Are Simulated Phishing Attempts Successful in Teaching People to Recognize Scam Messages?

Oct 15, 2020

Are Simulated Phishing Attempts Successful in Teaching People to Recognize Scam Messages? Image

On September 23rd employees of the Tribune Publishing Company were greeted with an email declaring a $10,000 bonus they would be receiving for their outstanding performance. The problem: these bonuses didn’t exist. The email was part of a phishing awareness training ploy deployed by Tribune to test employees on their ability to detect cyber attacks. This kind of testing is used by companies to gather a pulse on how susceptible their employees are to phishing attacks, which have skyrocketed during the COVID-19 epidemic.

This form of testing can be a useful tool if used correctly. Work published by the National Institute of Standards and Technology has found that:

“It is important to vary phishing exercises appropriately and challenge staff with contextually relevant phish of varying difficulty to provide training on new scams for which variable click rates should be expected. This should not be viewed as a negative effect but rather a positive outcome, as it means organizations are truly training their staff with phish that represents current real-world threats.”

Attackers are constantly adapting and launching more sophisticated attacks with the aid of readily available information, allowing for better contextualization and variation. Cyber criminals will go through great lengths to be as manipulative as possible. Therefore, achieving a low click through rate on tests doesn’t always correlate with training effectiveness, but may indicate problems with the test itself. Simulations which are too easy, not contextually relevant for most staff, or repeated/very similar to previous exercises can create blind spots and give companies a false sense of security. Employers goals are probably not to trick as many employees into clicking, but creating trickier and more manipulative could help raise awareness for employees.

More effective than simulations alone, regular and consistent training has been shown to have the greatest effect on employees when it comes to identifying phishing attempts. According to a study conducted by Usenix, video-based training and interactive exercises have the longest-lasting influence on participants. This influence lasted on average only 6 months after being conducted, however. This indicates that in order to be effective, these initiatives must be repeated at regular intervals.

“We find a significantly improved performance of correctly identifying phishing and legitimate emails directly after and four months after the program’s deployment. This was not the case anymore after six months, indicating that reminding users after half a year is recommended.”


When conducted properly, simulated phishing emails can be an effective tool to maintain vigilance, assess risk, and detect areas of vulnerability; however, consistent training and exercises have been shown to be more effective. This is why Secuvant offers a managed information security awareness and anti-phishing training solution. We custom-tailor solutions to meet consumer’s needs in terms of training modules based on industry, or anti-phishing training based on the specific platforms an organization uses.

About Secuvant

Located in Salt Lake City, Utah, Secuvant is a global leader in integrated cyber threat analytics and risk advisory services, built on a value system of client focus, integrity, accountability, execution, and teamwork. Secuvant’s mission is to provide clients with a Clear Path Forward in their pursuit of establishing an acceptable security risk posture. Secuvant’s success is built upon strict adherence to its values, a functioning world-class advisory board, the unique combination of cybersecurity expertise and industry / vertical specialization, and a team of experts that repeatedly deliver best-in-class managed and advisory cybersecurity and risk services. Secuvant understands Cyber Risk is Business Risk™ and uses methodologies and metrics aimed at minimizing business risk. Services include, but are not limited to, Security Gap and Risk Assessments, Risk Program Management, Executive and Board Cyber Advisory, Penetration Testing, Security Monitoring, Managed Detection and Response and Incident Response services. To learn more visit