
Your Anti-Phishing Strategy Isn't Working: Here's What to Do Instead

Why most anti-phishing programs fail despite years of investment, and a multi-layered approach combining technical controls, human factors, and meaningful metrics that actually reduces phishing risk.

Agency Team

One of the most frustrating patterns we see at Agency is companies that have invested three or four years in anti-phishing training, spent significant money on simulation platforms, and still have click rates that refuse to drop below 10 percent. When they come to us asking what they are doing wrong, the answer is usually the same: they are treating phishing as a training problem when it is actually a systems problem. Here is what we mean by that and what to do about it.

Phishing remains the number one initial access vector for data breaches, accounting for over 36 percent of all breaches according to the Verizon Data Breach Investigations Report. This statistic has barely moved in a decade despite billions of dollars spent on security awareness training. The industry's response — more training, more simulations, more awareness campaigns — has not solved the problem and is not going to. Not because training is useless, but because training alone is insufficient to counter an attack vector that exploits fundamental human psychology with increasingly sophisticated techniques.

What we tell clients is that effective anti-phishing requires a multi-layered strategy where technical controls do the heavy lifting, human controls focus on detection and reporting rather than prevention, and metrics measure actual risk reduction rather than training compliance.

Why Awareness-Only Approaches Fail

Click Rates That Do Not Improve

In our experience, the typical anti-phishing program looks like this: the company deploys a simulation platform, sends monthly phishing tests, tracks click rates, and provides remedial training to people who click. After an initial improvement — click rates typically drop from 25 to 30 percent down to 12 to 15 percent in the first three months — progress stalls. The click rate oscillates between 8 and 15 percent indefinitely, regardless of how much additional training is provided.

This plateau is not a failure of effort. It is a predictable consequence of human cognitive limitations. What we tell clients is that there is a floor below which click rates will not drop through training alone, and that floor is higher than most organizations find acceptable.

| Time Period | Typical Click Rate | What Is Happening |
|---|---|---|
| Before any training | 25-35% | Baseline — no awareness program in place |
| After 3 months of simulations | 12-18% | Initial improvement — easy-to-spot phishing is caught; awareness is heightened |
| After 6-12 months | 8-15% | Plateau — the most susceptible employees improve; others resist further improvement |
| After 2+ years | 8-15% | Persistent plateau — click rates oscillate but do not meaningfully improve |
| After sophisticated simulation | 15-25% | Regression — AI-generated, context-aware phishing defeats training-based defenses |

The last row is the most concerning. As phishing attacks become more sophisticated — incorporating AI-generated personalization, real-time context, and multi-channel approaches — the gains from training are erased. Employees who learned to spot generic phishing are vulnerable to attacks that reference their actual projects, colleagues, and recent activities.

The Psychology Problem

What we tell clients is that phishing works because it exploits cognitive biases that training cannot override — not because employees are careless or unintelligent.

Authority bias. Emails that appear to come from executives, clients, or authority figures trigger compliance responses that bypass analytical thinking. An employee who can identify a generic phishing email in a training module will still respond to an urgent request that appears to come from their CEO during a stressful moment.

Time pressure. Phishing emails create urgency — "respond within 24 hours," "your account will be locked," "the wire transfer deadline is today." Under time pressure, the brain defaults to System 1 thinking: fast, intuitive, and error-prone. Training operates on System 2: slow, analytical, and easily overridden by stress.

Context matching. Modern phishing attacks are contextually relevant. An email about an invoice during accounts payable's busiest period, a password reset notification the day after a system migration announcement, or a meeting invite from a new vendor during procurement season — these attacks match the employee's context so closely that suspicion never triggers.

Cognitive load. Employees process hundreds of emails daily. Expecting them to critically evaluate every single email for signs of phishing is unrealistic. Even highly trained employees will miss indicators when they are tired, distracted, or overwhelmed — which is most of the time in a modern work environment.

Habituation. Ironically, frequent phishing simulations can reduce vigilance over time. Employees who receive monthly simulations learn to expect them, develop pattern recognition for their company's simulation platform, and become less rather than more alert to novel phishing techniques that look different from the simulations.

Technical Controls That Actually Work

In our experience, the most effective anti-phishing strategies shift the primary defense from human judgment to technical controls. Humans become the detection and reporting layer, not the prevention layer.

Email Authentication: DMARC, SPF, and DKIM

What we recommend to every client is implementing full email authentication as the foundation of their anti-phishing program. This is the single most impactful technical control for preventing impersonation-based phishing.

SPF (Sender Policy Framework) specifies which mail servers are authorized to send email for your domain. When properly configured, receiving mail servers can reject emails that claim to be from your domain but originate from unauthorized servers.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails that receiving servers can verify. This ensures that the email content has not been tampered with in transit and confirms the sending domain.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together. It requires that the domain that passed SPF (the envelope sender) or DKIM (the signing domain) align with the domain in the From header the recipient actually sees, and it publishes a policy that tells receiving servers what to do with emails that fail that check. A DMARC policy set to "reject" means that emails spoofing your domain are blocked before they reach anyone's inbox.

| Implementation Stage | DMARC Policy | Effect | Timeline |
|---|---|---|---|
| Stage 1: Monitor | p=none | No blocking; generates reports on authentication failures | 2-4 weeks |
| Stage 2: Quarantine | p=quarantine | Failing emails go to spam/junk | After 4-8 weeks of monitoring |
| Stage 3: Reject | p=reject | Failing emails are blocked entirely | After confirming no legitimate emails fail authentication |

What we tell clients is that DMARC at reject policy eliminates an entire category of phishing — emails that spoof your own domain to impersonate internal senders. This is the attack type most likely to succeed because it appears to come from a trusted colleague.

Advanced Email Filtering

Beyond authentication, modern email security solutions provide multiple layers of phishing protection.

URL sandboxing detonates links in a safe environment before the email is delivered, detecting malicious redirects, credential harvesting pages, and drive-by downloads. What we recommend is a solution that rewrites URLs and re-checks them at click time, not just at delivery time, since many phishing URLs activate hours after the email is delivered to evade initial scanning.

Attachment sandboxing opens attachments in an isolated environment to detect malicious macros, exploit payloads, and obfuscated malware before the attachment reaches the recipient.

AI-powered content analysis evaluates email content for social engineering indicators — urgency language, impersonation patterns, unusual request types, and behavioral anomalies. These systems learn from your organization's normal communication patterns and flag deviations.

Impersonation protection specifically targets business email compromise by detecting when external emails impersonate internal executives or known vendors. What we tell clients is that this feature alone can prevent the highest-cost phishing attacks — the ones that result in fraudulent wire transfers.

Browser and Endpoint Controls

DNS filtering blocks access to known phishing domains at the network level, preventing employees from reaching credential harvesting sites even if they click a malicious link. Services like Cloudflare Gateway, Cisco Umbrella, and Zscaler provide this at the organizational level.

Browser isolation renders web content in a remote environment, preventing malicious websites from executing code on the employee's device. This is particularly effective against drive-by download attacks and zero-day browser exploits.

Credential phishing detection tools like Microsoft Defender SmartScreen and Google Safe Browsing warn users when they attempt to enter corporate credentials on websites outside of approved domains. This provides a critical last line of defense when an employee clicks through to a credential harvesting page.

Human Controls That Work

While technical controls should carry the primary prevention burden, human controls play a critical role in detection, reporting, and response.

Building a Reporting Culture

What we tell clients is that the most valuable human behavior in an anti-phishing program is not avoiding clicks — it is reporting suspicious emails quickly. A company where employees reliably report phishing within minutes has a distributed threat detection network that catches attacks that technical controls miss.

The phish alert button. Deploy a one-click reporting mechanism in the email client — a button that sends the suspicious email to the security team for analysis and removes it from the reporter's inbox. Make it as easy as possible. Every click of friction between suspicion and reporting reduces the likelihood of a report.

Positive reinforcement. Every reported email should receive an acknowledgment. Reports that identify genuine threats should be celebrated (anonymized if the reporter prefers). What we recommend is a monthly recognition program that highlights the number of real threats caught by employee reports.

No-blame reporting. Employees who click a phishing link and then report it should be thanked, not penalized. In our experience, the companies with the highest reporting rates are those that explicitly communicate and demonstrate that reporting is valued regardless of whether the reporter also clicked.

Report-to-resolution visibility. Share outcomes with reporters — "the email you reported was a phishing attempt targeting our finance team; it has been removed from all inboxes and the sending domain has been blocked." This feedback loop reinforces reporting behavior by demonstrating that the action mattered.

Response Procedures

When a phishing attack is identified — through employee reporting, technical detection, or both — the response must be fast and systematic.

Immediate containment (first 15 minutes):

  1. Remove the phishing email from all inboxes across the organization using email admin tools
  2. Block the sending domain and any URLs in the email at the email gateway, DNS filter, and web proxy
  3. Identify all recipients and determine who interacted with the email (opened, clicked, submitted credentials)

Credential compromise response (first hour):

  1. Force password reset for any employee who entered credentials
  2. Revoke active sessions for compromised accounts
  3. Review recent activity on compromised accounts for signs of unauthorized access
  4. Enable or verify MFA on affected accounts

Investigation and communication (first 24 hours):

  1. Analyze the phishing email for indicators of compromise and determine if it is part of a broader campaign
  2. Search email logs for related messages from the same sender or campaign
  3. Notify affected employees with specific, actionable guidance
  4. Update detection rules to catch variants of the identified attack

Metrics That Matter

What to Stop Tracking

Click rate as a standalone metric. In our experience, companies that obsess over click rates optimize for the wrong outcome. A 3 percent click rate means nothing if those 3 percent of employees do not report the click, the security team does not know about the compromise, and the attacker has hours of undetected access.

Training completion rates. These measure compliance, not security. One hundred percent training completion with a 15 percent click rate is a worse outcome than 80 percent completion with a 5 percent click rate and a 90 percent reporting rate.

What to Start Tracking

| Metric | What It Measures | Why It Matters | Target |
|---|---|---|---|
| Reporting rate | Percentage of phishing (simulated and real) that is reported | Measures the effectiveness of your human detection network | Above 70% within 24 hours |
| Time to report | Median time from phishing delivery to first employee report | Faster reports mean faster containment and less exposure | Under 5 minutes median |
| Time to containment | Time from first report to full email removal across the organization | Measures operational response capability | Under 30 minutes |
| Real phishing detection by employees | Number of genuine phishing emails caught by employee reports vs technical controls only | Validates the value of the human detection layer | Increasing trend |
| Credential submission rate | Percentage of employees who not only click but enter credentials | This is the metric that measures actual risk — clicking a link is less dangerous than submitting credentials | Below 2% on simulations |
| Resilience rate | Percentage of employees who receive phishing, do not click, and report | Combines avoidance and detection into a single measure of desired behavior | Above 60% |
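Computing these metrics from per-recipient simulation records, as an added Python example with constructed data (not the article's tooling). It also surfaces the case the article warns about: recipients who clicked and never reported, invisible inside a low click rate.

```python
# Added example: reporting-focused metrics over per-recipient campaign records.
# The recipient names, timestamps and outcomes below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Recipient:
    user: str
    delivered: datetime
    clicked: bool = False
    submitted_credentials: bool = False
    reported_at: Optional[datetime] = None  # None means never reported


def reporting_rate(rs, window=timedelta(hours=24)) -> float:
    """Share of recipients who reported within the window (target: above 70%)."""
    reported = [r for r in rs if r.reported_at and r.reported_at - r.delivered <= window]
    return len(reported) / len(rs)


def median_time_to_report(rs) -> Optional[float]:
    """Median delivery-to-report delay in seconds over those who reported (target: under 5 min)."""
    delays = [(r.reported_at - r.delivered).total_seconds() for r in rs if r.reported_at]
    return median(delays) if delays else None


def credential_submission_rate(rs) -> float:
    """Share who entered credentials, the metric that measures actual risk (target: below 2%)."""
    return sum(1 for r in rs if r.submitted_credentials) / len(rs)


def resilience_rate(rs) -> float:
    """Share who did not click and did report (target: above 60%)."""
    return sum(1 for r in rs if not r.clicked and r.reported_at) / len(rs)


def silent_clicks(rs) -> list:
    """Recipients who clicked and never reported: the exposure a click rate alone hides."""
    return [r.user for r in rs if r.clicked and r.reported_at is None]


T0 = datetime(2024, 3, 4, 9, 0)  # constructed delivery time of the simulation
SAMPLE = [  # constructed campaign results
    Recipient("ana", T0, reported_at=T0 + timedelta(minutes=2)),
    Recipient("ben", T0, reported_at=T0 + timedelta(minutes=4)),
    Recipient("cal", T0, clicked=True, reported_at=T0 + timedelta(minutes=6)),
    Recipient("dee", T0, clicked=True, submitted_credentials=True),
    Recipient("eli", T0),
    Recipient("fay", T0, reported_at=T0 + timedelta(hours=30)),
]
```

On the sample, the click rate is a reassuring 2 of 6, yet one of those two clicks submitted credentials and was never reported, which is exactly the silent compromise the reporting metrics exist to expose.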

The Multi-Layered Approach

What we recommend to clients is organizing their anti-phishing strategy into three layers with clear ownership and investment allocation.

Layer 1: Technical prevention (60% of investment). DMARC at reject policy, advanced email filtering with URL and attachment sandboxing, impersonation protection, DNS filtering, and browser isolation. These controls prevent the majority of phishing emails from reaching employees and the majority of clicked links from causing harm.

Layer 2: Human detection and reporting (25% of investment). Phishing simulations focused on building reporting behavior rather than reducing click rates, one-click report buttons, positive reinforcement programs, and no-blame reporting culture. These controls catch the attacks that bypass technical prevention and provide the early warning that enables rapid response.

Layer 3: Incident response (15% of investment). Documented response procedures, rehearsed playbooks, email removal capabilities, credential reset automation, and post-incident analysis. These controls limit the damage when attacks succeed and feed lessons learned back into the prevention and detection layers.

In our experience, companies that allocate their anti-phishing investment across all three layers see fundamentally better outcomes than those that over-invest in any single layer. Technical controls alone miss novel attacks. Human training alone cannot overcome cognitive limitations. Response procedures alone are reactive. The combination is what produces resilience.

Key Takeaways

  • In our experience, the reason your anti-phishing strategy is not working is that it relies too heavily on human awareness. Phishing exploits cognitive biases — authority, urgency, context matching, and cognitive load — that training cannot reliably override. Technical controls must carry the primary prevention burden.
  • What we recommend is implementing DMARC at reject policy as the foundation of your anti-phishing program. This single control eliminates domain spoofing, the most dangerous category of phishing because it impersonates trusted internal senders.
  • What we tell clients is to measure reporting rate, not click rate. A company where 70 percent of phishing is reported within five minutes has a stronger security posture than one with a low click rate but no reporting culture. Reporting is the human behavior that actually reduces risk.
  • In our experience, the most effective anti-phishing programs allocate 60 percent of investment to technical controls, 25 percent to human detection and reporting, and 15 percent to incident response. This layered approach provides prevention, detection, and containment in depth.
  • What we tell clients is that a persistent click rate plateau above 8 to 10 percent is not a training failure — it is a signal that you need to shift investment from awareness to technical controls and reporting culture. Stop trying to train humans to be firewalls. Instead, build the systems that make phishing less likely to arrive, less likely to cause harm when clicked, and more likely to be detected and contained quickly.