Security awareness training has been a staple of corporate security programs for years. Organizations run phishing simulations, send out newsletters, hold annual training, and put up posters. And yet phishing remains the most common initial access vector in data breaches, consistently accounting for more than 80% of reported incidents.
Something isn't working. Let's talk about why.
The Wrong Mental Model
Most security awareness programs treat phishing as a knowledge problem: employees fall for phishing because they don't know what phishing looks like. The solution, therefore, is to teach them.
This model is partially right but mostly wrong. Employees fall for phishing not because they lack knowledge but because phishing exploits cognitive shortcuts that exist in everyone's brain — regardless of training.
Urgency bypasses critical thinking. Authority short-circuits skepticism. Familiarity creates trust that shouldn't be there. A well-crafted phishing email is designed to trigger these responses faster than the "is this legitimate?" check can fire.
How Phishing Has Evolved
Phishing in 2023 is not the Nigerian prince email of the early internet. Today's attacks are:
Highly targeted. Spear phishing attacks are crafted using information about the specific target — their role, their manager's name, their current projects, their communication style. LinkedIn, company websites, and previous data breaches provide this information freely.
Contextually convincing. Attackers send payroll update emails before pay periods, vendor invoice emails that match a real vendor relationship, IT password reset emails that match the actual SSO platform the company uses.
Conversation-hijacking. Business Email Compromise (BEC) attacks compromise an email account and then participate in existing email threads, making the malicious message appear in a legitimate conversation chain.
AI-assisted. Large language models make it trivially easy to produce grammatically correct, idiom-appropriate phishing content in any language, eliminating the spelling errors and awkward phrasing that used to be useful signals.
What Actually Reduces Phishing Risk
Technical controls first. Email security gateways (filtering, reputation checks, sandboxing), DMARC enforcement, and browser protections do more to reduce phishing risk than training alone. Train your humans, but filter the garbage before it reaches them.
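"DMARC enforcement" is easy to claim and easy to get wrong: a record with p=none only monitors, a pct below 100 leaves a share of spoofed mail unfiltered, and sp=none leaves subdomains unprotected. The following checker is an added example, not code from the original post; it parses constructed DMARC TXT records (the domains and records are invented) and reports whether the policy actually enforces. Looking up a live record would mean querying the TXT record at _dmarc.<domain>, which this offline example does not do.

```python
# Added example: assess whether a DMARC record actually enforces a policy.
# Tag names and defaults follow RFC 7489; the sample records below are constructed.

SAMPLE_RECORDS = {
    "example-enforced.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-enforced.test; pct=100",
    "example-monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-monitor.test",
    "example-partial.test": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "example-missing.test": None,          # no _dmarc TXT record published
    "example-broken.test": "p=reject; v=DMARC1",   # v tag must come first
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of lower-cased tag -> value.

    Returns None when the record is absent, does not start with v=DMARC1,
    or lacks the mandatory p tag.
    """
    if not record:
        return None
    parts = [p.strip() for p in record.split(";")]
    first = parts[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        return None
    tags = {}
    for part in parts:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if "p" not in tags:
        return None
    return tags


def assess_dmarc(record):
    """Return (verdict, findings).

    verdict is one of "enforced", "partial", "monitor-only", "missing";
    findings is a list of human-readable reasons a reviewer would raise.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "missing", ["no valid DMARC record (v=DMARC1 first and p= required)"]

    findings = []
    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))   # RFC 7489 default is 100
    except ValueError:
        pct = 100   # treated as the default here; flagged for the reviewer
        findings.append("pct is not an integer: %r" % tags["pct"])
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports on spoofing attempts")

    if policy == "none":
        findings.append("p=none: receivers only report, they do not quarantine or reject")
        return "monitor-only", findings
    if policy not in ("quarantine", "reject"):
        findings.append("unknown policy value %r" % policy)
        return "monitor-only", findings

    verdict = "enforced"
    if pct < 100:
        findings.append("pct=%d: only that share of failing mail gets the policy" % pct)
        verdict = "partial"
    if subdomain_policy == "none":
        findings.append("sp=none: subdomains can still be spoofed")
        verdict = "partial"
    if policy == "quarantine":
        findings.append("p=quarantine: consider p=reject once reports look clean")
    return verdict, findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        verdict, findings = assess_dmarc(record)
        print(f"{domain:24s} {verdict}")
        for finding in findings:
            print("    - " + finding)
```

The point of the verdict tiers is that only "enforced" matches what the post means by DMARC enforcement; "monitor-only" and "partial" records are the ones that still let spoofed mail through to the inbox.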
MFA everywhere. If credentials are phished, MFA is what stops the attacker from using them. Phishing-resistant MFA (FIDO2/passkeys) is even better, as it can't be replayed against the real site.
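Why a passkey "can't be replayed against the real site" comes down to what gets signed: the browser, not the page, writes the origin it observed into clientDataJSON, and the server checks that origin and a single-use challenge before it trusts the signature. The model below is an added example, not code from the original post. It stands in a per-credential secret and HMAC for the real authenticator's asymmetric key pair (an assumption made to stay within the standard library), and uses constructed origins; the signed fields and the server-side checks are the part being demonstrated.

```python
# Added example: a toy model of WebAuthn assertion verification showing origin
# binding and single-use challenges. Origins are constructed, not real sites.
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.example.test"
LOOKALIKE_ORIGIN = "https://login-example.test"


class ToyAuthenticator:
    """Simplified stand-in for a FIDO2 authenticator.

    Assumption of this example: a per-credential secret plus HMAC replaces the
    real per-credential private key and ECDSA/EdDSA signature. What is signed is
    modelled faithfully: a hash of clientDataJSON, into which the browser (not the
    web page) writes the origin where the ceremony happened. Real browsers also
    scope credentials by RP ID, so a lookalike origin would not even see the
    credential; that extra layer is omitted here to isolate the origin check.
    """

    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def credential_key(self):
        # A real relying party stores a public key; the toy verifier shares the secret.
        return self._secret

    def get_assertion(self, browser_origin, challenge):
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True,
        ).encode()
        signed_bytes = hashlib.sha256(client_data).digest()
        signature = hmac.new(self._secret, signed_bytes, hashlib.sha256).digest()
        return {"client_data": client_data, "signature": signature}


class RelyingParty:
    """Server side: issues single-use challenges and verifies assertions."""

    def __init__(self, origin, credential_key):
        self.origin = origin
        self.key = credential_key
        self._pending = set()

    def new_challenge(self):
        challenge = secrets.token_urlsafe(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, assertion):
        """Return (ok, reason)."""
        try:
            client_data = json.loads(assertion["client_data"])
        except (KeyError, ValueError):
            return False, "malformed clientDataJSON"
        if client_data.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        # Origin binding: the browser recorded where the user actually was.
        if client_data.get("origin") != self.origin:
            return False, "origin mismatch: %s" % client_data.get("origin")
        # The challenge must be one we issued and not yet consumed.
        challenge = client_data.get("challenge")
        if challenge not in self._pending:
            return False, "unknown or already-used challenge"
        expected = hmac.new(
            self.key, hashlib.sha256(assertion["client_data"]).digest(), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        self._pending.discard(challenge)
        return True, "ok"


def demo():
    """Run three scenarios and return {scenario: (ok, reason)}."""
    auth = ToyAuthenticator()
    rp = RelyingParty(REAL_ORIGIN, auth.credential_key())
    results = {}

    # 1. Legitimate login at the real origin.
    c1 = rp.new_challenge()
    a1 = auth.get_assertion(REAL_ORIGIN, c1)
    results["legitimate"] = rp.verify(a1)

    # 2. The same assertion presented again: the challenge is already consumed.
    results["replay"] = rp.verify(a1)

    # 3. The scenario phishing-resistant MFA defeats: a relaying lookalike page
    #    forwards a genuine challenge, but the browser stamps the lookalike origin
    #    into clientDataJSON, so the real server rejects the result.
    c3 = rp.new_challenge()
    a3 = auth.get_assertion(LOOKALIKE_ORIGIN, c3)
    results["relayed_from_lookalike"] = rp.verify(a3)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:24s} {'accepted' if ok else 'rejected'} ({reason})")
```

Contrast this with a one-time code typed into a form: nothing in the code says where it was typed, so a relayed code verifies just as well as the real one. The origin field is what a passkey adds, and it is the server's job to check it.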
Report and respond. Create a culture where employees can report suspicious emails without fear of being wrong or being punished for clicking something. The faster suspicious emails get reported, the faster your team can identify and block campaigns.
Simulations that educate, not shame. Phishing simulations are valuable, but the way they're run matters. If employees are embarrassed or publicly called out for failing, you create a culture of fear, not awareness. Failed simulations should trigger immediate, supportive education.
Focus on high-risk targets. Executives, finance teams, and IT administrators are disproportionately targeted. Targeted training and stronger controls for these groups make sense.
Accepting Residual Risk
No security awareness program will achieve a zero phishing click rate. Accept that, and build your detection and response capabilities accordingly. When a user clicks something they shouldn't, the question becomes: how quickly can you detect and contain the compromise?
Train employees. Filter email. Enforce MFA. Monitor for signs of compromise. That combination is far more effective than any single control in isolation.