Author credentials: GIAC GSEC, GIAC GSLC, NW3C CCE, Cellebrite CCO, Cellebrite CCPA

Phishing Simulations Test for Failure

[Image: Security operations center monitors showing green phishing simulation dashboards while a breach glows red behind them]

In 2025, the FBI's Internet Crime Complaint Center logged $20.9 billion in losses, a 26% jump from the year before. Business email compromise alone accounted for $3 billion. Phishing complaints stayed roughly flat at 191,561, but losses from phishing tripled to $215.8 million in a single year. AI-related complaints showed up in the report for the first time: 22,000-plus complaints, nearly $900 million in losses. [IC3 2025]

That's the size of the problem your phishing simulation program is supposed to solve. Now look at the math the program runs against it.

A simulation hits 1,000 employees. Click rate comes back at 8%. That's industry average.

Eighty people clicked.

You didn't need eighty. You needed one.

One click on a real attack and the credentials walk out the door. The attacker logs in, pivots, and moves through your environment on what looks like a legitimate session. The breach starts with employee number one. The other 999 don't get to save you.

The math doesn't get better at smaller orgs. A hundred-person company with the same 8% rate has eight clicks. A fifty-person company has four. Whatever the headcount, the equation is the same. Any nonzero click rate is a successful attack.

So what is the simulation actually measuring?


The Wrong Problem

Phishing simulations measure how susceptible your workforce is to a generic email written by a vendor whose templates lag well behind what attackers are sending. They don't measure your exposure to what a real attacker is sending today. Those are different things, and the gap is widening.

If your security depends on every employee, every day, catching every malicious email forever, you don't have security. You have a bet you must win a thousand times a day, every day.

Phishing is a system problem, not a human problem. The right response isn't training people to do something they aren't built to do reliably. The right response is building defenses that survive a click.

That means phishing-resistant MFA: FIDO2 security keys instead of SMS codes, because the credential is bound to the real site's origin and simply does not work on a lookalike page. Conditional access policies that flag impossible travel and anomalous sessions. Least privilege so a compromised account can't reach the financial system. Fast incident response that turns a click into a near-miss instead of a breach.

None of that depends on Janice in accounting having a perfect Tuesday at 4:15 PM.
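What "flag impossible logins" looks like in practice, as an added example that is not code from this post: an impossible-travel check run over a handful of constructed sign-in events in the shape of a generic identity-provider log with IP geolocation already resolved to coordinates. The field names, the 900 km/h threshold and the sample entries are assumptions for illustration.

```python
"""Impossible-travel detection over sign-in events. Added illustration,
not code from the post; SAMPLE_LOG is constructed and the field names
mimic a generic identity-provider sign-in log with IP geolocation already
resolved to coordinates (an assumption)."""
import json
import math
from datetime import datetime

MAX_SPEED_KMH = 900.0  # assumed threshold: faster than an airliner

# Constructed sample: one JSON event per line, deliberately not in time order.
SAMPLE_LOG = """
{"ts":"2025-03-04T09:02:11Z","user":"janice@example.com","result":"success","ip":"203.0.113.10","lat":41.88,"lon":-87.63,"ua":"Windows/Edge"}
{"ts":"2025-03-04T10:15:00Z","user":"raj@example.com","result":"success","ip":"203.0.113.22","lat":41.88,"lon":-87.63,"ua":"macOS/Safari"}
{"ts":"2025-03-04T09:41:55Z","user":"janice@example.com","result":"success","ip":"198.51.100.7","lat":52.37,"lon":4.90,"ua":"Linux/Chrome"}
{"ts":"2025-03-04T19:30:00Z","user":"raj@example.com","result":"success","ip":"198.51.100.9","lat":40.71,"lon":-74.01,"ua":"macOS/Safari"}
{"ts":"2025-03-04T11:00:00Z","user":"janice@example.com","result":"failure","ip":"198.51.100.7","lat":52.37,"lon":4.90,"ua":"Linux/Chrome"}
"""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse_events(text):
    """Parse one JSON event per line; timestamps become aware datetimes."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Compare each successful sign-in with the same user's previous
    successful sign-in and alert when the implied speed is impossible.
    Failed attempts are ignored: they never created a session."""
    alerts = []
    last_success = {}
    successes = sorted((e for e in events if e["result"] == "success"), key=lambda e: e["ts"])
    for event in successes:
        prev = last_success.get(event["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], event["lat"], event["lon"])
            hours = (event["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                alerts.append({
                    "user": event["user"],
                    "from_ip": prev["ip"],
                    "to_ip": event["ip"],
                    "km": round(km),
                    "minutes": round(hours * 60),
                    "kmh": round(speed) if speed != math.inf else speed,
                    "ua_changed": prev["ua"] != event["ua"],
                    # The response that makes the click survivable:
                    "action": "revoke sessions, require phishing-resistant MFA re-auth",
                })
        last_success[event["user"]] = event
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Janice's two successful sign-ins are forty minutes apart and some 6,600 km apart, so the check fires and the playbook is to kill her sessions rather than to ask whether she clicked; Raj's Chicago-to-New York day is well under the threshold and stays quiet. The failed attempt is ignored because it never produced a session worth revoking.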


The Data Is Now In

If that sounds like a take, the data has caught up.

In 2025, researchers from the University of Chicago and UC San Diego published the largest peer-reviewed study to date on phishing simulation effectiveness. They ran ten phishing campaigns against more than 19,500 employees at UC San Diego Health over eight months. [UCSD] [Ho et al., IEEE S&P 2025]

The findings:

  • Annual cybersecurity training reduced click rates by only 1.7%.
  • 75% of users spent one minute or less on the post-click training material. One-third closed it immediately without engaging.
  • Exposure accumulates with every campaign. In month one, 10% of employees clicked at least one simulated phishing email. By month eight, more than half had clicked at least once.

The researchers' recommendation, in their own words, was to refocus on technical countermeasures: phishing-resistant MFA and password managers that only fill credentials on legitimate domains.

That is not a take. That's a peer-reviewed conclusion from a controlled study of nearly 20,000 employees.
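Why the two countermeasures the researchers recommend, and the FIDO2 keys named earlier in this piece, hold up after a click: what follows is an added example, not code from the study or from this post. It simulates a WebAuthn exchange in which the browser records the page's real origin in clientDataJSON and refuses to use a credential whose RP ID does not match the page, and in which the relying party rejects any assertion that carries another origin. The relying party name, the lookalike domain and the HMAC stand-in for the authenticator's ECDSA signature are all assumptions; the property demonstrated is origin binding, the same rule an origin-bound password manager applies before autofilling.

```python
"""Why FIDO2/WebAuthn survives a click: the credential is bound to the
site's origin, so a lookalike or proxy page cannot produce an assertion
the real relying party accepts. Added illustration, not code from the
post. The authenticator's ECDSA signature is replaced by an HMAC stand-in
so this runs on the standard library; origin binding is the point."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "example.com"                     # assumed relying party ID
RP_ORIGIN = "https://login.example.com"   # origin the RP expects in clientData


class Authenticator:
    """Roaming key holding one credential per RP ID."""

    def __init__(self):
        self._keys = {}

    def make_credential(self, rp_id):
        # A real authenticator returns a public key; here the shared HMAC
        # key stands in for it (a simplification, not the real scheme).
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]

    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self._keys:
            raise LookupError("no credential scoped to " + rp_id)
        # authenticatorData: rpIdHash || flags (UP) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + bytes(4)
        sig = hmac.new(self._keys[rp_id], auth_data + client_data_hash, "sha256").digest()
        return auth_data, sig


def browser_get(authn, page_origin, rp_id, challenge, enforce_rp_id=True):
    """What the browser does for navigator.credentials.get(): it writes the
    page's true origin into clientDataJSON and refuses an RP ID that is not
    the page's domain or a registrable suffix of it."""
    host = urlparse(page_origin).hostname or ""
    if enforce_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    auth_data, sig = authn.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(pubkey, challenge, client_data, auth_data, sig):
    """Relying-party side: challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:                                 # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():     # rpIdHash
        return False
    expected = hmac.new(pubkey, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(expected, sig)


def run_scenarios():
    """One outcome per scenario; only the genuine site signs in."""
    authn = Authenticator()
    pubkey = authn.make_credential(RP_ID)
    phish = "https://login.example.com.evil.test"   # constructed lookalike origin
    results = {}

    # 1. Genuine site: everything lines up.
    ch = secrets.token_urlsafe(32)
    results["genuine"] = rp_verify(pubkey, ch, *browser_get(authn, RP_ORIGIN, RP_ID, ch))

    # 2. Lookalike domain: the browser will not even ask the key.
    try:
        browser_get(authn, phish, RP_ID, secrets.token_urlsafe(32))
        results["lookalike"] = "assertion produced"
    except PermissionError:
        results["lookalike"] = "browser refused"

    # 3. Adversary-in-the-middle proxy relaying the real challenge, with a
    #    hypothetical client that skips the rpId check: the assertion still
    #    names the attacker's origin, so the RP rejects it.
    ch = secrets.token_urlsafe(32)
    cd, ad, sig = browser_get(authn, phish, RP_ID, ch, enforce_rp_id=False)
    results["proxy_relayed"] = rp_verify(pubkey, ch, cd, ad, sig)

    # 4. The proxy rewrites the origin to the real one: the signature covered
    #    the hash of the original clientData, so verification fails.
    forged = json.dumps({"type": "webauthn.get", "challenge": ch, "origin": RP_ORIGIN},
                        separators=(",", ":")).encode()
    results["proxy_forged_origin"] = rp_verify(pubkey, ch, forged, ad, sig)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} {outcome}")
```

Contrast this with a TOTP code or an SMS code: the user can read either one to any page that asks, so the proxy in scenario 3 simply relays it. Here there is nothing for the user to hand over; the browser and the relying party both check the origin without the user being in the loop, which is what "the click doesn't matter" means in practice.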


Why Simulations Don't Get You There

They train people to detect yesterday's phishing. Today's attackers use generative AI to write grammatically perfect, contextually accurate emails. They scrape LinkedIn for org charts. They time messages to real events: a board meeting Tuesday, an RFP closing Friday, a vendor onboarding call. The simulation sends a template. The real one knows your calendar.

They miss half the attack surface. Email is no longer the only delivery vector. Vishing, voice clones of the CFO calling the AP clerk. Smishing, SMS messages spoofing UPS. Teams DMs from someone claiming to be IT. Slack messages from a compromised colleague. An email-only simulation tells the dashboard everything's fine while the rest of the attack surface goes untested.

They optimize the wrong metric. Click rate measures susceptibility to a specific lure on a specific day. It doesn't measure whether the employee learned anything durable. A program that drops your click rate from 12% to 4% looks like progress. Usually it means the same 4% will fall for the next attack, while the headline number moves in the direction the executive who funded the program wants to see.

They train the wrong reflex. When employees see fake phishing every month, they learn a heuristic: if it looks weird, it's probably a test, and IT will sort it out. They stop reporting. They assume the suspicious email is the simulation, not the breach. The reporting reflex you wanted has been trained out.

They damage incident response.

This is the one most people miss.

When clicking gets you written up, sent to remedial training, or named on a list, employees hide their clicks. They try to clean it up themselves. They wait to see if anything bad happens. They don't tell IT for an hour, six hours, a day.

The UK's National Cyber Security Centre has formal guidance on this. They call it Principle 2 of cyber culture: a safe, no-blame reporting environment. [NCSC] CREST research found that employees view both mandatory training and punitive simulations as unfair, and that both interventions increase state anxiety, which sustained over time becomes chronic stress and erodes the reporting behavior incident response depends on. [CREST]

The speed of the report is what matters most once a click has happened. Fast reports turn breaches into near-misses. Slow reports turn near-misses into breaches. The program designed to reduce clicks is making the consequences of clicks worse.

That's not a marginal cost. That's the whole game.


Where the Money Should Go

Spend it on the system controls. Phishing-resistant MFA across every account that touches anything sensitive. Logging and monitoring that can identify a compromised session in minutes instead of weeks. Incident response capability so the click, when it happens, gets contained.

And spend a smaller, sustained amount on real awareness education. Not gotcha tests. Recurring, plain-English content that keeps your team current on what attackers are actually doing right now. The threat landscape changes weekly. Your training should too.

Measure mean-time-to-report, not click rate. Reward employees who report fast, including the ones who clicked first. Build a no-blame reporting culture so people raise their hand the moment something feels off.

That single cultural shift is worth more than any simulation vendor can sell you.
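What measuring time-to-report instead of click rate looks like on a dashboard, as an added example that is not code from this post: constructed results for one mailing to ten users, reduced to the numbers incident response actually cares about. The user IDs and timestamps are made up.

```python
"""Report-speed metrics for one phishing-awareness mailing. Added
illustration, not code from the post; SAMPLE_RESULTS is constructed."""
import statistics

# Constructed results: one row per recipient of a mailing sent at 09:00.
# "clicked" and "reported" are HH:MM on the same day, or None.
SENT_AT = "09:00"
SAMPLE_RESULTS = [
    {"user": "u01", "clicked": "09:03", "reported": "09:05"},  # clicked, then raised a hand
    {"user": "u02", "clicked": None,    "reported": "09:02"},
    {"user": "u03", "clicked": "09:10", "reported": None},     # hidden click: IR's real problem
    {"user": "u04", "clicked": None,    "reported": "09:30"},
    {"user": "u05", "clicked": "09:15", "reported": "15:15"},  # waited six hours to see what happened
    {"user": "u06", "clicked": None,    "reported": None},
    {"user": "u07", "clicked": None,    "reported": "09:01"},
    {"user": "u08", "clicked": "09:20", "reported": "09:22"},
    {"user": "u09", "clicked": None,    "reported": None},
    {"user": "u10", "clicked": None,    "reported": "09:45"},
]


def _minutes(hhmm):
    """Minutes since midnight for an HH:MM string."""
    hours, mins = map(int, hhmm.split(":"))
    return hours * 60 + mins


def report_metrics(rows, sent_at=SENT_AT):
    """Click rate is kept for comparison; the rest is what IR needs."""
    sent = _minutes(sent_at)
    reporters = [r for r in rows if r["reported"]]
    clickers = [r for r in rows if r["clicked"]]
    clicked_then_reported = [r for r in clickers if r["reported"]]
    ttr = [_minutes(r["reported"]) - sent for r in reporters]
    click_to_report = [_minutes(r["reported"]) - _minutes(r["clicked"]) for r in clicked_then_reported]
    first = sorted(reporters, key=lambda r: _minutes(r["reported"]))[:3]
    return {
        "click_rate": len(clickers) / len(rows),             # the dashboard number
        "report_rate": len(reporters) / len(rows),
        "median_minutes_to_report": statistics.median(ttr) if ttr else None,
        "mean_minutes_to_report": round(statistics.mean(ttr), 1) if ttr else None,
        "clickers_who_reported": len(clicked_then_reported),
        "clickers_who_stayed_silent": len(clickers) - len(clicked_then_reported),
        "median_minutes_click_to_report": statistics.median(click_to_report) if click_to_report else None,
        "slowest_click_to_report_minutes": max(click_to_report) if click_to_report else None,
        # The people to thank publicly, clickers included.
        "first_to_report": [r["user"] for r in first],
    }


if __name__ == "__main__":
    for key, value in report_metrics(SAMPLE_RESULTS).items():
        print(f"{key:32s} {value}")
```

The 40% click rate is the number a simulation vendor would put on the slide. The rows that matter are the one clicker who never reported and the one who sat on it for six hours; a blame-free culture shrinks both, and the median click-to-report time of two minutes is what a good program trends downward. Note that u01 clicked and still lands on the "first to report" list, which is exactly the behaviour to reward.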


The Bottom Line

Phishing simulations test for failure. They measure a metric that doesn't matter at a scale that doesn't help. They give leadership a dashboard that looks like progress while the actual exposure stays the same, or gets worse.

The FBI says cybercrime losses jumped 26% last year. Phishing-driven losses tripled. The largest academic study on the subject says training programs reduce click rates by less than two percent. The system you're paying for isn't keeping up with the threat it's supposed to address.

Stop testing your people. Build systems where the click doesn't matter, and a culture where the report comes fast.


Stay Current. Stop Testing. Start Preparing.

Sentinel Weekly delivers plain-English cyber awareness content to your team every week. Built by working law enforcement. Written for working employees. Designed to change behavior, not to measure failure.

New threats. Current cases. Real examples. No gotcha tests. No shame.

Subscribe at weekly.sentinelvault.net.