You've likely fallen for it before—a simulated test sent by your own company to determine whether its employees are vulnerable to one of the most pernicious online threats today: Phishing.

Those simulated phishing tests often come with a voluntary or mandatory training afterwards, with questions and lessons about what mistakes you made, right after you made them. 

But this extremely popular phishing defense practice might not work. In fact, it might make you worse at recognizing phishing attempts in the future.

That's what Daniele Lain and his fellow PhD candidates at the ETH Zurich university in Switzerland revealed in a recent 15-month study, which we discuss today on Lock and Code, with host David Ruiz.