To Phish Sim or Not to Phish Sim: Why the Debate Needs to End

04 December 2024

Jemma Davis, CEO of Culture Gem

I am still baffled by the continued use of phishing simulations, and even more so that we are still debating their value. If you are on the fence, let me explain why they do not work.

What is a phishing simulation?

A phishing simulation is a training exercise where employees receive fake phishing emails that mimic real attacks. The goal is to test their ability to recognise and report suspicious messages, helping to improve cybersecurity awareness and reduce the risk of falling victim to actual phishing scams.

The Results Are Flawed

Phishing simulations produce numbers, but those numbers rarely measure what they claim to, because the data can be shaped to tell whatever story you want. Want to show progress over time? Start with a highly convincing lure, then roll out progressively cruder ones. The click rate will plummet, which looks impressive on paper but says nothing about actual improvement: you have changed the test, not the people.

Even worse, these exercises focus on negative metrics like click rates, which only tell us who failed. What about the people who did the right thing? Reporting and deleting phishing attempts are the behaviours we should encourage. Rewarding those who report creates a culture where people feel confident to act. Penalising clickers only fosters resentment and fear.
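As an added illustration of the two points above (a click rate can be driven down simply by making the lure cruder, and a click rate on its own ignores the people who did the right thing), here is a short metrics script. It is example code written for this page, not Culture Gem's tooling or any vendor's product; the event format, the campaign names and the timings are all constructed. It computes, per campaign, the report rate and the time to first report alongside the click rate, so that a falling click rate with a flat report rate is visible for what it is.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Event:
    """One simulation event. kind is 'sent', 'clicked' or 'reported'. (Constructed format.)"""
    campaign: str
    user: str
    kind: str
    at: datetime


def campaign_metrics(events):
    """Return per-campaign metrics keyed by campaign name.

    click_rate / report_rate: share of recipients who clicked / reported at least once.
    reported_before_clicking: recipients whose first report preceded any click.
    median_minutes_to_report: median delay from send to first report (None if no reports).
    """
    by_campaign = {}
    for e in events:
        by_campaign.setdefault(e.campaign, []).append(e)

    out = {}
    for name, evs in by_campaign.items():
        sent = {e.user: e.at for e in evs if e.kind == "sent"}
        first = {}  # (user, kind) -> earliest timestamp of that action
        for e in evs:
            if e.kind in ("clicked", "reported"):
                key = (e.user, e.kind)
                if key not in first or e.at < first[key]:
                    first[key] = e.at

        clickers = {u for (u, k) in first if k == "clicked"}
        reporters = {u for (u, k) in first if k == "reported"}
        # Reporting after clicking still matters, but count separately the
        # people who raised the alarm without taking the bait at all.
        clean_reports = {
            u for u in reporters
            if u not in clickers or first[(u, "reported")] < first[(u, "clicked")]
        }
        delays = [
            (first[(u, "reported")] - sent[u]).total_seconds() / 60
            for u in reporters if u in sent
        ]
        n = len(sent)
        out[name] = {
            "recipients": n,
            "click_rate": len(clickers & set(sent)) / n if n else 0.0,
            "report_rate": len(reporters & set(sent)) / n if n else 0.0,
            "reported_before_clicking": len(clean_reports),
            "median_minutes_to_report": median(delays) if delays else None,
        }
    return out


def _build_sample():
    """Constructed sample: a convincing first lure, then a crude second one."""
    q1 = datetime(2024, 12, 4, 9, 0)
    q2 = q1 + timedelta(days=30)
    users = ["u1", "u2", "u3", "u4", "u5"]
    evs = []
    for base, name in ((q1, "Q1 convincing lure"), (q2, "Q2 crude lure")):
        evs += [Event(name, u, "sent", base) for u in users]
    # Q1: three of five click, one reports.
    evs += [
        Event("Q1 convincing lure", "u1", "clicked", q1 + timedelta(minutes=3)),
        Event("Q1 convincing lure", "u2", "clicked", q1 + timedelta(minutes=10)),
        Event("Q1 convincing lure", "u3", "clicked", q1 + timedelta(minutes=25)),
        Event("Q1 convincing lure", "u4", "reported", q1 + timedelta(minutes=12)),
    ]
    # Q2: one click, two reports (one of them after the reporter had already clicked).
    evs += [
        Event("Q2 crude lure", "u1", "clicked", q2 + timedelta(minutes=5)),
        Event("Q2 crude lure", "u4", "reported", q2 + timedelta(minutes=8)),
        Event("Q2 crude lure", "u1", "reported", q2 + timedelta(minutes=9)),
    ]
    return evs


SAMPLE_EVENTS = _build_sample()

if __name__ == "__main__":
    for name, m in campaign_metrics(SAMPLE_EVENTS).items():
        print(name, m)
```

On the constructed data the click rate falls from 60% to 20% between campaigns, which is the "progress" a difficulty-skewed programme would report, while the number of people who reported without clicking stays at one. If the programme's goal is reporting, the report rate and time-to-report columns are the ones to track, and they should be compared only across lures of similar difficulty.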

In the real world, we want people to talk about scams and share their knowledge. Yet phishing simulations often discourage this, punishing employees for warning colleagues about a simulation. It is counterproductive and harmful.

The damage to culture

Cybersecurity teams already have to work hard to be seen as allies. Phishing simulations, which often “trick” employees, only worsen this perception. The result is predictable: less trust, less cooperation, and less willingness to follow cyber-safe practices.

In some unionised organisations, phishing simulations can even lead to disputes. Did you know that you often need union consultation before rolling one out?

The science behind the failure

Phishing simulations rely on pattern recognition, which primarily engages the occipital lobe, the part of the brain that processes visual information like shapes and patterns. While this can teach employees to spot phishing attempts, it does not help them develop deeper, transferable skills.

Anti-simulation training takes a different approach. It engages the prefrontal cortex, which handles abstract thinking, problem-solving, and planning. Instead of spotting phishing attempts, participants are asked to create them.

Why creating beats spotting

In our anti-simulation, employees step into the shoes of a cybercriminal. They are given phishing elements—like dodgy links, fake email attachments, and suspicious subject lines—and asked to craft the most convincing phishing email they can.

This challenges them to think critically and creatively. It helps them analyse the tactics used in real-world attacks, understand why they work, and internalise those lessons. Spotting relies on recognising existing patterns, while creating demands the synthesis of new ones. The result is a more engaging and rewarding experience, one that builds skills that actually stick.

A better way forward

Phishing simulations rely on outdated methods and reinforce negative behaviours. Anti-simulation turns the concept on its head. It is rewarding, engaging, and builds confidence and competence.