Phishing simulations are often viewed as a negative practice used to “trick” employees, but a new survey by KnowBe4 Africa has found that 90,1% of users find simulated phishing tests relevant – and 90,7% agree that they improve their awareness of real phishing attacks.
The independent survey was conducted among laptop-using employees across the UK, US, Netherlands, France, Denmark, Sweden, the DACH region, and Africa.
Phishing simulations involve sending emails that mimic malicious attacks to test employee awareness and provide training. While many regard them as a valuable cybersecurity tool, some critics argue they are deceptive or punitive.
There may be several reasons for this. Firstly, simulations are sometimes designed without considering employees’ roles – using emotionally charged bait like “lost puppy” alerts or false promises of pay increases. These unrealistic hooks detract from the real-world applicability of the training.
Secondly, follow-up support is often inadequate. If employees who fail simulations are only told they did something wrong – with no clear path to improve – the exercise becomes a demotivating experience rather than a learning opportunity.
The most divisive question remains: do phishing simulations actually improve awareness? To find out, the survey asked the people who receive them.
Across all surveyed regions, the verdict is clear: simulated phishing tests are both relevant and effective. In the Netherlands, 93% of respondents consider them relevant and 94% say they help improve awareness. Even in France – the region with the lowest approval rate – 87,5% find them relevant and 86,5% effective. These are still strong endorsements.
Real-world data supports this. According to the 2024 study from KnowBe4 Africa, global phishing simulation click rates averaged 34,3% before any training. After 12 months of training, including phishing simulations, the rate dropped by 86% – down to just 4,6%.
So why the persistent scepticism? A deeper dive into the data offers a clue. Some 29,1% of employees say they either didn’t receive follow-up after failing a simulation or weren’t sure whether they had – with variation ranging from 15% in the US to 42,5% in France.
Without timely and constructive feedback, the purpose of phishing simulations is undermined. The lack of feedback creates frustration and may fuel the stigma. The regional differences in follow-up also likely contribute to mixed perceptions across markets.
Employees largely see the value of phishing simulations – but they must be implemented thoughtfully. Here’s how organisations can optimise them:
- Make simulations realistic: Focus on phishing attempts that reflect real-world threats employees might encounter rather than emotional bait designed solely to elicit a click.
- Use failures as learning opportunities: Provide immediate, constructive feedback. Explain what went wrong and how to spot similar threats in future. Escalate fairly where necessary.
- Ensure consistent follow-up: Offer training and guidance directly after a failed simulation. Reinforce learning with regular refreshers rather than relying solely on failure metrics.
- Promote transparency and fairness: Let staff know simulations are part of a broader awareness programme. Avoid excessive trickery and keep difficulty levels appropriate.
- Recognise and reward vigilance: Celebrate employees who report phishing attempts, whether real or simulated. Use incentives, gamification, or simple recognition to promote proactive behaviour.
Employees are any company’s first line of defence against cyber threats. Strengthening their awareness directly supports the broader security culture.
But success depends on how simulations are used. They must empower rather than punish. When done right, phishing simulations shift from being seen as a “test” to becoming an effective tool for education and resilience.