26 February 2026 / 3 minutes of reading
We are currently seeing a positive trend in employee cybersecurity education. More and more companies are introducing various forms of training, awareness programs, and security initiatives aimed at increasing employees’ understanding of cyber risks.
Both companies and their employees are increasingly aware that cybersecurity plays a critical role not only at work but also in everyday life.
However, in our experience, especially in small and medium-sized businesses, the format or content of these training programs is often poorly designed. As a result, they frequently create a false sense of security while delivering little to no real benefit.
Many organizations today offer some form of security training, whether it’s e-learning modules, short presentations, or mandatory annual sessions. In practice, however, we often see that this knowledge is never tested in realistic scenarios.
Only after running a simulated phishing campaign do many companies realize, with some shock, that despite regular training, a large number of employees still enter their credentials into a phishing form. In some cases, the only people who didn’t do so were those who happened to be on vacation or out sick.
Another common challenge is that companies which until recently maintained a relatively high level of security awareness have not reacted quickly enough to new threats related to AI.
With the rise of artificial intelligence, phishing phone calls are becoming far more convincing, something we’ve observed firsthand in testing scenarios with several clients.
In practice, phishing is increasingly multichannel, combining email attacks with smishing (SMS) and vishing (phone calls). This coordinated approach can increase the success rate of a simulated phishing campaign by dozens of percent.
To summarize: while mistakes can never be completely eliminated, what truly matters is a systematic approach to security.
Training employees alone is not enough. Organizations must regularly test employees, measure the effectiveness of training, and continuously adapt their defenses to evolving threats.
Only then can phishing protection become truly effective, not just a compliance checkbox.