A Clicking Time Bomb: What To Do About Repeat Clickers

Bex Bailey | Jun 23, 2025


I recently had several conversations about repeat clickers. First with a Forrester analyst and then, shortly after, at KB4-CON Orlando following a presentation on the subject by Matthew Canham, Executive Director of the Cognitive Security Institute.

After that, my approach was a little less organic: intrigued by the topic, I spoke with several KnowBe4 customers to find out how they manage repeat clickers. 

The term “repeat clickers” is pretty self-explanatory: they’re the individuals who continually click on suspicious links in emails - whether in phishing simulations or, more dangerously, in actual phishing attacks. This is more than the occasional error. Here, we’re talking about those same names that frequently come up as having interacted with simulations or caused a security incident. 

Repeat clickers represent a significant cybersecurity risk to their organizations. At the same time, they’re often among some of the most valued employees. The challenge, then, is how to reduce this risk in a fair and just way that keeps these individuals invested in their work. 

The Disproportionate Risk and Return of Repeat Clickers

Canham’s research into this area is fascinating. In a pilot study, he defined repeat clickers as people who interacted with three or more phishing simulations. He found that:

  • Only 0.83% of participants fell into this category
  • Yet they were nearly 10 times more likely to interact with a simulation than the wider group

Let’s just pause there. Repeat clickers are, typically, less than 1% of the employee base, yet they represent 10 times the phishing risk of other employees.
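To make the definition and the statistic concrete, here is an added example (not from the original post, and not KnowBe4 or Canham’s code) that applies the pilot-study definition to a phishing-simulation export. It assumes a simple per-delivery record of (user, campaign, clicked, reported); the rows below are constructed for the example, so the percentages they produce illustrate the calculation only and are not the study’s figures.

```python
from collections import defaultdict
from dataclasses import dataclass

# Canham's pilot definition: three or more simulation interactions.
REPEAT_CLICKER_THRESHOLD = 3

# Constructed sample export, one row per (user, campaign) delivery:
# (user, campaign, clicked, reported). Made up for this example.
SAMPLE_RESULTS = [
    ("alice", "q1", False, True), ("alice", "q2", False, True),
    ("alice", "q3", False, True), ("alice", "q4", False, True),
    ("bob", "q1", True, False), ("bob", "q2", True, False),
    ("bob", "q3", True, False), ("bob", "q4", False, False),
    ("carol", "q1", False, False), ("carol", "q2", True, False),
    ("carol", "q3", False, False), ("carol", "q4", False, False),
    ("dave", "q1", False, False), ("dave", "q2", False, False),
    ("dave", "q3", False, False), ("dave", "q4", False, False),
    ("erin", "q1", True, False), ("erin", "q2", True, False),
    ("erin", "q3", True, False), ("erin", "q4", True, False),
]


@dataclass
class UserStats:
    delivered: int = 0
    clicked: int = 0
    reported: int = 0


def summarize(results):
    """Aggregate per-user delivery, click and report counts."""
    stats = defaultdict(UserStats)
    for user, _campaign, clicked, reported in results:
        s = stats[user]
        s.delivered += 1
        s.clicked += int(clicked)
        s.reported += int(reported)
    return dict(stats)


def repeat_clickers(stats, threshold=REPEAT_CLICKER_THRESHOLD):
    """Users who interacted with `threshold` or more simulations."""
    return sorted(u for u, s in stats.items() if s.clicked >= threshold)


def protective_stewards(stats):
    """Users who never clicked and reported every simulation they received."""
    return sorted(u for u, s in stats.items()
                  if s.delivered > 0 and s.clicked == 0 and s.reported == s.delivered)


def cohort_risk(stats, cohort):
    """Compare the click rate of `cohort` against everyone else.

    Returns (share_of_population, cohort_rate, rest_rate, relative_risk).
    relative_risk is None when the rest of the population never clicked,
    since the ratio is then undefined rather than infinite."""
    cohort = set(cohort)
    c_del = sum(s.delivered for u, s in stats.items() if u in cohort)
    c_clk = sum(s.clicked for u, s in stats.items() if u in cohort)
    r_del = sum(s.delivered for u, s in stats.items() if u not in cohort)
    r_clk = sum(s.clicked for u, s in stats.items() if u not in cohort)
    share = len(cohort) / len(stats) if stats else 0.0
    c_rate = c_clk / c_del if c_del else 0.0
    r_rate = r_clk / r_del if r_del else 0.0
    rel = c_rate / r_rate if r_rate else None
    return share, c_rate, r_rate, rel


if __name__ == "__main__":
    stats = summarize(SAMPLE_RESULTS)
    rc = repeat_clickers(stats)
    share, c_rate, r_rate, rel = cohort_risk(stats, rc)
    print(f"repeat clickers: {rc} ({share:.1%} of users)")
    print(f"protective stewards: {protective_stewards(stats)}")
    print(f"click rate: cohort {c_rate:.1%} vs rest {r_rate:.1%}")
    print("relative risk:", "n/a" if rel is None else f"{rel:.1f}x")
```

On the constructed rows, `bob` and `erin` meet the three-interaction threshold, `alice` is the only protective steward, and the repeat-clicker cohort clicks at 87.5% versus 8.3% for everyone else, a 10.5x ratio. Real exports are far larger and the cohort far smaller, which is exactly why the study’s sub-1% share and 10x risk multiplier are worth computing on your own data rather than assuming.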

During his presentation at KB4-CON, Canham also highlighted that these individuals are often of significant value to their organizations, frequently holding high-ranking positions. He cited one example of a known repeat clicker who interacted with a real phishing attack, leading to a cyber incident. This individual also happened to be a Nobel Prize winning scientist. 

Similarly, one of the customers I spoke to (anonymously) described a concerning repeat clicker they’d had in their organization: a senior employee, who is an incredible asset to the company and who, pretty much, used to click every link in every email - including phishing simulations on subjects totally unrelated to their role. 

It’s not just the business value these people represent. The same research study from Canham (rather logically) states that mitigating this disproportionate risk can offer substantial return on investment (ROI). You’ve just got to get your repeat clickers to stop clicking.

There’s Something Different About Repeat Clickers 

When anyone receives a phishing email (real or simulated) certain factors come into play. Some of these change on a case-by-case basis, such as context (e.g. someone might be more susceptible on a day when they’re rushing) or the social engineering techniques used. 

Then there are stable factors (things that are less likely to change), which Canham lists in his research as cultural influences and individual traits - with the latter described as “the primary factor” in repeat clicking. 

In a later study, Canham begins to unpack some of these traits - and shares what is possibly my favorite anecdote from his research. 

At the other end of the spectrum from repeat clickers are a group labeled “protective stewards”, who always identify phishing simulations and habitually report them. Canham asked both groups to remember a code word of their choosing - such as a pet’s name. In later interviews, all protective stewards remembered their code words while all repeat clickers forgot theirs! 

Tying into this, repeat clickers also struggled to recall the phishing simulations they interacted with, although in part, this might be due to embarrassment. 

The research begins to demonstrate the cognitive differences between the individuals who exhibit the most desirable cybersecurity behaviors (not interacting with simulations and reporting them) and those who repeatedly exhibit the least desirable ones (repeated interactions that go unreported). 

In addition to forgetfulness, repeat clickers also seem to have:

  • A more internally oriented locus of control, meaning they feel more in control of their own destiny
  • High confidence (which I think we can safely call “overconfidence”) in their ability to detect phishing emails 
  • A lack of distrust or skepticism (making them more susceptible to social engineering attacks)
  • Rigid, rather than adaptive, email habits - such as the individual mentioned earlier, who clicks on hyperlinks in all emails seemingly on autopilot

It’s easy to see how this explosive cocktail of traits interacts to cause someone to repeatedly interact with phishing emails. Ultimately, many of these factors are deeply ingrained - but they can be influenced with the right approaches. 

Beyond Punishment: You Probably Can’t Make Repeat Clickers Feel Worse

Generally speaking, most organizations avoid punitive measures, seeing them as counterproductive to a positive cybersecurity culture that encourages transparency for swift remediation of any potential incidents. However, in the search for a solution to repeat clickers, I’m sure many cybersecurity professionals have questioned whether some form of punishment might elicit more secure behaviors. 

The answer, however, is that it won’t. Both Canham and the customers I spoke to broadly agree that repeat clickers already feel bad enough, so punishment simply won’t work because it can’t make them feel worse. 

Practical Steps You Can Take to Reduce Repeat Clicking

So what can you do? Below are several steps that I discussed with our customers - each of them uses some combination of these, and some use all of them. 

Talk to Your Repeat Clickers

Once you’ve identified your repeat clickers, you need to speak to them. These conversations should be free from any recrimination and center on increasing understanding about an individual’s behavior and email habits. 

One Cybersecurity Manager I spoke to described how, in one conversation, the employee acknowledged the risk they were creating and stated they didn’t feel able to change their behavior alone. This allowed the Cybersecurity Manager to work alongside the individual on risk reduction strategies that the employee was also invested in. 

Other customers also mentioned hosting informal drop-in sessions, such as lunch and learns, and company-wide surveys about simulations. Although these activities don’t home in on repeat clickers alone, they can help foster a culture of open communication and beneficial feedback loops. 

Take a Personalized Approach

The research suggests that repeat clicking is driven by individual traits - so it makes sense that a personalized approach will help mitigate this risk. 

Thanks to the evolution of AI-powered human risk management (HRM) platforms, tailoring cybersecurity to the individual is becoming easier than ever. While this is an organization-wide initiative, it provides tailored technical interventions and guidance in a way that’s highly relevant to each person. Here, you’re not expecting every individual to always make consciously secure decisions on their own, but rather, helping them do so through contextual and risk-based interventions. 

Disrupt Their Behaviors

For some, repeat clicking is a habit they’ve formed as they use email - one that they need help breaking. One of the customers I spoke to had deployed KnowBe4 Second Chance to a repeat clicker who believed theirs was an ingrained behavior. Every time they clicked a link, Second Chance would confirm whether they wanted to proceed to the end destination. 

The customer intentionally used this for a set period of time and agreed with the employee it would be removed once they had altered their behavior (evidenced through phishing simulations). This ensured the employee didn’t become desensitized to Second Chance, meaning the Cybersecurity Manager could utilize it again in future (if needed) and offered a form of ‘reward’ to the employee if they were able to change. 

It worked! Within the timeframe, the employee (who’d previously failed every simulation) managed to reduce their risk by over 80%. 

Side note: while this worked effectively for the repeat clicker, time-of-click URL analysis, such as that offered by KnowBe4 Defend, is an organization-wide approach. Where a URL is deemed safe, the employee is routed directly to the website; where it is suspicious, the employee can be blocked entirely from visiting the site. This is a much less disruptive approach, suited to non-repeat clickers. (Of course, this can be turned off for simulations!)

Get Creative! 

When you speak to the individuals, you might find more unique ways to help them. One customer, for example, had a repeat clicker with a disproportionately high volume of emails. The Security team produced a list that the employee reviewed and then the team unsubscribed them from any unnecessary emails to reduce noise in the inbox. Alternatively, you could consider advanced graymail filtering. 

Another initiative might be to run a separate training and simulation program tailored to ensuring that repeat clickers are able to identify the greatest threats to your individual organization. This will require time from someone in your team to set up, but increasing AI-driven automation within training platforms will free up resources that you could dedicate to initiatives like this. 

Create a Positive Environment

To help incentivize the secure behaviors, many of our customers run annual tournaments or pit offices/departments against each other in “Spot the Phish Leaderboards”. Prizes range from bragging rights to the latest tech gadget and (perhaps the most creative) a prime parking spot in the company lot!

Additionally, several customers also mentioned that they didn’t want remedial training following phishing failures to create negative associations with training in general. Overall, the feedback they had was that employees see the value of simulations and training - and they wanted to keep it that way! (For more on how employees feel about simulations, check out our blog "Breaking the Stigma: 90% of Employees Agree that Phishing Simulations Improve their Security Awareness.") 

In some cases, remedial training was renamed “refresher training” and lunch and learns had similarly positive names, with focus on “helping” and not “enforcing”. 

Behavioral Change Is Possible - But There’s No Silver Bullet 

Repeat clickers are unique, with their behavior driven by individual traits, so there’s no silver bullet that can solve this problem. Your response has to be personalized. 

The customers I spoke with validated this, coming alongside their repeat clickers until they were able to change the way they interacted with emails to significantly decrease risk. The approaches mentioned here can be transferred to your organization - and, by speaking with your repeat clickers, you might come up with more!


Stop Advanced Phishing Attacks with KnowBe4 Defend

KnowBe4 Defend takes a new approach to email security by addressing the gaps in M365 and Secure Email Gateways (SEGs). Defend helps you respond to threats quicker, dynamically improve security and stop advanced phishing threats. It reduces admin overhead, enhances detection and engages users to build a stronger security culture.

With KnowBe4 Defend you can:

  • Reduce risk of data breaches by detecting threats missed by M365 and SEGs
  • Free up admin resources by automating email security tasks
  • Educate users with color-coded banners to turn risks into teachable moments
  • Continuously assess and dynamically adapt security detection reducing admin overhead
  • Leverage live threat intelligence to automate training and simulations

Request a Demo

PS: Don't like to click on redirected buttons? Cut and paste this link in your browser:

https://www.knowbe4.com/products/defend-demo
