Repeat Offenders in Phishing: Here’s How We Train Them Out

Why are people still clicking?

That’s the question echoing through security teams right now. Even in programs built on “best practices” – the same employees keep failing. It’s not for lack of trying. Many are using the biggest names in the business: KnowBe4, Microsoft Defender, Proofpoint. They’ve done the drills. And still, the repeat offenders keep repeating.

We’ve heard this frustration firsthand:

“We’ve been running phishing simulations for a year and some users still keep clicking.”

That’s not just an anecdote. It’s a warning sign. When people fail the same way twice, the system isn’t working… and they know it.

And so the question becomes: do we punish them? Escalate? Fire them? Some companies do. Others escalate to HR. But the data ( and the backlash) tells a different story.

Below we”ll walk through why traditional training fails repeat offenders – and what actually works instead.

We unpacked this dilemma in our latest episode of the All Things Human Risk Management Podcast, where we laid it out clearly: punishment doesn’t fix behavior. Progress and positive reinforcement does.

Repeat clickers are usually the first visible symptom of a program-level design problem, so as you weigh each fix below, it helps to see where it sits in how to build a human risk management program.

Why do the same people keep clicking on phishing emails?

The same employees keep clicking phishing simulations because the program never adapts to why they fail. Static campaigns send every user the same templates at the same difficulty, then assign the same generic module after every failure. Repeat clicking stops when simulations adapt to each person’s failure pattern and difficulty escalates individually, with support instead of punishment.

What surprises most security leaders is how often it is the same people failing.

You’d think that by the third or fourth round of security awareness training, those repeat clickers would get the message. Especially in companies using well-known tools like KnowBe4 or Microsoft Defender, where phishing simulation programs are monthly and security tips are piped through email newsletters and training videos.

Behind the scenes, the security teams we speak to are stuck: they don’t want to ignore risky employee behavior, but they also know punitive measures (like firing repeat responders or escalating to HR) can backfire, leading to disengagement or, worse, unreported incidents.

And let’s not pretend the tools are helping. Many so-called “mature” programs look solid on paper: a phishing platform with regular campaigns, automatic reminders, a few compliance frameworks met. But under the hood, these training modules aren’t built to drive behavior change. They’re built to check boxes. Which means they often do little to reduce click-through rates and even less to shift actual employee reactions under pressure.

If a user keeps failing, don’t just look at the person, try looking at the program. If your approach to training isn’t working, and some people improve while others don’t, you need to question the whole approach. Are you building a program that encourages people to change? Or are you relying on fear?

If your security awareness training still produces repeat offenders, the problem isn’t just with the user. It’s systemic.

Why security awareness training stops working after the third click

Most phishing simulation programs run like clockwork. Same cadence each month, same campaign for every user, maybe a slightly tweaked template if you’re lucky. And on paper, it seems fine: regular training campaigns, compliance frameworks satisfied, click rates tracked. Job done.

But if your “repeat offenders” list looks the same month after month, those static campaigns aren’t changing anything.

If it’s the whole program that has stalled rather than one group, that’s a different diagnosis: see why security awareness programs plateau after year one.

As one training admin told us before switching to Hoxhunt: “It’s all manual. You pick your user group, pick your template… and it doesn’t adapt.”

In other words, there’s no adaptive security training here. The issue isn’t just that these phishing tests are repetitive, it’s that they flatten everyone into the same risk category.

Senior engineer or new hire, finance or marketing, they all get the same phishing simulations. And when someone fails, the system’s idea of remediation is more of the same: maybe another phish testing round or a generic training video.

What you end up building is muscle memory for the test rather than for the real threats themselves.

This is how “fail once, repeat again” becomes the default pattern. Without individualized escalation or context-aware content, repeat clickers don’t get smarter. They get desensitized, and the phishing simulator itself starts to lose credibility: users learn it’s just a drill. So they start tuning it out.

This is worse than inefficient. It’s dangerous. Because phishing attacks don’t play by your campaign schedule. And real threat actors don’t send the same phish twice.

A phishing platform that treats everyone the same will always underperform, in click-through rates and in real-world behavior change. If the system doesn’t evolve, neither will your people.

What’s the right way to respond after someone fails again?

In most programs, when someone fails a phishing test, the response is automatic: send them the same training module. Maybe a five-minute video. Maybe a few quiz cards. But always the same thing, at the same difficulty level, regardless of who they are or how they failed.

This is where security awareness becomes a dead end.

“We just send the same training to everyone who clicks. It’s not helping.”

This is something we hear a lot. That one-size-fits-all remediation model might make sense in a spreadsheet but it fails in practice. Why? Because it assumes failure is purely a knowledge gap. That people just need to “know better.”

But the truth is messier.

Repeat clickers aren’t just careless. They’re disconnected. Some don’t understand the risk. Some don’t see themselves as a target. Others don’t even realize what they did wrong.

If the training doesn’t meet them where they are (by role, by behavior, by motivation), it doesn’t stick.

