Phishing remains a persistent cybersecurity threat, with attackers continuously refining their techniques to evade detection. This study applies Risk Homeostasis Theory (RHT) to understand employee behavior in response to phishing attacks within a large organization. Through a 2x2 between-subjects field experiment involving 400 employees, we assess the impact of cybersecurity training and phishing incident reports on phishing susceptibility. Our findings suggest that general cybersecurity training alone does not immediately reduce phishing risk, but phishing-specific training significantly improves employee susceptibility. Regular phishing incident reports initially enhance risk awareness and reduce susceptibility; however, this effect diminishes over time. Interestingly, combining training and reports does not yield significant improvements, raising questions about the effect of combined interventions. This study provides the first empirical insights into RHT’s application in cybersecurity and highlights the importance of targeted interventions to enhance organizational resilience against phishing threats.