The weakest security link at most companies is the human element. Workers can be phished, tricked, and scammed into downloading a virus a lot more easily than hackers can figure out a password or bypass a computer’s security system.
To combat the issue, businesses often rely on employee training courses and phishing tests that involve sending their employees a trick email to see if they fall for it.
The problem? Those types of tests barely make a difference in shoring up security at all, a new study has found.
Phishing Tests Only Reduce Successful Scams by 2%
Researchers at the University of California, San Diego, recently released the results of a study, titled “Understanding the Efficacy of Phishing Training in Practice,” which delivered one striking and somewhat demoralizing statistic: the various forms of phishing training tested resulted in just a 2% reduction in the success rate of actual phishing scams.
Other studies back this up, too.
According to the Wall Street Journal, which recently covered both studies, a 2021 study of 14,000 corporate workers — conducted by researchers at ETH Zurich university — found that phishing tests and other voluntary employee training actually made employees more likely to fall for future scams, “possibly by giving trainees a false sense of security.”
Phishing Tests Make Employees Mad
On top of barely working to make employees more vigilant about the threat of scammers, phishing tests tend to demoralize the employees. After all, if they fall for an internal phishing email, they’ve just been scammed by their own company — and now the company is calling them out for it.
Speaking to the Wall Street Journal, cybersecurity specialist Matt Linton notes that: “Phishing education is good. Tricking people into falling for a phish so you can lecture them that they failed, that’s the part that is terrible. […] They’re more receptive to the education if they feel like you haven’t just made them a fool.”
Some scams named in the article include a false claim that a lost puppy was wandering the parking lot, and a lie about a free trip to the Kennedy Space Center that made a NASA staffer cry.
No Great Solution to the Phishing Epidemic
Based on these studies, it’s easy to make the case against internal phishing test emails. They undermine trust in the organization, yet they fail to deliver the results they are designed to produce.
But how can businesses stay safe amid a steady stream of scams and ransomware threats?
Well, the typical range of software solutions and general data safekeeping advice all still applies: Use multi-factor authentication and password management tools, consider antivirus software, try passkeys, conduct vendor risk assessments at your business, and keep all your operating systems updated.
Employee training is still useful, too; just go easy on the phishing emails themselves, and don’t cry wolf. Or lost puppy, for that matter.