Research shows phishing training doesn't really work

August 21, 2025 by MTRIX GmbH, Tobias Ferner

Many companies focus on awareness training and phishing training. Their hope is to transform employees into “human firewalls.” New, scientifically based findings from a large-scale study conducted by a US healthcare company show, however, that this belief is mistaken.


Eight months, 19,500 participants, minimal impact

A current study by IT security researchers Ariana Mirian and Christian Dameff clearly shows that phishing training courses are of minimal benefit to companies.

Over a period of eight months, more than 19,500 employees were regularly confronted with phishing simulations. Five groups of participants received no training in advance, while others received interactive, context-based training modules. The disappointing results show that all groups fall for phishing and that training only brings about a marginal improvement of 1.7%. The presentation published by the two researchers at Black Hat 2025 is already available to the public.

In addition, around 50% of participants clicked on a phishing email at least once during the study, regardless of their training status.


Training sessions are ignored – commitment is lost

According to the US researchers, the fundamental problem is that there was no effective engagement because many participants closed their training materials too quickly. The majority even finished the lessons within seconds. As a result, training sessions often proved ineffective.

Another fact: the success of phishing depends heavily on the content of the bait emails. While tricky Outlook password requests were almost always spotted (error rate 1–4%), topics such as vacation entitlement or internal company protocols resulted in clicks in around 30% of cases. Particularly alarming was the finding that, over a longer period of time, almost everyone falls for a phishing attempt at some point.

The researchers concluded that whoever controls the bait controls the error rate. But how can this be done successfully?


Companies are investing millions that offer little protection!

The study concludes that the belief that phishing training and traditional awareness campaigns are sufficient is both incorrect and dangerous. More is needed—more efficiency and less false security.

Companies and organizations need a practical way to make their security measurable and sustainable.


The solution: multi-factor authentication (MFA)

If we learn one thing from this and many previous studies, it is that humans remain the weakest link in the chain. Companies can only achieve real protection through technical measures that are independent of individual behavior.

The most effective measure is multi-factor authentication (MFA). It ensures that a compromised password alone is no longer sufficient to take over an account or system. Even if employees fall for a phishing email, the attack fails at the latest when the additional authentication step is triggered.
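To make the claim concrete, here is an added example (not MTRIX code and not code from the study) of a login check that requires both a password and a time-based one-time password (TOTP, RFC 6238) and that rejects a code once it has been accepted, so a code captured from a user cannot be replayed later. The user store, the user name "alice", the password and the PBKDF2 parameters are constructed for the example; the TOTP secret is the reference secret from the RFC 6238 test vectors, which lets the `totp()` function be checked against published values.

```python
import base64
import hashlib
import hmac
import os
import struct

STEP = 30    # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6   # code length shown by a typical authenticator app

# Base32 form of the RFC 6238 reference secret "12345678901234567890" (test vector, not a real key).
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=DIGITS):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def totp(secret_b32, at_time, step=STEP, digits=DIGITS):
    """Time-based one-time password (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, int(at_time) // step, digits)


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256, so a leaked store does not hand out the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed in-memory user store (hypothetical; a real deployment keeps this in a database).
USERS = {}


def register(username, password, totp_secret_b32):
    """Enrol a user with a per-user random salt and a TOTP secret shared with their authenticator."""
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret_b32,
        "last_counter": -1,   # highest TOTP counter already accepted (replay guard)
    }


def verify_login(username, password, otp, now, window=1):
    """Return True only if BOTH the password and a fresh, unused TOTP code are correct.

    `window` allows +/- one time step of clock drift between server and authenticator.
    """
    user = USERS.get(username)
    if user is None:
        return False
    # First factor: constant-time comparison of the password hash.
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False
    # Second factor: a phished password on its own gets no further than here.
    if not otp:
        return False
    counter = int(now) // STEP
    for c in range(counter - window, counter + window + 1):
        if c <= user["last_counter"]:
            continue   # this time step was already used: reject replay of a captured code
        if hmac.compare_digest(hotp(user["totp_secret"], c), otp):
            user["last_counter"] = c
            return True
    return False


if __name__ == "__main__":
    register("alice", "correct horse battery staple", DEMO_SECRET)
    t = 1_700_000_000
    code = totp(DEMO_SECRET, t)
    print("password only        :", verify_login("alice", "correct horse battery staple", None, t))
    print("password + fresh code:", verify_login("alice", "correct horse battery staple", code, t))
    print("same code replayed   :", verify_login("alice", "correct horse battery staple", code, t))
```

The first `verify_login` call models the phishing case the article describes: the attacker holds a valid password and nothing else, and the login is refused. The second factor here is a TOTP code; a code of this kind can still be forwarded in real time by a proxy placed between user and site, so where that risk matters, origin-bound factors such as FIDO2/WebAuthn security keys are the ones to prefer.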

This is exactly where our expertise lies: we are specialists in multi-factor authentication. We provide strategic advice, implement tailor-made solutions for your company, and also provide follow-up support.


Is phishing present in your organization too?

Would you like to protect your company or organization efficiently against phishing attacks? Contact us for a no-obligation consultation.