Phishing Simulations Are Pointless Without This Follow-Up

Every quarter, thousands of companies send fake phishing emails to their staff, tally up who clicked, and then wonder why the numbers barely improve. Phishing simulations have become a compliance checkbox rather than a genuine security improvement tool, and it’s costing organisations more than they think.

The simulation itself isn’t the problem. Testing your people against realistic social engineering attacks gives you useful data. But data without action is just a number on a dashboard. What you do after the simulation matters far more than the simulation itself.

Why Click Rates Don’t Tell the Whole Story

A 15% click rate sounds bad, but what does it actually mean? If those 15% clicked a link but didn’t enter credentials, the risk is different from 15% handing over their passwords on a fake login page. Most simulation platforms track the click, but fewer measure what happened after the click.

Did the user report the email? How quickly? Did they enter credentials? Did they download an attachment? These granular data points matter because they shape the follow-up training. A user who clicked but immediately reported the email to IT needs a very different conversation from someone who typed in their domain credentials without hesitation.

Training That Actually Changes Behaviour

Generic cybersecurity awareness training bores people. They click through the slides, answer the quiz questions from memory, and forget everything within a fortnight. Effective training needs to be specific, timely, and relevant to what just happened.

When someone falls for a phishing simulation, the follow-up should arrive within hours, not weeks. Show them the specific email they fell for. Walk through the red flags they missed. Give them practical techniques for evaluating suspicious emails in the future.
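The post-click data points above, and the tiered follow-up they should drive, as an added example that is not part of the original article. It reads a constructed simulation export (user, event, timestamp), classifies each recipient by what they did after the click, computes the rates a dashboard usually omits, and maps each outcome to a hypothetical follow-up tier; the event names and tiers are assumptions, not any platform's format.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export (not real data). Rows are (user, event, ISO timestamp);
# assumed event names: sent, click, submit_creds, open_attachment, report.
EVENTS = [
    ("alice", "sent", "2024-05-01T09:00:00"), ("alice", "report", "2024-05-01T09:04:00"),
    ("bob", "sent", "2024-05-01T09:00:00"), ("bob", "click", "2024-05-01T09:10:00"),
    ("bob", "report", "2024-05-01T09:12:00"),
    ("carol", "sent", "2024-05-01T09:00:00"), ("carol", "click", "2024-05-01T09:30:00"),
    ("carol", "submit_creds", "2024-05-01T09:31:00"),
    ("dave", "sent", "2024-05-01T09:00:00"), ("dave", "click", "2024-05-01T10:00:00"),
    ("erin", "sent", "2024-05-01T09:00:00"),
]

# Hypothetical follow-up tier per outcome: the "different conversation" for each behaviour.
FOLLOW_UP = {
    "reported_without_clicking": "positive feedback",
    "clicked_then_reported": "brief reminder of the red flags missed",
    "clicked_only": "same-day walkthrough of the lure",
    "credentials_or_attachment": "same-day walkthrough plus password reset and MFA check",
    "no_action": "remind how to report suspicious mail",
}

def classify(events):
    """Map each recipient to (outcome, minutes-to-report or None)."""
    by_user = defaultdict(dict)
    for user, event, ts in events:
        by_user[user].setdefault(event, datetime.fromisoformat(ts))  # keep first occurrence
    result = {}
    for user, ev in by_user.items():
        minutes = (ev["report"] - ev["sent"]).total_seconds() / 60 if "report" in ev else None
        if "submit_creds" in ev or "open_attachment" in ev:   # highest-impact behaviours
            outcome = "credentials_or_attachment"
        elif "click" in ev:
            outcome = "clicked_then_reported" if "report" in ev else "clicked_only"
        elif "report" in ev:
            outcome = "reported_without_clicking"
        else:
            outcome = "no_action"
        result[user] = (outcome, minutes)
    return result

def summarise(events):
    """Rates beyond the raw click rate, plus median minutes-to-report among reporters."""
    outcomes = classify(events)
    n = len(outcomes)
    clicked = sum(o != "reported_without_clicking" and o != "no_action" for o, _ in outcomes.values())
    creds = sum(o == "credentials_or_attachment" for o, _ in outcomes.values())
    report_times = [m for _, m in outcomes.values() if m is not None]
    return {"click_rate": clicked / n, "credential_rate": creds / n, "report_rate": len(report_times) / n,
            "median_minutes_to_report": median(report_times) if report_times else None}
```

Running `summarise(EVENTS)` on the sample gives a 60% click rate but only a 20% credential rate and a 40% report rate, which is the distinction the raw click count hides.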

William Fieldhouse, Director of Aardwolf Security Ltd, comments: “Running phishing simulations and then just publishing the click rate is a waste of everyone’s time. The value comes from what happens next. Tailored training based on the specific lures that caught people out, combined with technical controls that reduce the impact of successful phishes, is what actually moves the needle.”

Technical Controls Do the Heavy Lifting

Even the best-trained workforce will occasionally fall for a well-crafted phishing email. Humans aren’t firewalls, and expecting them to catch every attack is unrealistic.

That’s why technical controls need to back up your training programme. Deploying DMARC, DKIM, and SPF reduces the volume of spoofed emails reaching inboxes. Web filtering can block known malicious domains. And multi-factor authentication ensures that stolen credentials alone aren’t enough to compromise an account.

Engaging a penetration testing company to conduct web application penetration testing on your email handling and web applications reveals whether your technical controls hold up against real-world attack techniques.

Building a Culture, Not a Programme

Security awareness needs to become part of your company culture rather than a quarterly interruption. Encourage reporting without punishment. Share anonymised results openly. Celebrate improvements rather than shaming failures.

The goal isn’t a 0% click rate. That’s unrealistic and probably means your simulations are too easy. The goal is a workforce that recognises something suspicious and reports it quickly enough for your security team to act before damage is done.
