Repeat Offenders in Phishing: Here's How We Train Them Out

Why are people still clicking?

That’s the question echoing through security teams right now. Even in programs built on “best practices” - the same employees keep failing. It’s not for lack of trying. Many are using the biggest names in the business: KnowBe4, Microsoft Defender, Proofpoint. They’ve done the drills. And still, the repeat offenders keep repeating.

We’ve heard this frustration firsthand:

“We’ve been running phishing simulations for a year and some users still keep clicking.”

That’s not just an anecdote. It’s a warning sign. When people fail the same way twice, the system isn’t working... and they know it.

And so the question becomes: do we punish them? Escalate? Fire them? Some companies do. Others escalate to HR. But the data ( and the backlash) tells a different story.

Below we'll walk through why traditional training fails repeat offenders - and what actually works instead.

We unpacked this dilemma in our latest episode of the All Things Human Risk Management Podcast, where we laid it out clearly: punishment doesn’t fix behavior. Progress and positive reinforcement does.

‍

Why do the same people keep clicking on phishing emails?

For most security leaders, the surprise isn’t that people fail phishing tests... it’s how often the same people keep failing.

You’d think that by the third or fourth round of security awareness training, those repeat clickers would get the message. Especially in companies using well-known tools like KnowBe4 or Microsoft Defender, where phishing simulation programs are monthly and security tips are piped through email newsletters and training videos.

Behind the scenes, the security teams we speak to are stuck: they don’t want to ignore risky employee behavior, but they also know punitive measures (like firing repeat responders or escalating to HR) can backfire, leading to disengagement or worse - unreported incidents.

And let’s not pretend the tools are helping. Many so-called “mature” programs look solid on paper: a phishing platform with regular campaigns, automatic reminders, a few compliance frameworks met. But under the hood, these training modules aren’t built to drive behavior change. They’re built to check boxes. Which means they often do little to reduce click-through rates  and even less to shift actual employee reactions under pressure.

If a user keeps failing, don’t just look at the person, try looking at the program. If your approach to training isn’t working, and some people improve while others don’t, you need to question the whole approach. Are you building a program that encourages people to change? Or are you relying on fear?

If your security awareness training still produces repeat offenders, the problem isn’t just with the user. It’s systemic.

‍

Why security awareness training stops working after the third click

Most phishing simulation programs run like clockwork. Same cadence each month, same campaign for every user, maybe a slightly tweaked template if you’re lucky. And on paper, it seems fine: regular training campaigns, compliance frameworks satisfied, click rates tracked. Job done.

But if your “repeat offenders” list looks the same month after month, those static campaigns aren’t changing anything.

As one training admin told us before switching to Hoxhunt: “It’s all manual. You pick your user group, pick your template… and it doesn’t adapt.”

In other words, there’s no adaptive security training here. The issue isn’t just that these phishing tests are repetitive, it’s that they flatten everyone into the same risk category.

Senior engineer or new hire, finance or marketing, they all get the same phishing simulations. And when someone fails, the system’s idea of remediation is more of the same: maybe another phish testing round or a generic training video.

What you end up building is muscle memory for the test... not for the real threats themselves.

This is how "fail once, repeat again" becomes the default pattern. Without individualized escalation or context-aware content, repeat clickers don’t get smarter - they get desensitized. And worse, your phishing simulator itself starts to lose credibility.... users know it’s just a drill. So they start tuning it out.

It’s not just inefficient - it’s dangerous. Because phishing attacks don’t play by your campaign schedule. And real threat actors don’t send the same phish twice.

A phishing platform that treats everyone the same will always underperform. Not just in click-through rates, but in real-world behavior change. If the system doesn’t evolve, neither will your people.

‍

What’s the right way to respond after someone fails… again?

In most programs, when someone fails a phishing test, the response is automatic: send them the same training module. Maybe a five-minute video. Maybe a few quiz cards. But always the same thing, at the same difficulty level, regardless of who they are or how they failed.

This is where security awareness becomes a dead end.

“We just send the same training to everyone who clicks. It’s not helping.”

This is something we hear a lot. That one-size-fits-all remediation model might make sense in a spreadsheet but it fails in practice. Why? Because it assumes failure is purely a knowledge gap. That people just need to “know better.”

But the truth is messier...

Repeat clickers aren’t just careless - they’re disconnected. Some don’t understand the risk. Some don’t see themselves as a target. Others don’t even realize what they did wrong.

If the training doesn’t meet them where they are (by role, by behavior, by motivation), it doesn’t stick.

