Why phishing training solves the wrong problem

Phishing and social engineering are involved in the majority of serious compromises. They’re also routinely excluded from red team engagements — not because they’re irrelevant, but because they’re too reliable. Including them would make the test too easy. The most effective attack vector in practice is quietly set aside in assessments because it’s almost a guaranteed hit if you persist long enough.

So the most prominent threat gets the weakest defence. That’s the gap nobody talks about.

The standard response is annual training. Slides, videos, simulated phishing tests that catch people out and send them back to more slides.

The problem is the theory of change underneath it.

People who click phishing links know they shouldn’t click suspicious links. If you ask them afterwards, they can tell you it’s suspicious because it’s amaz0n.com. The knowledge isn’t the gap — it’s the reflex that’s being exploited. Think about the last time you locked yourself out of your car, or left your door unlocked. You know how locks work. What happened was that you had shopping and kids and were on hold to the credit card company, and in that moment there was simply nowhere to put the thought. If someone steals your car that day, the lesson isn’t that you need better education about car theft. You needed the habit of locking the door to be automatic enough to survive that afternoon.

Phishing works the same way. It doesn’t exploit ignorance. It exploits cognitive load. It catches people on rushed Tuesday afternoons when the bar for what looks safe is lower because there’s too much else going on. Annual training that teaches people what phishing looks like doesn’t address that. It addresses a different, simpler problem that isn’t really the one we have.

So what would actually work?

The first thing is frequency. A threat you’ve never encountered doesn’t feel real — if a compromise hasn’t happened at your organisation recently, the urgency stays abstract. You can’t build a reflex against something hypothetical. You need repetition in realistic conditions, often enough that checking becomes default rather than deliberate.

But frequency alone isn’t enough if there’s no reason to stay engaged. Compliance training assumes that the threat of consequences sustains attention. It doesn’t, because the consequences feel distant. What actually works is immediate social stakes — something that matters this week. If your colleagues are trying to catch you, and you’re trying to catch them, and there’s a leaderboard the team actually looks at, you’re engaged for completely different reasons. You’re playing. And while you’re playing, you’re building exactly the reflex that needs to be there on that rushed Tuesday afternoon.

The goal, in the end, isn’t awareness. It’s automation. You’re not trying to make people think more carefully about links — training can do that. You’re trying to make the check happen before the thinking kicks in. That only comes from enough repetition that the behaviour stops being a decision.

The organisations that take this seriously aren’t the ones with the most thorough annual training programmes. They’re the ones that have made security a live, social, ongoing part of how work feels. That’s harder to buy off a shelf and harder to measure in a compliance report. But it’s the thing that actually closes the gap.

This is what PhishClub is built around.

Gamified phishing simulation that runs in the background, builds the reflex through repetition, and gives your team something to actually compete over. No learner accounts, no software to install, no annual review.