Tailoring training to improve phishing detection rates

Training programs focused on phishing detection are effective tools in an organization's arsenal against phishing and, ultimately, against data breaches that begin with human error. In one Journal of the American Informatics Association study that ran 20 simulated phishing campaigns, click rates declined steadily across all employee groups. Although only 17.9% of participants avoided clicking any phishing email, even individuals initially classified as high-risk (those who clicked five or more times) showed improvement before mandatory training was introduced.

Training that is embedded directly into phishing warnings has proven especially effective. Controlled experiments found that participants using interfaces with built-in training elements were better able to distinguish phishing websites during active warnings and when those warnings were removed. These gains persisted both immediately after training and one week later, suggesting that embedded instruction helps users develop transferable skills rather than short-term compliance.

Additional approaches, such as security awareness games and targeted educational interventions, further strengthen detection outcomes. A Heliyon study reported a reduction in false-negative rates from 34% to just 6% following training, alongside an increase in the proportion of users who successfully avoided phishing from 66% to 94%. In healthcare-specific simulations, repeated exposure to phishing scenarios lowered the likelihood of users clicking on subsequent emails. Mandatory training programs for repeat offenders were particularly effective at keeping high-risk behavior within a stable range of 10–25%, highlighting the need for reinforcement over one-time awareness efforts.

Overall, anti-phishing training has been shown to increase detection accuracy by approximately 8% and user confidence by 6% according to a research paper from Springer Nature Computer Science. While individual personality traits can influence the degree of improvement, the evidence consistently demonstrates that structured, repeated, and context-aware training plays a role in strengthening phishing detection capabilities.

The problem with evolving phishing attacks

Early phishing campaigns, as discussed in the study Why is phishing still successful?, relied on a “simple, straightforward, masquerading methodology” delivered through generic emails designed to capture basic login credentials. Contemporary phishing operations, however, have shifted toward far more targeted approaches.

As noted in the study, “Cyber attackers... enhanced their methodologies to include personalised attacks,” most notably spear-phishing campaigns targeting specific organizational roles, such as finance or IT personnel, as well as whaling attacks directed at “senior-level, high-value personnel such as the head of HR, C-level executives.”

The research further notes how attacks have moved beyond email. “The aim is to lure and trick an unsuspecting victim... using SMS, email, WhatsApp and other messaging services, or phone calls that have been spoofed,” demonstrating how attackers now combine smishing, vishing, and QR code–based scams to extract payments or one-time passcodes. During the COVID-19 pandemic, threat actors capitalized on uncertainty by registering thousands of themed domains for credential harvesting.

These efforts frequently employ HTTPS-secured websites that closely imitate trusted platforms such as social media portals or corporate intranets. While modern email security tools, including the HIPAA compliant email platform Paubox, have improved detection of these deceptive techniques, human vulnerability remains central. As the study observes, “Due to [workloads], employees... make mistakes and can be deceived. No amount of training will be able to change this.”

The rise of phishing kits and ‘Phishing-as-a-Service’

According to the research paper Heuristic machine learning approaches for identifying phishing threats across web and email platforms, “Attackers can purchase or rent phishing kits as part of phishing-as-a-service models, where experts provide infrastructure, updates, and support for a fee,” effectively commercializing phishing and enabling large-scale operations. The problem is further compounded by the availability of legitimate website builders, as “criminals... able to develop their own phishing pages on sites like Weebly or Wix, often overlooked by security systems as legitimate activity.” These platforms allow malicious content to blend in with normal web traffic, reducing detection.

Financial motivation continues to fuel this expansion, particularly in high-value industries. While “phishing scams targeting the banking industry... accounted for 27.7% of all phishing,” similar techniques are easily adapted to healthcare environments where credentials carry comparable value. The speed at which these threats evolve intensifies the challenge. As noted, “The annual growth rate of phishing attacks has been over 150% since 2019,” driven by the plug-and-play nature of phishing kits and their continual updates designed to bypass defensive controls.

The cognitive barriers to phishing detection

Human information processing is constrained in ways that reduce sustained vigilance. The heuristic–systematic model helps explain this behavior, demonstrating that individuals under time pressure or cognitive load tend to rely on fast, low-effort decision-making rather than careful analysis. As Science Direct research notes, “Both domain mindfulness and trait mindfulness enhance systematic processing and diminish heuristic processing tendencies,” yet in everyday work environments, most employees default to heuristic shortcuts, increasing the likelihood of phishing oversight.

These tendencies are reflected in findings from the Phishing Email Suspicion Test (PEST), which shows that baseline suspicion levels differ widely between individuals. Decisions are also influenced by recency effects, where, according to a Behavior Research Methods study, “Emails from the recent past bias their current decision,” reinforcing habitual responses even when employees understand phishing risks in principle. Emotional context further compounds the issue. Positive emotional states have been shown to lower scrutiny, while workplace pressure intensifies errors, particularly when “workloads... [cause] employees... to make mistakes and can be deceived.”

Training alone cannot fully overcome these cognitive realities because many of the underlying traits persist after instruction. While trait mindfulness and domain-specific awareness can moderate risk, they do so only partially, reinforcing the conclusion of the previously mentioned study that “no amount of training will be able to change this” predisposition under stress or familiarity.

Training can temporarily increase systematic processing, but these gains erode without reinforcement as emotional heuristics and recency biases resurface. Personality-based susceptibility further limits universal outcomes, with PEST results showing that “ability to distinguish phishing from non-phishing emails” eventually plateaus unless biases are directly addressed.

Traditional awareness programs vs. adaptive phishing training

Unlike static lectures or generic awareness modules that tend to deliver only short-term improvements, adaptive training systems, often deployed alongside platforms such as Paubox, personalize content based on individual user behavior. These systems escalate scenario complexity for higher-risk staff, reinforcing the finding from the study A review of organization-oriented phishing research that “targeted simulations reduce click rates more effectively than broad awareness campaigns.”

In one healthcare simulation study from the Journal of Computer Information Systems, repeated and customized phishing emails reduced susceptibility by nearly 50% compared with baseline training. Paubox-supported environments further enhance this approach by incorporating generative AI to craft realistic, context-specific lures that resemble HIPAA workflows or familiar Paubox email interfaces, strengthening procedural memory rather than encouraging rote pattern matching.

Traditional training programs frequently underperform due to forgetting curves and entrenched heuristic behavior. Adaptive models counter these limitations through continuous feedback loops, reinforcement, and gamified elements. By integrating machine learning to predict user-specific vulnerabilities, these systems measurably improve detection accuracy.

FAQs

Why are phishing attacks effective?

Phishing attacks succeed because they exploit human psychology, such as trust, urgency, fear, or familiarity, rather than technical vulnerabilities alone.

What are common signs of a phishing message?

Common indicators include unexpected requests, urgent language, mismatched sender addresses, suspicious links, and requests for credentials or payments.
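One way to turn the indicators listed above (mismatched sender addresses, urgent language, suspicious links, credential or payment requests) into automatable checks, as an added example that is not from the original article or from Paubox: a small Python scorer run over two constructed messages. The keyword lists, the header and link checks, and the sample addresses and domains are assumptions chosen for illustration, not a vetted rule set; a gateway filter would layer many more signals on top.

```python
"""Heuristic checks for common phishing indicators in a raw email message.

Added example, not from the original article. The sample messages, keyword
lists and domain names below are constructed for illustration only.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keyword lists; a production filter would tune these per organisation.
URGENT_WORDS = ("immediately", "urgent", "within 24 hours", "suspended", "act now")
REQUEST_WORDS = ("password", "verify your account", "credentials", "wire transfer", "payment")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr_or_url):
    """Last two labels of the host in an email address or URL (e.g. hospital.org)."""
    if "@" in addr_or_url:
        host = addr_or_url.rsplit("@", 1)[1]
    else:
        host = urlparse(addr_or_url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def phishing_indicators(raw_message):
    """Return the names of the indicators triggered by a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    found = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    # Mismatched sender: replies would go to a different domain than the From address.
    if reply_to and _domain(reply_to) != _domain(from_addr):
        found.append("reply_to_domain_mismatch")

    # Gather all text parts (single-part or multipart) into one string.
    body = ""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    text = (msg.get("Subject", "") + " " + body).lower()

    # Urgent language and requests for credentials or money.
    if any(w in text for w in URGENT_WORDS):
        found.append("urgent_language")
    if any(w in text for w in REQUEST_WORDS):
        found.append("credential_or_payment_request")

    # Suspicious links: visible text shows one host, href points at another,
    # or the href uses a bare IP address instead of a hostname.
    collector = _LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        m = re.search(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", shown)
        if m and _domain("https://" + m.group(1)) != _domain(href):
            found.append("link_text_host_mismatch")
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            found.append("ip_address_link")

    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


# Constructed sample: a credential-harvesting lure aimed at a hospital mailbox.
PHISH = """\
From: "IT Service Desk" <helpdesk@hospital.org>
Reply-To: helpdesk@hospital-org-support.example.net
To: nurse@hospital.org
Subject: Action required: your mailbox will be suspended
Content-Type: text/html; charset="utf-8"

<p>Your mailbox will be suspended within 24 hours unless you verify your account.</p>
<p><a href="https://hospital-org.example.net/login">https://portal.hospital.org/login</a></p>
"""

# Constructed sample: an ordinary internal notice with a link whose text matches its host.
BENIGN = """\
From: "Scheduling" <scheduling@hospital.org>
To: nurse@hospital.org
Subject: Shift schedule for next week
Content-Type: text/html; charset="utf-8"

<p>The schedule for next week is posted on the intranet.</p>
<p><a href="https://intranet.hospital.org/schedule">intranet.hospital.org/schedule</a></p>
"""

if __name__ == "__main__":
    print("phish :", phishing_indicators(PHISH))
    print("benign:", phishing_indicators(BENIGN))
```

The checks are deliberately independent so that each indicator can be surfaced to the user as a separate, explainable reason, which is the same kind of cue that embedded-warning training asks people to notice by hand.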

How do attackers use AI in phishing?

Attackers use AI to generate more realistic, error-free, and context-specific phishing messages that are harder to distinguish from legitimate communications.
