You've been running phishing simulations for months, but the click rate isn't dropping. Here are the 6 most common reasons security awareness programs stall — and exactly what to fix.
You set up phishing simulations. You ran campaigns. You enrolled people in training. And three months later, the click rate is almost exactly where it was. This is more common than most security teams admit — and it has specific, fixable causes.
1. You're Using the Same Templates Repeatedly
If employees have seen the same template three times, they've learned to recognize that specific template — not phishing in general. Rotate across categories: invoice fraud, HR communications, IT alerts, executive requests, delivery notifications.
2. Training Happens Days After the Click
Immediate enrollment matters
Configure your platform to redirect users to training the instant they interact with a simulation. The teachable moment is the 30 seconds after they realize they clicked.
3. Training Modules Are Too Long
Keep each module:
- Under 10 minutes per session
- Specific to the exact type of attack the employee fell for
- Interactive (quizzes, identify-the-phish exercises), not passive video
4. Simulations Are Too Easy or Too Hard
Target a first-campaign click rate of 15–35%, falling to under 10% after 3–4 cycles.
5. You're Not Segmenting by Department
Match lures to the requests each group actually handles:
- Finance: invoice fraud, wire transfer requests
- HR: fake resumes with malicious attachments
- IT: fake vendor security alerts, VPN update prompts
- Executives: personal bank account alerts, board document requests
6. No Positive Reinforcement for Reporting
Build a reporting culture: a monthly leaderboard of top reporters, certificates for zero-click quarters, and team-level recognition when a department's Phish-Prone Percentage (PPP) drops.
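As an added example (not code from the article or from PhishShield), a small Python check that applies several of these fixes to constructed simulation results: per-department click and report rates (reasons 5 and 6), classification against the click-rate targets in reason 4, and users who have received the same template three or more times (reason 1). The row layout, the sample data, and reading "after 3–4 cycles" as cycle 3 onward are assumptions.

```python
from collections import defaultdict

# Constructed sample results, one row per simulation email:
# (cycle, user, department, template, clicked, reported)
EVENTS = [
    (1, "ana", "Finance", "invoice_overdue", True, False),
    (1, "bo", "Finance", "invoice_overdue", False, True),
    (1, "cy", "IT", "vpn_update", True, False),
    (1, "dee", "IT", "vpn_update", False, False),
    (2, "ana", "Finance", "invoice_overdue", True, False),
    (2, "bo", "Finance", "invoice_overdue", False, True),
    (2, "cy", "IT", "vendor_alert", False, True),
    (2, "dee", "IT", "vpn_update", True, False),
    (3, "ana", "Finance", "invoice_overdue", True, False),
    (3, "bo", "Finance", "wire_request", False, True),
    (3, "cy", "IT", "vpn_update", False, True),
    (3, "dee", "IT", "vendor_alert", False, True),
]

def rates_by_department(events, cycle):
    """{department: (click_rate, report_rate)} for one campaign cycle (reasons 5, 6)."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for c, _, dept, _, clk, rep in events:
        if c != cycle:
            continue
        sent[dept] += 1
        clicked[dept] += int(clk)
        reported[dept] += int(rep)
    return {d: (clicked[d] / sent[d], reported[d] / sent[d]) for d in sent}

def assess_click_rate(rate, cycle):
    """Classify a click rate against the article's targets (reason 4): 15-35% on the
    first campaign, under 10% after 3-4 cycles (assumed here to mean cycle 3 onward)."""
    if cycle == 1:
        if rate < 0.15:
            return "too easy"
        return "too hard" if rate > 0.35 else "on target"
    if cycle >= 3:
        return "on target" if rate < 0.10 else "stalled"
    return "in progress"

def template_overexposure(events, limit=3):
    """(user, template) pairs that received the same lure `limit` or more times (reason 1)."""
    seen = defaultdict(int)
    for _, user, _, template, _, _ in events:
        seen[(user, template)] += 1
    return sorted(pair for pair, n in seen.items() if n >= limit)
```

In the sample data, Finance is still at a 50% click rate in cycle 3 while IT has reached 0% with every user reporting, and one user has seen the same invoice template in all three cycles, which is exactly the stall pattern reasons 1 and 4 describe.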
Written by
Vikram Nair
CISO Advisor at PhishShield