Back to Blog
Case Studies · 8 min read · Dec 8, 2024

Reducing Phishing Click-Through by 92% at a Financial Firm

A phishing case study: how a mid-market financial firm cut click-through rates from 18% to 1.5% in 9 months through phishing prevention layers.

Customer Success

Revealer.US

The Starting Point

When our customer success team began working with a mid-market financial services firm in the Midwest, their phishing prevention posture looked familiar. Roughly 1,100 employees, a SOC of four analysts, a legacy secure email gateway, and quarterly security awareness training delivered through a learning management system that nobody opened voluntarily. The baseline phishing simulation we ran in month one produced a click-through rate of 18.3 percent and a credential submission rate of 6.1 percent. For a firm that moves client funds and processes wire instructions daily, those numbers were not acceptable.

Nine months later, the same firm reported a click-through rate of 1.5 percent on simulated phishing and zero confirmed credential submissions during the final measurement window. This phishing case study walks through how that transformation actually happened, what worked, what did not, and how continuous exposure monitoring quietly became the most valuable piece of the program.

Why Traditional Security Awareness Training Fails

Before the program launched, the firm had been running annual security awareness training for six years. Completion rates were strong on paper. Real-world click-through rates never moved. The root causes turned out to be the same ones we see across the industry.

The Annual Training Trap

  • Content was generic and aged poorly against modern lures
  • Employees treated it as a compliance checkbox, not a skill
  • There was no feedback loop between real incidents and training content
  • Finance, operations, and executive assistants received the same material despite facing very different threats

The Measurement Gap

The firm tracked completion, not behavior change. Nobody knew which employees were repeatedly clicking, which departments were being targeted, or how employee behavior correlated with actual exposed credentials surfacing in stealer logs. Without that visibility, every dollar spent on training was a guess.

Building the Four-Pillar Program

We designed a program around four pillars that reinforced one another. Any single pillar on its own would have produced marginal gains. Together they compounded.

Pillar 1: Realistic Simulated Phishing

Monthly simulated phishing campaigns replaced the old quarterly model, with lures rotated across the techniques employees were actually seeing in production.

  1. Credential harvesting pages mimicking Microsoft 365 and the firm's VPN portal
  2. QR code phishing embedded in PDF attachments, targeting mobile-device scanning behavior
  3. MFA fatigue scenarios simulating push-bombing after a hypothetical credential leak
  4. Vendor impersonation lures referencing real suppliers the finance team worked with
  5. Voicemail and Teams-message callback lures targeting the executive assistant pool

Difficulty escalated over time. In month one the lures had obvious red flags. By month six they included cloned branding, valid-looking sender domains registered days earlier, and contextual hooks pulled from publicly available firm news.

Pillar 2: Just-in-Time Training

The biggest behavioral shift came from killing scheduled training entirely for most of the workforce and replacing it with just-in-time training triggered by actual clicks. When an employee clicked a simulated lure, they landed on a 90-second micro-lesson tied to the specific technique that had fooled them. No slide decks, no certificates, no quizzes longer than three questions.

Employees who never clicked received quarterly five-minute refreshers. Repeat clickers were enrolled in a coached track with their manager notified. This turned training from a calendar event into a consequence.

Pillar 3: Exposure Monitoring via Revealer.US

This was the pillar the firm had never considered. We onboarded their domains into Revealer.US and began continuously monitoring for employee credentials appearing in stealer logs, combolists, and breach datasets. Within the first 30 days we surfaced 47 exposed employee credentials, including 12 that still worked against the firm's VPN and 3 that belonged to users with privileged access.

The operational value was twofold.

  • Immediate containment: Compromised accounts were reset and investigated before attackers could exploit them
  • Employee risk scoring: Users whose credentials appeared in external exposures were flagged as higher-risk and routed into the coached training track, regardless of whether they had clicked a simulation

Employee risk scoring became the connective tissue of the program. Instead of treating all 1,100 employees identically, the SOC focused its limited attention on the roughly 80 users whose combined signals (clicks, exposures, department, and access level) placed them in the top risk quintile.
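The scoring and routing described in Pillars 2 and 3, as an added example that is not the vendor's or the firm's code: the weights, thresholds and the quintile cut are assumptions (the post names the signals but gives no formula), and the roster is constructed.

```python
from dataclasses import dataclass
from math import ceil
# Weights are illustrative assumptions; the post describes the signals but gives no formula.
DEPT_WEIGHT = {"finance": 3, "executive_assistant": 3, "operations": 2, "engineering": 1}
ACCESS_WEIGHT = {"privileged": 4, "standard": 1}

@dataclass
class Employee:
    user: str
    department: str
    access: str
    sim_clicks: int                     # clicks on simulated lures in the window
    exposures: int                      # credentials seen in stealer logs / breach data
    exposure_still_valid: bool = False  # an exposed credential still worked when checked

def risk_score(e: Employee) -> float:
    """Combine the four signals the post names: clicks, exposures, department, access."""
    score = 2.0 * e.sim_clicks + 5.0 * e.exposures
    if e.exposure_still_valid:
        score += 10.0                   # live credential: highest-urgency signal
    score += DEPT_WEIGHT.get(e.department, 1) + ACCESS_WEIGHT.get(e.access, 1)
    return score

def training_track(e: Employee) -> str:
    """Any external exposure -> coached (regardless of clicks); repeat clicker -> coached;
    one click -> just-in-time micro-lesson; never clicked -> quarterly refresher."""
    if e.exposures > 0 or e.sim_clicks >= 2:
        return "coached"
    if e.sim_clicks == 1:
        return "just_in_time"
    return "quarterly_refresher"

def top_quintile(employees):
    # Highest-scoring 20% of staff (rounded up): the set the SOC concentrates on.
    ranked = sorted(employees, key=risk_score, reverse=True)
    return ranked[:ceil(len(ranked) / 5)]

# Constructed sample roster (not real users).
STAFF = [
    Employee("a.alvarez", "finance", "standard", 0, 0),
    Employee("b.chen", "finance", "standard", 3, 0),                 # repeat clicker
    Employee("c.diaz", "operations", "privileged", 0, 1, True),      # exposed, still valid
    Employee("d.evans", "engineering", "standard", 1, 0),
    Employee("e.frost", "executive_assistant", "standard", 0, 2),    # junior, exposed twice
    Employee("f.gupta", "operations", "standard", 0, 0),
    Employee("g.hale", "finance", "privileged", 0, 0),               # senior, clean record
    Employee("h.ito", "operations", "standard", 2, 0),
    Employee("j.kim", "engineering", "standard", 1, 0),
]
```

Note that e.frost (standard access, two exposures) outranks g.hale (privileged, clean record), which is the "personalize by risk, not by role" point the post makes later.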

Pillar 4: Hardened Email Security

The firm replaced its legacy secure email gateway with a modern API-based email security layer that could inspect post-delivery messages, rewrite URLs, and detonate attachments in a sandbox. We layered DMARC enforcement at p=reject, enabled strict SPF alignment, and implemented banner warnings on any external email containing financial keywords. None of this was novel. It simply had not been done.
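An added example, not the firm's configuration or Revealer.US code, that checks a DMARC TXT record against the settings named above (p=reject, strict SPF alignment) and applies the external-sender financial-keyword banner rule; the records, domains and keyword list are constructed placeholders.

```python
import re

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into tag/value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(txt: str) -> list:
    """Return the gaps between a record and the settings the program enforced."""
    t = parse_dmarc(txt)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if t.get("p", "none") != "reject":           # p is required; treat a missing tag as none
        findings.append(f"p={t.get('p', 'none')}: spoofed mail is not rejected; set p=reject")
    if t.get("aspf", "r") != "s":                # DMARC defaults to relaxed alignment
        findings.append("aspf=r: SPF alignment is relaxed; set aspf=s for strict alignment")
    if int(t.get("pct", "100")) < 100:           # pct defaults to 100
        findings.append(f"pct={t['pct']}: policy applies to only part of the mail stream")
    if "rua" not in t:
        findings.append("no rua=: aggregate reports are not being collected")
    return findings

# Constructed keyword list; a real deployment would tune this to the firm's vocabulary.
FINANCIAL_KEYWORDS = ("wire", "invoice", "payment", "routing number", "ach", "bank details")

def needs_banner(sender_domain: str, subject: str, body: str, internal_domains) -> bool:
    """True when an external message mentions money movement and should carry a warning banner."""
    if sender_domain.lower() in internal_domains:
        return False
    text = f"{subject} {body}".lower()
    return any(re.search(rf"\b{re.escape(k)}\b", text) for k in FINANCIAL_KEYWORDS)

# Constructed records (example.com placeholders, not the firm's DNS).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED_RECORD = "v=DMARC1; p=reject; aspf=s; pct=100; rua=mailto:dmarc@example.com"
```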

Measurement Methodology

A program without a measurement methodology is a story, not a case study. We tracked four metrics across the nine-month window.

  • Click-through rate (CTR): Percentage of recipients who clicked a simulated lure
  • Credential submission rate (CSR): Percentage who then entered credentials on the landing page
  • Report rate (RR): Percentage who reported the message via the report-phish button
  • Mean time to report (MTTR): Minutes between delivery and first report

Simulations were sent in waves of roughly 250 recipients, rotated so no single employee received more than one campaign per month. We controlled for lure difficulty by scoring each campaign against a standardized rubric, and compared month-over-month trends only across lures of similar difficulty.
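An added example (not from the original post) that computes the four metrics from per-recipient simulation records and compares months only within one rubric difficulty, as the methodology above requires; the campaigns, the 1 to 5 rubric scale and the field names are constructed.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Recipient:
    user: str
    clicked: bool
    submitted: bool                     # entered credentials on the landing page
    reported_after_min: Optional[int]   # minutes from delivery to report; None if never

@dataclass
class Campaign:
    month: int
    difficulty: int      # rubric score: 1 = obvious red flags ... 5 = cloned brand, fresh domain
    recipients: list

def metrics(c: Campaign) -> dict:
    """CTR, CSR and RR as percentages of recipients; MTTR as minutes to the first report."""
    n = len(c.recipients)
    clicks = sum(r.clicked for r in c.recipients)
    subs = sum(r.submitted for r in c.recipients)
    reports = [r.reported_after_min for r in c.recipients if r.reported_after_min is not None]
    return {
        "ctr": round(100 * clicks / n, 1),
        "csr": round(100 * subs / n, 1),
        "rr": round(100 * len(reports) / n, 1),
        "mttr_min": min(reports) if reports else None,
    }

def trend(campaigns, difficulty, metric="ctr"):
    """Month-over-month series for ONE rubric difficulty, so harder lures introduced
    later in the program cannot mask (or fake) improvement."""
    same = sorted((c for c in campaigns if c.difficulty == difficulty), key=lambda c: c.month)
    return [(c.month, metrics(c)[metric]) for c in same]

def make_campaign(month, difficulty, n, clicks, subs, report_minutes):
    """Constructed wave: first `clicks` recipients clicked, first `subs` also submitted."""
    recs = []
    for i in range(n):
        j = i - (n - len(report_minutes))   # reporters are the last recipients, not clickers
        rep = report_minutes[j] if j >= 0 else None
        recs.append(Recipient(f"user{i:03d}", i < clicks, i < subs, rep))
    return Campaign(month, difficulty, recs)

# Constructed sample: three waves of 20 recipients (not the firm's data).
CAMPAIGNS = [
    make_campaign(1, 2, 20, clicks=4, subs=1, report_minutes=[42, 55]),
    make_campaign(3, 2, 20, clicks=2, subs=1, report_minutes=[18, 25, 30, 40, 60]),
    make_campaign(3, 4, 20, clicks=5, subs=2, report_minutes=[30, 45]),  # harder lure
]
```

The month-3 difficulty-4 wave has a higher CTR than the month-1 baseline, which is exactly why the raw month-over-month number is misleading and only the difficulty-2 series shows the real improvement.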

Results

The numbers moved in the direction we wanted, but not in a straight line.

Month-by-Month Trajectory

  • Month 1 baseline: 18.3% CTR, 6.1% CSR, 9% RR, 42-minute MTTR
  • Month 3: 11.7% CTR, 3.4% CSR, 24% RR, 18-minute MTTR
  • Month 5: 6.2% CTR, 1.2% CSR, 41% RR, 11-minute MTTR
  • Month 7: 3.8% CTR, 0.4% CSR, 58% RR, 7-minute MTTR
  • Month 9: 1.5% CTR, 0.0% CSR, 67% RR, 4-minute MTTR

The report rate mattered as much as the click-through rate. By month nine, employees were reporting suspicious messages within minutes, giving the SOC actionable signal on real-world campaigns before they spread.

What Did Not Work

Two interventions we tried early produced no measurable benefit and were dropped.

  1. Gamified leaderboards ranking departments by click rate. Finance hated being publicly shamed, and the leaderboard created incentives to hide clicks rather than learn from them.
  2. Long-form monthly newsletters summarizing recent threats. Open rates hovered near 8 percent. The content was good. Nobody read it.

Lessons for Security Leaders

The firm's transformation was not the result of any single vendor, tool, or training platform. It was the result of tightly coupling four feedback loops so that real-world exposure data informed training, training informed simulations, simulations informed risk scoring, and risk scoring drove where the SOC spent its time.

Three takeaways generalize to any organization attempting similar results.

  • Measure behavior, not completion. Training hours are vanity metrics. CTR, CSR, and report rate are what actually move.
  • Personalize by risk, not by role. A junior analyst with exposed credentials in a stealer log is a higher-priority training target than a senior executive with a clean record.
  • Integrate exposure monitoring early. Phishing prevention without visibility into what has already leaked is half a program. Real-time stealer log monitoring closed the loop the firm did not know was open. You can see how we approach this on our pricing page.

Conclusion

A 92 percent reduction in phishing click-through is achievable, but it requires accepting that annual security awareness training is not a program; it is a ritual. This phishing case study succeeded because the firm stopped treating phishing prevention as a compliance exercise and started treating it as a measurable operational discipline, with exposure monitoring as the early warning system that made everything else work.

The most interesting data point, nine months in, was not the click-through rate. It was that the SOC spent 40 percent less time chasing false positives, because the same risk scoring model that prioritized training also prioritized alerts. The program paid for itself twice.


Want to build a phishing prevention program that actually moves the numbers? Start a free trial of Revealer.US and give your security awareness training the exposure data it has been missing.
