Getting Past Gotcha: Reframing Anti-Phishing Training


If you’ve been following our blog for a while, you’ll already be aware of our stance on anti-phishing training.

Experience has taught us that the only way to reliably improve a user’s ability to spot and report phishing emails is to test them in the real world. To put it another way, they need to see realistic phishing emails in their inbox on a regular basis… and you need to put them there.

It’s tempting (oh so tempting…) to treat this as a gotcha exercise.

You put your black hat on, devise a series of phishing simulations so fiendishly convincing that even trained, and watchful users would be fooled 90 percent of the time.

But does this approach really achieve anything? Sadly not… and here’s why:

Worried about the risks posed by phishing? Download our Best Practice for Enterprise Phishing Protection white paper

Phishing Protection Best Practices Whitepaper

Tricking People Isn’t the Point

Now, on the one hand, it’s important for users to understand that not all emails are legitimate. It’s also important for them to realize that identifying malicious emails will not always be easy.

But the vast majority of users will internalize these lessons within the first month or two of any decent anti-phishing program. Beyond this, the purpose of your program should be to provide users with the tools and skills they need to reliably spot and report phishing emails… not simply to trick them on a regular basis.
Think about it. If you wanted to learn to juggle, you wouldn’t start by trying to emulate world-class circus performers. Instead, you’d start with a single ball, and work your way up.

So why throw highly sophisticated phishing simulations at your users before they’re ready? Just as though they were developing any other skill, your users need to start with the basics and work up slowly.
Which brings us on to our second point…

Users Can’t be Trained for All Possible Phishing Attacks

There are dozens, if not hundreds of different types of phishing attack. Yes, they fall into a smaller number of broad categories, but in practice, there is simply too much variation in attacks for an average user to be fully trained in phishing defense.

But here’s the thing: THEY DON’T NEED TO BE. An average user only needs to be trained to spot and report the types of phishing attacks they are most likely to receive.

Training users on your payments team? They’ll definitely need to be primed to spot and report business email compromise (BEC) scams because they’re highly likely to be targeted with them.

Training “average” users throughout your organization? You’ll need to cover common phishing attack styles such as holiday-themed attacks, malicious links and attachments, and credential theft.

The simple truth is that no matter how well trained your users are, you could likely produce a simulation in under 30 minutes that would fool 90 percent of them. But how likely are they to actually receive a phishing attack that complex?

For instance, there have been reported cases of SMEs being targeted by nation-state advanced persistent threat (APT) groups purely for the purposes of stealing email communications between the SME and a larger partner organization. These emails have subsequently been used to craft spear phishing lures so sophisticated as to be practically undetectable.

Why would anyone go to so much effort to pull off a single attack? Simple: industrial espionage.

But is anyone in your organization really going to receive an attack this complex? Unless they happen to be a senior executive at your major telecoms or cutting-edge tech firm, probably not.

Of course, it all depends on the user in question. Do your payments staff need more tailored training than an average user? Probably yes. Do your executives need to be prepared for a higher caliber of phishing attack than the rest of your users? Almost certainly.

But no individual user can be prepared for every type of phishing attack.

Play the Numbers Game

Hopefully, the solution to this problem should be obvious by now: Simply identify the types of attacks most likely to be encountered by a group of users, and ensure they are suitably prepared.

Simple, right?

Yes, it can be boring to produce a whole series of simple BEC simulations. And yes, it’s possible one of your users will be faced with a more advanced phishing scam before they’ve mastered your first few simulations.

But these things can’t be rushed. A powerful anti-phishing program is an ongoing process that gradually and consistently reduces the threat profile of your organization. There will always be new users who need to start from the very basics, but over time you’ll have a growing body of experienced veterans who are prepared to face almost anything that gets thrown their way.

So as excited as you may be to finally crack your organization’s phishing problems this year, take our advice: Start slow, build up gradually, and don’t allow yourself to get carried away when developing your phishing simulations.

Article Link: