
Rethinking employee phishing tests: Is fear the best motivator?

by Simon Osuji
March 31, 2025

KnowBe4

Employee phishing tests have gained popularity as a way for organisations to gauge how vulnerable their employees are to phishing attacks and improve their awareness of cybersecurity. However, some have questioned whether it is appropriate to use fear, shame and betrayal as methods when employees fail these simulated phishing tests. Some argue that employing a positive reinforcement approach may lead to more effective outcomes.

Anna Collard, SVP Content Strategy and Evangelist at KnowBe4 AFRICA, a cybersecurity training organisation, had believed that she was immune to being fooled by a phishing test—until it actually happened. She clicked on an email because she was distracted and it looked completely legitimate.

“I was in an Uber, checking my emails as I chatted to the driver,” recalls Collard. She saw an email supposedly from Uber asking her to update her account details. “It was an incredible coincidence that I was in an Uber at the time, so without hesitating, I clicked on it.” Ultimately, she had to undergo the very cybersecurity training program she had designed.

Why do employees click on phishing emails?

According to a recent study (https://apo-opa.co/43zgZ3M), at least 14% of employees regularly click on phishing emails. Collard’s experience shows that successful phishing attacks stem from employees being overwhelmed or distracted, rather than just from a lack of training. Another study (https://apo-opa.co/4catV2l) conducted in the UK and US in 2020 revealed that 45% of employees click on phishing emails because of distractions. Certain approaches are more effective than others: for example, employees are more likely to fall for phishing emails if the emails appear to be from a senior figure in the company or their direct manager.

“Phish testing is critical because the threat of a data breach for companies is very real,” asserts Collard. “It allows organisations to see how their employees respond when exposed to realistic yet fake phishing emails.” Organisations also use phishing simulations to evaluate the effectiveness of their training programs. “If you want to change human behaviour, you cannot rely on training alone. That is where phish testing plays a crucial role.”

It’s also important to consider the prevalence effect—a psychological phenomenon where people are less likely to detect something (like a phishing email) when it occurs infrequently. In other words, even well-trained employees may miss a malicious email simply because true threats are rare, and our brains become conditioned to expect safe messages. This underscores the need for continuous testing and reinforcement to keep threat detection top-of-mind, while still approaching users with empathy and understanding.

Avoid the shame game

The approach that organisations take in conducting phishing tests is equally important. “The goal should not be to shame individuals who fail the test, as this can have negative consequences,” says Collard. “It is important for employees not to feel hurt or betrayed by their employers. From the beginning, companies should establish clear communication with their staff, explaining that phishing tests are an integral part of their overall cybersecurity training,” she explains.

Using insensitive tactics in phishing tests, such as offering bonuses during a restructuring period, can damage the trust between an organisation and its employees. Research suggests that instead of perceiving cybersecurity as a protective measure, users may then view phishing simulations as harmful. Collard suggests that organisations should prioritise both cybersecurity and the well-being of their employees by finding a balance between the two.

That said, there are certain high-stakes environments—such as financial institutions, critical infrastructure, or sensitive government roles—where the consequences of a successful phishing attack are so severe that stricter policies may be justified. “I’ve seen environments where security requirements are understandably stringent, and repeated non-compliance with policy or consistently failing phishing tests can ultimately lead to serious consequences, including job loss,” says Collard. “I understand that in contexts where the stakes are extremely high, this level of enforcement may be necessary to protect the organisation and its broader ecosystem.”

Creating a positive security culture

“Instead of just punishing those who fail phishing tests, employers should be more empathetic,” suggests Collard. “Are their staff feeling stressed and overworked? Are they going through financial difficulty? Knowing this will help organisations understand what’s driving employees’ risky online behaviour.” Another approach is to survey those users who displayed the correct behaviour to understand what made them spot and report the phishing simulation.

Gamification and celebrating success are also powerful tools to foster a positive security culture at work. “You could have a cyber hero of the month for the employee who reported an email which prevented an attack,” she suggests. “Or you could have a competition for the team that reports the most phishing tests.”

When done right, phishing simulation should educate employees, rather than humiliate them. “Phishing tests should enhance their ability to detect fake and potentially threatening emails and report them straight away to their IT department,” Collard concludes. “The goal should be positive reinforcement and the reward should be intrinsic: congratulating those who’ve done a good job.”

In a recent study (https://apo-opa.co/4j9BfgJ) conducted by KnowBe4 across more than 32 million users, the data conclusively shows that the more frequently groups did phishing tests (such as weekly), the better the users performed on spotting these simulated phishing tests. Groups that did both training and simulated phishing performed the best.

Distributed by APO Group on behalf of KnowBe4.
