What’s “phish fatigue”?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've run the security training. You've sent the simulated phishing tests. You've added the banner that says "This email came from outside your organization." And now your team... clicks straight through all of it without reading a word. That's phish fatigue.
Phish fatigue is what happens when people are exposed to so many security warnings, phishing simulations, and alerts that they stop registering them. The warnings become wallpaper. And when a real phishing attempt arrives, it blends right in with everything else they've been trained to ignore.
It's not laziness or carelessness on the part of your team. It's a predictable human response to signal overload. When everything is flagged as urgent, nothing feels urgent.
What actually causes it
Too many false positives. If your security tools flag legitimate emails from known vendors, your team learns to dismiss warnings automatically. Once that habit forms, it's hard to break. Studies suggest that false positive rates above 5% are enough to erode trust in security alerts significantly.
Simulation overload. Internal phishing simulations are a useful training tool, but when they happen too frequently (more than once a month for most teams), people stop engaging with them seriously. They start pattern-matching on "this feels like a test" instead of actually evaluating the email.
No feedback loop. If someone reports a suspicious email and never hears back, they stop reporting. It feels like shouting into a void. That silence trains people to stop caring.
Complicated reporting. If reporting a suspicious email takes more than two clicks, most people won't do it. Friction kills good behavior.
How to measure whether you have a problem
A few numbers worth tracking:
- Phishing simulation click-through rate over time. If it's trending up, fatigue is setting in.
- Security report submission rate. If it's dropping, your team has stopped engaging.
- False positive rate on flagged emails. Anything above 5-10% is worth addressing.
- Time-to-report on simulations. If reports slow down, engagement is falling off.
What to actually do about it
Reduce the noise before you add more signal. Audit your current warnings and banners. Are all of them earning their place? If your "external sender" banner fires on every newsletter your team subscribes to, it's not protecting anyone. It's just decoration.
Close the feedback loop. When someone reports a suspicious email, tell them what happened. Even a short automated message like "Thanks, we reviewed this and it was safe" teaches your team that reporting matters. That's reinforcement, and it works.
Space out simulations. Industry guidance generally points to quarterly simulations as a reasonable cadence for most organizations. Monthly is usually too frequent. When you do run simulations, vary the format so people can't pattern-match on what a "test" looks like.
Make reporting genuinely easy. A one-click "Report phishing" button in the email client beats any other method. If your current setup requires forwarding to a security alias with a specific subject line, fix that.
Focus on the highest-risk users. Rather than blasting everyone with the same volume of training, identify the roles most likely to be targeted (finance, HR, executives, anyone who handles wire transfers or credentials) and tailor the intensity to those groups. Everyone else gets lighter-touch awareness.
Phish fatigue is a sign that your security program is overtuned, not that your team is hopeless. The fix is usually less volume and better feedback, not more warnings. Quality of alerts really does matter more than quantity. (And yes, that's a counterintuitive conclusion from a security standpoint, but the research backs it up.)
Still if you're unsure whether your email setup is contributing to the noise problem (think misleading banners, poorly authenticated senders, or external mail that looks internal), our SOS hotline is a free place to think it through.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.