Sending the same low-difficulty, generic module after each failure actually reinforces failure patterns. It teaches users what not to worry about. Over time, they disengage. Reporting habits stall. The phishing platform loses trust. Behavior change flatlines.

In a worst-case scenario, it gets worse than inaction. You create a culture where people fear the training and hide their mistakes. And that directly delays incident response time, leaving your organization exposed to phishing consequences like credential theft or malware attachment.

To shift that pattern, the follow-up matters. The type of content. The tone. The timing. Whether you assign remedial training matters less than what the user experiences when they get it.

And that’s where Hoxhunt starts to diverge: in content, in cadence, and in escalation.

Hoxhunt takes a fundamentally different approach. When someone fails, the system doesn’t just assign “more training.” It delivers a microlearning module tailored to the specific phish they failed. These bite-sized, scenario-driven lessons build what we call micro-victories: each one reinforces a key detection skill in under 90 seconds, giving users a clear win instead of reinforcing shame.

Hoxhunt remedial training for repeat offenders

Why treating every employee the same fails your high-risk users

The fundamental flaw in most phishing simulation programs? They treat every user the same. So Hoxhunt flips that, and the shift starts after the click.

Where traditional training campaigns send out a generic follow-up and wait another month, Hoxhunt immediately adjusts. We use behavioral analytics to identify the specific type of phish that tripped someone up and we tailor the next simulation to dig into that same blind spot.

Not six weeks later. Sometimes within days.

“I failed one, and Hoxhunt hit me again in 4 days, then 10. All were social media. It was like it knew.” – Real Hoxhunt user review.

That’s not luck. That’s adaptive security training in action.

Rather than cycle through a static library of phishing emails, we target themes based on each user’s past performance and role-based risk metrics. If someone struggles with credential harvest scams, they’ll see more simulations tuned to that vector instead of random templates from an old campaign.

Frequency adjusts, too. Someone who fails repeatedly might get a follow-up phish within days. Someone else might go weeks. The system reacts to behavioral signals instead of a fixed calendar. And because our phishing simulator integrates with reporting data, we can calibrate content difficulty in real time, escalating it as users build resilience.

This is how you get actual behavior change: by meeting people precisely at their failure point.

The result? Lower click-through rates, higher report rates, and a culture that treats failure as part of the learning process.

Below you can see Hoxhunt uses AI to personalize training to each and every user.

How Hoxhunt escalates difficulty when users keep failing

Behavioral change doesn’t come from repetition. It comes from escalation. When phishing simulations evolve from checkbox drills into realistic threat scenarios, users stop seeing them as training and start treating them like actual incidents.

That’s the shift.

At Hoxhunt, we use real-world threat intelligence to shape our phishing campaigns, from QR code payloads to vendor compromise and credential theft scenarios. These aren’t placeholders. They mimic the exact social engineering tactics threat actors are using in the wild.

Through behavioral analytics, we map employee reactions (like click rates, reporting habits, escalation speed) and calibrate both content and complexity to match.

A user who spots basic phish consistently might get hit with an Office 365 security spoof. It’s like adaptive training difficulty, but mapped to your actual threat landscape.

When simulations mirror real attack vectors, reported phishing attempts spike: in the Hoxhunt Phishing Trends Report 2026 dataset, real-threat reporting rises 9x over the training curve. When users recognize the patterns, they respond faster, and their muscle memory starts working for them.

This is where most phishing platforms fall short. They repeat instead of adapt. They assign instead of escalate. And that’s why many fail to close the behavior-to-breach gap.

But when simulations are dynamic and rooted in your environment, you build secure instincts rather than just testing them.

How Hoxhunt training adapts

What should you actually do with repeat clickers?

Most phishing training programs don’t know what to do with repeat clickers. After the third or fourth failure, it becomes a spreadsheet problem. Do we escalate to HR? Flag their manager? Hope they eventually “get it”?

Hoxhunt handles it differently. There’s no punishment involved, just precision.

This isn’t punitive. It’s built around understanding over blame. The system identifies risk behavior patterns and steps up both simulation frequency and training specificity.

Fail a phishing test, and the next hit might come in four days. Fail again, and you’ll get nudged with a microlearning tailored to the phish you missed.

It’s a closed loop:

Fail → targeted simulation → behavioral reinforcement → increased frequency → remedial training (if needed).

These remedial moments are engineered for engagement. Hoxhunt uses real user behavior, including what type of phishing email was clicked, how quickly it was reported (if at all), and how the user has responded to past content, to deliver personalized, just-in-time interventions.

This avoids one-size-fits-all fatigue and ensures each repeat clicker gets training that meets them at their failure point rather than beyond their comprehension.

No shame. No escalation. Just guided, adaptive support, informed by behavioral analytics and synced with your org’s policies.

And because the platform runs on autopilot, IT leadership doesn’t have to micromanage repeat responders. You define the thresholds. The system does the rest.

LyondellBasell ran this loop across roughly 25,000 users after hitting a wall with its previous platform: within two quarters, repeat failures showed an almost complete drop-off, and overall phishing failures were down 17% year-over-year (LyondellBasell case study).

