Pwning User Phishing Training Through Scientific Lure Crafting
No ratings
Presented at Black Hat USA 2025 by
Phishing training has been sold as a silver bullet for twenty years—just show people a few fake emails, teach them what to look for, and they'll magically stop clicking, right? Wrong. Our 8-month, real-world study across 20,000+ employees blows that narrative wide open. We didn't run a controlled lab test. We embedded ourselves in the wild. And what we found was clear: current phishing training doesn't move the needle. Worse, the lures themselves behave chaotically—some bait (like "urgent dress code updates") consistently outperformed others, and not in ways that align with conventional wisdom. This talk digs into why phishing training metrics are a dangerous mirage—used as both security theater and a flawed defense strategy. We'll dissect how gamified lure creation inside orgs can backfire, how novelty and context collide, and why click rates may say more about the bait than the user. Finally, we'll open the floor to the hard questions: Can internal phish metrics be hacked for good—or evil? Are we designing for behavior change or just measuring clicks? And what does a post-phishing-training world even look like?