Phishy
Cyber Command
Research · January 8, 2026 · 7 min read

Why “Gotcha” Phishing Training Backfires

Research shows that shame-based phishing tests increase employee anxiety without improving security behaviour. Here is what the evidence says and what actually works.

The standard approach

Most phishing simulation programmes follow the same script: send a fake phishing email, collect click data, then immediately confront clickers with a punitive message. The assumption is that embarrassment creates motivation.

The research says otherwise.

What the research shows

  • Employees who received immediate negative feedback after clicking showed higher anxiety scores.
  • Higher anxiety did not translate into faster improvement in click rates.
  • High-anxiety employees were less likely to report suspicious emails, fearing blame if it turned out to be legitimate.

Why shame-based training backfires

Shame creates avoidance behaviour. When clicking a phishing link means public embarrassment, employees learn to hide the fact that they clicked instead of surfacing incidents quickly.

What actually works

1. Immediate, contextual coaching

Show what the red flags were and what the employee should notice next time, rather than displaying a punishment screen.

2. Progressive difficulty

Start with fair scenarios and increase complexity as the workforce improves.

3. Report-rate focus over click-rate focus

The most important metric for real security posture is how reliably employees report suspicious emails, not whether a single campaign achieved a vanity click number.
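To make the metric argument concrete, here is an added example (not Phishy's code) that derives click rate, report rate and, most importantly, the share of clickers who went on to report, from a constructed campaign event log; the event names, timings and recipients are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Event:
    user: str
    kind: str  # "delivered", "clicked" or "reported"
    at: datetime


T0 = datetime(2026, 1, 8, 9, 0)
m = lambda n: T0 + timedelta(minutes=n)

# Constructed sample campaign (six recipients); not real data.
SAMPLE_EVENTS = [
    Event("alice", "delivered", T0), Event("alice", "reported", m(4)),
    Event("bob", "delivered", T0), Event("bob", "clicked", m(2)),
    Event("bob", "reported", m(7)),          # clicked, then surfaced it
    Event("carol", "delivered", T0), Event("carol", "clicked", m(15)),  # clicked, stayed silent
    Event("dave", "delivered", T0),           # ignored the mail entirely
    Event("erin", "delivered", T0), Event("erin", "reported", m(30)),
    Event("frank", "delivered", T0), Event("frank", "clicked", m(1)),
    Event("frank", "reported", m(3)),         # clicked, reported within minutes
]


def campaign_metrics(events):
    """Per-user metrics: a user counts once however many times they acted."""
    delivered = {e.user: e.at for e in events if e.kind == "delivered"}
    clicked = {e.user for e in events if e.kind == "clicked"}
    first_report = {}
    for e in events:
        if e.kind == "reported":
            first_report[e.user] = min(first_report.get(e.user, e.at), e.at)
    reported = set(first_report)
    minutes = [(first_report[u] - delivered[u]).total_seconds() / 60 for u in reported]
    return {
        "click_rate": len(clicked) / len(delivered),
        "report_rate": len(reported) / len(delivered),
        # The number a shame-based programme drives down: clickers who still spoke up.
        "clicker_report_rate": len(clicked & reported) / len(clicked) if clicked else 0.0,
        "median_minutes_to_report": median(minutes) if minutes else None,
    }


if __name__ == "__main__":
    for name, value in campaign_metrics(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
```

A 50% click rate looks bad on its own; the same data shows two of the three clickers reported within minutes, which is the behaviour the article argues a programme should protect.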

How Phishy is built differently

Phishy uses teachable moments, reporting visibility, and calmer feedback patterns so simulations improve behaviour without making the product feel punitive or cheap.

Run simulations that teach, not shame

14-day free trial. No credit card. Built on what the research says actually works.
