Is Security Awareness Training Effective Against Deepfakes?
Yes.
Our data backs this up, and the correlation between awareness and reduced vulnerability is clear. But it’s not black and white, and to truly understand effectiveness, we need to talk about how we measure success.
Too often, security awareness is treated like a zero-sum game. You’ll hear people say “We still had clicks, so training failed.” That’s the wrong lens. A 2.5% click rate, for instance, is actually quite good. Phishing hasn’t been “solved” in 20+ years and it likely never will be. Deepfakes are just raised stakes for phishing and social engineering.
You’re Measuring It Wrong
Most training vendors focus on click rate as the holy grail. But we think action taken (e.g., entering credentials, initiating a wire transfer, divulging info) is far more important. Clicking a link might signal curiosity. Taking action means the adversary hit their objective. That’s more reflective of risk.
So, our training focuses on action taken vs. click rates.
Here’s what our data shows so far:
Untrained Users – 16.45% Will Take Action.
Trained Users – 1.8% Will Take Action.
That’s not a small difference: that’s a massive reduction in risk with awareness training. It is not linear, though; some organizations without awareness training fare very well too. But more often than not, the outcome is more sobering when users are not aware or trained.
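One way to compute the two metrics contrasted above from simulation results, as an added example (not Breacher.ai's code or data). The event names, record layout and sample records are constructed assumptions, and the Wilson interval is an addition that shows how much a small cohort can actually prove.

```python
from collections import defaultdict
from math import sqrt

# Assumed event names for "action taken" (the article's examples: entering
# credentials, initiating a wire transfer, divulging info).
ACTION_EVENTS = {"credentials_entered", "wire_initiated", "info_divulged"}

# Constructed sample records: (user, cohort, events logged in one simulation).
SAMPLE = (
    [(f"t{i}", "trained", ["clicked"]) for i in range(2)]
    + [("t2", "trained", ["clicked", "credentials_entered"])]
    + [(f"t{i}", "trained", []) for i in range(3, 10)]
    + [(f"u{i}", "untrained", ["clicked"]) for i in range(2)]
    + [(f"u{i}", "untrained", ["clicked", "credentials_entered"]) for i in range(2, 4)]
    + [("u4", "untrained", ["info_divulged"])]  # acted on a call, no click at all
    + [(f"u{i}", "untrained", []) for i in range(5, 10)]
)

def wilson(k, n, z=1.96):
    """95% Wilson score interval for k hits in n trials (robust for small n)."""
    if n == 0:
        return (0.0, 1.0)
    p, z2 = k / n, z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def cohort_rates(records):
    """Per cohort: click rate, action rate, and a 95% interval on the action rate."""
    counts = defaultdict(lambda: {"n": 0, "clicked": 0, "acted": 0})
    for _user, cohort, events in records:
        c = counts[cohort]
        c["n"] += 1
        c["clicked"] += "clicked" in events
        c["acted"] += bool(ACTION_EVENTS.intersection(events))
    return {
        name: {
            "n": c["n"],
            "click_rate": c["clicked"] / c["n"],
            "action_rate": c["acted"] / c["n"],
            "action_ci": wilson(c["acted"], c["n"]),
        }
        for name, c in counts.items()
    }

def intervals_overlap(a, b):
    """True when two (low, high) intervals overlap, i.e. the gap is not yet clear."""
    return a[0] <= b[1] and b[0] <= a[1]
```

On these constructed cohorts of ten, action rates of 10% and 30% have overlapping intervals, so a per-organization comparison needs enough simulated users before a gap means anything.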
Our Approach: Harder, Smarter, Less Often
We don’t believe in endless simulations. Users hate them, and they stop paying attention. We believe in fewer simulations, tailored to real threats and executed quarterly at most. We test against real-world deepfake-enabled scenarios, like impersonated IT helpdesk calls that mimic human emotion in real time, identical to the most recent Scattered Spider attacks.
We also test process, policy, and security controls, not just the user. Think of it like a full-system stress test… Because attackers don’t just exploit people, they exploit gaps in procedures too, like password resets.
We’re Not Here to Punish. We’re Here to Inform.
Our simulations are non-punitive and non-destructive. We’re not here to shame users. We’re here to help organizations identify vulnerability and align their people with the knowledge they need.
We don’t force users to watch boring videos. Our micro-modules are tailored to each function’s risk profile. Sales gets one set of content. Finance another. Because attackers don’t treat every department the same and neither should knowledge transfer.
The Bottom Line
Security awareness training works when it’s done right.
Is it 100% effective across every org? No.
Is it a silver bullet? Definitely not.
But does it reduce risk in meaningful, measurable ways? Absolutely.
You’ll never eliminate risk entirely. But layered defense — people, process, and technology — is how you build resilience.
So don’t ask, “Did anyone click?”
Ask: “Did anyone take action that could lead to a business loss?”
That’s not protecting the organization or user from a $50 gift card scam… That risk is manageable. Ransomware attacks executed with just a phone call are the risk we’re focused on helping organizations address.
That’s where real awareness makes all the difference.

Deepfake attacks are evolving faster than traditional security measures can adapt.
Our comprehensive training and simulation approach goes beyond standard awareness programs, helping organizations identify and address vulnerabilities before real attackers can exploit them.
Learn how Breacher.ai can help your team prepare for AI-driven cyber threats.