Employees are overconfident in their ability to detect phishing emails

More than four in five respondents to Intermedia’s 2017 Data Vulnerability Report said they were confident that they could detect a phishing email, which sounds like an encouraging statistic. Phishing has boomed in the past few years, causing a great deal of damage to people and businesses. That 86% think they’ve got a handle on how to detect phishing means that there could soon be far fewer stories about successful phishing attacks.

But then you see another statistic: 21% of respondents admit to having fallen victim to a phishing attack. Since 86% and 21% together exceed 100% by seven points, at least 7% of respondents are confident they could detect a phishing email yet have still fallen victim to one. This is a major problem because it only takes one employee clicking a malicious link for your entire organization to be put at risk.

Staff training isn’t working

The standard advice to combat phishing is to invest in staff awareness training, but according to Intermedia, a lack of training isn’t the problem. Nearly two thirds of surveyed organizations (62%) said they provide cybersecurity training every six months, and 29% said they provide it every three months.

The problem is that these training courses are poorly executed.

Ryan Barrett, vice president of security and privacy at Intermedia, said: “It’s no longer effective to just talk ‘at’ employees about cyber threats. Companies need to offer regular interactive IT security training events to show employees what real attacks look like, and how to react to them.”

The report reveals that an above-average number of senior staff (34%) and IT workers (25%) admit to falling for a phishing email. Given the access these people have to critical systems and information, this means that training needs to focus more on spear phishing and whaling attacks.

Rethink your approach to staff awareness training

Given these concerns, you should consider changing the way your business raises awareness of phishing. Earlier this year, (ISC)2 and Forbes suggested that organizations should phish their own staff. Phishing emails sent to everyone in the company (obviously without the malicious payload) can give those who fall victim a warning, and make them think twice in the future.

Both (ISC)2 and Forbes say that organizations might prefer to have a third party conduct these simulated attacks. Forbes writes: “A contractor or outside vendor could present a more realistic scenario for your organization [and it will be] devoid of internal bias (for example, internal IT members may feel conflicted about tricking fellow employees or may accidentally mention the test in conversation).”

Our Simulated Phishing Attack provides an independent assessment of employee susceptibility, and benchmarks your security awareness campaigns. It can help you to:

  • Satisfy compliance and regulatory requirements
  • Focus future testing on the areas and employees at greatest risk
  • Reduce the number of times employees click malicious emails

After conducting this test, you might want to enroll your staff on our Phishing Staff Awareness Course. The course will reduce the likelihood of your employees falling victim to such scams by helping them understand how phishing works, the consequences of a successful attack, and how to identify and respond to malicious messages.

This course is suitable for everybody in your organization, including senior and technical staff, as it covers the most common types of malicious emails as well as spear phishing, whaling, and other variants.