Study: Repetition Key to Phishing Awareness Training

Study: Repetition Key to Phishing Awareness Training

Phishing awareness training is designed to educate employees about how to spot fraudulent emails and text messages designed to steal sensitive information and data. However, a new study by researchers from several German universities suggests the effectiveness of such training is short-lived.

Researchers said test subjects’ ability to correctly distinguish phishing emails from legitimate emails was “significantly improved” for up to five months after training. After six months, however, they seemed to forget much of what they had learned.

The study presented to the USENIX Symposium on Usable Privacy and Security is believed to be the first attempt to quantify the long-term effects of training. The results reinforce what industry insiders have long believed — that security training must be repeated regularly to produce lasting behavioral changes. Regular training exercises are doubly important now that millions of Americans are working from home, outside their employers’ security perimeters.

KnowBe4, the provider of the world’s largest security awareness training platform, says phishing awareness should be a core topic in any education program. Phishing is a gateway attack that sets the stage for a variety of additional threats such as ransomware, identity theft, data exfiltration and extortion. The company says more than 90 percent of all successful hacks and data breaches start with phishing scams.

Training materials should remind remote workers of three essential practices for avoiding phishing attacks — don't open emails from senders you don't recognize, don’t click on email links if you aren’t certain they are legitimate, and don’t open email attachments unless they are expected and come from a trusted source. Employees should also learn to spot some of the tell-tale signs of a phishing email:

  • It asks for personal or sensitive information. Legitimate companies will not ask you to confirm account information or provide login details by email.
  • It is poorly written. Spoofed emails often originate in countries where English is not the native language, resulting in spelling, grammar, logic and syntax errors.
  • It is impersonal. Phishing emails often use generic salutations such as “Dear account holder.” Legitimate companies are more likely to address you by name.
  • The source is suspicious. Professional organizations won’t send emails from Gmail or Hotmail accounts.
  • There’s an attachment. An unsolicited email with an attachment is a huge red flag. Legitimate companies are far more likely to provide directions on how to download a document from their website.
  • There’s a suspicious hyperlink. An embedded hyperlink is another red flag. Cybercriminals use embedded links to redirect you to phony websites in an attempt to either extract personal information or download malware.
  • There’s a heightened sense of urgency. Phishing emails that suggest your account will be suspended or terminated unless some action is taken immediately are meant to make you act quickly without taking the time to fully investigate. Legitimate organizations don’t rely on email messages to deliver such news.

Like any security plan, awareness programs must be tested regularly to ensure it they are working as intended. Social engineering testing is the most reliable way to discover if your education and training programs are truly effective. In these tests, authorized ethical hackers simulate a variety of attacks to understand whether employees are being vigilant and following established procedures.

Phishing education and assessments are essential elements of Verteks’ cybersecurity practice.  Through our partnership with KnowBe4, customers can set up employee training programs using a variety of interactive modules, videos, games and newsletters. The KnowBe4 content library is continually updated with the latest phishing-related content. Our assessments can help you be sure your education and awareness programs are working as intended. Give us a call to learn more.