Some companies subject their employees to internal phishing training involving simulated attacks. A study has now shown that these phishing simulations are largely useless. But even secure email gateways cannot stop phishing emails.
Phishing simulations are useless
This topic was already covered by the media two weeks ago. In a large-scale field trial, 19,500 employees were exposed to various phishing simulations. The results regarding the detection of phishing emails are sobering. The details can be found in the document "Understanding the Efficacy of Phishing Training in Practice".
On August 7, 2025, Trend Micro drew my attention to a presentation entitled "Pwning User Phishing Training Through Scientific Lure Crafting" at the Black Hat conference in Las Vegas. The presentation featured the above study by researchers from the University of Chicago, the University of California San Diego (UCSD), and UCSD Health.
It sheds light on what has long been a topic of discussion in the corporate world in the field of cybersecurity: Are phishing training courses for employees even useful? In a nutshell, the results of the study show that:
- The overall effect is low: awareness training increased security by only 1.7 percent on average.
- Interactive content was slightly better: those who completed interactive training were 19 percent less likely to click on malicious content afterwards.
- Static training was ineffective/counterproductive: with multiple static sessions, the click rate on malicious content actually increased by 18.5 percent.
- No "refresher effect": Annual courses did not show better click rates either in the short term or after more than a year.
- Good deceptions remain effective: even the best, most highly trained employees clicked on very convincing emails in more than 15% of cases.
Trend Micro therefore asks: instead of relying on prevention through employee training, shouldn't companies focus their security strategy more on emergency response?
Secure email gateways rarely help
While writing this text, I remembered a report from late July 2025 by Dr. Martin Krämer, Security Awareness Advocate at KnowBe4. His thesis: "Phishing cannot be stopped by secure email gateways." He agrees with other experts that phishing has become one of the most dangerous entry points for modern cybercrime.
Cybercriminals have proven one thing above all else: adaptability. According to the expert, when companies rely on sophisticated protective measures such as secure email gateways (SEGs), attackers specifically exploit their weaknesses. Attack methods are becoming increasingly sophisticated and dynamic, which is why now is the time to consider new defense strategies.
How phishing bypasses SEGs
Cybercriminals take a strategic approach. They carefully analyze how SEGs work and develop their campaigns to circumvent verification mechanisms. Several key tactics can be identified, some of which complement each other and are becoming increasingly difficult to defend against:
- Time-delayed payloads: A proven method is to ensure that malicious content is not active immediately after email delivery. For example, phishing emails contain links that only lead to malicious websites hours later, or files whose malicious code only unfolds after download. Since SEGs primarily scan emails upon receipt, the threat remains undetected.
- Use of legitimate platforms: Attackers deliberately use well-known and trusted services such as Microsoft SharePoint, OneDrive, or Google Docs to hide their malicious links. This tactic exploits the good reputation of such domains to avoid being blocked by SEGs – even though the malicious component is hidden behind seemingly harmless URLs.
- Social engineering without traditional malware: Business email compromise (BEC) attacks in particular demonstrate how effective phishing can be without technical signatures. Attackers pose as supervisors or business partners and persuade employees to disclose sensitive information or initiate payments – without any attachments or conspicuous links.
- Phishing using only text without URLs or attachments: Some attacks do not use any links or attachments and imitate legitimate internal communications—for example, by using deceptively genuine invoices or delivery instructions. Since these emails do not contain any conspicuous indicators, they appear uncritical to traditional gateway solutions and reach the recipient without any problems.
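The first two tactics above, as an added example that is not taken from the original post or from KnowBe4: a small Python model of a gateway that scans once at delivery, beside post-delivery re-scanning and click-time URL checking as the mitigations. The hostnames and the reputation feed are constructed; the host on the collaboration platform is never flagged by reputation, which is exactly the gap the second tactic exploits.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed reputation feed: hostname -> minute (on an arbitrary clock) at which
# it became known-bad. Hosts absent from the feed are treated as clean, which is
# also how a link hosted on a trusted collaboration platform looks to reputation.
KNOWN_BAD_SINCE = {"invoice-portal.example": 120}

@dataclass
class Message:
    msg_id: str
    urls: list
    delivered_at: int                              # minute the SEG released it
    verdicts: list = field(default_factory=list)   # (minute, verdict) history

def url_is_bad(url, now):
    host = urlparse(url).hostname or ""
    since = KNOWN_BAD_SINCE.get(host)
    return since is not None and now >= since

def scan(msg, now):
    verdict = "malicious" if any(url_is_bad(u, now) for u in msg.urls) else "clean"
    msg.verdicts.append((now, verdict))
    return verdict

def deliver(mailbox, msg):
    """Classic SEG: one scan at receipt, then the message is released."""
    if scan(msg, msg.delivered_at) == "clean":
        mailbox.append(msg)
    return msg.verdicts[-1][1]

def rescan_mailbox(mailbox, now):
    """Post-delivery re-scan: ids of delivered messages that must be pulled back."""
    return [m.msg_id for m in mailbox if scan(m, now) == "malicious"]

def click_time_check(url, now):
    """Click-time URL check: decide with the reputation as it is now, not at delivery."""
    return "blocked" if url_is_bad(url, now) else "allowed"

def demo():
    mailbox = []
    delayed = Message("m1", ["https://invoice-portal.example/inv/42"], delivered_at=60)
    trusted = Message("m2", ["https://tenant.sharepoint.example/s/doc"], delivered_at=60)
    print(deliver(mailbox, delayed), deliver(mailbox, trusted))  # clean clean
    print(rescan_mailbox(mailbox, 180))                          # ['m1']
    print(click_time_check(delayed.urls[0], 180))                # blocked
    print(click_time_check(trusted.urls[0], 180))  # allowed: reputation never catches m2

if __name__ == "__main__":
    demo()
```

The last line of the demo is the point of the second tactic: a reputation-only check, whether at delivery or at click time, stays silent on a link hosted on a trusted platform, so content and behaviour analysis has to cover that case.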
According to Dr. Martin Krämer, these targeted techniques clearly show that the classic perimeter approach, in which emails are checked upon receipt and then released, is no longer sufficient today. Attackers think ahead—and are unfortunately often one step ahead.
Are there any protective measures?
Dr. Martin Krämer believes that only cloud-based, AI-supported security solutions that go far beyond a one-time check when emails arrive offer effective protection today. They analyze content and communication behavior, recognize atypical patterns, adapt dynamically to new attack techniques, and respond in real time to suspicious activities.
But technology alone is not enough, according to the expert, who writes: "It is equally important to provide employees with targeted and ongoing training – for example, in recognizing manipulated content, fake senders, or unusual wording." He adds: Only when intelligent prevention is combined with human vigilance can an effective defense against sophisticated phishing attacks be created.
A dilemma
Well, that leaves us with a circular argument or a dilemma. At the beginning, a study proved that phishing simulations are not very effective. Trend Micro called for "technical defense measures." In the second part of this blog post, a KnowBe4 expert points out that phishing cannot be stopped by secure email gateways and calls for better training. When I engage in some self-reflection, the thought occurs to me: "Only the magic bag of AI can help here." What do you think? How do you solve this dilemma in your company?