Why Phishing Simulations Alone Aren’t Enough
Over the past decade, phishing simulations have become a mainstay in organisational cybersecurity awareness efforts. These controlled tests aim to educate users on recognising malicious emails, providing hands-on experience in spotting red flags before it's too late. While phishing simulations certainly have value, relying on them as the cornerstone of a security awareness strategy is not only short-sighted, it’s potentially dangerous.
The Illusion of Readiness
One of the most common issues with phishing simulations is that they can create a false sense of security. If staff consistently pass simulations, leadership may assume the organisation is well prepared for real attacks. But simulated attacks often lack the sophistication, pressure, and nuance of real-world phishing campaigns.
Real phishing emails evolve constantly. Cybercriminals now use AI-generated content, deep personalisation, and credible spoofing tactics to increase success rates. A monthly simulation, built from a template, cannot possibly keep pace with that level of ingenuity.
Compliance ≠ Culture
Too often, phishing simulations are treated as a compliance checkbox. Users are "trained" by clicking through a short module after a failed test, and the incident is logged. But ticking boxes doesn’t change behaviour. Security culture is about continuous learning, shared responsibility, and empowerment, not fear of getting caught by IT.
If users see security training as punitive or performative, the result is disengagement. Worse, it could discourage them from reporting genuine incidents for fear of judgment or blame. That's the opposite of what we want.
Humans Are Just One Layer
Phishing simulations treat user awareness as the last, and sometimes the only, line of defence. In reality, a modern security strategy must be layered. Technical controls such as email filtering, domain monitoring, endpoint detection, and behavioural analytics are crucial both for stopping malicious messages before they reach a user and for catching the ones that a user does click.
Equally important are response processes. Do employees know what to do, and whom to tell, if they do fall for a phishing email? How quickly can your SOC contain a compromised account once it is reported? Simulations rarely test this incident response element, yet response time is critical in minimising damage.
Rethinking Awareness
A more holistic approach to awareness and resilience is needed. This includes:
- Contextual education: Tailored training for different roles (e.g., finance vs. sales) with relevant threat examples.
- Psychological safety: Encouraging openness and learning from mistakes without fear.
- Real-life storytelling: Sharing anonymised incidents from your own organisation or peers to build practical understanding.
- Simulated incident response: Running tabletop exercises to test not just user awareness, but organisational readiness.
Final Thoughts
Phishing simulations are useful tools, but they are only tools. Used in isolation, they offer limited insight into actual risk and can even backfire if not integrated thoughtfully into a broader security programme.
As information security leaders, our job is not to train staff to avoid failing tests; it’s to build a culture of vigilance, resilience, and response. Let’s move beyond the checkbox and towards something genuinely effective.