Phishing simulations—sending fake phishing emails to staff to “test” them—are often promoted as a way to improve cybersecurity awareness. But we’ve chosen not to use them, and here’s why:
Why We Avoid Phishing Simulations
- They Undermine Trust
Cybersecurity should build a culture of responsibility and openness. Simulations feel like a “gotcha” tactic, which can damage trust between staff and management.
- They Discourage Reporting
If employees fear being tricked, they may hesitate to report real phishing attempts—exactly the opposite of what we want.
- They’re Often Unnecessary
Most businesses we work with already have very low click rates on phishing emails thanks to strong awareness training.
- They Can Create a False Sense of Security
Passing a simulation doesn’t guarantee readiness for real-world attacks, which are often more sophisticated.
- They Consume Time and Resources
For small businesses, the cost and effort of running simulations often outweigh the benefits.
What We Do Instead
We believe in education, not deception. Our approach focuses on regular cybersecurity awareness training: practical, jargon-free sessions that teach staff how to spot scams.