Sending the same low-difficulty, generic module after each failure actually reinforces failure patterns. It teaches users what not to worry about. Over time, they disengage. Reporting habits stall. The phishing platform loses trust. Behavior change flatlines.

In a worst-case scenario, it gets worse than inaction. You create a culture where people fear the training and hide their mistakes. And that directly delays incident response time, leaving your organization exposed to phishing consequences like credential theft or malware attachment.

To shift that pattern, the follow-up matters. The type of content. The tone. The timing. It’s not just about whether you assign remedial training - it’s what the user experiences when they get it.

And that’s where Hoxhunt starts to diverge... not just in content, but in cadence and escalation.

Hoxhunt takes a fundamentally different approach. When someone fails, the system doesn’t just assign “more training” - it delivers a microlearning module tailored to the specific phish they failed. These bite-sized, scenario-driven lessons build what we call micro-victories: each one reinforces a key detection skill in under 90 seconds, giving users a clear win instead of reinforcing shame.

‍

Why treating every employee the same fails your high-risk users

The fundamental flaw in most phishing simulation programs? They treat every user the same. So at Hoxhunt we flips that - and it starts after the click.

Where traditional training campaigns send out a generic follow-up and wait another month, Hoxhunt immediately adjusts. We use behavioral analytics to identify the specific type of phish that tripped someone up and we tailor the next simulation to dig into that same blind spot.

Not six weeks later. Sometimes within days.

“I failed one, and Hoxhunt hit me again in 4 days, then 10. All were social media. It was like it knew.” - Real Hoxhunt user review

That’s not luck. That’s adaptive security training in action.

Rather than cycle through a static library of phishing emails, we target themes based on each user's past performance and role-based risk metrics. If someone struggles with credential harvest scams, they’ll see more simulations tuned to that vector, not random templates from an old campaign.

Frequency adjusts, too. Someone who fails repeatedly might get a follow-up phish within days. Someone else might go weeks. The system reacts to behavioral signals, not a fixed calendar. And because our phishing simulator integrates with reporting data, we can calibrate content difficulty in real time - escalating it as users build resilience.

This is how you get actual behavior change: by meeting people at their failure point, not above or below it.

The result? Lower click-through rates, higher report rates, and a culture that sees failure as part of the process, not a punishment.

Below you can see Hoxhunt uses AI to personalize training to each and every user.

‍

How Hoxhunt escalates difficulty when users keep failing

Behavioral change doesn’t come from repetition, it comes from escalation. When phishing simulations evolve from checkbox drills into realistic threat scenarios, users stop seeing them as training and start treating them like actual incidents.

That’s the shift.

At Hoxhunt, we use real-world threat intelligence to shape our phishing campaigns - from QR code payloads to vendor compromise and credential theft scenarios. These aren’t placeholders. They mimic the exact social engineering tactics threat actors are using in the wild.

Through behavioral analytics, we map employee reactions (like click rates, reporting habits, escalation speed) and calibrate both content and complexity to match.

A user who spots basic phish consistently might get hit with an Office 365 security spoof. It’s like adaptive training difficulty, but mapped to your actual threat landscape.

When simulations mirror real attack vectors, reported phishing attempts spike. When users recognize the patterns, they respond faster. Their muscle memory starts working for them, not against them.

This is where most phishing platforms fall short. They repeat instead of adapt. They assign instead of escalate. And that’s why many fail to close the behavior-to-breach gap.

But when simulations are dynamic - and rooted in your environment - you can actually build secure instincts, not just test them.

‍

What should you actually do with repeat clickers?

Most phishing training programs don’t know what to do with repeat clickers. After the third or fourth failure, it becomes a spreadsheet problem. Do we escalate to HR? Flag their manager? Hope they eventually “get it”?

Hoxhunt handles it differently. There’s no punishment - just precision.

This isn’t punitive. It’s built around understanding over blame. The system identifies risk behavior patterns and steps up both simulation frequency and training specificity.

Fail a phishing test, and the next hit might come in four days. Fail again, and you'll get nudged with a microlearning tailored to the phish you missed.

It’s a closed loop:

Fail → targeted simulation → behavioral reinforcement → increased frequency → remedial training (if needed).

These remedial moments are engineered for engagement. Hoxhunt uses real user behavior - including what type of phishing email was clicked, how quickly it was reported (if at all), and how the user has responded to past content - to deliver personalized, just-in-time interventions.

This avoids one-size-fits-all fatigue and ensures each repeat clicker gets training that meets them at their failure point, not beyond their comprehension

No shame. No escalation. Just guided, adaptive support - informed by behavioral analytics and synced with your org’s policies.

