Breaking the Stigma: 90% of Employees Agree that Phishing Simulations Improve their Security Awareness

According to our independent survey of individuals across the UK, USA, Netherlands, France, Denmark, Sweden, the DACH region, and Africa who use a laptop as part of their work, 90.1% find simulated phishing tests relevant.
What’s more, 90.7% agreed that these simulations improve their awareness of real phishing attacks.
Clearly an overwhelming majority find phishing simulations useful in increasing their cybersecurity awareness – so why does the narrative exist that they can be a negative practice, used by organizations to ‘trick’ employees?
Simulated Phishing Stigma
Phishing simulations, which involve sending emails that mimic malicious attacks to assess employee vigilance and provide training, have been used for many years. While many view them as a valuable tool for proactive cybersecurity, some critics argue that they are deceptive, designed to trick employees and punish those who fall for them.
There could be a couple of reasons for this. Firstly, simulations are sometimes not aligned with employees’ job roles but are instead designed to evoke an emotional reaction, such as emails about a “lost puppy in the building” or “you’ve got a raise,” rather than reflecting realistic phishing attempts that fit the profile of threats targeting the organization.
Secondly, the follow-up provided by employers may not be as effective as it could be. If employees are simply told they failed or face unfair repercussions as a result, without clear guidance on how to improve, the exercise becomes less helpful in raising awareness and fostering genuine learning.
However, the most divisive stigma remains: Do phishing simulations actually improve employee security awareness? To answer this, we asked the people who actually receive them.
Do Phishing Simulations Actually Work?
The results across regions are clear—simulated phishing tests are seen as both relevant and valuable for improving security awareness. On average, 90% of respondents from all regions expressed positive views on their usefulness.
The Netherlands emerged as the strongest advocate for phishing simulations, with 93% of respondents considering them relevant and 94% finding them effective. On the other hand, France had the lowest approval rate, with 87.5% of respondents finding them relevant and 86.5% recognizing their effectiveness.
However, these numbers still reflect a strong consensus from employees. Beyond employee perception, real-world data supports this as well. Our 2024 simulation data show that before any training, the global phishing simulation click rate was 34.3%. After 12 months of ongoing training, including phishing simulations, this rate dropped by an average of 86% to just 4.6% across all types of organizations.
So, we ask again: why do phishing simulations get such bad press? One element of our survey results may offer some insight. We asked respondents whether they received follow-up training after failing a phishing simulation, expecting the answers to reflect security best practice. After all, the effectiveness of simulations hinges on fair and constructive follow-up. However, this is where the data took a surprising turn. On average, 29.05% of employees either did not receive follow-up or were unsure whether they had, with rates ranging from 15% in the USA to 42.5% in France.
This gap in follow-up training could help explain the lingering stigma around phishing simulations. When employees don’t receive timely, constructive feedback after failing a test, it undermines the purpose of the exercise and can lead to frustration or disengagement. The variation between regions, particularly the significant gap between the USA and France, suggests that inconsistent follow-up may contribute to the varying perceptions of phishing simulations across different countries.
Fighting the Stigma: How Can Organizations Optimize Phishing Simulations?
There you have it—employees recognize the value of phishing simulations, but this must be combined with effective follow-up to ensure they are not viewed negatively in the organization. The question now is: how can organizations implement them effectively? Instead of undermining or ‘tricking’ employees, the focus should be on equipping the workforce with the skills to recognize and respond to real-world threats, without punitive consequences.
Five meaningful ways organizations can leverage phishing simulations:
- Make Simulations Relevant and Realistic: Use personalized phishing tests that reflect real-world threats employees might encounter, rather than unrealistic or overly deceptive ones sent for the sake of catching people out.
- Focus on Education: Use these situations as learning opportunities by providing immediate, constructive feedback that clarifies what went wrong and how to identify similar threats in the future, and implement a fair escalation process if necessary.
- Provide Timely Follow-ups and Training: When an employee interacts with a simulated phishing email, offer immediate guidance and micro-training on recognizing phishing attempts. Reinforce learning with periodic training sessions, rather than just tracking failures.
- Ensure Transparency and Fairness: Let employees know that phishing simulations are part of the company’s security awareness program. Avoid using overly deceptive tactics that feel like entrapment and ensure the difficulty level is appropriate.
- Reward Security Awareness: Recognize and reward employees who report phishing attempts, whether simulated or real. This can be as simple as shout-outs in meetings, gamification, leaderboards, or small incentives to encourage vigilance.
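The figures the article relies on (a click rate before and after training, the relative reduction between them, and the share of people who clicked but never received follow-up) are straightforward to compute from a campaign export. The script below is an added example, not KnowBe4's code or any platform's reporting API: the records are constructed sample data and the field names (user, campaign, clicked, reported, followup_days) are assumptions. It computes click and report rates per campaign, the relative reduction, and lists clickers whose follow-up training did not arrive within a chosen window, which is the gap the survey highlights.

```python
"""Measure a phishing-simulation programme from per-user campaign records.

The records below are constructed sample data, and the field layout is an
assumption for this example rather than any real platform's export format.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SimResult:
    user: str
    campaign: str                        # e.g. "baseline" or "month12"
    clicked: bool                        # interacted with the simulated lure
    reported: bool                       # reported the email (desired behaviour)
    followup_days: Optional[int] = None  # days until follow-up training; None = never


# Constructed sample: a baseline campaign and one twelve months later.
SAMPLE: List[SimResult] = [
    SimResult("alice", "baseline", True, False, 1),
    SimResult("bob", "baseline", True, False, 3),
    SimResult("carol", "baseline", True, False, 20),   # follow-up far too late
    SimResult("dave", "baseline", True, False, None),  # never received follow-up
    SimResult("eve", "baseline", False, True),
    SimResult("frank", "baseline", False, True),
    SimResult("grace", "baseline", False, False),
    SimResult("heidi", "baseline", False, False),
    SimResult("ivan", "baseline", False, True),
    SimResult("judy", "baseline", False, False),
    SimResult("alice", "month12", False, True),
    SimResult("bob", "month12", False, True),
    SimResult("carol", "month12", True, False, 2),
    SimResult("dave", "month12", False, True),
    SimResult("eve", "month12", False, True),
    SimResult("frank", "month12", False, True),
    SimResult("grace", "month12", False, True),
    SimResult("heidi", "month12", False, False),
    SimResult("ivan", "month12", False, True),
    SimResult("judy", "month12", False, False),
]


def _campaign(results: List[SimResult], campaign: str) -> List[SimResult]:
    return [r for r in results if r.campaign == campaign]


def click_rate(results: List[SimResult], campaign: str) -> float:
    """Percentage of recipients in the campaign who clicked the lure."""
    rows = _campaign(results, campaign)
    return 100.0 * sum(r.clicked for r in rows) / len(rows)


def report_rate(results: List[SimResult], campaign: str) -> float:
    """Percentage of recipients who reported the email; the metric worth rewarding."""
    rows = _campaign(results, campaign)
    return 100.0 * sum(r.reported for r in rows) / len(rows)


def relative_reduction(before_pct: float, after_pct: float) -> float:
    """Relative drop between two click rates, as a percentage of the earlier one."""
    return (before_pct - after_pct) / before_pct * 100.0


def missing_followup(results: List[SimResult], campaign: str, max_days: int = 7) -> List[str]:
    """Users who clicked but received no follow-up training within max_days."""
    return sorted(
        r.user for r in _campaign(results, campaign)
        if r.clicked and (r.followup_days is None or r.followup_days > max_days)
    )


def followup_gap_pct(results: List[SimResult], campaign: str, max_days: int = 7) -> float:
    """Share of clickers left without timely follow-up, comparable to the survey's 29.05%."""
    clickers = [r for r in _campaign(results, campaign) if r.clicked]
    if not clickers:
        return 0.0
    return 100.0 * len(missing_followup(results, campaign, max_days)) / len(clickers)


if __name__ == "__main__":
    before, after = click_rate(SAMPLE, "baseline"), click_rate(SAMPLE, "month12")
    print(f"click rate: {before:.1f}% -> {after:.1f}% "
          f"(reduction {relative_reduction(before, after):.1f}%)")
    print(f"report rate: {report_rate(SAMPLE, 'baseline'):.1f}% -> "
          f"{report_rate(SAMPLE, 'month12'):.1f}%")
    print("clickers without timely follow-up (baseline):", missing_followup(SAMPLE, "baseline"))
    print(f"follow-up gap: {followup_gap_pct(SAMPLE, 'baseline'):.1f}%")
```

Applied to the article's own global figures, relative_reduction(34.3, 4.6) gives about 86.6%, matching the "average of 86%" quoted above. The follow-up window (max_days) is the policy knob: a programme that wants the feedback to be "immediate" would set it to a day or two rather than a week.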
Turning Awareness into Action
Employees are the lifeblood of any organization, and strengthening their security awareness naturally reinforces the overall security culture while reducing the risk of data loss from social engineering tactics like phishing. However, the key to success lies in engaging employees in a way that empowers them—without making them feel tricked or belittled.
Therefore, it is up to organizations to ensure that phishing simulations are used as a tool for education rather than punishment, making them relevant, fair, and followed up with timely guidance. When done right, phishing simulations don’t just test employees—they equip them to be the first line of defense.
Request A Demo: Security Awareness Training
New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn’t a one-and-done deal; continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4’s security awareness training and simulated phishing platform and see how easy it can be.

Request a Demo! https://info.knowbe4.com/one-on-one-demo-partners?partnerid=001a000001lWEoJAAW
PS: Don’t like to click on redirected buttons? Cut & paste this link into your browser: https://info.knowbe4.com/one-on-one-demo-partners?partnerid=001a000001lWEoJAAW