If phishing were purely a technical problem, we would have solved it by now.
The uncomfortable reality is that social engineering succeeds because it exploits predictable human behavior—autopilot thinking, misplaced trust, fear of consequences, and the assumption that “the tools will catch it.”
In this session, I’ll walk through Beauceron Security’s newest research, which goes beyond click rates to examine the psychology behind phishing failures.
We didn’t just measure what happened—we asked people why they clicked.
Here’s what the data shows:
- Roughly half of all phishing clicks happen because the message looked legitimate or matched something the person was already expecting
- Nearly 40% of clicks occur when people are rushing or operating on autopilot—and a shocking number don’t even remember clicking
- Employees who believe security tools “have them covered” click dramatically more often than those who understand the limits of technology
- Fear—of getting in trouble, of ignoring a request, of slowing down—produces the worst security outcomes of all
And then there’s training.
Yes, bad training doesn’t work. We’ve known that for years. But our data shows that well-designed, well-timed training absolutely does—when it’s delivered in a way that respects how people actually learn, forget, and relearn under pressure.
We’ll break down:
- Why post-click landing pages are a dead end
- How awareness decay makes “once-a-year training” almost meaningless
- What actually reduces repeat clicking
- Why reporting behaviour matters
If you’ve ever wondered whether security awareness is worth the effort—or why your program feels busy but ineffective—this talk will give you answers grounded in evidence, not ideology.
Key Takeaways
Attendees will leave with:
- A clear, evidence-based explanation of why people click on phishing emails
- Proof of where traditional awareness models fail—and why
- A better way to think about human error that doesn’t default to blame
- Practical guidance on how to design training that changes behaviour instead of measuring failure
- A framework for aligning security awareness with creating positive security cultures that sustain motivation to be secure.