Pwning User Phishing Training Through Scientific Lure Crafting
Black Hat USA 2025 · Day 1 · Briefings
A randomized controlled trial across 19,000+ hospital employees found that simulated phishing training delivered via off-the-shelf products produced only a 1.7% aggregate reduction in click rates — and the median user spent zero to ten seconds on the training. At the same time, lure crafting alone could swing failure rates from 2% to 30%, meaning a single AI-optimized email can erase whatever modest gains training achieves.
AI review
Rare thing: an RCT with 19,000 subjects telling us that the phishing training industry is selling snake oil. The 1.7% aggregate improvement number is damning, and the lure variance data — 2% to 30% click rate on identically formatted emails — is the kind of empirical ammunition defenders have needed for a decade. Not a vulnerability research talk, but absolutely actionable.