Debates around the effectiveness of phishing simulations are widespread. Supporters claim they can boost learning retention rates, help train users’ instincts, reduce risk, and contribute to developing a ‘security-first’ culture.

Detractors point to tick-box compliance, fatigue, unfair and unethical lures, punishing users who ‘fail’ phishing tests (e.g., extra-dull mandatory training, naming and shaming, disciplinary measures), and focusing on failure rather than success.

In fact, two recent (2021 and 2025) studies suggest that phishing training makes no significant difference to susceptibility, and could, counter-intuitively, make users more susceptible (although there are some important caveats to this).

But phishing is often the most prevalent entry mechanism for attackers. It’s cheap and easy, and generative AI may make it even easier. And threat actors know it works. So is there a way to make phishing exercises effective?

At Sophos, we think there is. We’ve been running internal simulations since 2019 – but, crucially, we don’t measure by failure. We measure by success.

Click rates aren’t that helpful, because it only takes one user to click – and they frame users as potential problems rather than potential assets. Instead, our key metric is how many users report phishing emails, and how quickly.

Why? Because reports are a highly tailored source of actionable threat intelligence. They allow us to triage, and follow an established process involving detonating attachments, looking up IOCs, threat hunting, blocking malicious domains, and clawing back emails from inboxes.

And we don’t want users to simply delete/ignore phishing emails. That puts us behind the pace during a real attack. We don’t congratulate people for something they DIDN’T do, but for something they DID. This empowers users to be a crucial line of defence, not the ‘weakest link.’

Our simulations are not about trying to catch users out, but training them to remember to hit Report. We frame it like this: we’re not trying to deceive people. We’re playing a game to help refresh their memory.

In a new blog post out today, we discuss the pros and cons of phishing simulations, and our own philosophy and approach at Sophos. We also provide ten tips for organizations when planning simulations (full details in the article, link below):

  • Find the right cadence.
  • Pretexts should be realistic, but not unreasonable.
  • Reinforce positive behaviors rather than trying to catch people out.
  • Prioritize reports (and speed) over clicks.
  • Look beyond the click.
  • Doing nothing helps no one.
  • Complement simulations with novel forms of learning.
  • Use them to train security teams as well as end users.
  • Include everyone.
  • Build systems tolerant to human failure.
Read the full article here: https://news.sophos.com/en-us/2025/10/31/phake-phishing-phundamental-or-pholly/

Phake phishing: Phundamental or pholly? (Sophos News) – Debates over the effectiveness of phishing simulations are widespread. Sophos X-Ops looks at the arguments for and against – and our own phishing philosophy.
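As an added illustration (not code from this post or from the Sophos article), the snippet below scores a simulation campaign the way the post describes: by report rate and time-to-report rather than click rate, with a report that arrives after a click still counted as a success and "did nothing" tracked as its own category. The user names, send time and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

CATEGORIES = ("reported", "clicked_then_reported", "clicked_silent", "ignored")


@dataclass
class UserOutcome:
    user: str
    clicked_at: Optional[datetime]   # None if the user never clicked the lure
    reported_at: Optional[datetime]  # None if the user never hit Report


def classify(o: UserOutcome) -> str:
    """Success-first categories: a report counts even if it follows a click,
    and silently deleting/ignoring the mail is tracked, not treated as a pass."""
    if o.reported_at and not o.clicked_at:
        return "reported"
    if o.reported_at and o.clicked_at:
        return "clicked_then_reported"
    if o.clicked_at:
        return "clicked_silent"
    return "ignored"


def campaign_metrics(sent_at: datetime, outcomes: list[UserOutcome]) -> dict:
    """Report rate, time to first report (when triage can start) and median
    time-to-report for one campaign; click rate is kept only for comparison."""
    n = len(outcomes)
    reports = [o.reported_at for o in outcomes if o.reported_at]
    minutes = [(r - sent_at).total_seconds() / 60 for r in reports]
    counts = {c: 0 for c in CATEGORIES}
    for o in outcomes:
        counts[classify(o)] += 1
    return {
        "report_rate": len(reports) / n,
        "click_rate": sum(1 for o in outcomes if o.clicked_at) / n,
        "minutes_to_first_report": min(minutes) if minutes else None,
        "median_minutes_to_report": median(minutes) if minutes else None,
        **counts,
    }


# Constructed sample campaign: five recipients, mail sent at 09:00.
SENT = datetime(2025, 10, 31, 9, 0)
SAMPLE = [
    UserOutcome("alice", None, SENT + timedelta(minutes=4)),
    UserOutcome("bob", SENT + timedelta(minutes=7), SENT + timedelta(minutes=9)),
    UserOutcome("carol", SENT + timedelta(minutes=12), None),
    UserOutcome("dave", None, None),
    UserOutcome("erin", None, SENT + timedelta(minutes=25)),
]

if __name__ == "__main__":
    print(campaign_metrics(SENT, SAMPLE))
```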