Why Phishing Training Alone Won’t Protect Your Team Any More
Your staff know what phishing looks like and they’re still clicking anyway. AI has changed what these emails look like, but the real problem is how people.
By The Dragon Digital team
Picture the scene: you’ve run your annual security training. Your team knows the signs: suspicious links, odd sender addresses, requests that feel a bit off. You send the test emails. Some people fail, you remind everyone to stay sharp, and the box gets ticked for another year. Problem sorted, right?
Not quite. Research published via Entrepreneur makes a telling point: most people click on phishing emails not because they’ve forgotten their training, but because of the conditions they’re working under when the email arrives.
AI has made the old warning signs useless
For years, the advice was simple: look for bad spelling, clunky phrasing, and generic greetings. Those giveaways are largely gone now. AI-generated phishing emails can mirror your director’s writing style, reference a real project, and land in your inbox looking completely legitimate. The same research found 72% of workers say phishing attempts feel more convincing than they did a year ago, and AI-written language is the main reason.
If the email looks exactly like something your boss would send, no amount of awareness training helps you spot it.
The real problem is how people work, not what they know
When researchers asked workers what made them most likely to make a mistake, 55% pointed to rushing between tasks. Only 7% said the problem was not knowing how to identify a phishing attempt.
That gap matters. A staff member juggling a client call, a full inbox, and a deadline at half four on Friday isn’t going to pause and interrogate a plausible-looking email asking them to approve a payment. They’re going to click.
What actually helps is changing the conditions, not just the training:
- Build in a second check for anything high-stakes. A request to change a bank account, approve a transfer, or reset login details should always require a quick phone call to confirm. Urgency and pressure are what phishing relies on. A thirty-second call kills both.
- Make verification feel normal. Staff should feel comfortable ringing someone to double-check an unusual request, without worrying they’re being awkward or slow. That culture doesn’t happen by itself.
- Think about when risky decisions happen. The “urgent” email that lands at five to five on a Friday and the out-of-hours message demanding immediate action are the moments when people make mistakes. If something is genuinely urgent, it deserves a proper channel.
Organisations that tie security training to real culture change, rather than annual tick-box exercises, see significantly better results. The difference is that the training connects to actual systems and working habits, not just awareness.
Your staff aren’t the weak link here. The conditions they work under are. Clear processes, a culture that rewards checking, and systems that slow down high-risk decisions will do more than any annual refresher. Worth thinking about, especially as phishing emails increasingly impersonate people inside your own organisation.
Could your business use a hand with its IT?
We provide managed IT support, cyber security and more to businesses across North Wales.