Microlearning beats one‑off training
Experts argue schools should pair short, scenario‑based microlearning with engineered controls because staff will click eventually; simulated phishing plus instant feedback outperforms annual training. A real‑world example shows a trained employee stopping a CEO‑fraud attempt, underscoring how brief, targeted exercises actually change behavior.
A University of South Florida co‑authored study published Nov. 3, 2025 ran three large experiments with thousands of participants and concluded that “just‑in‑time” embedded feedback can backfire and that sending a follow‑up explanation to all users after a simulation produced better learning outcomes than training only the clickers. (usf.edu)

Vendor playbooks now formalize short, scenario‑based micro‑lessons: Hoxhunt’s 2026 phishing‑simulation guide pairs each lure with immediate educational feedback plus a 1‑minute micro‑lesson and recommends a monthly baseline cadence with 1–4 week micro‑drills for high‑risk roles. (hoxhunt.com) Security researchers and vendors report that large real‑world evaluations found almost no measurable benefit from single annual awareness modules, prompting a shift toward measuring reporting rate, time‑to‑report and repeat‑click reduction instead of the raw “click rate” metric. (proofpoint.com)

A documented early‑2025 incident at a mid‑sized Atlanta financial services firm showed an employee halting a $48,000 wire after receiving a CEO‑impersonation email and calling the executive to verify the request, illustrating how verification steps and vigilance can stop fraud before funds move. (trueitpros.com) The scale of the threat underscores the need for layered defenses: FBI/IC3 data report $55.5 billion in exposed losses from BEC incidents reported between October 2013 and December 2023, with 305,033 domestic and international incidents logged in that period. (ic3.gov)

Federal guidance emphasizes pairing people‑centric exercises with engineered controls: CISA recommends enterprise‑wide multi‑factor authentication and email authentication (SPF/DKIM/DMARC) as foundational controls, while Microsoft documents step‑by‑step DMARC/SPF/DKIM setup for M365 and NACHA advises call‑back verification for wire transfers. (cisa.gov 1) (cisa.gov 2) (learn.microsoft.com) (nacha.org)
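The metrics the page says vendors now favor (reporting rate, time‑to‑report, repeat‑click reduction) can be computed from a simulation platform's event export; the following is an added example, not code from any vendor or study cited above, and it assumes a constructed event schema of (round, user, event, ISO timestamp) with one "sent" per user per round.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events (not real data): two monthly simulation rounds
# sent to four staff, each of whom may then "click" and/or "report" the lure.
EVENTS = [
    (1, "alice", "sent", "2025-03-03T09:00:00"), (1, "alice", "click", "2025-03-03T09:04:00"),
    (1, "bob", "sent", "2025-03-03T09:00:00"), (1, "bob", "report", "2025-03-03T09:02:00"),
    (1, "carol", "sent", "2025-03-03T09:00:00"), (1, "carol", "click", "2025-03-03T09:10:00"),
    (1, "dave", "sent", "2025-03-03T09:00:00"),
    (2, "alice", "sent", "2025-04-07T09:00:00"), (2, "alice", "click", "2025-04-07T09:01:00"),
    (2, "bob", "sent", "2025-04-07T09:00:00"), (2, "bob", "report", "2025-04-07T09:01:00"),
    (2, "carol", "sent", "2025-04-07T09:00:00"), (2, "carol", "report", "2025-04-07T09:20:00"),
    (2, "dave", "sent", "2025-04-07T09:00:00"), (2, "dave", "report", "2025-04-07T09:05:00"),
]

def _by_round(events, round_no):
    """Map user -> {event: timestamp} for a single simulation round."""
    per_user = defaultdict(dict)
    for r, user, event, ts in events:
        if r == round_no:
            per_user[user][event] = datetime.fromisoformat(ts)
    return per_user

def round_metrics(events, round_no):
    """Rates are fractions of users who were sent the lure; time-to-report is in seconds."""
    users = _by_round(events, round_no)
    sent = [u for u, ev in users.items() if "sent" in ev]
    clicked = [u for u in sent if "click" in users[u]]
    reported = [u for u in sent if "report" in users[u]]
    ttr = [(users[u]["report"] - users[u]["sent"]).total_seconds() for u in reported]
    return {
        "click_rate": len(clicked) / len(sent),
        "report_rate": len(reported) / len(sent),
        "median_time_to_report_s": median(ttr) if ttr else None,
    }

def repeat_clickers(events, earlier, later):
    """Users who clicked in both rounds: the candidates for short, targeted micro-drills."""
    first = {u for u, ev in _by_round(events, earlier).items() if "click" in ev}
    again = {u for u, ev in _by_round(events, later).items() if "click" in ev}
    return sorted(first & again)

def repeat_click_reduction(events, earlier, later):
    """Share of the earlier round's clickers who did not click again in the later round."""
    first = {u for u, ev in _by_round(events, earlier).items() if "click" in ev}
    again = {u for u, ev in _by_round(events, later).items() if "click" in ev}
    return 1 - len(first & again) / len(first) if first else None
```

Tracking these per round, rather than a single click rate, shows whether reporting is becoming faster and broader after each micro‑lesson.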