And because the platform runs on autopilot, IT leadership doesn’t have to micromanage repeat responders. You define the thresholds. The system does the rest.

Crucially, this progression path learns. It gets better over time. The more data the platform sees, the sharper the risk insights get - from simulation-to-incident correlation to personalized trigger timing. Because behavior change isn’t a one-time fix. It’s a path... and Hoxhunt builds that path, click by click.

‍

How do we prove phishing training is actually working?

When it comes to reducing organizational cyber risk, most companies default to focussing broadly, trying to uplift the middle, hoping the outliers follow.

Qualcomm flipped that.

Their security team identified the company’s 1,000 riskiest employees. These are people who had failed 3 or more phishing simulations, with failure rates hovering between 30–50%, and near-zero reporting habits. These were repeat clickers, not because they didn’t care, but because traditional SAT tools had failed to reach them.

Instead of giving up on this group, Qualcomm enrolled them into an experimental program powered by Hoxhunt’s adaptive phishing training.

“You see the worst going to the best - in 2 months with Hoxhunt.” - Rachel Shaw, Sr. Manager of Cybersecurity, Qualcomm

The results were staggering.

Within months, this “Risky 1K” cohort outperformed the rest of the 50,000-person org in click-through rates and reporting rate. Simulated malicious click rates dropped by nearly 10x, and their phishing report rates surged.

Those who once posed the greatest phishing risk became model cyber citizens - with behavior impact measurable across every security culture metric.

This wasn’t just about remediation, it was a cultural reset. Hoxhunt turned phishing consequences into learning triggers. Repeat responders into early detectors. Employees who used to fail phishing tests were now reporting threats in under a minute.

“In their 9-month enrollment, our riskiest users went from double the fail rate of their peers to half - a 4x swing. That success earned us a CSO50 Award and paved the way for a global rollout.” - Kris Virtue, Global Head of Cybersecurity, Qualcomm

After the full org joined Hoxhunt, Qualcomm saw a 6x improvement in overall simulation resilience. The program didn’t just scale - it sustained. Even as the number of phishing simulations increased, employee engagement and positive feedback went up.

‍

Phishing repeat offenders FAQ

How many times should someone be allowed to fail before we escalate?

There’s no universal number... and that’s by design. Hoxhunt allows orgs to define their own thresholds (e.g. two phishing failures within 30 days) that automatically trigger remedial workflows. You can tune those triggers based on role sensitivity, business unit, or even past incident data.

The goal isn’t to punish after some magic number - it’s to spot patterns early and engage before someone becomes a true risk vector. That’s what adaptive escalation enables.

What do other companies actually do when someone fails 3+ times?

Escalation policies vary widely, but we’ve seen three common models:

1. Auto-remediate with targeted training (e.g. micro-modules matched to the phish they failed)
2. Flag for manager review - often tied into existing SOAR tools or HR workflows
3. Human touchpoint - a security team member reaches out to coach or investigate

What we don’t recommend? Instant HR escalation or disciplinary action. Punitive approaches tend to backfire - creating shame, silence, and slower incident response.

How do we make repeat offenders feel supported instead of shamed?

This is the heart of behavior change: not just what you send, but how you show up.

Punishment creates fear. Fear kills reporting. And silence makes breaches worse.

Instead, take this approach:

• Focus on why the failure happened, not just the fact that it did
• Normalize mistakes: even security pros fall for well-crafted phishing emails
• Use empathetic language like: “Hey, looks like that one got you - it’s been fooling a lot of folks. Let’s take a minute to walk through what happened and how to spot it next time."

How do we avoid training fatigue or backlash from over-targeting repeat offenders?

The key is not more training... it’s smarter training.

That means:

• Short, scenario-based training videos (30–90 seconds)
• Just-in-time delivery, not quarterly dumps
• Personalized content that reflects their past failures and role risks
• Gamified reinforcement instead of compliance checklists

Hoxhunt’s remedial training approach builds up small victories instead of punishing failure. And the data shows this keeps engagement high, even in previously disengaged users.

What does escalation look like in the Hoxhunt platform?

Escalation is built into the platform - quietly, automatically, and without shame.

The three automated remedial training approaches we’ve deployed to help repeat clickers change their behavior to reporting suspicious messages are:

• Assigning relevant training to the user
• Notifying the user’s manager
• Notifying additional accounts, like awareness managers or security officers

Instead of putting people on blast, Hoxhunt puts them on a path from high risk to high performance.