Crucially, this progression path learns. It gets better over time. The more data the platform sees, the sharper the risk insights get, from simulation-to-incident correlation to personalized trigger timing. Because behavior change isn’t a one-time fix. It’s a path, and Hoxhunt builds that path, click by click.

What happens when you train repeat clickers instead of punishing them?

When it comes to reducing organizational cyber risk, most companies default to focusing broadly, trying to uplift the middle, hoping the outliers follow.

Qualcomm flipped that. The data showed why: 4% of users were generating 80% of Qualcomm’s phishing incidents.

So the security team identified the company’s 1,000 riskiest employees. These are people who had failed 3 or more phishing simulations, with failure rates hovering between 30–50%, and near-zero reporting habits. These were repeat clickers, not because they didn’t care, but because traditional SAT tools had failed to reach them.

Instead of giving up on this group, Qualcomm enrolled them into an experimental program powered by Hoxhunt’s adaptive phishing training.

“You see the worst going to the best – in 2 months with Hoxhunt.” – Rachel Shaw, Sr. Manager of Cybersecurity, Qualcomm.

The results were staggering.

Within months, this “Risky 1K” cohort outperformed the rest of the 50,000-person org in click-through rates and reporting rate. Simulated malicious click rates dropped by nearly 10x, and their phishing report rates surged.

Those who once posed the greatest phishing risk became model cyber citizens, with behavior impact measurable across every security culture metric.

Hoxhunt x Qualcomm case study with top 1k repeat offenders

This was more than remediation. It was a cultural reset. Hoxhunt turned phishing consequences into learning triggers. Repeat responders into early detectors. Employees who used to fail phishing tests were now reporting threats in under a minute.

“In their 9-month enrollment, our riskiest users went from double the fail rate of their peers to half – a 4x swing. That success earned us a CSO50 Award and paved the way for a global rollout.” – Kris Virtue, Global Head of Cybersecurity, Qualcomm.

After the full org joined Hoxhunt, Qualcomm saw a 6x improvement in overall simulation resilience. The program didn’t just scale. It sustained. Even as the number of phishing simulations increased, employee engagement and positive feedback went up.

Phishing repeat offenders FAQ

Should you punish employees who repeatedly fail phishing tests?

No. Punitive responses like HR escalation, disciplinary action or public naming consistently backfire: they create shame and silence, suppress the reporting behavior you need most, and slow incident response. Treat repeat failure as a program signal. Escalate simulation difficulty and personalize the remediation, and reserve human follow-up for patterns that persist. Keep discipline out of the training loop.

How many times should someone be allowed to fail before we escalate?

There’s no universal number, and that’s by design. Hoxhunt allows orgs to define their own thresholds (e.g. two phishing failures within 30 days) that automatically trigger remedial workflows. You can tune those triggers based on role sensitivity, business unit, or even past incident data.

The goal isn’t to punish after some magic number. It’s to spot patterns early and engage before someone becomes a true risk vector. That’s what adaptive escalation enables.

What do other companies actually do when someone fails 3+ times?

Escalation policies vary widely, but we’ve seen three common models:

  1. Auto-remediate with targeted training (e.g. micro-modules matched to the phish they failed)
  2. Flag for manager review, often tied into existing SOAR tools or HR workflows
  3. Human touchpoint: a security team member reaches out to coach or investigate

The one model we don’t recommend is the punitive one; see the answer above.

How do we make repeat offenders feel supported instead of shamed?

This is the heart of behavior change: not just what you send, but how you show up.

Punishment creates fear. Fear kills reporting. And silence makes breaches worse. That reporting culture is the engine of the whole program; we map it end to end in our guide to what actually reduces human cyber risk.

Instead, take this approach:

  • Focus on why the failure happened, not just the fact that it did
  • Normalize mistakes: even security pros fall for well-crafted phishing emails
  • Use empathetic language like: “Hey, looks like that one got you. It’s been fooling a lot of folks. Let’s take a minute to walk through what happened and how to spot it next time.”

How do we avoid training fatigue or backlash from over-targeting repeat offenders?

The key is not more training but smarter training.

That means:

  • Short, scenario-based training videos (30–90 seconds)
  • Just-in-time delivery instead of quarterly dumps
  • Personalized content that reflects their past failures and role risks
  • Gamified reinforcement instead of compliance checklists

Hoxhunt’s remedial training approach builds up small victories instead of punishing failure. And the data shows this keeps engagement high, even in previously disengaged users.

What does escalation look like in the Hoxhunt platform?

Escalation is built into the platform: quietly, automatically, and without shame.

The three automated remedial training approaches we’ve deployed to help repeat clickers change their behavior to reporting suspicious messages are:

  • Assigning relevant training to the user
  • Notifying the user’s manager
  • Notifying additional accounts, like awareness managers or security officers

Instead of putting people on blast, Hoxhunt puts them on a path from high risk to high performance.

Hoxhunt remedial training for phishing repeat offenders
Scroll to Top