How do organizations run phishing simulations currently? How do you handle users who fail repeatedly?
We use KnowBe4 and have been for several years. We're happy with the product. We provide them with some additional training when they click on phish. Phish tests are conducted monthly and use the AI Defense Agents which create more realistic phish tests that are much more likely to be what staff would experience.
We have a 3rd party run a phishing test every 6-8 weeks. We were also looking to switch to KnowBe4 to handle this, but haven't pulled the trigger. People who fail go through an additional training session, but we don't see a lot of repeated failures. We are also a smaller shop (50 people).
We utilize a 3rd party product to conduct monthly phishing campaigns every month for every employee. There are about 10 different emails in each monthly campaign. This is done to reduce the prairie dog response where one employee pops up and warns the others of a particular email. It is less likely employees will receive the same email as their neighbor (though not impossible). We have 5 levels of escalating training for employees that fail the phishing campaigns. There is no current plan to take it any further than this though.
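The post above describes two mechanics that are easy to get wrong in a home-grown campaign scheduler: spreading roughly ten templates across every employee so neighbours rarely receive the same email (the "prairie dog" problem), and mapping repeated failures onto a capped ladder of escalating training. The following is an added illustration, not code from the thread or from any vendor product; the employee list, template names, `previous` constraint (never resend the template an employee got last campaign) and the five-level ladder are assumptions chosen to match the post.

```python
import random
from collections import Counter

# Constructed sample data (not from the thread): 50 employees, ~10 templates.
EMPLOYEES = [f"user{i:03d}@example.com" for i in range(1, 51)]
TEMPLATES = [f"template-{i:02d}" for i in range(1, 11)]
MAX_LEVEL = 5  # five escalating training levels, as in the post


def assign_templates(employees, templates, previous=None, seed=0):
    """Give each employee one template for this campaign.

    Greedy balanced draw: walk the employees in a seeded random order and
    hand each one the least-used template that is not the one they received
    in the previous campaign (hypothetical constraint, to reduce repeats).
    Returns {employee: template}.
    """
    rng = random.Random(seed)
    previous = previous or {}
    order = list(employees)
    rng.shuffle(order)
    counts = {t: 0 for t in templates}
    assignment = {}
    for emp in order:
        candidates = [t for t in templates if t != previous.get(emp)] or list(templates)
        rng.shuffle(candidates)  # random tie-break between equally used templates
        pick = min(candidates, key=lambda t: counts[t])
        assignment[emp] = pick
        counts[pick] += 1
    return assignment


def template_spread(assignment):
    """Difference between the most- and least-used template (0 = perfectly even)."""
    counts = Counter(assignment.values())
    return max(counts.values()) - min(counts.values())


def update_history(history, results):
    """history: {employee: failure count}; results: {employee: True if they clicked}.
    Returns a new history with one failure added per click."""
    new = dict(history)
    for emp, clicked in results.items():
        if clicked:
            new[emp] = new.get(emp, 0) + 1
    return new


def training_level(failures):
    """Escalation ladder: 0 = nothing due, 1..MAX_LEVEL for successive failures, capped."""
    return min(failures, MAX_LEVEL)


def training_queue(history):
    """Who needs which level of training after this campaign, highest level first."""
    due = [(emp, training_level(n)) for emp, n in history.items() if n > 0]
    return sorted(due, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    jan = assign_templates(EMPLOYEES, TEMPLATES, seed=1)
    feb = assign_templates(EMPLOYEES, TEMPLATES, previous=jan, seed=2)
    print("February spread:", template_spread(feb))
    # Constructed click results for two employees across two campaigns.
    hist = update_history({}, {EMPLOYEES[0]: True, EMPLOYEES[1]: True})
    hist = update_history(hist, {EMPLOYEES[0]: True, EMPLOYEES[1]: False})
    print(training_queue(hist))
```

The `previous` constraint makes the draw slightly less even than a pure round-robin (one template may lag by up to two assignments in a 50-person shop), which is the trade-off for never sending someone the same lure twice in a row.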
We leverage a vendor product and conduct simulations each month. We have increased the complexity and allure of our messages to make them more enticing over time, consistent with what we are seeing in the wild. This has resulted in a stubborn and consistent rate of staff who continue to click where they shouldn't. We entertained progressive discipline but have read studies that show it does not really work. The best approach is escalating the required training. We do inform managers of repeat offenders and require them to include information about these breaches in the staff member's performance review.

We run phishing simulations for all 2,000 employees using a licensed platform called Phished Academy, with a strong focus on continuous education.
By the end of 2025, every employee was required to reach at least the Bronze level. We now encourage staff to aim for higher medals within the platform to keep improving their awareness. In addition to simulations, we actively reinforce the message through our intranet and a monthly magazine, raising awareness, keeping people alert, and providing practical tips.
This approach has worked quite well so far, and employees are genuinely engaged and enthusiastic about progressing.