Nearly everyone’s cybersecurity program includes a phishing test: “Click here to renew your subscription”, “Please update your contact information”, “Enter your password to unlock this month’s partner rebates”, and so on.
As popular as they might be, and as important as they might be, their effectiveness is still an open question.
This review, prepared for IEEE 2025, looks at the performance on phishing tests by healthcare workers at the University of California San Diego. Members of the control group did not receive any feedback if they clicked on a phishing link; they simply landed on a dead 404 page. The other four groups received different types of feedback, assigned at random, drawn from the Proofpoint catalogue of educational content.
Across 19,000 healthcare workers and 8 months, the authors tested several different types of training and types of e-mails, and, among their many results, the following:
The far-left “Control” group’s performance sure looks a lot like that of the other groups!
And now you know: getting someone to click on a “gimme your password” link might tip off most folks, but nearly everyone will blunder forward to check out a change in vacation policy or dress code…