
Imagine you’re trying to teach someone to swim. But instead of giving them lessons, showing them how to float, or even letting them practice in the shallow end, you just shove them into the deep end, over and over, and hope they figure it out before they drown.
Eventually, they might learn. But more likely? They panic, flail around, and start to believe that water is the enemy.
Wait a minute! You’ve also seen the viral videos of babies dropped straight into the deep end and seeming to swim. The idea is that panic turns into instinct, and instinct turns into skill. What those videos don’t show is the other side of the research: children trained this way can become overconfident in the water, take risks they aren’t prepared for, and in the worst cases drown.
This is exactly what’s happening with simulated phishing training.
For years, businesses have been using simulated phishing emails as their primary defense against social engineering attacks. Send fake phishing emails to employees, wait for them to screw up, and then hit them with training after they fail. Sounds logical, right? If they experience the attack in a “safe” environment, they’ll be better at spotting the real thing.
Except… it doesn’t work.
What the UC San Diego Study Found
The largest real-world study of phishing training to date (“Understanding the Efficacy of Phishing Training in Practice,” Ho et al., presented at the IEEE Symposium on Security and Privacy, 2025) followed roughly 19,500 employees at UC San Diego Health for eight months to measure whether phishing simulations and embedded training actually reduced the rate at which people fell for phishing emails. The results are not good.
Here’s what they found:
- Annual cybersecurity training made no measurable difference. Employees who had completed their required annual training failed the simulated phishing emails at about the same rate as those who hadn’t.
- Simulations with follow-up training barely helped. Employees who received training after failing a simulation did only about 2 percentage points better on later tests than employees who received no training at all.
- For some employees it went the other way. In parts of the population, failure rates rose with the number of training exposures, not fell.
Let that sink in.
Companies are pouring money into phishing simulations, spending hours running tests, tracking failures, and scolding employees… only to make the problem worse.
If this were any other part of your business—if you spent months training your sales team only to have their close rate drop—you’d pull the plug immediately. So why are we still running phishing simulations?
Because Phishing Simulations Treat Symptoms, Not the Disease
Phishing simulations don’t create security-conscious employees. They create paranoid, frustrated, and disengaged employees.
The reality is that most employees aren’t clicking on phishing emails because they’re reckless or stupid.
They’re clicking because:
- The email looks completely legitimate.
- It matches something they were expecting.
- They’re busy and moving too fast to second-guess every message.
And here’s the worst part: even when they do spot a phishing attempt, many employees don’t know what to do next.
Do they report it? Delete it? Call IT? Ignore it and move on? A phishing email that is spotted but never reported still lands in a hundred other inboxes, and the security team never hears about it.
Phishing simulations don’t teach people how to react to a real threat. They only teach them that clicking the wrong thing earns another mandatory training session.
And that’s why failure rates aren’t improving.
The Fix: Make Security Personal
If you really want to change security behavior, stop treating it like a corporate compliance checkbox.
Research from the Infosec Institute shows that the best way to make security stick is to make it personal. People don’t change their habits because of a corporate policy. They change when they realize how security affects their lives.
- Show them how attackers take over bank accounts with weak or reused passwords: a password leaked in one breach gets replayed against every other site the victim uses.
- Teach them how social engineering works against their personal social media accounts, where an attacker can gather the details that make a later work-related pretext believable.
- Walk them through how SIM swapping lets an attacker take over their phone number and intercept the SMS one-time codes that protect their personal accounts.
If they learn to protect themselves, they’ll start applying those same defenses at work.
Security needs to be personal, not punishment.
What This Means for MSPs
If you’re an MSP, your clients are looking to you to make security easy. But if all you’re doing is running phishing simulations and hoping they “get smarter,” you’re doing them a disservice.
Instead of training people to avoid the wrong clicks, train them to make the right security choices.
- Make sure they know what to do when they see a phishing attempt. If they don’t know the process for reporting a suspicious email (a report button, a mailbox, a person to call), what’s the point of recognizing one? Measure whether people report, not just whether they click.
- Give them real training that matters. Show them how attackers target their personal lives first, then apply that knowledge to the workplace.
- Stop using failure as the teaching moment. If your security training only kicks in after a mistake, you’re setting your clients up to fail.
The Bottom Line
Phishing simulations are not the answer.
They’re like a fire drill where, instead of teaching people where the exits are, you just set off the alarm at random times and hope they figure it out.
If you’re still running phishing simulations and calling it “security awareness,” it’s time to rethink your approach. Because the data is clear—this isn’t working.
Want to See What Actually Works?
You’ve seen the data. Phishing simulations aren’t cutting it.
If you’re still relying on them, you’re wasting time and exposing your clients to unnecessary risk.
Here’s what actually changes behavior—not just another phishing test that employees ignore.
And if you’re a partner, good news: this is already included in your subscription. No extra cost, no excuses. Just real training that protects your clients—and protects you.
Even better? When your clients complete the training, we collect the evidence and automatically add it to their WISP (Written Information Security Plan). No chasing users, no guessing who actually did it. Just proof that you’ve done your job.
If you want to stop playing security theater and start actually reducing risk, let’s talk.