Phishing Time Bomb: How Should Repeat Clickers Be Handled?
I’ve recently discussed repeat clickers with a number of people: first with a Forrester analyst, and then shortly afterwards at Prometeo–IIT Jodhpur, where Mohit Yadav, Founder and Director of the Craw Cyber Security Institute, gave an overview of the topic.
After that my approach became more deliberate. Intrigued by the subject, I talked to a number of Craw Security’s clients to learn how they handle repeat clickers.

As the name suggests, “repeat clickers” are people who repeatedly click on dubious links in emails, either in phishing simulations or, more dangerously, in real phishing attempts. This goes beyond the odd mistake: we are talking about the same names that come up again and again as having interacted with simulations or having caused a security incident.
Repeat clickers pose a serious cybersecurity risk to their organizations. They are also frequently among the most valued employees. The difficulty, therefore, lies in lowering this risk in a reasonable and equitable way while keeping these people engaged in their jobs.
The Disproportionate Risk and Return of Repeat Clickers
Mohit Yadav’s studies in this field are intriguing. In preliminary research he defined repeat clickers as those who engaged with three or more phishing simulations. He found:
- Only 0.79% of participants fell into this group.
- Compared with the rest of the population, they were almost ten times more likely to engage with a simulation.
Let’s pause on that for a moment. Less than 1% of employees are typically repeat clickers, and they are roughly ten times more likely to fall for a phish than their colleagues.
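As an added illustration (not the article’s or Mohit Yadav’s method, and not any vendor’s code), the Python script below applies the page’s definition, three or more clicked simulations, to a constructed set of simulation results and compares the group’s click rate with everyone else’s. The log format, user names, simulation names and outcomes are all invented. It also shows a caveat the numbers above invite: if you define the group by its clicks and then measure its click rate on the same simulations, the ratio is inflated by the selection itself, so the script can instead define the group on earlier simulations and measure on later ones.

```python
"""
Identify repeat clickers from phishing-simulation results and compare
their click rate with everyone else's. Added example, not code from the
article or from any vendor's platform; the log format, names and
outcomes below are constructed.
"""
from collections import defaultdict

# Constructed sample: one line per simulation, one user=outcome pair per
# recipient. Outcome is one of clicked, reported, ignored.
SAMPLE_LOG = """\
01-invoice     alice=reported bob=clicked carol=ignored dave=ignored
02-hr-policy   alice=reported bob=clicked carol=clicked dave=ignored
03-parcel      alice=reported bob=clicked carol=ignored dave=ignored
04-mfa-reset   alice=reported bob=ignored carol=ignored dave=clicked
05-shared-doc  alice=reported bob=clicked carol=ignored dave=ignored
06-payroll     alice=reported bob=ignored carol=clicked dave=ignored
07-voicemail   alice=reported bob=clicked carol=ignored dave=ignored
08-it-survey   alice=reported bob=ignored carol=clicked dave=ignored
"""

REPEAT_THRESHOLD = 3  # the article's cut-off: clicked three or more simulations


def parse_log(text):
    """Parse the log into a list of (sim, user, outcome) tuples."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        sim, pairs = parts[0], parts[1:]
        for pair in pairs:
            user, outcome = pair.split("=")
            rows.append((sim, user, outcome))
    return rows


def tally(rows):
    """Return {user: (clicks, deliveries)}."""
    stats = defaultdict(lambda: [0, 0])
    for _, user, outcome in rows:
        stats[user][1] += 1
        if outcome == "clicked":
            stats[user][0] += 1
    return {u: (c, d) for u, (c, d) in stats.items()}


def repeat_clickers(rows, threshold=REPEAT_THRESHOLD):
    """Users who clicked at least `threshold` simulations in `rows`."""
    return sorted(u for u, (c, _) in tally(rows).items() if c >= threshold)


def click_rate(rows, users):
    """Clicks divided by deliveries, counted over the given users only."""
    delivered = [r for r in rows if r[1] in users]
    clicks = sum(1 for r in delivered if r[2] == "clicked")
    return clicks / len(delivered) if delivered else 0.0


def risk_summary(rows, threshold=REPEAT_THRESHOLD, classify_sims=None):
    """Share of users who are repeat clickers, and their click rate relative
    to everyone else.

    Defining the group by its clicks and then measuring its click rate on
    the same simulations overstates the ratio. Pass `classify_sims` to
    define the group on those simulations only and measure on the rest.
    """
    if classify_sims is None:
        classify_rows = measure_rows = rows
    else:
        classify_rows = [r for r in rows if r[0] in classify_sims]
        measure_rows = [r for r in rows if r[0] not in classify_sims]
    everyone = {r[1] for r in rows}
    group = set(repeat_clickers(classify_rows, threshold))
    others = everyone - group
    group_rate = click_rate(measure_rows, group)
    other_rate = click_rate(measure_rows, others)
    return {
        "repeat_clickers": sorted(group),
        "share": len(group) / len(everyone),
        "group_rate": group_rate,
        "other_rate": other_rate,
        "ratio": group_rate / other_rate if other_rate else float("inf"),
    }


def first_sims(rows, n):
    """The first n simulation names in sorted order (the 'classify' window)."""
    return set(sorted({r[0] for r in rows})[:n])


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("in-sample:", risk_summary(rows))
    print("held-out: ", risk_summary(rows, classify_sims=first_sims(rows, 6)))
```

On the constructed data the in-sample figure flags bob and carol with a click rate eight times that of everyone else, while defining the group on the first six simulations and measuring on the last two flags only bob, at three times the rate of the others. The direction of the finding is the same, but the held-out number is the one worth reporting.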
In his presentation at Prometeo–IIT Jodhpur, Mohit Yadav further emphasized that these people are typically highly valuable to their firms and often occupy senior roles. He gave one instance of a known repeat clicker who engaged with a real phishing attempt and caused a security incident; this person was a scientist at ISRO, India.

Similarly, one of the clients I spoke with (who wished to remain anonymous) told me about a troubling repeat clicker in their company: a senior employee who is a tremendous asset to the business and who, in the past, would click on every link in every email, including phishing simulations on topics completely unrelated to their position.
These individuals represent more than business value alone. According to the same research by Mohit Yadav, reducing this concentrated risk can yield a sizable return on investment (ROI), which makes sense: the risk sits with a handful of people, so all you need to do is get your habitual repeat clickers to stop.
There’s Something Different About Repeat Clickers
Certain elements come into play when someone receives a phishing email, whether it is simulated or real. Some of these vary depending on the situation, including the social engineering methods employed or the environment (for example, someone may be more vulnerable on a day when they are hurrying).
In his research, Mohit Yadav identifies two stable factors (things that are less likely to change from day to day): individual characteristics and cultural influences. The former is referred to as “the primary factor” in repeat clicking.
Mohit Yadav starts to explore some of these characteristics in a subsequent study, and he provides what may be my favorite tale from his work.
At the opposite end of the spectrum from repeat clickers is a group known as “Defensive Guardians”: people who consistently spot phishing simulations and routinely report them. Mohit Yadav asked members of each group to memorize a code word of their choosing, such as the name of a pet. In follow-up interviews, every Defensive Guardian recalled their code word, while every repeat clicker had forgotten it!

In addition, repeat clickers had trouble remembering the phishing simulations they had interacted with, but this could be partly attributed to embarrassment.
The study starts to show the cognitive distinctions between those who consistently display the least ideal cybersecurity behaviors (repeated interactions that are not reported) and those who consistently display the most desirable ones (not interacting with simulations and reporting them).
Apart from being forgetful, repeat clickers also appear to have:
- A locus of control that is more internally oriented, which means they feel more in charge of their own fate.
- High confidence in their abilities to identify phishing emails, which I believe we can properly refer to as “overconfidence.”
- A lack of skepticism or mistrust, which leaves them vulnerable to social engineering attempts.
- Email behaviors that are rigid rather than flexible, like the previously stated person who, seemingly without thinking, clicks on hyperlinks in every email.
It is simple to understand how this potent combination of characteristics can lead to someone frequently interacting with phishing emails. In the end, a lot of these elements are deeply rooted, but with the correct strategies, they can be changed.
Beyond Punishment: You Probably Can’t Make Repeat Clickers Feel Worse
Most firms avoid punitive measures because they are seen as incompatible with a healthy cybersecurity culture, one in which people speak up promptly so that incidents can be handled quickly. Still, I’m sure many cybersecurity professionals, in their search for a solution, have wondered whether punishing repeat clickers would lead to more secure behavior.

The answer is no, it won’t. According to Mohit Yadav and the clients I spoke with, repeat clickers already feel bad enough about it; punishment adds nothing, because it cannot make them feel any worse.
Practical Steps You Can Take to Reduce Repeat Clicking
So what can you do? The clients I spoke with use some or all of the steps listed below.
Talk to Your Repeat Clickers
Once you have determined who your repeat clickers are, you must talk to them. The goal of these conversations is to better understand the person’s behavior and email habits, without resorting to blame.
According to a cybersecurity manager I spoke with, during one meeting, the employee admitted the risk they were posing and said they didn’t think they could alter their conduct on their own. This made it possible for the cybersecurity manager to collaborate with the worker on risk-reduction tactics in which the worker also had an interest.
Other clients have highlighted doing company-wide polls regarding simulations and casual drop-in events like lunch and learns. These exercises can promote an environment of open communication and constructive feedback loops, even when they don’t specifically target repeat clickers.
Take a Personalized Approach
Since the research indicates that individual characteristics are what drive repeat clicking, it makes sense that a personalized strategy will help reduce this risk.

The development of AI-powered human risk management (HRM) technologies has made it easier than ever to customize cybersecurity for each individual. Despite being an organization-wide effort, it offers individualized technical interventions and assistance that are extremely pertinent to each individual. Here, the goal is to support people in making consciously safe decisions by providing contextual and risk-based interventions, rather than expecting them to do so on their own.
Disrupt Their Behaviors
Some people need help breaking the clicking habit they have developed while using email. I spoke with a client who had used Craw Security’s Phishing Simulation Services to enable a click-time prompt (referred to here as Second Chance) for a repeat clicker who themselves felt that clicking had become a habit. Each time they clicked a link, Second Chance asked whether they really wanted to proceed to the destination.
The client deliberately used this for a fixed period and agreed with the employee that it would be removed once their behavior had changed, as demonstrated via phishing simulations. This gave the employee a kind of “reward” for adapting, and it also ensured they would not become desensitized to Second Chance, so the cybersecurity manager could use it again in the future if necessary.
It was successful! The individual, who had previously failed every simulation, was able to lower their risk by more than 80% in the allotted period.
Side note: Although time-of-click URL analysis, such as that provided by Craw Security’s Phishing Simulation Services, is an organization-wide control, it worked well for this repeat clicker too. When a URL is judged safe, the employee goes straight through to the website; access to questionable URLs can be blocked outright. For non-repeat clickers this is a far less intrusive approach and usually the better fit. (Obviously, it can be disabled for simulations.)

Get Creative!
Talking to these people may also suggest more original ways to help them. For instance, one client had a repeat clicker who received an abnormally large number of emails. To reduce the noise in that inbox, the security team sent the employee a list of senders to review and then unsubscribed them from everything that wasn’t needed. Alternatively, you might consider more sophisticated graymail filtering.
Running a distinct training and simulation program designed to make sure that repeat clickers can recognize the biggest risks to your particular firm might be another initiative. While setting this up will take time from someone on your team, increasing AI-driven automation in training platforms will free up resources that you can use for such projects.
Create a Positive Environment
Many of our clients host yearly competitions or pit departments/offices against one another in “Spot the Phish Leaderboards” to assist and encourage secure practices. Bragging rights, the newest technology, and—possibly the most inventive—a premium parking space in the business lot are among the rewards!
Furthermore, a number of clients stated that they did not want corrective training to be associated negatively with training in general after phishing failures. Employees generally expressed the value of training and simulations in their comments, and they intended to maintain that.
Remedial training was sometimes termed “refresher training,” and lunch and learns were given equally pleasant terms that emphasized “helping” rather than “enforcing.”
Behavioral Change Is Possible — There’s No Silver Bullet!
Since each repeat clicker is different and their behavior is shaped by personal characteristics, there is no magic bullet for this problem. Your response has to be specific to the person.
The clients I spoke with confirmed this: they worked alongside their repeat clickers until those people changed how they interact with email and drastically reduced their risk. You can apply the strategies listed here in your own company, and you may well think of more once you talk to your repeat clickers!
Stop Advanced Phishing Attacks with Craw Security’s Phishing Simulation Services
Craw Security’s Phishing Simulation Services take a new approach to email security by addressing the gaps left by M365 and Secure Email Gateways (SEGs).
The service helps you respond to threats faster, dynamically improve security, and stop advanced phishing threats. It reduces admin overhead, enhances detection, and engages users to build a stronger security culture.
With Craw Security’s Phishing Simulation Services, you can:
- Lower the chance of data breaches by identifying threats that M365 and SEGs miss.
- Automate email security duties to free up administrative resources.
- Use color-coded banners to inform users and transform dangers into teaching opportunities.
- Reduce administrative costs by continuously evaluating and dynamically adjusting security detection.
- Use real-time threat intelligence to automate simulations and training.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.