Cybersecurity Training Programs Don’t Prevent Employees from Falling for Phishing Scams

That was the headline announcing the results of a large 2025 study by UC San Diego Health that included a series of phishing campaigns that involved nearly 20,000 students.

Researchers found that there was no significant relationship between whether users had recently completed an annual, mandated cybersecurity training and the likelihood of falling for phishing emails.

They also found that the difference in failure rates between employees who had completed the training and those who did not was extremely low.

Other findings included:

• Overall, 75% of users engaged with the embedded training materials for a minute or less.
• One-third immediately closed the embedded training page without engaging with the material at all.
• Embedded phishing training only reduced the likelihood of clicking on a phishing link by 2%. This is particularly striking given the expense in time and effort that these trainings require, the researchers noted.
• More employees fell for the phishing emails as time went on. In the first month of the study, only 10% of employees clicked on a phishing link. By the eighth month, more than half had clicked on at least one phishing link.
• Some phishing emails were considerably more effective than others. For example, only 1.82% of recipients clicked on a phishing link to update their Outlook password. But 30.8% clicked on a link that purported to be an update to UC San Diego Health’s vacation policy.

“Taken together, our results suggest that anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks,” said Grant Ho, co-author of the study.