Study Finds Employee Phishing Training Fails to Stop Attacks

A new study has cast serious doubt on the effectiveness of phishing awareness training, revealing that traditional programs do little to protect employees from falling victim to one of the most persistent cyber threats facing businesses today.

Researchers at UC San Diego Health, working with cybersecurity firm Censys, analyzed the results of 10 phishing campaigns sent to more than 19,500 employees over an eight-month period. Their findings were stark: employees who had recently completed mandatory cybersecurity training were no less likely to be duped by phishing emails than those who had not.

Training Yields Marginal Gains

Simulated phishing exercises — where organizations send fake phishing emails to employees as part of training — also showed negligible results. The study found only a 2 percent difference in failure rates between trained and untrained groups.

In one example, fewer than 1 percent of employees clicked on a link to “update their Outlook password.” But when presented with a fraudulent email about updated vacation policies, more than 30 percent fell for the ruse. Worse still, the longer the study continued, the higher the failure rate. By month eight, over half of participants were clicking fraudulent links.

“These results suggest that anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks,” the researchers concluded.

Rising Threat, Growing Concern

The findings come as phishing is increasingly cited as the leading cause of ransomware attacks. According to SpyCloud’s latest Identity Threat Report, 35 percent of surveyed organizations reported phishing as their most common attack vector in 2025, up from 25 percent in 2024.

Phishing campaigns often rely on psychological manipulation — triggering fear, urgency, or curiosity to trick recipients into revealing credentials, authorizing fraudulent payments, or downloading malicious software. The consequences for organizations can be severe, ranging from financial losses to reputational damage.

Why Training Doesn’t Work

The researchers point to low engagement as a key factor in training failure. Many employees spend less than a minute, if any time at all, on mandatory learning modules. Without meaningful interaction or reinforcement, training has little impact on real-world decision-making.

What Companies Should Do Instead

The study urges businesses to shift investment from ineffective training programs toward more technical defenses. Multi-factor authentication (MFA), stricter domain controls, and limits on credential sharing are all cited as stronger deterrents against phishing-related breaches.

That does not mean training should be abandoned altogether, experts say. Instead, companies should rethink their approach. More engaging formats — from in-person workshops and scenario-based discussions to gamified learning modules — may help employees internalize good security practices.

A Wake-Up Call for Employers

The results serve as a wake-up call for businesses still relying on outdated awareness programs as their first line of defense. With phishing incidents on the rise and attackers using increasingly sophisticated tactics, organizations must strengthen technical safeguards while reimagining how they engage employees in cybersecurity.
