An eight-month study at a U.S. healthcare organization shows that traditional training has little effect on stopping phishing attacks.
Researchers from UC San Diego, the University of Chicago, and UC San Diego Health conducted a large-scale experiment involving 19,500 employees at a major healthcare organization. Over eight months, they launched ten simulated phishing campaigns to test whether security training improved resilience. The results showed no measurable improvement: employees who had recently completed training were just as likely to click phishing links as those who had not.
The findings suggest that standard, static cybersecurity awareness sessions may even worsen outcomes. According to the study, employees who had completed multiple training sessions showed a higher likelihood of failing phishing simulations.
The only method that offered improvement was “embedded phishing training,” where users who clicked a simulated phishing link were immediately redirected to a training page. However, the reduction in future failure was only 1.7%, a minimal gain.
Overall, more than half of employees, 56%, clicked at least one phishing link during the ten campaigns. Nearly 26% failed at least two simulations, and close to 10% failed three or more.
The researchers noted that “the absolute difference in failure rates between trained and untrained users is extremely low across a variety of training content.” They also observed that engagement with training was poor, with over half of users abandoning the embedded training page within 10 seconds, and fewer than 24% completing the material.
In the study, titled "Understanding the Efficacy of Phishing Training in Practice," the researchers concluded that "both types of training, as commonly deployed today, are unlikely to improve widespread protection against phishing attacks." While embedded training showed "a statistical correlation with a lower phishing failure rate," the improvement was marginal compared to the success of real phishing attempts. The authors suggested that future work should use randomized controlled studies and "training styles that provide greater opportunity for learning (e.g., interactive)," while also finding ways to increase user engagement.
Repetition without variation can cause users to disengage or tune out, leading to lower attention when facing real phishing attempts.
Embedded phishing training is an immediate, real-time intervention that teaches users right after they click a simulated phishing link, making the lesson more memorable because it connects directly to their mistake.
These topics are familiar, relevant to employees’ daily lives, and appear to come from trusted sources like HR, which lowers suspicion.
Because healthcare handles large amounts of sensitive data, a 15%–30% phishing failure rate poses significant risks, including potential exposure of patient records and regulatory penalties.
Experts suggest interactive, scenario-based training, stronger technical safeguards like phishing-resistant authentication, and fostering a culture of reporting suspicious messages rather than relying solely on awareness sessions.