TL;DR: Security awareness training does little to change click or report rates against modern phishing, while browser-delivered attacks increasingly arrive through search ads, social media DMs, cloned AI service pages, and legitimate OAuth flows, according to Push Security and cited studies. The real control gap is at the point of execution: in the browser, where technical intervention can block compromise and educate users in context.
NHIMG editorial — based on content published by Push Security: browser-based controls and the limits of security awareness training
By the numbers:
- A 2025 study from Purdue University involving 12,511 employees at a US fintech firm found that anti-phishing training produced no significant effect on click rates (p=0.450) or reporting rates (p=0.417).
- The Verizon DBIR 2025 found that employees trained within the last 30 days were 4x more likely to report phishing than those trained earlier.
Questions worth separating out
Q: How should security teams reduce phishing risk when attacks happen in the browser?
A: They should place preventive controls in the browser itself, because that is where users make the trust decision and where malicious pages execute.
Q: Why does annual security awareness training fail against modern phishing?
A: Annual training fails because it usually teaches users to spot outdated email cues, while modern attacks use search ads, trusted domains, social platforms, and legitimate web flows.
Q: What do security teams get wrong about phishing simulations?
A: They often measure the wrong attack path.
Practitioner guidance
- Deploy browser-layer phishing detection Block malicious pages based on page behaviour, form structure, and interaction patterns so you can stop cloned login pages, AiTM kits, and ClickFix payloads before the user completes the action.
- Redesign awareness exercises around browser-native attacks Extend simulation and education beyond email to include search ads, social DMs, consent abuse, device code phishing, and fake software download flows that look legitimate in the browser.
- Measure control effectiveness by compromise outcomes Track successful compromise rate, response time, and reporting behaviour instead of using training completion as a proxy for security performance.
What's in the full article
Push Security's full article covers the operational detail this post intentionally leaves for the source:
- Examples of browser-native attack chains, including search-ad delivery and cloned AI service pages.
- How the browser layer can block malicious activity in real time without browser migration.
- Operational guidance for warn screens, proceed-anyway prompts, and SSO or MFA guidance.
- The specific control design Push says helps translate blocked events into contextual education.
👉 Read Push Security's analysis of why browser-based controls matter more than awareness training →
Browser-based phishing: why training is no longer enough?
Explore further
Browser trust has become the new identity perimeter: The decisive security event is no longer the receipt of a phishing message, but the moment a user evaluates a page, prompt, or download inside the browser. That changes the governance problem from awareness completion to in-session control, because the identity decision now happens at execution time. Practitioners should treat browser context as an identity enforcement layer, not just a user experience layer.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
A question worth separating out:
Q: How can organisations decide when to invest in browser security instead of more training?
A: When the dominant failures involve legitimate-looking pages, search-driven delivery, or quick in-session decisions, browser security should take priority. Training can improve awareness, but it cannot reliably intercept a compromise that unfolds inside a live session. The better investment is the control that can see the page, the prompt, and the action at the same time.
👉 Read our full editorial: Browser-based controls expose the limits of security awareness training