
security awareness

How to Train Your Staff to Spot Phishing (That Actually Works)

Generic phishing training records completions and is forgotten within a week. Here is what a programme that actually changes behaviour looks like — and how to build one.

By IronSights Editorial, Practitioner team · 28 April 2026 · 3 min read

Most phishing awareness training does not change behaviour. It records a completion, satisfies a compliance requirement, and is forgotten within a week. The result is a workforce that has technically completed training but still clicks links and submits credentials to convincing fakes. Here is what actually works.

Why most phishing training fails

Generic training has three problems. First, it teaches people to spot the obvious attacks — poorly written emails with suspicious attachments — while the real threat is polished, contextualised, and sent from compromised legitimate accounts. Second, it creates a compliance mindset rather than a security mindset. People complete it to tick the box, not to change how they behave. Third, there is no connection between training and consequence. Someone clicks a simulated phish, gets a pop-up telling them they failed, and moves on.

What good awareness training looks like

Effective training has three components: relevant simulation, immediate education, and tracked behaviour change over time.

The simulation should be hard. Not impersonating a bank with bad grammar — impersonating your IT helpdesk asking staff to verify credentials for a system they actually use. Simulations that closely mirror real attack patterns test the actual skill, not pattern recognition against obvious examples.

Immediate education matters. When someone clicks, the explanation should come in that moment — not in a debrief email a week later. The moment of failure is the highest-attention learning moment.

And the programme needs to run continuously, not once a year. A single simulation followed by training delivers no lasting behaviour change. Monthly simulations with rolling baseline tracking show you whether the programme is working.

Designing your simulation programme

A well-designed programme includes:

  • Monthly simulations that vary the pretext — IT helpdesk, payroll, vendor invoice, logistics tracking.
  • Difficulty that increases gradually as baseline click rates fall.
  • Targeted campaigns for high-risk roles: finance, HR, executives.
  • Immediate in-the-moment education on failure — not a follow-up email.
  • Monthly reporting on click rate, credential submission rate, and reporting rate.

The goal is not zero click rates — it is reducing them over time while increasing the rate at which staff report suspicious emails to IT. The reporting rate is often the most useful leading indicator of culture change.

Measuring whether it is working

The right metrics are behavioural, not completion-based.

  • Click rate on simulations — should decline over the programme's life.
  • Credential submission rate — should be near zero for any well-run programme.
  • Reporting rate — the percentage of staff who forward suspicious emails to IT.

A programme where click rates have not fallen after six months is not working. Change the simulation design, the training content, or both.
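A small tracker for the behavioural metrics above, added here as an example and not code from the article or from Fortify. The campaign figures are constructed, and the decision rule (a programme is working when the mean click rate of the latest three months is below the opening three-month baseline while the reporting rate has risen) is my reading of the six-month test the article describes.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Campaign:
    """One monthly simulation; counts are recipients, not events."""
    month: str        # "YYYY-MM"
    sent: int
    clicked: int      # followed the lure link
    submitted: int    # went on to enter credentials
    reported: int     # forwarded the email to IT

    def rates(self):
        return {k: getattr(self, k) / self.sent
                for k in ("clicked", "submitted", "reported")}

def assess(campaigns, min_months=6, baseline_months=3):
    """Apply the article's rule: after at least min_months of simulations the
    click rate must have fallen against the opening baseline (mean of the first
    baseline_months campaigns) and the reporting rate should have risen."""
    if len(campaigns) < min_months:
        return {"verdict": "too early", "months": len(campaigns)}
    rs = [c.rates() for c in sorted(campaigns, key=lambda c: c.month)]
    head, tail = rs[:baseline_months], rs[-baseline_months:]
    out = {
        "baseline_click": mean(r["clicked"] for r in head),
        "current_click": mean(r["clicked"] for r in tail),
        "baseline_report": mean(r["reported"] for r in head),
        "current_report": mean(r["reported"] for r in tail),
        "current_submit": mean(r["submitted"] for r in tail),
    }
    click_fell = out["current_click"] < out["baseline_click"]
    reporting_rose = out["current_report"] > out["baseline_report"]
    out["verdict"] = "working" if click_fell and reporting_rose else "redesign"
    return out

# Constructed sample results: seven monthly campaigns of 200 recipients each.
SAMPLE = [
    Campaign("2025-10", 200, 52, 18, 12),
    Campaign("2025-11", 200, 44, 10, 20),
    Campaign("2025-12", 200, 38, 6, 30),
    Campaign("2026-01", 200, 30, 4, 44),
    Campaign("2026-02", 200, 22, 2, 58),
    Campaign("2026-03", 200, 16, 1, 70),
    Campaign("2026-04", 200, 12, 0, 84),
]

if __name__ == "__main__":
    for k, v in assess(SAMPLE).items():
        print(f"{k}: {v:.3f}" if isinstance(v, float) else f"{k}: {v}")
```

Feed it your own per-campaign counts; a flat click rate over six months returns "redesign", which is the signal to change the simulation design or the training content.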

The goal is not to catch people. It is to build the habit of stopping and checking before clicking.

What Fortify includes for security awareness

Fortify includes a managed security awareness programme as part of the service. We design, run, and report on monthly phishing simulations, provide targeted training for high-risk roles, and give you monthly reporting on behaviour trends. You do not need to manage a training platform — we handle it end-to-end as part of your managed security service.

Frequently asked questions

How often should we run phishing simulations?

Monthly is the minimum effective frequency. Quarterly simulations are too infrequent to build and reinforce habits. Monthly strikes the right balance between regular exposure and not overwhelming staff.

Should we tell staff the programme exists?

Yes. Transparency about the programme's existence actually improves outcomes — it increases vigilance rather than creating distrust. Tell staff that phishing simulations run regularly and that clicking is not a disciplinary matter. The goal is improvement, not punishment.

What is a realistic click rate to aim for?

Well-run programmes typically bring click rates below 5% within 12 months. An initial rate of 20 to 30 percent is common for organisations running simulations for the first time. Reduction over time is the goal, not a specific number from day one.
