Phishing Simulations Are Broken – Here’s What Terry McCorkle Is Doing About It
Phishing comes up every time awareness professionals get in a room. No matter the agenda, it always sneaks in. That’s because it’s still one of the biggest threats we face – and one of the trickiest to manage.
In this episode of The Awareness Angle, I speak to Terry McCorkle, a red team veteran with more than 25 years in cybersecurity, about why phishing simulations might not be working the way we think they are – and what we can do instead.
Terry’s been on the frontlines. As a red teamer, he used phishing to gain access to networks across the world. Now, he’s switched sides. He’s the founder of PhishCloud, a platform that takes a completely different approach to phishing defence: real-time support for users, without the surveillance, fear, or gotchas.
And if you think this is just another anti-simulation rant, it’s not. Terry knows simulations can have value. But he’s seen first-hand the harm they can do when they’re designed to catch people out, especially when those clicks turn into warnings, HR meetings, or worse.
So what do we talk about?
First, we get into the core problem with traditional phishing simulations – they rely on tricking people. You run a test, someone clicks, and then you show them what they should have done. That’s like letting someone get mugged and then saying, “Next time, don’t walk down that alley.” It’s not helpful, and it’s not fair.
Terry shares a story about someone who clicked on a simulated phish during a red team engagement. That person immediately reported it, changed their password, did all the right things – but still got fired. The security team didn’t even respond for two days. That’s not a user failure. That’s a broken system.
PhishCloud flips the model. Instead of testing people after the fact, it gives them support at the moment of risk. A simple browser overlay shows a green, yellow, or red warning when a user sees a link – not just in email, but in search results, chat messages, social media, and more. It’s like having a trusted friend sat next to you, quietly nudging you before you make a mistake.
And yes, the platform uses machine learning and threat intelligence – but Terry doesn’t pitch it like it’s magic. He talks about confidence levels, transparency, and giving users the tools they need without invading their privacy. It’s smart tech designed to make people smarter, not just tick boxes.
We also cover some familiar ground, like how phishing isn’t just an email problem anymore, and how simulation metrics can be easily gamed. Want a low click rate? Send an obvious phish. Want to scare your stakeholders? Send a nasty one and watch the clicks roll in. It’s easy to shape the data to suit your story – but that doesn’t make it meaningful.
Terry’s approach is rooted in empathy. He’s not here to bash users or hand out click-shaming reports. He’s here to build something that actually helps, something that gives people a chance to learn in the moment and change their behaviour in a way that sticks.
We also talk about automation, and how a system like PhishCloud doesn’t just help users – it helps the security team too. By cutting down false positives, giving better visibility, and pushing useful metrics into the SOC, it frees up time and reduces burnout.
It’s a proper rethinking of how we handle phishing. Less fear. More support. Less finger-pointing. More partnership.
And if you’ve ever felt uncomfortable about running phishing tests that feel more like traps than training, this episode might just give you the words – and the model – to do it differently.
You can find out more about PhishCloud at phishcloud.com, and connect with Terry on LinkedIn.