Browser-based phishing: why training is no longer enough

Posted by @nhi-mgmt-group (Member Moderator, topic starter)
TL;DR: Security awareness training does little to change click or report rates against modern phishing, while browser-delivered attacks increasingly arrive through search ads, social media DMs, cloned AI service pages, and legitimate OAuth flows, according to Push Security and cited studies. The real control gap is at the point of execution: in the browser, where technical intervention can block compromise and educate users in context.

NHIMG editorial — based on content published by Push Security: browser-based controls and the limits of security awareness training

By the numbers:

  • A 2025 study from Purdue University involving 12,511 employees at a US fintech firm found that anti-phishing training produced no significant effect on click rates (p=0.450) or reporting rates (p=0.417).
  • The Verizon DBIR 2025 found that employees trained within the last 30 days were 4x more likely to report phishing than those trained earlier.

Questions worth separating out

Q: How should security teams reduce phishing risk when attacks happen in the browser?

A: They should place preventive controls in the browser itself, because that is where users make the trust decision and where malicious pages execute.

Q: Why does annual security awareness training fail against modern phishing?

A: Annual training fails because it usually teaches users to spot outdated email cues, while modern attacks use search ads, trusted domains, social platforms, and legitimate web flows.

Q: What do security teams get wrong about phishing simulations?

A: They often measure the wrong attack path.

Practitioner guidance

  • Deploy browser-layer phishing detection: block malicious pages based on page behaviour, form structure, and interaction patterns so you can stop cloned login pages, AiTM kits, and ClickFix payloads before the user completes the action.
  • Redesign awareness exercises around browser-native attacks: extend simulation and education beyond email to include search ads, social DMs, consent abuse, device code phishing, and fake software download flows that look legitimate in the browser.
  • Measure control effectiveness by compromise outcomes: track successful compromise rate, response time, and reporting behaviour instead of using training completion as a proxy for security performance.
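To make the first item concrete, here is an added example (not code from Push Security or from this post) of the form-structure part of a browser-layer check: before the user submits a credential form, it checks where the credentials would be sent and whether the page is one of the organisation's approved sign-in origins. The origin allowlist and the page descriptors are placeholders; a real content script would build the descriptor from location.href and document.forms.

```javascript
// Added example, not code from Push Security or the original post. It models
// the form-structure part of a browser-layer control: before a user submits
// a credential form, check where the credentials would go and whether the
// page is one of the organisation's approved sign-in origins. Pages are plain
// objects so the check runs outside a browser; a content script would build
// them from location.href and document.forms.

// Assumption: placeholder list of the organisation's approved sign-in origins.
const APPROVED_LOGIN_ORIGINS = new Set([
  "https://sso.corp.example",
  "https://login.idp.example",
]);

function originOf(url, base) {
  try {
    return new URL(url, base).origin;
  } catch {
    return null; // unparsable action/URL: treat as an unknown destination
  }
}

// page = { url, forms: [{ action, inputs: [{ type }] }] }
// Returns { verdict: "allow" | "warn" | "block", reasons: string[] }.
function assessPage(page) {
  const pageOrigin = originOf(page.url);
  const reasons = [];
  let verdict = "allow";

  const credentialForms = page.forms.filter((f) =>
    f.inputs.some((i) => i.type === "password"));
  if (credentialForms.length === 0) return { verdict, reasons };

  for (const form of credentialForms) {
    const dest = originOf(form.action || "", page.url);
    if (dest !== pageOrigin) {
      // Credentials typed here would leave for another origin: the shape of a
      // cloned login page or AiTM relay. Block regardless of where the page lives.
      reasons.push(`credential form posts to ${dest ?? "an unparsable URL"}`);
      verdict = "block";
    }
  }

  if (!APPROVED_LOGIN_ORIGINS.has(pageOrigin)) {
    // A password prompt outside the known IdPs: warn and surface the SSO
    // guidance; the user may still proceed for a legitimate third-party app.
    reasons.push(`password prompt on unapproved origin ${pageOrigin}`);
    if (verdict === "allow") verdict = "warn";
  }
  return { verdict, reasons };
}
```

The "warn" path is where the in-context education the post describes would be shown, while "block" covers the cross-origin credential post that no legitimate sign-in page of the organisation should exhibit.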

What's in the full article

Push Security's full article covers the operational detail this post intentionally leaves for the source:

  • Examples of browser-native attack chains, including search-ad delivery and cloned AI service pages.
  • How the browser layer can block malicious activity in real time without browser migration.
  • Operational guidance for warn screens, proceed-anyway prompts, and SSO or MFA guidance.
  • The specific control design Push says helps translate blocked events into contextual education.

Read Push Security's analysis of why browser-based controls matter more than awareness training.
