Black Hat USA 2025 | Pwning User Phishing Training Through Scientific Lure Crafting
Why It Matters
If organizations rely on flawed click‑rate metrics, they may overlook deeper behavioral gaps, leaving critical assets exposed. Rethinking training and measurement can drive more effective, risk‑based security strategies.
Key Takeaways
- Traditional phishing training shows negligible behavior change
- Study covered 20,000+ employees over eight months
- Lure effectiveness varies unpredictably, defying conventional wisdom
- Click metrics often reflect bait quality, not user awareness
- Gamified lure creation can backfire, increasing risk
Pulse Analysis
The Black Hat USA 2025 briefing challenges the long‑standing belief that brief phishing simulations are sufficient to inoculate employees against social engineering. By embedding researchers directly within corporate environments, the study captured real‑world interactions that laboratory tests miss, highlighting a stark disconnect between reported training success and actual user behavior. This evidence suggests that security teams need to move beyond simple click‑rate dashboards and adopt continuous, context‑aware education that addresses the psychological triggers behind phishing decisions.
One of the most striking findings is the chaotic performance of different lure themes. Traditional high‑urgency subjects—such as account suspension notices—did not consistently outperform more mundane hooks like dress‑code updates. This variability underscores that attackers can exploit any narrative that resonates with a specific audience, making it impossible to rely on a static set of training examples. Organizations should therefore diversify their simulated attacks, regularly refreshing content to mirror emerging threat vectors and cultural nuances within their workforce.
Finally, the presentation warns that gamified lure creation, while intended to boost engagement, can inadvertently reinforce harmful patterns. When employees are rewarded for spotting obvious phishing cues, they may develop a tunnel vision that ignores subtler, more sophisticated attacks. A balanced approach that combines realistic scenario training, post‑exercise debriefs, and measurable behavior change—rather than mere click counts—will better equip enterprises to mitigate the evolving phishing landscape.