
Why phishing training is important: An intelligent approach



We are CybSafe. A cyber security & data analytics company.


Phishing attacks are the most common cyber threat to many businesses.
This form of cyber attack can be remarkably unsophisticated. Yet, the disruption caused can be huge.

So why are phishing attacks such a problem in modern cyber security? What can be done to limit their success and prevent cybercrime? And does phishing training actually reduce your cyber risk?


Using human behavior as a weapon


Phishing emails prey on human behavior.

They will often claim to come from an authority figure. The suspicious email might foster a sense of urgency. Or offer some kind of reward to the recipient.

Each of these elements plays on the human psyche. Deference, anxiety, fear and/or excitement will prompt recipients to respond without due caution and reveal sensitive information. That’s all it takes for the scam to work.


Taking advantage


In times of crisis—during a pandemic, for example—emotions that lead people to act in this way are heightened. Criminals know this. And they act accordingly.

The UK’s HMRC detected a 73% increase in email phishing attacks in the first six months of the Covid-19 pandemic.

In September 2020, HMRC published examples of Covid-19-related phishing emails. One email, claiming to be from HMRC, told people they were eligible for a tax rebate because of Covid-19. The email contained a phishing link entitled ‘Access your funds now’.

The arrival of a Covid-19 vaccine presented another opportunity for a phishing attempt. In early January 2021, scam text messages began circulating in Northern Ireland. The texts told people they were eligible for vaccination. Victims were directed to a fake NHS website where they were asked to provide bank details.


Targeted attacks


Covid-19-related phishing attacks demonstrate how cyber criminals exploit human vulnerabilities and anxieties. These types of scam can reach hundreds or even thousands of people.

But phishing scams can also target individuals.

It’s not difficult for a hacker to employ social engineering techniques and impersonate someone else to obtain personal information. With a few personal details taken from social media, a targeted scam can become incredibly convincing. A targeted phishing email is also less likely to be picked up by phishing filters.

Business Email Compromise (BEC) scams are one type of targeted spear phishing attack. In BEC scams, criminals impersonate organization employees.

In 2019, auto parts supplier Toyota lost $37 million in a BEC scam. This type of scam also increased during the Covid-19 pandemic. In the second quarter of 2020, BEC wire transfer losses were up 48%.

Phishing filters are imperfect


As phishing filters are far from perfect, can phishing ever really be prevented?

Today, with phishing attacks on the rise and the cyber threat landscape constantly evolving, most companies employ some form of technological phishing filter to help prevent phishing.

Such filters typically rely on machine learning to check and categorise incoming emails and, having done so, prevent suspicious emails from making it into corporate inboxes.

Unfortunately, as research shows, phishing filters are far from perfect. They might be able to counter dated and known phishing attacks. But consider the real-world spear-phishing email sent to a senior executive…

For the most part, phishing filters are powerless to prevent such attacks.


How else can companies prevent phishing?


Fortunately, information security officers have a second defence they can enlist to prevent phishing: their people.

Framing people as a defence might seem odd. In security, people are often seen as a vulnerability. But without question, alert and aware people detect and stop malicious phishing attacks from doing any damage on a daily basis.

Just as phishing filters categorise some emails as malicious, so too do people. The difference?

People have a larger range of criteria they can use when assessing emails. And, as people aren’t bound by arbitrary rules, people have the ability to err on the side of caution.

As more and more CISOs are beginning to suggest, properly empowered people can prevent cyber attacks – whether phishing or otherwise.


Empowering people to prevent phishing


How do you empower people to spot and report the phishing attacks phishing filters miss?

By changing not just security awareness, but security behaviors and security culture, too.

CybSafe, for example, was built in collaboration with psychologists to change not just what people know about cyber security, but what people think and feel about cyber security and how they respond when confronted with cyber threats.

The intelligent platform systematically measures security awareness, security behaviors and security culture, intervening to improve each in turn. In doing so, it transforms people from a so-called ‘weakness’ into another layer of defence, demonstrably reducing cyber risk in all areas – phishing included.

Can phishing be prevented? The short answer is yes.

The longer answer is yes – through a multifaceted security strategy that enlists a defence most companies overlook, together with well-executed phishing awareness training.

Why Phishing Training Is Important


The importance of phishing awareness training


For a cyber criminal, phishing attacks are relatively simple to execute. But for an organization or just a single computer user, the effects can be catastrophic.

67% of businesses say their single most disruptive cyberattack in the last 12 months was phishing. Phishing simulation, such as sending a simulated phishing email, is undoubtedly important. But it needs to move beyond the compliance-based training currently on offer. It needs to pay more attention to changing behavior.

Anyone who has ever run a phishing campaign over a prolonged period will be aware that, week to week and month to month, the results of phishing training tests can swing dramatically.

