Why Companies Shouldn’t Try to Catch Employees With Fake Phishing Emails
Summary
- They can create stress and distrust among employees—without significantly improving an organization’s defenses
We’ve all seen it: that unexpected email with an attachment or link to something important. Except the email isn’t actually from whom it says it is; instead, it is the IT department sending a fake phishing message to see if you will click on it.
Real phishing messages can be dangerous to companies, leading to millions of dollars in losses and damages. Designed to trick people into downloading malware or divulging sensitive information, these scams are on the rise: In 2021, the FBI received more than 300,000 complaints about phishing attacks, up more than 30% from the year before.
To fight the problem, many corporate IT security teams use mock phishing campaigns (also called phishing simulations) in which they send deceptive emails to employees to gauge how many will take the bait. The goal is to educate and train employees to detect and resist phishing, and help IT security teams measure how vulnerable their organizations are to such attacks.
But recent research suggests these phishing simulations can do more harm than good—angering employees without significantly improving an organization’s defenses.
Here is a closer look at some of the problems.
They don’t strengthen defenses
One reason IT departments conduct mock phishing campaigns is to train employees. When employees do something they aren’t supposed to do, they feel bad. That creates a “teachable moment” when the employee becomes more receptive to learning how to avoid the same mistake in the future. Sure enough, research has found that people spend significantly more time reading training messages that are presented just after they have clicked on a simulated phishing email.
But when it comes to actually getting employees to resist future phishing attacks, these campaigns aren’t that effective. While early research suggested that phishing simulations could reduce click rates on subsequent fake phishing emails by about 50%, more recent studies in more realistic settings and with larger groups found little to no improvement in click rates after mock campaigns were conducted.
I conducted a simulated phishing campaign involving almost 2,000 employees in one organization. My team compared the effectiveness of four different training messages presented after employees clicked on fake phishing emails. Specifically, we wanted to know whether people were less likely to click on subsequent phishing emails after getting one of the messages, versus not getting any training at all. Only one training message led to fewer clicks than no training; the other three messages led to more clicks. And the message that led to an improvement only reduced the overall click rate by 1 to 2 percentage points.
Other studies have produced similar findings. A team of researchers working with the health industry, for example, found no difference between people who received training through one of these campaigns and people who didn’t. And most recently, a research team from Germany found that any improvement was gone after four to six months.
They aren’t a good measure of risk
Many chief information security officers and IT security teams conduct phishing simulations to measure how vulnerable their employees are to such scams—and whether it is getting better or worse.
The problem is, the data collected from phishing simulations aren’t always reliable. For starters, it can be difficult to determine whether all of the employees who took the bait thought the test message was genuine. One company I talked to reported seeing more people click on phishing links after they had received training. It was because the company made a new training video each month, and some employees intentionally clicked on phishing links hoping to see it.
The wording of the email message also can skew the results of a mock phishing campaign. Researchers like me have found that the actual click rate depends more on how the message is written and the context of the message than on the company, the employees or the training they previously received.
In my study, I did a lot of testing to try to make sure all four emails I sent were equally difficult to detect. Still, one of the four emails was about twice as difficult to detect as the other three. This particular email suggested that employees could get more email storage. More employees clicked on it because it happened to be sent around the same time the company was actually upgrading email accounts.
So, if an organization chooses to test with an easy message, the click-through rate will look good. If it uses a particularly tricky or difficult message, the numbers will look bad. And it is often hard to know ahead of time which is which, because timing and context can make phishing emails more or less effective.
They create stress and distrust
Many employees hate fake phishing emails.
They resent being tricked and feel that the simulations are unfair. In one phishing simulation that I ran, I received multiple complaints after the employees learned the emails they received were fake and not actually dangerous. When I talked to one of those employees, she said that she didn’t like feeling that she was being tested.
Some employees also say the advice companies provide on how to fight phishing—like checking every link before clicking or never opening attachments—is impractical and difficult to follow. Even security employees sometimes struggle with it. One IT employee I interviewed who tries to follow all suggested precautions says she has frequently missed important emails because she deleted them. She also has gotten in trouble with her boss for not visiting links or being willing to open attachments she was sent.
The whole point of a mock phishing campaign is to scare employees who fall for it in the hopes they will be more careful in the future. But research shows that creating fear doesn’t actually help people be more vigilant about cybersecurity or make it easier for them to distinguish good emails from bad ones. It just makes them more anxious.
As a result, the people subjected to these tests often experience unnecessary stress and learn to distrust their IT team, whose purpose is to protect the company and its employees.
Companies should consider the broader impacts of mock phishing campaigns before deciding whether and when to use them. While there is no surefire way to teach employees how to detect and stop phishing, there are alternative approaches that don’t lead to distrust and resentment.