In today’s digital threat landscape, phishing remains one of the most persistent and costly forms of cyberattacks. Despite significant investments in firewalls, antivirus software, and endpoint detection, attackers continue to bypass technical defenses – not by hacking systems, but by deceiving people.
Human error plays a role in the majority of cybersecurity incidents, and phishing is at the core of many. 95% of breaches can be traced back to human mistakes [1] – whether it’s clicking a malicious link, falling for a spoofed email, or mishandling sensitive data.
Why are employees the primary target?
- People are predictable.
Phishing works because it plays on human psychology [2] – urgency, authority, curiosity, or fear. Attackers impersonate executives, HR reps, IT staff, or vendors. A well-crafted email can trick even experienced professionals.
- Email is the universal attack surface.
Employees engage with dozens of emails per day. Amid this flood of information, a single misplaced click can lead to credential theft, malware infection, or data exfiltration. In fact, over 90% of successful cyberattacks [3] begin with phishing emails.
- Not all employees are equally prepared.
New hires, non-technical roles, and overworked teams are more susceptible. Attackers take advantage of onboarding periods or peak workload times – knowing that stress and multitasking reduce vigilance. One report [4] found new employees are 44% more likely to fall for phishing within their first three months.
Why traditional training falls short – and overconfidence is a risk
Annual or quarterly cybersecurity training simply doesn’t cut it anymore. Slide decks, one-size-fits-all videos, and generic quizzes may check compliance boxes, but they fail to prepare employees for the complexity of today’s phishing threats. Employees may assume these threats are either too obvious or too rare to affect them.
But the data tells a different story.
A recent study found that when phishing training is sporadic and impersonal, only 7% of employees report simulated attacks.
Moreover, in today’s environment, the attitude of “it won’t happen to me” is no longer realistic. Cybersecurity is no longer just an IT responsibility. It’s a shared, everyday task.

How to build real resilience
When organizations use engaging training, reporting rates increase to over 60% [5] within a year. To reduce phishing risk, organizations need to move towards behavioral change. That means creating a culture of security where employees become active participants.
Here’s what works:
- Regular simulated phishing.
Phishing simulations that mirror real-world tactics (e.g., invoice scams, QR-code traps, credential theft emails) are among the most effective ways to build response reflexes.
- Immediate feedback.
When users fall for simulated phish, timely feedback helps them learn. Short, relevant explanations improve retention.
- Role-based training.
Employees in finance, HR, or executive roles face different phishing threats than those in engineering or support. Tailoring training to roles increases relevance and impact.
- Positive reinforcement.
Celebrating safe behavior – like identifying and reporting suspicious emails – encourages ongoing vigilance.
- Data-informed decisions.
Tracking not just click rates, but also reporting rates and response times, helps organizations focus their efforts where needed.
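The "data-informed decisions" point above, as an added example (not code from the article or from Phish Enterprise): a small script that turns constructed simulation results into per-role and new-hire click rates, reporting rates and median minutes-to-report, then flags the groups that need attention. The record format, the 90-day new-hire window and the alert thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class Result:
    """One recipient's outcome in a simulated phishing campaign (assumed format)."""
    user: str
    role: str
    hired: datetime               # start date; used to flag first-90-day employees
    sent: datetime
    clicked: Optional[datetime]   # None if the user never clicked the lure
    reported: Optional[datetime]  # None if the user never reported the email

# Constructed sample campaign data, not real results.
T0 = datetime(2025, 3, 3, 9, 0)
RESULTS = [
    Result("a", "finance", datetime(2024, 1, 8), T0, T0 + timedelta(minutes=4), None),
    Result("b", "finance", datetime(2025, 2, 10), T0, T0 + timedelta(minutes=2), None),
    Result("c", "finance", datetime(2022, 6, 1), T0, None, T0 + timedelta(minutes=9)),
    Result("d", "engineering", datetime(2021, 5, 3), T0, None, T0 + timedelta(minutes=30)),
    Result("e", "engineering", datetime(2025, 1, 20), T0, None, T0 + timedelta(minutes=6)),
    Result("f", "hr", datetime(2023, 9, 11), T0, None, None),
]

def metrics(results, new_hire_days=90):
    """Click rate, report rate and median minutes-to-report per role, plus a
    synthetic 'new_hire' group for anyone hired within new_hire_days of the send."""
    groups = {}
    for r in results:
        keys = [r.role] + (["new_hire"] if (r.sent - r.hired).days <= new_hire_days else [])
        for k in keys:
            groups.setdefault(k, []).append(r)
    out = {}
    for k, rs in groups.items():
        n = len(rs)
        clicks = sum(1 for r in rs if r.clicked)
        mins = [(r.reported - r.sent).total_seconds() / 60 for r in rs if r.reported]
        out[k] = {
            "sent": n,
            "click_rate": round(clicks / n, 2),
            "report_rate": round(len(mins) / n, 2),
            "median_minutes_to_report": round(median(mins), 1) if mins else None,
        }
    return out

def needs_attention(m, max_click=0.2, min_report=0.5):
    """Groups whose click rate exceeds max_click or whose report rate is below min_report."""
    return sorted(k for k, v in m.items()
                  if v["click_rate"] > max_click or v["report_rate"] < min_report)
```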
Turn awareness into action
Platforms like Phish Enterprise help organizations shift from one-off training to continuous practical learning. By simulating real threats – like QR phishing or credential theft – and delivering instant feedback, they help employees recognize risks before it’s too late. Role-specific scenarios and clear reporting metrics also make it easier to identify weak spots and improve where it matters most.
What’s the way forward?
With the rise of AI-generated content and deepfakes, phishing attacks are becoming harder to detect. But while we can’t eliminate the threat, we can strengthen our defenses – starting with the people on the front lines.
Creating a resilient workforce requires commitment, realistic practice, and the recognition that security is a shared responsibility. By treating employees not as risks, but as partners in defense, organizations can shift from reactive to proactive [6] – and turn their greatest vulnerability into their strongest shield.
References
[1] Security Magazine [2025]. 95% of Successful Security Attacks are the Result of Human Error. https://www.securitymagazine.com/articles/85601-of-successful-security-attacks-are-the-result-of-human-error
[2] Phish Enterprise [2025]. Hooked by deception: the psychology behind phishing clicks. https://phish-enterprise.com/hooked-by-deception-the-psychology-behind-phishing-clicks/
[3] Cybersecurity and Infrastructure Security Agency [2025]. Shields Up: Guidance for Families. https://www.cisa.gov/shields-guidance-families
[4] Keepnet [2025]. The 2025 New Hires Phishing Susceptibility Report. https://keepnetlabs.com/reports/new-hires-phishing-susceptibility-report
[5] Hoxhunt [2025]. Phishing Trends Report (Updated for 2025). https://hoxhunt.com/guide/phishing-trends-report
[6] Phish Enterprise [2025]. Protect yourself from phishing attacks: a comprehensive guide to online safety. https://phish-enterprise.com/protect-yourself-from-phishing-attacks-a-comprehensive-guide-to-online-safety/
Cluj IT will not be liable for any false, inaccurate, inappropriate or incomplete information presented, as the authors are free to choose their approach and relevant topics, within the general guidelines of the newsletter. The opinions expressed by the authors and those providing comments are theirs alone, and do not reflect the opinions of Cluj IT.
Certain links in the articles or comments may lead to external websites. Cluj IT accepts no liability in respect of materials, products or services available on any external website which is not under the control of Cluj IT.