Q&A: Prioritize Behavioral Change Over “Checkbox” Phishing Training, Recommends Hoxhunt CEO

Expert Insights interviews Mika Aalto, CEO of Hoxhunt.

Mika Aalto is the co-founder and CEO at Hoxhunt, a human risk management platform. Hoxhunt combines AI and behavioral science to deliver security awareness training and phishing simulation for organizations like Airbus, IGT, DocuSign, Nokia, AES, Avanade, and Kärcher.

As phishing continues to be one of the top causes of data breaches, Expert Insights recently reached out to Mika to get his insights on the state of the phishing threat landscape, and how organizations can develop a successful strategy to deal with phishing attacks.

What are the biggest challenges facing organizations in the phishing space today, and how are threats evolving?

The phishing threat landscape is evolving faster than people, processes, and technology can keep up with, when they are not purposefully aligned and integrated.

Modern threat actors are leveraging AI to craft sophisticated spear phishing campaigns at scale, bypassing traditional email filters and security mechanisms. These AI-generated attacks are highly targeted, personalized, and capable of deceiving even the most vigilant employees. This is particularly concerning in today’s age of supply chain attacks.

Adding to the complexity is the rise in omni-channel phishing. Attackers are exploiting not only email, but also SMS (smishing), social media, and messaging apps on personal devices, where people are more likely to click a phishing link. This expanded attack surface makes it difficult for organizations to maintain visibility and control over potential entry points.

CISOs have low visibility into phishing attacks that successfully bypass technical defenses. Email security solutions cannot guarantee 100% effectiveness, and many phishing attempts reach users without detection. This lack of visibility increases the risk of breaches and compromises that go undetected for so long that the damage spreads catastrophically. Malware and ransomware deployments, usually facilitated through phishing, are on the rise, stressing the importance of taking a lighthouse approach to human threat detection as integral to a holistic phishing defense.

The prevailing attitude of phishing training as ineffective signifies an overarching challenge to the phishing space. Organizations are attributing most of their cybersecurity budget to technology investments and settling for low-cost, ineffective SAT tools geared for compliance—thus continuing the belief that training is ineffective. This “check-a-box” mentality prevents organizations from adopting next-gen anti-phishing platforms that demonstrably reduce their risk of a phishing breach. Threat actors are making billions from our slow adoption rates.

How does the Hoxhunt platform help teams address these challenges, and how do you differentiate the platform in this competitive space?

Hoxhunt’s platform breaks the mold of traditional SAT by focusing on personalized, adaptive training that actually changes behavior, rather than just ticking a compliance box. We use principles of behavioral science and AI to deliver tailored phishing simulations at scale, and training curriculums evolve based on each individual’s learning curve and performance.

Unlike other platforms that operate with a static approach, Hoxhunt is dynamic and fully automated, scaling effortlessly across large organizations while maintaining high engagement with a blend of gamification, real-time feedback, and personalized training. 

What sets Hoxhunt apart is its (measurable) effectiveness.

We have data to prove a reduction in human risk in both simulated and real environments—the global 6x drop in click rates and 9x rise in simulated reporting rates translates to a 10x rise in real threat detection. Over 2/3 of active Hoxhunt participants report a real phishing attack within one year of starting training.

Qualcomm recently won a CSO50 Award for their work with us. They opted to deploy Hoxhunt to just their 1,000 worst repeat phishing offenders to test the effect adaptive phishing training would have. See what Kris Virtue, Global Head of Cybersecurity at Qualcomm, had to say:

“In their 9-month-long enrollment with Hoxhunt, our riskiest user cohort went from having 2x the phishing failure rate of their colleagues to roughly half. These results helped us initiate a global rollout of Hoxhunt to all of our employees, who have since dropped their failure rates by 4x.”

What are your top recommendations for CISOs looking for a phishing protection and simulation solution?

For CISOs evaluating solutions, my first recommendation is to understand that human-based attacks can be your biggest opportunity for risk reduction if you look for training solutions that go beyond compliance and create measurable behavior and culture change. Ensure that the solution you choose changes behavior with real attacks and that it has reporting capabilities to actually measure the impact across the organization. Engaging training with tailored learning paths is key to empowering your workforce as an effective line of defense.

Second, integration with your existing tech stack is crucial. The solution should work with your SOC tools and enhance your overall threat intelligence. This way, your investment in training feeds directly into a stronger, more coordinated security posture.

Third, demand Outcome-Driven Metrics (ODMs) from your security awareness team. Evidence of a solution’s impact on real threat detection and employee behavior change will help you discern results and justify a dedicated investment in human risk reduction. 

Lastly, choose a partner, not just a product. Select a vendor that will evolve with your organization’s needs and provide ongoing support, insights, and enhancements. Phishing tactics evolve, and so should your training.

What trends do you expect to see in the phishing space in 2025?

In 2025, I anticipate seeing even more sophisticated phishing attacks powered by advancements in AI. Attackers will use AI agents to tirelessly search for vulnerabilities, open-source intelligence to fuel personalized attacks, text-based AI to mimic human writing styles, and deepfake technology to create more convincing impersonations faster and cheaper than ever before. This will eventually push organizations to adopt more advanced training tools; it’s just a matter of when—before or after a breach.

Another trend will be the integration of human risk analytics into phishing prevention strategies. Organizations can now analyze user behavior patterns and training performance data to pre-emptively identify vulnerable employees and target dynamic interventions. This shift from reactive to proactive phishing protection will be essential as the negative impacts of human-based breaches hit an all-time high.

In your view, what should organizations’ top phishing protection planning priorities for 2025 be?

The top priority should be evolving from static SAT programs to adaptive security training that engages employees and fosters measurable behavior and culture change. Then, organizations should put training, culture, and behavior change at the center of their security stack so as to measure its effectiveness alongside broader security initiatives.

This entails changing KPIs to measure detection rather than click rates, too, because that is the best evidence of reduced risk. Measurement will be crucial to understand how many resources to invest here.

Phishing tactics are evolving, so your training must evolve, too. Every employee should know how to recognize and report phishing attempts confidently, whether they occur in email, Teams, SMS, or WhatsApp. But they must also be motivated to actively participate in cybersecurity on a continuous basis. Empowered employees who see cybersecurity as a shared responsibility are the strongest defense against phishing.
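The KPI shift the answer above calls for (detection and reporting rather than click rate alone), shown as an added illustration that is not Hoxhunt's code or any product's metric definitions: a small Python script turns constructed phishing-simulation telemetry into outcome-driven metrics (failure rate, report rate, median minutes-to-report) and compares a repeat-offender cohort with the rest of the workforce. The event format, the sample data and the two-click cohort threshold are assumptions made for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample telemetry: (user, campaign, event, minutes after send).
# One "sent" row per simulated email, plus optional "clicked"/"reported" rows.
EVENTS = [
    ("alice", "c1", "sent", 0), ("alice", "c1", "reported", 4),
    ("bob", "c1", "sent", 0), ("bob", "c1", "clicked", 10), ("bob", "c1", "reported", 12),
    ("carol", "c1", "sent", 0), ("carol", "c1", "clicked", 120),
    ("dave", "c1", "sent", 0),
    ("alice", "c2", "sent", 0), ("alice", "c2", "reported", 20),
    ("bob", "c2", "sent", 0), ("bob", "c2", "clicked", 30),
    ("carol", "c2", "sent", 0), ("carol", "c2", "reported", 60),
    ("dave", "c2", "sent", 0),
]

def outcomes(events):
    """Collapse rows into one record per (user, campaign), keeping the earliest time per event."""
    rows = defaultdict(dict)
    for user, campaign, event, minute in events:
        rec = rows[(user, campaign)]
        rec[event] = min(minute, rec.get(event, minute))
    return rows

def metrics(events):
    """Outcome-driven metrics: click (failure) rate, report rate and median minutes-to-report."""
    rows = outcomes(events)
    sent = len(rows)
    failed = sum("clicked" in r for r in rows.values())      # clicked, reported or not
    reported = sum("reported" in r for r in rows.values())   # reported, clicked or not
    ttr = [r["reported"] - r["sent"] for r in rows.values() if "reported" in r]
    return {
        "failure_rate": failed / sent,
        "report_rate": reported / sent,
        "median_minutes_to_report": median(ttr) if ttr else None,
    }

def cohort_failure_rates(events, min_failures=2):
    """Failure rate of repeat offenders (>= min_failures clicks) versus everyone else."""
    per_user = defaultdict(lambda: [0, 0])  # user -> [emails received, clicks]
    for (user, _), r in outcomes(events).items():
        per_user[user][0] += 1
        per_user[user][1] += "clicked" in r
    risky = {u for u, (_, c) in per_user.items() if c >= min_failures}
    def rate(users):
        s = sum(per_user[u][0] for u in users)
        return sum(per_user[u][1] for u in users) / s if s else None
    return rate(risky), rate(set(per_user) - risky)
```

Report rate and time-to-report are the figures a SOC can act on, since a fast first report is what turns a user into a detection sensor for real campaigns.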
