
Phishing Simulations

A critical look at phishing simulation programs and alternatives

Security Programs Jan 2024 (edited Nov 2025)

The Case Against

Research

Alternatives

Focus on technical controls that reduce phishing risk, because they work whether or not the user spots the lure:

  • Phishing-resistant MFA (FIDO2 hardware keys, passkeys): the credential is bound to the site's origin, so a lookalike login page cannot complete the authentication. SMS codes, TOTP and push prompts can all be relayed in real time by attacker-in-the-middle kits, so they do not count.
  • Email authentication (SPF, DKIM, DMARC with an enforcing policy): stops exact-domain spoofing of your own domain. It does nothing against lookalike domains or compromised third-party mailboxes, so it is necessary but not sufficient.
  • Link protection / URL rewriting: links are checked at click time, not only at delivery time, which matters for lures that are weaponized after they land.
  • Browser isolation: a click lands in a disposable remote session rather than on the endpoint.
  • Password managers: autofill only fires on the origin the credential was saved for, so a lookalike domain gets nothing typed into it.
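The email authentication item is the one most often "deployed" without actually enforcing anything (a DMARC record with `p=none`, or SPF ending in `~all`). The following is an added example, not code from this wiki page, that classifies SPF and DMARC records by what they do to an unauthorized sender. The records are constructed inline; in practice they are read from DNS (TXT at the domain for SPF, TXT at `_dmarc.<domain>` for DMARC). Tag semantics follow RFC 7208 and RFC 7489 (`pct` defaults to 100, `sp` defaults to `p`, a bare `all` means `+all`).

```python
"""Check SPF and DMARC records for enforcement strength.

Added example for this wiki page, not code from the page itself. The
records are constructed inline; in practice read them from DNS.
"""
import re

# SPF qualifier on the terminal "all" mechanism (RFC 7208). Only "-" fails.
SPF_QUALIFIERS = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_spf(record: str) -> dict:
    """Classify an SPF record by what happens to a sender it does not list."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "qualifier": None, "findings": ["not an SPF record"]}
    qualifier = "neutral"  # RFC 7208: no mechanism matches -> neutral
    for term in terms[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            qualifier = SPF_QUALIFIERS[m.group(1) or "+"]  # bare "all" is "+all"
            break  # mechanisms after "all" are never evaluated
    findings = {
        "pass": ["'+all' lets every host on the internet pass SPF"],
        "softfail": ["'~all' only marks unauthorized mail; acceptable under an "
                     "enforcing DMARC policy, weak on its own"],
        "neutral": ["no '-all': unauthorized senders are neither passed nor failed"],
        "fail": [],
    }[qualifier]
    return {"valid": True, "qualifier": qualifier,
            "strict": qualifier == "fail", "findings": findings}


def evaluate_dmarc(record: str) -> dict:
    """Decide whether a DMARC record actually enforces anything."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return {"valid": False, "enforcing": False, "findings": ["not a DMARC record"]}
    policy = tags.get("p", "none").lower()
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        pct = 0
    findings = []
    if policy == "none":
        findings.append("p=none: monitor only, spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains (e.g. hr.example.com) can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so abuse of the domain goes unseen")
    enforcing = (policy in ("quarantine", "reject") and pct == 100
                 and subdomain_policy != "none")
    return {"valid": True, "enforcing": enforcing, "policy": policy,
            "pct": pct, "findings": findings}


if __name__ == "__main__":
    # Constructed records: a weak pair beside a hardened pair.
    weak = ("v=spf1 include:_spf.example.net ~all",
            "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
    hardened = ("v=spf1 include:_spf.example.net -all",
                "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com")
    for label, (spf, dmarc) in (("weak", weak), ("hardened", hardened)):
        print(label, evaluate_spf(spf), evaluate_dmarc(dmarc))
```

Run it against your own domains and treat anything that is not `enforcing: True` with a strict SPF as "not deployed yet". Remember the limit stated above: an enforcing DMARC policy protects mail that claims to be from your exact domain; a registered lookalike domain with its own valid SPF and DKIM passes all of these checks.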

If You Must

If organizational requirements mandate phishing simulations:

  • Measure reporting behavior (report rate, time to first report), not click rates. The first report is what gives the SOC a chance to pull the message from every other inbox; a low click rate with no reports is worse than a moderate click rate with fast reports.
  • Never shame or punish employees. Publish only campaign-level aggregates, never per-person results or leaderboards.
  • Use simulations as data collection, not training. A click tells you which lure and which missing control let it through; it does not teach the person who clicked.
  • Pair every campaign with an actual security improvement from the Alternatives list above, otherwise the next campaign measures the same gap again.
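The first and third items above amount to a measurement design. The following is an added example, not code from this wiki page, showing how to aggregate simulation events so that the output centres on reporting and contains no per-user data. The events are constructed; the `Event` type and `campaign_metrics` function are assumptions for this example, not a tool the page describes.

```python
"""Aggregate simulation results around reporting behaviour.

Added example for this wiki page, not the page's own code. The events
below are constructed. The function returns only campaign-level
aggregates; no per-user field is included in the result, so the output
cannot become a leaderboard or a list of people to "retrain".
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Event:
    user: str      # pseudonymous id, used only to de-duplicate actions
    action: str    # "delivered", "clicked" or "reported"
    t: int         # seconds after the campaign was sent


def campaign_metrics(events):
    """Return aggregate metrics that emphasise reporting over clicking."""
    delivered = {e.user for e in events if e.action == "delivered"}
    first_click, first_report = {}, {}
    for e in sorted(events, key=lambda e: e.t):
        if e.user not in delivered:
            continue
        if e.action == "clicked":
            first_click.setdefault(e.user, e.t)   # keep only the first click
        elif e.action == "reported":
            first_report.setdefault(e.user, e.t)  # keep only the first report
    n = len(delivered)
    report_times = sorted(first_report.values())
    clicked_then_reported = sum(
        1 for u, t in first_report.items() if u in first_click and first_click[u] < t)
    return {
        "delivered": n,
        "report_rate": round(len(first_report) / n, 3) if n else 0.0,
        "click_rate": round(len(first_click) / n, 3) if n else 0.0,
        # The first report is what gives the SOC the chance to pull the mail.
        "seconds_to_first_report": report_times[0] if report_times else None,
        "median_seconds_to_report": median(report_times) if report_times else None,
        # Clicked and then reported: the best outcome after a click, worth counting.
        "clicked_then_reported": clicked_then_reported,
    }


# Constructed campaign: 6 recipients, 3 reporters, 2 clickers, one repeat click.
SAMPLE_EVENTS = [
    *(Event(f"u{i}", "delivered", 0) for i in range(1, 7)),
    Event("u1", "reported", 120),
    Event("u2", "clicked", 300), Event("u2", "reported", 400),
    Event("u3", "clicked", 500),
    Event("u4", "reported", 900),
    Event("u3", "clicked", 800),  # duplicate click, must not double count
]

if __name__ == "__main__":
    print(campaign_metrics(SAMPLE_EVENTS))
```

The numbers worth tracking over time are `report_rate` and `seconds_to_first_report`; `click_rate` is kept only so the same dataset can answer which lure types get through, which is the control-selection question, not a people question.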