I run security awareness for a mid sized company, and we’ve done the usual fake “click here to update your password” emails for years. Our click rates are low now, but honestly, it’s because everyone spots them a mile away. The simulations don’t feel real anymore, so I’m not sure they’re actually training people for what’s out there.



Then last month, an attacker used a realistic voicemail pretending to be our CFO. One of our best team members almost fell for it. That scared me. It made me realize our email only tests are outdated.



I’ve been looking into platforms that do simulations across SMS and even AI generated voice calls, making them way harder to distinguish from real attacks. We need something that mirrors the actual multichannel threats we’re seeing now, not just another obvious fake invoice email.



Has anyone switched from basic click tests to more realistic, AI driven phishing simulations? Did it actually improve how your team handles real suspicious messages, or did it just frustrate people more? Curious what worked for you.