Should this really be the case?

If phishing programs in their current form did indeed reduce phishing susceptibility, then shouldn’t phishing susceptibility rates gradually decline, rather than pogo up and down?

It’s also worth considering how today’s phishing training usually attempts to rectify ‘failures’—which is invariably through more of the same training. But if the training didn’t do all that much good the first time around, should we really expect it to work a week or so later? Research suggests more of the same phishing training does little to reduce cyber risk.

As time goes on, more businesses are investing more money in cyber defences—phishing awareness training included. Gartner predicts global security investment will reach $172.5 billion in 2022 and $267.3 billion in 2026. Yet in 2022, 36% of all harmful cyber activities reported in the annual cybersecurity attitudes and behaviors report were phishing incidents that resulted in the loss of money or data.


Raising awareness


To be clear, simply phishing your employees and then forcing anyone who clicks a link to sit through a 20-minute video is not raising security awareness – it’s just making people resent their security teams.

However, phishing is exactly what we want to teach people to recognise. The fact that some people’s ‘job consists almost entirely of opening attachments from strangers, and clicking on links in emails’ is exactly the point.

People need to be better at spotting cyber scams and in order to do this they need to be trained. It’s not about looking in the other direction. You don’t train for penalties in football without a goalkeeper.

An intelligent approach to simulated attacks recreates many of the conditions that people face in reality. The training platform then educates and increases awareness and understanding of how best to become a safe and secure cog in the socio-technical systems of a company.

This is made much more achievable by helping staff understand why secure online behavior is important to them personally as well as professionally, and how phishing fits in. It’s therefore equally important that the simulated attack activity is coordinated with other thoughtful awareness activity if you are to get the true benefit from the simulated attacks.

Setting appropriate and agreed expectations in relation to how an awareness campaign will run beforehand allows a spirit of ‘we’re all in this together.’

Getting the culture right from the outset fosters an internal siege mentality that companies can use to combat internal and external threats.

With the right foundations, companies could even create departmental competition with rewards for the ‘safest’ department – without ruffling any feathers whatsoever.


Making phishing training work


An intelligent approach to simulated phishing is seldom counterproductive if done well and contextualised. And it can most definitely increase cyber resilience. The trick lies in encouraging a culture that allows it to do so.

To do that, companies should:

  1. Encourage a growth mindset
  2. Be explicit with intentions and expectations and share the reality of the cyber-threat while keeping Protection Motivation Theory (Rogers & Prentice-Dunn, 1997) in mind.
  3. It’s also worth noting Modic & Anderson (2014) who state that warning effectiveness can be improved by:
    • Providing a clear, concrete and nontechnical description of the threat
    • Using social influence, i.e. referencing an authority or social group
  4. Understand mistakes
    • And allow for reflection, education and action
  5. Develop psychological safety
    • Ideally through C-suite Execs and the IT department
    • Psychological safety refers to a climate in which people are comfortable being (and expressing) themselves (Edmondson, 2003)

As ever, making simulated attacks work requires multi-layer interventions that link into the essence of a company. Cyber security interventions should also ‘talk’ to people – interventions need to engage the emotional brain, as research shows that people remember feelings far more than they do thoughts, facts or figures.

In the right environment, simulated phishing emails (and equally as important, other forms of simulated attack) can do this. In the right company, with a culture that embraces learning from failure and supports everyone having a voice, simulated phishing can do a great deal to increase cyber security awareness. That said, failing to contextualise the simulated phishing properly or implementing thoughtless phishing campaigns runs the risk of p@*sing our people off, possibly making the situation worse.


What intelligent phishing training looks like


While it’s impossible to say for certain whether today’s phishing training does or does not reduce cyber risk, it’s safe to say today’s phishing training could be improved.

At CybSafe, the psychologists, security obsessives, and behavioral scientists that develop our platform are continually working on innovations in cybersecurity to further security awareness training and other interventions. Their latest innovation, which introduces an intelligent twist to phishing training, does just that.

CybSafe’s intelligent approach to security awareness and phishing training goes beyond simply indicating who is susceptible to phishing and reveals why they’re susceptible. People fall prey to phishing for a number of reasons, such as fear, greed, pride, vanity and a desire to help those in need.

Intelligent phishing training reveals the types of attacks likely to convince specific individuals. Combined with bespoke training tailored to individuals, intelligent phishing training demonstrably reduces individual, departmental, and organizational cyber risk.

As far as we know, intelligent phishing training is an innovation unique to CybSafe, the world’s first truly intelligent security awareness, behavior and culture solution that demonstrably reduces human cyber risk.

To find out how it works—and how CybSafe demonstrably reduces cyber risk—book a demonstration today.
