Phishy
Research

Why “Gotcha” Phishing Training Backfires

Research shows that shame-based phishing tests increase employee anxiety without improving security behaviour. Here’s what the evidence says — and what actually works.

The standard approach

Most phishing simulation programmes follow the same script: send a fake phishing email to all staff, collect click data, then immediately confront clickers with a message like “You’ve been phished! Complete this mandatory training module.”

Security teams often share department-level click rates in all-staff meetings. Some organisations go further and send follow-up emails from the CISO naming the people who clicked. The assumption is that embarrassment creates motivation.

The research says otherwise.

What the research shows

A 2022 study published in the Journal of Cybersecurity (Lain et al.) followed 14,000 employees across a large organisation running a phishing simulation programme. Key findings:

  • Employees who received immediate negative feedback after clicking showed higher security anxiety scores — but their click rates did not decrease faster than those who received neutral educational feedback.
  • More critically, high-anxiety employees were less likely to report suspicious emails to the security team — fearing blame if it turned out to be legitimate.
  • Employees who clicked repeatedly were typically in high-workload roles, not security-unaware ones. Workload correlated more strongly with click rate than security knowledge did.

A separate study from ETH Zurich (2021) found that embedded phishing training (the “teachable moment” shown immediately after clicking) was significantly more effective than separate mandatory training modules — but only when framed as helpful rather than punitive.

Why shame-based training backfires

The mechanism is straightforward: shame creates avoidance behaviour. When clicking a phishing link means public embarrassment, employees learn one thing — hide the fact that they clicked.

This creates a dangerous gap:

  • Employees who accidentally click a real phishing link are less likely to report it
  • Employees who receive a suspicious email are less likely to report it (fear of false positives being embarrassing)
  • Security culture shifts from “help us stay safe” to “don’t get caught”

What actually works

The research points to three components that consistently reduce click rates over time:

1. Immediate, contextual coaching

When an employee clicks a simulated phishing link, show them immediately — on that same page — what the red flags were. Not a generic “you’ve been phished” message, but specific coaching: “Notice the sender domain was support@company-uk.net, not @company.com. Here’s how to spot this in future.”
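One way to generate that kind of specific coaching is to have the simulation platform derive the red flags from the lure itself rather than from a canned template. The script below is an added example, not Phishy's code; it parses a constructed sample lure modelled on the one above and reports the sender-domain mismatch, the lookalike domain, the urgency cue in the subject, and the link whose visible text does not match its target. The organisation domain (`company.com`), the urgency keyword list and the two-label `registrable()` helper are all assumptions for the example.

```python
"""
Added example (not Phishy's code): extract the concrete red flags in a
simulated phishing email so a coaching overlay can name them.
Domains, addresses and the sample message below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "company.com"  # assumption: the organisation's legitimate domain

# Constructed sample lure, modelled on the one described in the article.
SAMPLE_LURE = """\
From: IT Support <support@company-uk.net>
To: alice@company.com
Subject: ACTION REQUIRED: your password expires today
Content-Type: text/html

<p>Your password expires in 2 hours. Reset it now:</p>
<p><a href="https://login.company-uk.net/reset">https://login.company.com/reset</a></p>
"""

# Constructed keyword list; a real deployment would tune this per organisation.
URGENCY_CUES = ("action required", "urgent", "expires", "immediately", "suspended")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typosquats such as cornpany.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname. Naive: production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(domain: str, org_domain: str) -> bool:
    """Flag domains that reuse the organisation's name or sit within two edits of it."""
    org_name = org_domain.split(".")[0]
    return org_name in domain or levenshtein(domain, org_domain) <= 2


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from HTML anchors."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def red_flags(raw_email: str, org_domain: str = ORG_DOMAIN) -> list[tuple[str, str]]:
    """Return (code, coaching sentence) pairs for each red flag found in the lure."""
    msg = message_from_string(raw_email)
    flags = []

    _display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2] if "@" in addr else ""
    if sender_host and registrable(sender_host) != org_domain:
        note = " It imitates the real domain." if is_lookalike(registrable(sender_host), org_domain) else ""
        flags.append(("sender-domain",
                      f"The sender address ends in @{sender_host}, not @{org_domain}.{note}"))

    subject = msg.get("Subject", "").lower()
    hits = [cue for cue in URGENCY_CUES if cue in subject]
    if hits:
        flags.append(("urgency", f"The subject pressures you to act fast ({', '.join(hits)})."))

    body = msg.get_payload()
    if isinstance(body, str):
        collector = LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            text_host = urlparse(text).hostname if text.startswith("http") else None
            if text_host and text_host != href_host:
                flags.append(("link-mismatch",
                              f"The link says {text_host} but actually goes to {href_host}."))
            elif href_host and registrable(href_host) != org_domain:
                flags.append(("link-domain", f"The link goes to {href_host}, outside {org_domain}."))
    return flags


if __name__ == "__main__":
    for code, sentence in red_flags(SAMPLE_LURE):
        print(f"[{code}] {sentence}")
```

Each returned sentence is written to be shown to the employee as-is, so the overlay names the exact domain and link they just saw rather than a generic warning. Note that `registrable()` takes the last two labels only; for lures on `co.uk`-style suffixes you would want the Public Suffix List.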

2. Progressive difficulty

Start with obvious scenarios and increase difficulty as employees improve. Hitting someone with a spear-phishing simulation in their first test is demoralising and doesn’t teach anything. Build confidence before complexity.

3. Report-rate focus over click-rate focus

The metric that matters most for your actual security posture is how quickly employees report suspicious emails, because a single early report lets the security team pull a real phishing message from inboxes before most people have opened it. An organisation where 60% of employees click simulated phishing but 80% report it is in much better shape than one with a 20% click rate and near-zero reporting.
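To make that comparison concrete, the script below is an added example (not Phishy's dashboard code) that turns a simulation event log into the report-centred metrics the paragraph argues for: report rate, the share of clickers who went on to report, the list of silent clickers who need a quiet follow-up, median minutes from delivery to report, and the share of recipients who reported within a 30-minute window. The event records and the 30-minute threshold are constructed; the example also assumes only reports from employees who actually received the simulation count.

```python
"""
Added example (not Phishy's code): compute report-centred metrics from a
phishing-simulation event log. All event data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Event:
    employee: str
    kind: str  # "sent", "clicked" or "reported"
    at: datetime


T0 = datetime(2024, 3, 4, 9, 0)  # constructed campaign send time
FAST_REPORT_MINUTES = 30         # assumed threshold for "reported fast enough to contain"


def _ev(employee: str, kind: str, minutes: int) -> Event:
    return Event(employee, kind, T0 + timedelta(minutes=minutes))


# Constructed campaign: five recipients, three clickers, three reporters.
SAMPLE_EVENTS = [
    _ev("alice", "sent", 0), _ev("alice", "clicked", 12), _ev("alice", "reported", 15),
    _ev("bob", "sent", 0), _ev("bob", "reported", 3),
    _ev("carol", "sent", 0), _ev("carol", "clicked", 40),
    _ev("dave", "sent", 0),
    _ev("erin", "sent", 0), _ev("erin", "clicked", 5), _ev("erin", "reported", 65),
]


def campaign_metrics(events: list[Event]) -> dict:
    """Summarise one campaign, counting each employee's earliest click and report only."""
    sent_at = {e.employee: e.at for e in events if e.kind == "sent"}
    first: dict[tuple[str, str], datetime] = {}
    for e in events:
        # Ignore events from people who were not sent the lure (e.g. a forwarded copy).
        if e.kind in ("clicked", "reported") and e.employee in sent_at:
            key = (e.employee, e.kind)
            if key not in first or e.at < first[key]:
                first[key] = e.at

    clickers = {emp for (emp, kind) in first if kind == "clicked"}
    reporters = {emp for (emp, kind) in first if kind == "reported"}
    minutes_to_report = [
        (first[(emp, "reported")] - sent_at[emp]).total_seconds() / 60 for emp in reporters
    ]
    recipients = len(sent_at)
    return {
        "recipients": recipients,
        "click_rate": len(clickers) / recipients,
        "report_rate": len(reporters) / recipients,
        # Of those who clicked, how many then owned up to it? This is the number
        # a shame-based programme drives towards zero.
        "clicked_then_reported": len(clickers & reporters) / len(clickers) if clickers else 0.0,
        "silent_clickers": sorted(clickers - reporters),
        "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
        "fast_report_rate": sum(1 for m in minutes_to_report if m <= FAST_REPORT_MINUTES) / recipients,
    }


if __name__ == "__main__":
    for name, value in campaign_metrics(SAMPLE_EVENTS).items():
        print(f"{name:>26}: {value}")
```

On the constructed data the campaign has a 60% click rate but also a 60% report rate, two of the three clickers reported their own click, and the first report arrived three minutes after delivery. The one name in `silent_clickers` is the employee who needs coaching, and the reason to track that list per person rather than as an aggregate is exactly the point made above: it shows who needs help without putting anyone on a slide.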

How Phishy is built differently

Phishy is designed around these principles. When an employee clicks a simulated link, they see a personalised coaching overlay — not a punishment screen. The coaching adapts to the specific lure used and the employee’s role.

Reporting rates are tracked alongside click rates, and the dashboard shows per-employee improvement trends — not just aggregate statistics that obscure who needs help.

Run simulations that teach, not shame

14-day free trial. No credit card. Built on what the research says actually works.

Start free trial →