Why Your Phishing Training is Failing—and What vCSOs Can Do to Fix It

Every year, organizations spend millions on phishing awareness training, convinced that simulated phishing emails will turn employees into a human firewall.

But new research tells a different story: traditional phishing training doesn’t just fail—it can actually make employees more likely to fall for phishing scams.

If you’re a vCSO, that should be a wake-up call. Because if your phishing strategy isn’t working, your company isn’t just at risk of a breach; it’s at risk of regulatory fines, lawsuits, and massive financial fallout.

The Data is Clear: Phishing Simulations Aren’t Working

A UC San Diego study of 19,500 employees over eight months confirmed what many security leaders have suspected for years: phishing training programs aren’t reducing risk.

Here’s what they found:

  • Annual security training made no difference. Employees who completed required training were just as likely to fail phishing tests as those who didn’t.

  • Phishing simulations barely helped. Employees who received frequent phishing tests performed only 2% better than those who had none.

  • Some employees actually got worse. The more phishing tests they failed, the more likely they were to fail again in the future.

Instead of creating smarter employees, phishing simulations are creating overconfident or disengaged employees—neither of which reduces cyber risk.

This should set off alarms for vCSOs. Companies are investing time and money into training that isn’t working, while attackers are only getting better.

Phishing is Evolving Faster Than Your Training

Cybercriminals aren’t sending sloppy, typo-ridden emails anymore. Today’s phishing attacks are meticulously designed to bypass security defenses and exploit human behavior.

Just look at these recent phishing threats:

  • Microsoft and Google spoofing: A 2024 report by Check Point found that Microsoft accounted for 38% of all phishing attempts, with Google at 11%. Attackers craft near-identical login pages to trick users into entering credentials.

  • Tycoon 2FA phishing kit: A widely used tool that intercepts multi-factor authentication (MFA) codes, allowing attackers to bypass even strong security controls.

  • Agent Tesla malware campaign: Hackers sent phishing emails disguised as legitimate bank payments—and it was devastating. A single click downloaded keyloggers and infostealers, compromising entire organizations.

  • WikiLoader phishing campaign: A sophisticated attack that used PDF invoices to install malware, allowing hackers to seize control of infected systems.

These aren’t the obvious "Nigerian prince" scams of the past. They’re designed to bypass technical defenses and exploit human error. And if your phishing training isn’t keeping up, your organization is vulnerable.

Why Traditional Phishing Training Fails

The reason phishing simulations don’t work is simple: they treat the symptoms, not the disease.

Most employees aren’t falling for phishing emails because they’re reckless or uninformed. They fall for them because:

  • The email looks completely legitimate—often mimicking trusted brands like Microsoft and Google.

  • The email matches something they expected—a delivery notification, a password reset request, or an invoice.

  • They’re busy and distracted—trying to get through their inbox quickly.

And even if they do recognize a phishing attempt, many employees don’t know what to do next.

Should they report it? Delete it? Forward it to IT? Most phishing training doesn’t cover the next steps, which leaves employees hesitant or unsure of what action to take.

Here’s How vCSOs Should Lead the Change

1. Teach Employees to Recognize the Right Behaviors, Not Just Avoid the Wrong Clicks

Most phishing training focuses on avoidance—don’t click suspicious links, don’t open attachments, don’t trust unknown senders. But what happens when an email looks completely legitimate? Employees need more than a list of "don'ts"—they need a clear process for handling suspicious emails and a culture that encourages reporting rather than punishment.

First, ensure employees know exactly where and how to report phishing attempts. If employees are unsure whether an email is malicious, they should be able to forward it to a dedicated security team for review. Without a clear process, many will simply ignore threats, leaving them unreported and unmitigated.

Second, security leaders need to demonstrate real-world consequences. Walk employees through actual phishing incidents that resulted in major breaches. Explain how a single misstep—one user clicking on a fake invoice, one employee entering credentials into a spoofed Microsoft login page—can lead to ransomware infections, data theft, and millions in damages. When people understand the stakes, they’re more likely to take training seriously.

