Inflection Point: Does Traditional Phishing Training Protect Your Business?
Remember when I told you about that ETH Zurich study showing phishing training might actually make people more susceptible to phishing?
Well, now we have even stronger evidence.
Researchers at Purdue University just completed the largest study ever on anti-phishing training effectiveness. They tested 12,511 employees at a fintech company.
The results are brutal for the training industry.
Here’s what they found:
👉 Control group (no training): 9.8% clicked on phishing emails
👉 Lecture-based training group: 10.5% clicked on phishing emails
👉 Interactive training group: Same story
In other words, traditional training didn’t help. At all.
The study used the NIST Phish Scale to test employees with easy, medium, and hard phishing emails. Easy emails fooled 7% of people. Hard emails fooled 15%.
But here’s the kicker: Training made no difference at any difficulty level.
The researchers were thorough. They measured three things: how many people opened the emails, how many clicked malicious links, and how many reported the emails to security.
Traditional training failed on all three measures.
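To see why a 9.8% versus 10.5% gap reads as "no difference" rather than "training made it worse", here is an added example (not from the newsletter or the Purdue study) that runs a two-proportion z-test on constructed counts. The per-group sizes are an assumption, since the split of the 12,511 employees is not given here; the click counts are back-calculated from the reported rates.

```python
import math

# Constructed sample (an assumption, not from the newsletter): the 12,511
# employees are split into roughly equal groups of about 4,170, and the
# click counts are back-calculated from the reported 9.8% and 10.5% rates.
GROUP_SIZE = 4170
SIMULATION_RESULTS = {
    "control": {"n": GROUP_SIZE, "clicked": 409},  # about 9.8%
    "lecture": {"n": GROUP_SIZE, "clicked": 438},  # about 10.5%
}


def normal_cdf(x):
    """Standard normal CDF via the error function (no SciPy needed)."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def two_proportion_ztest(hits_a, n_a, hits_b, n_b):
    """Two-sided z-test on rate_b - rate_a. Returns (diff, z, p_value)."""
    rate_a, rate_b = hits_a / n_a, hits_b / n_b
    pooled = (hits_a + hits_b) / (n_a + n_b)
    se = math.sqrt(pooled * (1.0 - pooled) * (1.0 / n_a + 1.0 / n_b))
    z = (rate_b - rate_a) / se
    p_value = 2.0 * (1.0 - normal_cdf(abs(z)))
    return rate_b - rate_a, z, p_value


def compare_to_control(results, control="control", alpha=0.05):
    """Compare each non-control group's click rate against the control group."""
    ctrl = results[control]
    report = {}
    for name, grp in results.items():
        if name == control:
            continue
        diff, z, p = two_proportion_ztest(
            ctrl["clicked"], ctrl["n"], grp["clicked"], grp["n"]
        )
        report[name] = {
            "rate_diff_pct": round(100 * diff, 2),
            "z": round(z, 2),
            "p_value": round(p, 3),
            # False means the difference is within what chance alone produces
            "significant": p < alpha,
        }
    return report


if __name__ == "__main__":
    for name, row in compare_to_control(SIMULATION_RESULTS).items():
        print(name, row)
```

The same function works on your own simulation data once you substitute real per-group counts for the constructed ones; the same test can be applied to open and report rates, the other two measures the study tracked.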
Now, this doesn’t mean all training is worthless. But it does mean we’re teaching the wrong things.
Most phishing training focuses on spotting suspicious links and sender addresses. That’s like teaching someone to identify a pickpocket by their clothing.
The real problem is emotional hijacking.
Successful phishing attacks trigger strong emotions: fear, urgency, curiosity, excitement. When we’re emotionally hijacked, our rational thinking shuts down.
That’s when we click without thinking.
The training we need teaches people to recognize when they’re being emotionally manipulated. And more importantly, how to reset their mental state.
Here’s what effective training looks like:
👉 Teach people to pause when they feel sudden urgency or fear from an email
👉 Show them how to take three deep breaths and ask “Why am I feeling this way?”
👉 Train them to verify requests through a different channel before acting
👉 Practice recognizing the physical sensations of being emotionally hijacked
But even the best training won’t work 100% of the time.
That’s why we need technical controls that catch us when we’re having a bad day:
👉 Passwordless authentication so stolen credentials don’t matter
👉 AI-enhanced email filtering that blocks most phishing attempts
👉 Zero-trust networks that limit damage from compromised accounts
👉 Behavioral analytics that spot unusual activity
The winning combination is modest training focused on emotional awareness plus strong technical controls.
Think of it like airline safety. Pilots get excellent training. But planes also have multiple backup systems because humans make mistakes.
Your current phishing training might check compliance boxes. But it’s probably not protecting you from real attacks.
Instead of teaching people to be perfect email detectives, teach them to recognize when they’re being emotionally manipulated.
And build systems that work even when emotions get the better of us.
👇 Hit comment and tell me one thing you’re going to do differently to help people recognize emotional hijacking.
I read every message you send me.
-Kip
P.S. Please forward this "Inflection Point" to someone you care about.
Current Podcast Episode: “Fire Doesn’t Innovate” Second Edition
The second edition of “Fire Doesn’t Innovate” has dropped. What’s new? Why was it updated? How can different types of readers get the most value from it?
Let’s find out with your hosts Kip Boyle, CISO with Cyber Risk Opportunities LLC, and Jake Bernstein, CISSP, CIPP/US, Partner with K&L Gates.
Kip Boyle is a husband, dad, entrepreneur, and experienced cyber risk manager. He founded Cyber Risk Opportunities LLC in 2015, after seven years as the CISO of PEMCO Insurance in Seattle. As a captain on active duty in the US Air Force, he served in the Combat Archer and F-22 Stealth Fighter programs where he was the director of enterprise network security. These days, he serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!
I agree: to avoid payment fraud as a result of a fraudulent email/call/video, technical controls need to be implemented. Also, at the user level, add internal controls, authentication techniques, best practices and validations so that even if a fraudulent request gets through, it won't result in a fraudulent payment.
Such an eye-opening takeaway, Kip. Emotional awareness training plus smarter controls just makes sense. Thanks for sharing it so clearly!