My Employees are Clicking on Phishing Emails… What Do I Do Now?

By Nitzan Gursky
image May 30, 2022 image 3 MIN READ

It’s natural to feel like employees who click on phishing simulation emails are a liability for your company, and to want to know exactly who is clicking so that you can address the risk. At CybeReady we work with hundreds of customers with hundreds of thousands of employees – and here’s what we’ve learned from all of that data.

1. The system works – give it time!

First and foremost, trust that the CybeReady platform works, and take a look at this data to back it up! Here is an example of the trends that we see over time when companies use CybeReady’s continuous training platform. The cohort of high-risk employees, those who click on dangerous phishing simulations, reduces as employees become trained. In short, most clickers stop clicking on their own. Give it a couple of months and then look back at the data – you’re overwhelmingly likely to see the needle being moved on this high-risk group.

My Employees are Clicking on Phishing Emails

2. Consider your turnover

Also, think about the makeup of your employees, and what turnover has been like at your company recently. It makes sense that veteran employees will learn over time, while new hires will be more susceptible to phishing scams. That’s why with a high turnover, you’ll see your curve decrease at a slower rate. New employees will always bring new risks. That’s ok! They haven’t been trained via the platform yet. These employees are at the start of their Security Awareness Training, while longstanding employees have had more exposure to simulations so are less likely to fall victim to the emails that the platform sends.

3. Zero click rate may not be your goal

There’s also a balance to consider when it comes to offering Security Awareness Training. While employees who continually click for more than a year is obviously not a great sign, a zero-click rate is also problematic. After all, what if the phishing simulations are too easy or obvious? Then the low click rate doesn’t mean you’re doing a fantastic job with your awareness training; it’s actually a sign that your employees are missing the opportunity to learn. When an employee incorrectly clicks on a phishing simulation, this can be a good thing in their learning journey. They are being given a powerful “in the moment” instance of training, where they see their mistake and are taught where they went wrong. This is phishing education and means the platform is doing its job.

Confronting employees causes unnecessary friction


4. Education is the answer

Of course, in some cases, you will find that certain employees don’t stop clicking, even once you have given the continuous training method a chance to work. If you believe that reprimanding them isn’t helpful, (and trust us, see point #5 – it isn’t!) what should you do next? We can provide extra content that you can use to share with your high-risk employees on how to identify phishing scams before the click. Reach out to the Customer Success team directly to discuss what content would be useful for your specific requirements. 

5. Confronting employees causes unnecessary friction

The important thing to remember is, that while it might be tempting to negatively confront employees who have clicked on phishing simulation links, our experience tells us that this isn’t helpful. In fact, when managers berate employees about their activity with phishing simulations, we’ve found that this has the opposite impact of what businesses initially hope for. Employees regularly get defensive and even deny clicking on the links, and trust is broken down between managers and their staff. After all – nobody likes a pointed finger in their direction! 

No matter what, be supportive and positive, and don’t call employees out in a negative way either in private or in public.

Want to learn more about the psychology and technology behind CybeReady’s continuous training platform? Read our ultimate guide to phishing protection.