2. Show Employees How Phishing Attacks Target Their Personal Lives

Security awareness is far more effective when it feels personal. Employees often view cybersecurity as an IT problem rather than something that affects them directly. The best way to change this mindset? Make training personal first, then extend it to the workplace.

Start by showing them how phishing tactics are used against them personally. Most people have seen fake Amazon delivery notifications, bogus Apple ID login alerts, or PayPal fraud warnings. Explain how these scams work, how cybercriminals steal banking credentials, and how stolen passwords lead to identity theft.

Next, highlight how attackers use personal accounts to infiltrate corporate systems. Phishing emails targeting personal Gmail or Outlook accounts often lead to corporate credential theft—especially if employees reuse passwords across personal and business accounts.

Finally, educate them on how modern phishing attacks bypass MFA. Tools like the Tycoon 2FA phishing kit trick users into entering authentication codes, allowing hackers to hijack legitimate sessions even when MFA is enabled. If employees think MFA makes them invincible, they’ll lower their guard. Teaching them how MFA bypass techniques work will encourage them to stay vigilant.

The more employees see phishing as a direct risk to their finances, identity, and personal security, the more seriously they’ll take it at work.

3. Ditch Monthly Phishing Simulations—Adopt Ongoing, Real-World Training

Many organizations treat phishing training as a one-and-done exercise. They send out a few fake phishing emails each month, track failure rates, and assume that repeated exposure will improve security awareness.

But as the UC San Diego study proved, this approach doesn’t work. Employees don’t just need to recognize phishing emails—they need to develop long-term security habits.

A more effective approach is structured, ongoing security training that focuses on real-world attack scenarios.

  • Monthly interactive training: Instead of repetitive phishing simulations, implement short, engaging sessions that focus on new and emerging threats. Show employees how phishing attacks evolve and how attackers exploit emotions, urgency, and authority.

  • Live attack debriefs: Whenever an actual phishing attack is detected—whether successful or not—review the incident with employees. Explain what the attacker was trying to do, how they got past filters, and how employees could have detected the threat sooner.

  • Role-based security awareness: Different employees face different phishing threats. Finance teams are targeted with wire transfer fraud emails, executives face whale phishing scams, and IT teams may receive malware-laced fake software updates. Customize security training to match employees' job roles, ensuring they understand the specific risks they’re most likely to face.

When training is consistent, relevant, and engaging, employees are more likely to retain knowledge and apply it when it counts.

4. Integrate Phishing Training into Business Risk Discussions

One of the biggest reasons phishing training fails is that executives don’t take it seriously. Many see it as a low-priority IT initiative rather than a critical business risk. As a vCSO, your job is to bridge that gap—connecting phishing risks to financial, operational, and compliance consequences.

  • Tie phishing risks to financial impact: Don’t just report "X% of employees failed a phishing test." Translate that failure into real business costs. How much did similar phishing attacks cost companies last year? What would a single successful phishing attack cost your organization in legal fees, regulatory fines, or lost business?

  • Make phishing training a compliance requirement: Highlight how poor security awareness can violate regulatory obligations, invalidate cyber insurance claims, and increase legal liability. The SEC has already penalized companies for failing to document cybersecurity efforts—poor phishing defenses can put an organization at risk of lawsuits and regulatory action.

  • Involve leadership in security awareness: Security isn’t just an IT responsibility. Executives, department heads, and board members need to understand how phishing impacts the business—and take an active role in reducing risk. When leadership prioritizes security awareness, employees will follow their lead.

The Bottom Line: Phishing Training Must Evolve

Phishing simulations aren’t enough.

If your organization is still relying on outdated training methods, you’re setting employees up to fail—and opening the business to devastating security breaches, legal liability, and compliance failures.

As a vCSO, your job isn’t just running phishing tests—it’s transforming how security is understood at every level. Because phishing isn’t an IT problem. It’s a business risk. And the companies that fail to adapt will be the next breach headline.

The question isn’t whether your employees will be targeted. It’s whether they’ll be ready when it happens.
