning experiences directly to employees. To get the most out of a phishing test, you should follow these steps: all good phishing tests are based on solid preparation work. The goal of phishing simulation campaigns is to educate employees on how to spot a phishing scam and to change the "urge to click" behaviour that fraudsters rely on.
In conclusion, phishing simulations are a critical tool in the cybersecurity arsenal, capable of significantly enhancing or damaging an organization's culture and security posture. When conducted responsibly, these simulations can bolster organizational culture, enhance security awareness, and equip employees with the skills needed to combat real-life threats.