For years, organizations have relied on fake email phishing simulations to measure employee resilience to phishing. But what if the very tools we’re using to train our teams are doing more harm than good?
New research presented at Black Hat USA 2025 by security experts from the University of Chicago (UC) and University of San Diego (USD) delivers a clear message: “Phishing training doesn’t work”, at least not the way most companies are doing it today.
What are we to do?
CyberHoot’s latest phishing whitepaper picks up where this research leaves off, showing how our HootPhish product turns the conventional approach on its head, leveraging positive reinforcement to increase employee engagement that builds lasting behavioral change.
What the Black Hat Study Reveals
The empirical study, summarized here in the Black Hat presentation (slides available for download), examined the long-term effectiveness of phishing awareness training and came to a sobering conclusion:
“Traditional phishing simulations, especially those that rely on shame and punitive measures, don’t actually reduce phishing vulnerability.”
Instead, these tests often lead to:
- User fatigue and disengagement
- Desensitization to phishing cues
- Workplace resentment and fear of failure
In other words, the “gotcha” approach may make your users more anxious and fearful, which leads them to give up on or disengage from the learning process.
Read the full article on Dark Reading
What Makes HootPhish Different?
At CyberHoot, we’ve always believed there’s a better way based upon 75 years of psychological research. That’s why we built HootPhish, a next-gen phishing simulation platform that eliminates punishment and instead focuses on positive reinforcement and rewards within the education exercises. This in turn leads to employee engagement, empowerment, and ultimately, what we all want, intrinsic behavior change.
Here’s how HootPhish solves the problems exposed by the Black Hat researchers from USD and UC:
1. Positive Reinforcement Over Punishment
Instead of shaming users who fail, HootPhish gives every user immediate, friendly education in the moment, reinforcing what they need to know and turning the simulation into a positive learning moment rather than a disciplinary event.
2. High Engagement User Participation
Unlike traditional tests that track only user email opens and clicks, HootPhish includes all users in your results. Every last user is followed until they complete their phishing training. This allows security teams and leadership to understand the full picture, including who may be performing sub-optimally.
3. Gamified Challenges
With our optional HootPhish Challenge, users receive randomized phishing simulations and leaderboard-based scoring, driving real engagement through healthy competition — not fear.
4. Gamification
In addition to the HootPhish Challenge, we provide Avatars representing Cyber Literacy knowledge and progress. This can lead to friendly competition and enhances overall enjoyment and engagement within cybersecurity assignments as each user’s Avatar journeys from an Owl Hatchling to a Wise Owl Sage.
5. Measured Behavior Change
We don’t just test users. We train them. And we track their improvement over time, helping organizations prove ROI and meet compliance mandates.
Pro HootPhish Benefit: HootPhish assignments are chosen for you (no configuration or allow-listing needed), making this one of the most automated solutions on the market for administrators!
Download the Whitepaper: Why Traditional Phishing Tests Fail and How HootPhish Succeeds
We’ve compiled everything you need to know into a single, easy-to-read whitepaper.
Inside you’ll learn:
- Why click-based metrics are dangerously incomplete
- How the 6 or 7 visual cues in every HootPhish simulation teach users a rubric
- The science behind positive reinforcement in security awareness
- Real-world data showing better engagement and improved outcomes
Final Thoughts
The evidence is clear: fake email phishing simulations rely on fear and punishment and lead to employee disengagement. They simply do not work. The Black Hat research confirmed it. Our patent-pending approach represents a new and better way, based upon 75 years of psychological research studies on behavior change.
If you’re ready to move beyond old-school testing and towards a smarter, more effective phishing defense, we’re here to help.
Learn more about HootPhish at cyberhoot.com
Sources and Additional Reading:
- DarkReading – We’ve All Been Wrong: Phishing Training Doesn’t Work
- CyberHoot’s Whitepaper – Why Traditional Phishing Tests Fail and How HootPhish Succeeds