In the battle against phishing and social engineering attacks, organizations face a silent and underestimated security threat: the repeat clicker. These individuals, despite years of awareness training and simulated phishing drills, consistently click on suspicious links in emails. Unlike one-time mistakes, repeated clicking indicates ingrained behavioral habits that blanket awareness programs cannot correct. To address this problem, it is necessary to shift beyond generic training and adopt individualized, human-focused approaches that transform habits, attitudes, and risk profiles.
Understanding the Repeat Clicker
Repeat clickers are not necessarily negligent or oblivious workers. Although highly confident in detecting phishing, they consistently miss the telltale signs. Their misplaced confidence may cause them to skip easy checks, like hovering over links, checking senders’ addresses, or taking a moment to scan for awkward language or typos.
They also tend to have rigid, reflex-based email behaviors. High email volumes and productivity pressures often produce a habitual reflex: scan, click, move on, rarely breaking the cycle to think critically about each message they receive.
The most telling trait is an absence of distrust toward digital communications. Where most employees learn to approach unsolicited attachments or high-priority requests with wariness, these individuals approach each message at face value, assuming all messages reflect good intentions, and rarely exercise the healthy skepticism needed to steer clear of phishing traps.
Why Generic Training Falls Short
Many training interventions, phishing simulations, and awareness programs focus on knowledge transfer but often overlook ingrained habits. Slide shows and annual refreshers are too generic to change the quick-to-click types. Repeat clickers need interventions that address their individual blind spots, disrupt automatic behaviors, and reinforce new habits in real time. For this, companies need to break away from information-focused training and move towards targeted interventions, homing in on individual behaviors, drivers, and contexts that drive repeat clicking, and intercepting them with smart, tailored measures.
Coaching the Clickers: Fear Isn’t a Strategy
It’s tempting to apply disciplinary measures, but guilt or shame won’t strengthen defenses. Repeat clickers already feel embarrassed by their mistakes, and punitive strategies will only undermine trust and openness. Supportive policies, rather than finger-pointing, will foster the safety mindset that users need to adopt.
Why Understanding Individual Behaviors Matters: The Human Risk Management Approach
The key takeaway in dealing with repeat clickers is that you can’t change deep-seated habits with broad-based campaigns. High-risk behaviors are a result of a mix of personality traits (risky habits, overconfidence) and environmental pressures (productivity needs, email overload). By drilling down to the “why” behind every click, you gain the leverage to create interventions that work at an individual level. Addressing repeat clickers requires an integrated, human risk management approach that addresses each user as a unique risk profile.
Practical Steps to Reduce Repeat Clicking
- Personalized dialogue with repeat clickers: Start with direct, compassionate dialogues. Blame or embarrassment should be avoided. Use surveys, interviews, and simulated drills to identify the precise triggers that drive each repeat clicker’s lapses. Sit-down discussions with repeat clickers can draw forth the assumptions they make when dealing with emails, including whether time constraints encourage hurried clicks and whether they are more dependent on visual cues than sender verification details.
- Tailor behavioral interventions: Implement light-touch interventions that break automatic clicking, such as micro-delays or confirmation prompts that insert a pause or on-screen prompt before a link opens; inducing decision friction through “email triage” steps, e.g., checking the sender domain or hovering over links before interacting; and employing behavioral nudges, e.g., pop-up prompts that encourage users to apply critical thinking before acting.
- Use environmental tweaks to reshape email routines: Reduce inbox noise by identifying and unsubscribing from non-essential newsletters or automated feeds. A less cluttered inbox makes suspicious emails stand out more prominently.
- Make security a personal win: Establish a culture where security is not only about compliance but also about identity and pride. Host department-level “Phish Spotting” competitions with bragging rights, gift cards, or prime parking as awards. Gamified aspects make vigilance fun instead of taxing. Reward those who improve, particularly repeat clickers who demonstrate a change in their behavior. Reward secure habits through internal newsletters or shout-outs.
- Segment and monitor: Treat repeat clickers as a separate cohort by segmenting them based on tracking click rates, creating targeted interventions, and delivering tailored feedback. Monitor cohort metrics, such as click fatigue, response times, training retention, and quantify improvements over time. Visualize progress through dashboards, identify patterns, and update tactics. Involve their managers in personalized coaching and recognition. By separating this high-risk group, security teams can distribute resources in a targeted manner, improve strategies incrementally, and drive sustained behavior change.
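An added example of the segment-and-monitor step (illustration written for this article, not the author's or KnowBe4's code): it assumes a flat per-campaign export from a phishing-simulation tool with constructed rows, flags users who clicked in at least two of their last three drills as the repeat-clicker cohort, and computes that cohort's click rate and mean time-to-click per campaign so improvement over time can be quantified.

```python
"""Segment repeat clickers from phishing-simulation results and track the cohort.
Added illustration, not KnowBe4's or the author's code; assumes one export row
per (campaign, user): campaign,sent_at,user,clicked,seconds_to_click (constructed)."""
from collections import defaultdict
from statistics import mean

SAMPLE_LOG = """\
c1,2024-01-10,alice,1,42
c1,2024-01-10,bob,0,
c1,2024-01-10,carol,1,15
c2,2024-02-12,alice,1,30
c2,2024-02-12,bob,0,
c2,2024-02-12,carol,0,
c3,2024-03-14,alice,0,
c3,2024-03-14,bob,1,600
c3,2024-03-14,carol,1,20
"""

def parse_log(text):
    """One dict per row; an empty seconds field means the user did not click."""
    rows = []
    for line in filter(None, text.splitlines()):
        campaign, sent_at, user, clicked, secs = line.split(",")
        rows.append({"campaign": campaign, "sent_at": sent_at, "user": user,
                     "clicked": clicked == "1", "seconds": int(secs) if secs else None})
    return rows

def repeat_clickers(rows, min_clicks=2, window=3):
    """Users who clicked in at least min_clicks of their last `window` campaigns."""
    history = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["sent_at"]):
        history[r["user"]].append(r["clicked"])
    return sorted(u for u, h in history.items() if sum(h[-window:]) >= min_clicks)

def cohort_metrics(rows, cohort):
    """Per-campaign click rate and mean seconds-to-click, for the cohort only."""
    per_campaign = defaultdict(list)
    for r in rows:
        if r["user"] in cohort:
            per_campaign[r["campaign"]].append(r)
    def summarise(rs):
        clicks = [r["seconds"] for r in rs if r["clicked"]]
        return {"click_rate": len(clicks) / len(rs),
                "mean_seconds": mean(clicks) if clicks else None}
    return {cid: summarise(rs) for cid, rs in sorted(per_campaign.items())}

def rate_change(metrics):
    """Cohort click rate in the latest campaign minus the first (negative = improving)."""
    rates = [m["click_rate"] for _, m in sorted(metrics.items())]
    return rates[-1] - rates[0]
```

The thresholds (two of the last three drills) are a starting point; tune them to the organization's campaign cadence before reporting on the cohort.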
Repeat clickers are a demonstration of human vulnerabilities that attackers exploit, but they are not hopeless. Transitioning from general awareness efforts to tailored, behavior-centered approaches that include empathy and positive reinforcement gives organizations the opportunity to re-educate high-risk individuals into prudent, cyber-resilient users.
Erich Kron is Security Awareness Advocate for KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management with over 70,000 customers and more than 60 million users. A 25-year veteran information security professional with experience in the medical, aerospace, manufacturing, and defense fields, he was a security manager for the U.S. Army's 2nd Regional Cyber Center-Western Hemisphere. He holds CISSP, CISSP-ISSAP, SACP, and other certifications. Erich has worked with information security professionals worldwide to provide tools, training and educational opportunities to succeed in information security.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.