Skip to content

Phishing Simulation Click Rates Are Not Evidence of Lower Risk

The strongest recent evidence points away from fail-then-train remediation and raw click rates, and toward realistic practice, reporting culture, and technical controls.

Vlastimil Sindelar
Vlastimil Sindelar

10 min read


If you ask a security lead how the last phishing simulation went, they can pull up a click-rate dashboard in minutes. Ask whether their people would handle a real phish better than they did a year ago, and the honest answer is usually a guess.

For years that gap was filled with faith: run more simulations, watch the click rate fall, call it risk reduction. The academic record has now caught up with that faith, and the results are uncomfortable.


Do phishing simulations work?

Not reliably in the form most organisations use them. Three of the largest peer-reviewed field studies of common anti-phishing training approaches, covering more than 46,000 employees, found little or no practically meaningful improvement in simulated-phishing outcomes. Embedded training delivered after an employee clicked produced, at best, an improvement of around two percentage points, while other widely used training formats showed no significant effect.

This does not mean that every phishing exercise is useless. It means that uncalibrated click rates and fail-then-train remediation are weak evidence that risk is falling. A stronger programme combines realistic decision practice, detailed feedback, spaced reminders, fast and non-punitive reporting, and technical controls that make a single mistake survivable.


What does the research actually say?

Three independent field studies, each in a real organisation, each peer-reviewed, each testing a different piece of the standard model.

ETH Zurich, 2022. Researchers followed 14,733 employees of a large company for 15 months (IEEE Symposium on Security and Privacy 2022) through ongoing simulated phishing, with voluntary embedded training shown to anyone who fell for a test. That flow did not make employees more resilient. Employees who went through it subsequently fell for more phishing, not less; the authors warn that this industry-standard combination "can make employees even more susceptible to phishing" and point to a false sense of security as the likely mechanism.

UC San Diego Health, 2025. An 8-month randomised controlled experiment across more than 19,500 employees (IEEE Symposium on Security and Privacy 2025) found no significant relationship between having recently completed annual security awareness training and the likelihood of failing a phishing simulation, and embedded training after a failure reduced failure rates by only about two percentage points. The engagement data explains why: in over 75% of training sessions, employees spent less than one minute on the training page, and roughly a third closed it immediately. By the end of the study, 56% of employees had clicked at least one simulated phish.

The reproduction, 2026. A study of 12,511 employees at a US financial technology firm, published at the ACM Web Conference 2026, compared lecture-based and interactive training formats and then evaluated employees with simulated phish rated on the NIST Phish Scale. Neither format produced a significant effect on click rates or reporting rates. What did predict behaviour was the difficulty of the lure: click rates ran 7% for easy lures and 15% for hard ones.

The literature is not unanimous. Smaller studies and research reviews have found short-term improvements from well-designed phishing education, especially when it is interactive and feedback-rich. The narrower conclusion supported by the recent large field trials is that common training and remediation formats do not reliably produce meaningful, durable improvements, and that raw click rates should not be treated as proof of lower risk.


Why do simulation click rates look so reassuring?

Because click rates cannot be interpreted without knowing how difficult the email was.

Verizon's 2026 Data Breach Investigations Report puts the median click rate of email phishing simulation campaigns at just 1.4%. The UC San Diego study saw per-email click rates range from 1.8% to 30.8% across different lures within the same workforce and programme, illustrating how strongly campaign design can influence the result. A click rate measures the interaction between the workforce, the lure, and the surrounding context. Without controlling for lure difficulty, comparisons across campaigns or organisations are weak evidence of changing resilience.

This is exactly why NIST built the Phish Scale, a method for rating how hard a phishing email is to detect. In NIST's own words, click-rate data "can create a false sense of security if click rates are analyzed on their own without understanding the phishing email's difficulty."

A falling click-rate trend line is easy to produce: send easier lures, or repeat a familiar template. A metric that can improve without the underlying exposure changing is not proof of risk reduction. It is a reporting metric, not a risk metric.

Meanwhile, the broader human element remained present in 62% of breaches in the 2026 DBIR. That figure does not measure the effectiveness of phishing simulations, but it reinforces the need for human-risk programmes to demonstrate more than a low score on an artificial campaign.


The cost nobody puts on the dashboard: trust

The UK's National Cyber Security Centre is unusually blunt in its phishing guidance: no training package, including phishing simulations, can teach users to spot every phishing attempt, and user training is the layer organisations most often over-emphasise in their phishing defences. On punishing clickers, its wording is hard to improve: "Since no one can be expected to spot all phishing emails, punishing people for clicking on emails you've sent starts to resemble entrapment."

The entrapment line is not hypothetical. In December 2020, GoDaddy sent employees an email promising a $650 holiday bonus; around 500 people who filled in their details were told they had failed a phishing test and would be assigned remedial training. In 2024, UC Santa Cruz simulated an Ebola outbreak on campus and had to apologise for undermining trust in public health messaging. Each of these organisations bought a security control and produced a trust incident.

And trust is not a soft cost. The NCSC again: "Users who fear reprisals will not report mistakes promptly, if at all." An employee who hides a real click because the last fake one got them a reprimand is a detection gap you created yourself.

A 2026 study in MIS Quarterly also challenged point-of-failure remediation. Across three randomised field experiments, delayed feedback distributed to all employees was more promising than immediate training shown only to people who clicked. The finding points to a basic limitation of embedded training: it reaches only the people who fail, at a moment when many of them do not meaningfully engage with the material.

Google's security team reached a similar conclusion. In On Fire Drills and Phishing Tests, Google's incident responders write that "there is no evidence that the tests result in fewer incidences of successful phishing campaigns," and compare deceptive phishing tests to the early era of surprise fire drills: safety improved through engineering and calm, announced rehearsal, not through tricking occupants into failing.


