User awareness training has been the default response to phishing for years. The training tends to focus on visible indicators: suspicious sender addresses, urgent language, misspelt domains and unexpected attachments. Modern phishing campaigns have largely moved past the indicators that traditional training teaches users to spot. The result is an awareness programme that produces high quiz scores and only modest improvements in actual click rates, which is not the outcome anyone was hoping for.

The Lures Have Improved Considerably

Modern phishing emails are well written, plausibly contextualised and increasingly delivered through compromised legitimate accounts belonging to business partners. The sender address is genuine. The grammar is professional. The lure references real corporate context, real projects or real upcoming events. A user trained to look for spelling mistakes finds none. A user trained to verify the sender address finds the address legitimate. The training failed at the technical level, not the user level. A capable external network penetration testing engagement that includes phishing simulation should reflect modern lure quality, not the 2015 standard that off-the-shelf templates still produce.

Multi Channel Attacks Bypass Single Channel Training

Awareness training usually focuses on email. Modern phishing campaigns also use SMS, voice calls, instant messaging platforms and increasingly even physical mail with QR codes leading to phishing sites. Each channel needs its own treatment in training. More importantly, technical controls that limit the consequences of a successful phish matter more than ever, because no realistic training programme will eliminate clicks entirely.

Expert Commentary

William Fieldhouse, Director of Aardwolf Security Ltd

The metric that actually matters is not whether users can identify a phishing email in a classroom exercise. It is whether the controls behind them survive a successful click. Phishing resistant MFA, conditional access policies, robust browser isolation and good detection coverage all matter more than the click rate.

Defence In Depth Around The Click

Phishing resistant MFA, conditional access policies that block authentication from unfamiliar contexts, endpoint detection that catches post-compromise activity and clear incident response playbooks all matter more than the click rate. Invest in the controls behind the click rather than only in the click rate itself. The economics favour assuming that some clicks will succeed, so measure those controls as deliberately as the click rate. The metrics that matter are the ones that demonstrate the consequences of a successful phish are bounded, not the metric that says the team had fewer successful phishes than last quarter.
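As an added illustration of measuring the controls behind the click (this is example code, not part of the original article), the script below scores a simulated campaign by how many phished passwords the access policy actually contained. The policy in `replay_outcome` is a hypothetical, simplified conditional-access rule, and the sign-in records are constructed rather than real telemetry.

```python
"""Score a phishing simulation by the controls behind the click, not the click rate."""
from __future__ import annotations
from dataclasses import dataclass

# Factors bound to the legitimate origin, so a relay proxy cannot complete them.
PHISHING_RESISTANT = {"fido2", "webauthn", "certificate"}


@dataclass(frozen=True)
class SignIn:
    user: str
    clicked: bool            # user followed the simulated phishing link
    submitted_creds: bool    # user entered a password on the lure page
    known_device: bool       # replay comes from a device previously seen for this user
    known_location: bool     # replay comes from a country/network previously seen
    mfa_method: str          # factor enrolled for the account: "", "sms", "push", "fido2"


def replay_outcome(s: SignIn) -> str:
    """Outcome when the phished password is replayed against the tenant.
    Hypothetical policy: a phishing-resistant factor cannot be relayed, so the
    replay fails; a replayable factor from an unfamiliar context is blocked by
    conditional access; a replayable factor from a familiar context gets through."""
    if s.mfa_method in PHISHING_RESISTANT:
        return "block"
    if not (s.known_device and s.known_location):
        return "block"
    return "allow"


def score(signins: list[SignIn]) -> dict:
    """Report the click rate next to the metric the article argues for: the share
    of credential submissions whose consequences the controls bounded."""
    clicked = [s for s in signins if s.clicked]
    submitted = [s for s in signins if s.submitted_creds]
    blocked = [s for s in submitted if replay_outcome(s) == "block"]
    return {
        "click_rate": len(clicked) / len(signins),
        "submit_rate": len(submitted) / len(signins),
        "bounded_rate": len(blocked) / len(submitted) if submitted else 1.0,
        "unbounded": [s.user for s in submitted if replay_outcome(s) == "allow"],
    }


# Constructed campaign results (not real data).
SAMPLE = [
    SignIn("alice", True, True, False, False, "fido2"),  # origin-bound key: relay fails
    SignIn("bob", True, True, False, False, "sms"),      # OTP relayable, context unfamiliar
    SignIn("carol", True, True, True, True, "push"),     # relayable factor, familiar context
    SignIn("dave", True, False, False, False, ""),       # clicked, submitted nothing
    SignIn("erin", False, False, False, False, ""),
]

if __name__ == "__main__":
    print(score(SAMPLE))
```

Running it shows an 80% click rate alongside a two-thirds bounded rate and names the one account (carol) whose phished password would have been usable, which is the number worth driving to zero.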

Make Reporting Cheap And Useful

Users who suspect a phishing attempt should have a one click path to report it. The reports should reach a team that actually triages them. The team should provide feedback to the reporting user, even briefly, so the user learns whether they caught something real. Pair this with regular engagements from a penetration testing company that includes targeted phishing campaigns in its scope, and the entire programme becomes measurable.

Awareness training has its place. Pretending it solves phishing on its own is what gets organisations into trouble. Phishing remains a serious threat and a manageable one. The controls behind the click matter more than the click rate itself. Phishing is one of those threats that combines social and technical elements in ways that pure technical defences cannot fully address. The combination of cultural and technical investment produces measurably better outcomes than either approach pursued in isolation.
