Phishing simulations are now standard in most security awareness programs. Platforms like KnowBe4, Proofpoint Security Awareness, SANS, and others have made it easy to send simulated phishing emails, track who clicks, and report click-through rates to management.
But do they actually reduce phishing susceptibility? The research is more nuanced than the vendor case studies suggest.
What the Research Says
Studies on phishing simulation effectiveness produce mixed results. Some show meaningful reduction in click rates over time. Others show minimal sustained behavior change, or behavior change in simulation scenarios that doesn't transfer to real phishing attempts.
The key variables that separate effective programs from ineffective ones:
Immediacy of follow-up training. Training delivered at the moment of failure (just-in-time, within seconds to a few minutes of the click) is generally found to be more effective than training delayed by hours or bundled into a separate scheduled session. The moment of failure creates receptivity to learning; missing that window substantially reduces training impact.
Simulation realism. Generic templates (50% off Amazon!) produce different results than contextually relevant, targeted scenarios that match actual threats your organization faces. Employees who fail on realistic scenarios learn more than those who fail on obviously fake ones.
Psychological framing. Simulations designed to catch people and produce embarrassing metrics have measurable negative effects on security culture and reporting behavior. Lures that promise a bonus, a pay rise, or holiday time off are the well-known failure case: they generate a high click rate and lasting resentment, and employees who feel tricked stop reporting. Simulations designed to identify who needs help and provide that help produce better outcomes.
Frequency and spacing. Annual simulations produce modest, short-lived effects. Monthly simulations with varied scenarios maintain alertness more effectively — though frequency needs to be balanced against simulation fatigue.
What happens to "clickers." In many programs, people who click receive an immediate training module and nothing else. Research on learning science suggests that spaced repetition, different content formats, and follow-up testing produce better retention than a single training event.
What the Click Rate Actually Measures
Click-through rate in simulations is a proxy metric. It measures susceptibility to the specific simulation scenario delivered in a controlled context. It doesn't directly measure:
- Whether employees would recognize real phishing attempts, which differ from simulations in important ways: the simulation platform's senders are usually allowlisted past the mail gateway so every recipient sees the message, whereas a real attack has to get through those controls first, uses lures that are not drawn from a template library, and arrives on no schedule
- Whether employees would report real phishing attempts
- Whether organizational detection and response capability is improving
Report rate, the percentage of simulation recipients who report the email through the proper channel, is often a more useful metric. High report rates indicate a healthy security culture. Employees who actively report are contributing to organizational defense, not just avoiding individual failure. Two refinements make it more useful still: distinguish people who reported without clicking from people who clicked and then reported (the second group still did something valuable), and record the time from send to the first report, since that is how long a real campaign would run before the security team hears about it.
Designing a Better Program
Use realistic, targeted scenarios. Research threat reports for your industry. What are the actual phishing campaigns targeting organizations like yours? Build simulations from those.
Automate immediate follow-up. Every platform that runs simulations should be configured to deliver training the moment someone clicks — not in a separate email, not at a scheduled time.
Make reporting easy and obvious. A one-click "Report Phishing" button in the email client (Outlook's Report Message add-in or Gmail's "Report phishing" option, or the simulation vendor's own add-in) eliminates friction, and the simulation platform can recognize reports of its own messages and credit them automatically. If reporting requires forwarding to an email address and including specific information, most people won't bother.
Treat failures as learning opportunities, not gotchas. The post-click training content should be educational, not punitive. "Here's how to recognize this type of attack next time" produces better outcomes than "you clicked a phishing email."
Track trends, not snapshots. What matters is whether click rates are declining and report rates are increasing over time, not whether any individual month's numbers look good. Compare like with like: a rising click rate after switching from generic to targeted templates reflects harder lures, not worse employees, so tag each campaign with its difficulty and trend within a tier.
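The metrics described under "What the Click Rate Actually Measures" and the trend tracking above, worked through on a small data set. This is an added example, not code from the article or from any simulation vendor; the export format (a campaign table plus one row per click or report event) and all of the sample data are constructed assumptions.

```python
"""Click rate, report rate and trend from phishing-simulation exports.

Added example, not from the original article or any vendor platform.
Assumed export shape: a campaign table (send time, recipients) and one
event row per (campaign, user, event, timestamp). All data is constructed.
"""
from datetime import datetime

# Constructed sample data: campaign -> (sent_at ISO-8601, recipients)
CAMPAIGNS = {
    "2024-01-invoice":   ("2024-01-16T09:00:00", ["alice", "bob", "carol", "dave", "erin"]),
    "2024-02-mfa-reset": ("2024-02-13T09:00:00", ["alice", "bob", "carol", "dave", "erin"]),
    "2024-03-sharefile": ("2024-03-12T09:00:00", ["alice", "bob", "carol", "dave", "erin"]),
}

# Constructed sample events: (campaign, user, "clicked" | "reported", timestamp)
EVENTS = [
    ("2024-01-invoice", "alice", "clicked", "2024-01-16T09:04:00"),
    ("2024-01-invoice", "bob", "clicked", "2024-01-16T09:31:00"),
    ("2024-01-invoice", "carol", "reported", "2024-01-16T09:12:00"),
    ("2024-01-invoice", "erin", "clicked", "2024-01-16T10:02:00"),
    ("2024-01-invoice", "erin", "reported", "2024-01-16T10:05:00"),  # clicked, then reported
    ("2024-02-mfa-reset", "alice", "clicked", "2024-02-13T09:20:00"),
    ("2024-02-mfa-reset", "bob", "reported", "2024-02-13T09:03:00"),
    ("2024-02-mfa-reset", "carol", "reported", "2024-02-13T09:07:00"),
    ("2024-02-mfa-reset", "erin", "reported", "2024-02-13T11:40:00"),
    ("2024-03-sharefile", "alice", "reported", "2024-03-12T09:02:00"),
    ("2024-03-sharefile", "bob", "reported", "2024-03-12T09:15:00"),
    ("2024-03-sharefile", "carol", "reported", "2024-03-12T09:09:00"),
    ("2024-03-sharefile", "dave", "clicked", "2024-03-12T09:45:00"),
    ("2024-03-sharefile", "dave", "reported", "2024-03-12T09:47:00"),  # clicked, then reported
]


def campaign_metrics(campaign):
    """Per-campaign rates over everyone who received the message, not just those who acted."""
    sent_at, recipients = CAMPAIGNS[campaign]
    sent = datetime.fromisoformat(sent_at)
    clicked, reported, report_times = set(), set(), []
    for camp, user, event, ts in EVENTS:
        if camp != campaign:
            continue
        if user not in recipients:  # export inconsistency: event for a non-recipient
            raise ValueError(f"{user} not a recipient of {campaign}")
        if event == "clicked":
            clicked.add(user)
        elif event == "reported":
            reported.add(user)
            report_times.append(datetime.fromisoformat(ts))
    n = len(recipients)
    first = min(report_times) if report_times else None
    return {
        "delivered": n,
        "click_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
        # reported and never clicked: the behaviour the program wants to grow
        "reported_without_clicking": len(reported - clicked) / n,
        # clicked but still reported: a failure that still gave the SOC a signal
        "clicked_then_reported": len(reported & clicked) / n,
        # how long a real campaign would have run before the first report
        "minutes_to_first_report": (first - sent).total_seconds() / 60 if first else None,
    }


def slope(values):
    """Least-squares slope of a metric per campaign, in send order."""
    n = len(values)
    xbar = (n - 1) / 2
    ybar = sum(values) / n
    num = sum((x - xbar) * (y - ybar) for x, y in enumerate(values))
    den = sum((x - xbar) ** 2 for x in range(n))
    return num / den if den else 0.0


def trend(metric):
    """Slope of `metric` across all campaigns ordered by send time (positive = rising)."""
    order = sorted(CAMPAIGNS, key=lambda c: CAMPAIGNS[c][0])
    return slope([campaign_metrics(c)[metric] for c in order])


if __name__ == "__main__":
    for camp in sorted(CAMPAIGNS, key=lambda c: CAMPAIGNS[c][0]):
        print(camp, campaign_metrics(camp))
    print("click_rate trend per campaign:", round(trend("click_rate"), 3))
    print("report_rate trend per campaign:", round(trend("report_rate"), 3))
```

On the constructed data the click rate falls by about 0.2 per campaign while the report rate rises by about 0.2, and the time to first report drops from 12 minutes to 2; that pairing, not any single month's click rate, is what to put in front of management. If campaigns carry a difficulty tag, filter `CAMPAIGNS` to one tier before calling `trend` so that harder lures are not read as a regression.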
The Honest Assessment
Phishing simulations are one component of a security awareness program that also needs to include education, culture building, and technical controls. They're not a substitute for any of these, and their isolated effectiveness is limited.
Run them thoughtfully, use the data to identify who needs help rather than to generate performance metrics, and pair them with broader security culture investment. That combination produces meaningful risk reduction.