What should replace click-and-remediate simulations?

The literature challenging fail-then-train simulations also points toward several more promising practices.

Scenarios with explanations, practised before the attack. A 2024 scoping review of 42 phishing-training studies in Computers & Security concluded that active engagement, repeated practice, and process-based feedback improve outcomes. A field study of 409 public-administration employees found that knowledge-based anti-phishing training measurably improved the ability to distinguish phish from legitimate mail, that the effect decayed after about six months, and that short refreshers restored it. A CHI 2024 experiment found that group discussion and role-playing raised anti-phishing self-efficacy and made people more likely to report.

Spaced reminders over one-off content. A follow-up ETH study (ACM CCS 2024, Distinguished Paper) found that whatever effectiveness embedded training has comes from its nudging effect, the periodic reminder that the threat exists, rather than from content that is rarely read. Phishing, the authors conclude, is "an attention problem, rather than a knowledge one." Attention is maintained by rhythm, not by ambush.

A reporting culture that welcomes bad news. The one unambiguously positive result in the ETH Zurich study was crowdsourced detection: employees reported over 14,000 suspicious emails with 68% accuracy, fast enough to detect new campaigns, at an operational cost of roughly 1.5 emails per day for the security team. Your workforce is a working phishing sensor, if reporting is fast, praised, and never punished.

Technical controls that remove the single point of failure. The UC San Diego authors' own recommendation is to refocus on technical countermeasures: hardware multi-factor authentication and password managers that only fill credentials on the correct domain. No amount of training substitutes for controls that make one wrong click survivable.

On measurement, NIST SP 800-50r1, the 2024 rewrite of NIST's guidance on security learning programmes, points beyond clicks: incident-reporting rates, longitudinal behaviour change, and knowledge-retention checks months after training. It is also explicit that exercises "should not be punitive, nor should any employee be called out for their response."


Do NIS2, ISO/IEC 27001, SOC 2, or NIST CSF require phishing simulations?

These frameworks do not prescribe deceptive phishing simulations as the required method for delivering or evaluating security awareness.

NIS2 Article 20 requires members of management bodies to undertake cybersecurity training and encourages entities to offer similar training regularly to employees, and Article 21 includes basic cyber hygiene and cybersecurity training among the required risk-management measures. ISO/IEC 27001 expects organisations to implement appropriate awareness, education, and training and to evaluate whether their information-security controls and management system are effective. Neither specifies that employees must be tested using deceptive emails. SOC 2 audits look at awareness and competence through the Trust Services Criteria (commonly CC1.4), and NIST CSF 2.0 covers this ground in its Awareness and Training category (PR.AT); neither names a method. Specific regimes can differ: Google notes, for example, that FedRAMP requires annual phishing exercises, which is one reason announced, non-deceptive drills are worth understanding.

Auditors generally need evidence that the organisation's selected awareness controls are implemented, appropriate to its risks and roles, and evaluated. That evidence can include participation records, knowledge assessments, scenario performance, retention checks, reporting behaviour, and documented follow-up actions. A simulation click rate is one possible input. It is neither the required one nor, on current evidence, a particularly meaningful one on its own.


The alternative: scenarios with explanations

This evidence base is what SafeHabits is built on, so we should say plainly what we do differently.

We never send deceptive emails to your employees. Instead, employees work through short, role-relevant security habits built around realistic decision scenarios: the CEO email demanding an urgent wire transfer, the caller who claims to be from IT and needs your password, the coordinated attack that arrives by email, SMS, and phone at once. Every decision comes with an explanation of why the answer is right or wrong. The evidence favours active practice and detailed feedback over point-of-failure pages that most employees barely read.

Measurement follows the same logic. Instead of a click rate that tracks lure difficulty, we capture understanding per concept alongside completion, and self-rated confidence alongside performance, so you can see where confidence and competence diverge. The output is framework-aligned evidence that supports NIS2, ISO 27001, SOC 2, and NIST CSF. No leaderboards. No naming clickers. No entrapment.

Phishing simulations promised a measurable human layer, and that promise was right even though the instrument was wrong. We have written before about why the human layer needs real measurement. Human risk should be managed with the same discipline as technical risk: realistic practice, honest metrics, and a culture where bad news travels fast.


Common questions about phishing simulations

What is a good click rate for a phishing simulation?

There is no meaningful universal benchmark, because click rates are driven heavily by lure difficulty; the same workforce can score 1.8% on one lure and 30.8% on another. Rate the lure with the NIST Phish Scale before interpreting any number, and give reporting rate and reporting speed more weight than clicks.

Are phishing simulations required for NIS2, ISO 27001, or SOC 2?

No. These frameworks require awareness training, cyber hygiene practices, and evidence that controls are implemented and evaluated; none of them mandates simulated phishing as the method. Evidence of understanding, participation, and reporting behaviour can support the same controls without the trust cost.

Should we cancel phishing simulations entirely?

Do not use deception-based simulations as your primary human-risk control or treat their click rates as proof that risk is falling. If you retain them, use them sparingly, calibrate lure difficulty, avoid punitive remediation, and focus the exercise on reporting speed and response procedures. Announced phishing drills may provide a better way to rehearse the behaviour you actually want.

What should we run instead?

Scenario-based practice with explanations, spaced over time rather than delivered annually; a reporting channel that is fast, praised, and never punitive; technical controls that make single clicks survivable; and metrics built on understanding, reporting, and retention rather than clicks. That combination is what the evidence currently supports, and it is the model SafeHabits delivers as a managed programme.