During my career as a System Engineer, I’ve frequently encountered clients and colleagues eager to implement phishing exercises as a key part of their cybersecurity strategy. While the intent (to educate employees and reduce their vulnerability to phishing attacks) is commendable, I’ve observed that these exercises often fall short of their goals and can even have unintended negative consequences. Recent research, including a study from ETH Zürich, supports this view, suggesting that phishing exercises may be not only ineffective but also damaging to trust within the organisation.