As phishing has become a more prevalent threat, businesses around the world are establishing cybersecurity training designed to ensure employees don’t fall victim to scam messages. Anti-phishing training works by sending employees simulated phishing emails that come not from criminals but from a white-hat security firm, to see whether workers can be caught out.
If they are, and they give away their credentials or personal data, it goes not to criminals but to an innocuous organization, which can inform them of their error and advise them on how to avoid falling into the same trap again. The sandboxed simulations are designed to offer the best of both worlds: to make people more aware of their fallibility when presented with a phishing email, and to let them make mistakes without causing real damage.
It's little wonder that they’ve been embraced wholeheartedly by businesses and organizations looking to shore up their security. But are they actually useful? Do they prevent what they aim to prevent? Or do they just perpetuate the same problems?
Phishing for help
An experiment carried out by researchers at ETH Zurich in collaboration with a large company saw 14,000 employees sent multiple phishing simulations over the course of 15 months, during which their responses were recorded. A reporting button was added to the company’s email client so that participants could report suspicious emails they received, should they suspect they were being targeted by a scam.
The academics measured how employees reacted to the simulated phishing emails they deliberately sent as part of the exercise, tracking three outcomes: click rates on links and attachments in the phishing emails, dangerous actions such as submitting credentials, and reports of suspicious emails.
Their findings may give pause to organizations that see training and awareness as a simple solution to the problem of phishing. One in three employees clicked on at least one link or attachment in the simulated phishing emails over the 15 months, and an equally worrying proportion, one in four, performed at least one dangerous action. Note that these are cumulative figures: the share of the workforce that fell at least once over the whole study, not the click rate on any single email. “These results indicate that a rather large fraction of the entire employee base will be vulnerable to phishing when exposed to phishing emails for a sufficiently long time,” the researchers say.
Training doesn’t help
Even if falling for phishing is inevitable for a high proportion of a company’s employees, proponents of such exercises argue that the experience works by making workers more sceptical of the messages they receive. After falling victim, and being told that they did and how they made the mistake, the theory goes, workers will be more circumspect when presented with similar-looking missives.
But as with many things, theory doesn’t always align with practice. Training did not improve future detection of phishing emails in the study. “Surprisingly, we observe that both click and dangerous actions rates are higher for participants that received contextual training (i.e., participants who were forwarded to a training page) after falling for simulated phishes,” the academics say.
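The metrics the study tracks (per-round click, dangerous-action and report rates, the cumulative "at least once" fraction of the workforce, and a split of click rate by whether an employee had already been sent to a training page) are straightforward to compute from the records an embedded phishing exercise produces. The following is an added example, not code from the ETH Zurich study or its industry partner; the record layout, the field names and the eight-employee, four-round sample are constructed for illustration. It shows why a per-round click rate that looks stable can still translate into most of the workforce having clicked at least once given enough rounds.

```python
"""Metrics for an embedded phishing simulation, computed from constructed records.

Added example; not code from the ETH Zurich study or its industry partner.
The record layout, field names and outcomes below are assumptions made for
illustration. Only the metric definitions follow the text: click rate,
dangerous-action rate, reporting rate, and the cumulative fraction of the
employee base that has done each at least once after a given number of rounds.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    campaign: int         # simulation round, in chronological order
    employee: str
    clicked: bool         # opened the link or attachment
    dangerous: bool       # e.g. submitted credentials
    reported: bool        # used the report button in the mail client
    trained_before: bool  # had already been forwarded to a contextual training page


# Constructed sample: 8 employees over 4 rounds (not real data). An employee is
# marked trained_before once they have clicked in an earlier round, which is how
# contextual training is triggered in an embedded exercise.
SAMPLE = [Outcome(*r) for r in [
    # campaign, employee, clicked, dangerous, reported, trained_before
    (1, "a", True,  True,  False, False), (1, "b", False, False, True,  False),
    (1, "c", False, False, False, False), (1, "d", True,  False, False, False),
    (1, "e", False, False, True,  False), (1, "f", False, False, False, False),
    (1, "g", False, False, False, False), (1, "h", False, False, False, False),
    (2, "a", True,  False, False, True),  (2, "b", False, False, True,  False),
    (2, "c", True,  True,  False, False), (2, "d", False, False, False, True),
    (2, "e", False, False, False, False), (2, "f", False, False, True,  False),
    (2, "g", False, False, False, False), (2, "h", False, False, False, False),
    (3, "a", True,  True,  False, True),  (3, "b", False, False, True,  False),
    (3, "c", True,  False, False, True),  (3, "d", False, False, True,  True),
    (3, "e", False, False, False, False), (3, "f", False, False, False, False),
    (3, "g", True,  False, False, False), (3, "h", False, False, True,  False),
    (4, "a", False, False, False, True),  (4, "b", False, False, True,  False),
    (4, "c", False, False, True,  True),  (4, "d", True,  False, False, True),
    (4, "e", True,  False, False, False), (4, "f", False, False, False, False),
    (4, "g", False, False, False, True),  (4, "h", False, False, False, False),
]]


def _by_campaign(records):
    """Group records by round, in chronological order."""
    groups = defaultdict(list)
    for r in records:
        groups[r.campaign].append(r)
    return dict(sorted(groups.items()))


def _rate(records, attr):
    """Fraction of records with the given flag set; 0.0 for an empty group."""
    return sum(getattr(r, attr) for r in records) / len(records) if records else 0.0


def per_campaign_rates(records):
    """Per-round rates: {campaign: {"clicked": x, "dangerous": y, "reported": z}}."""
    return {c: {a: _rate(rs, a) for a in ("clicked", "dangerous", "reported")}
            for c, rs in _by_campaign(records).items()}


def cumulative_at_least_once(records, attr):
    """Fraction of the whole employee base that has done `attr` in at least one
    round up to and including each campaign. This is the 'one in three clicked
    at least once over 15 months' style of figure; it can only grow over time."""
    population = {r.employee for r in records}
    seen, out = set(), {}
    for c, rs in _by_campaign(records).items():
        seen.update(r.employee for r in rs if getattr(r, attr))
        out[c] = len(seen) / len(population)
    return out


def click_rate_by_training(records):
    """Click rate on rounds where the employee had already been trained vs. not,
    returned as (trained_rate, untrained_rate). In this constructed sample the
    trained group is exactly the set who already clicked once, so a higher
    trained rate here does not by itself show that the training caused it."""
    trained = [r for r in records if r.trained_before]
    untrained = [r for r in records if not r.trained_before]
    return _rate(trained, "clicked"), _rate(untrained, "clicked")


if __name__ == "__main__":
    for c, rates in per_campaign_rates(SAMPLE).items():
        print(f"round {c}: " + ", ".join(f"{k}={v:.2f}" for k, v in rates.items()))
    for attr in ("clicked", "dangerous", "reported"):
        print(f"cumulative {attr} at least once:", cumulative_at_least_once(SAMPLE, attr))
    print("click rate trained vs untrained:", click_rate_by_training(SAMPLE))
```

On this sample the per-round click rate sits between 25% and 38% in every round, yet by round four five of the eight employees have clicked at least once. When reporting results of an exercise, state which of the two figures you are quoting, and treat any trained-versus-untrained comparison with the caution the researchers ask for, since who ends up in the trained group is not random.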
It’s a bold claim, and one that could be damaging for the industry’s standard anti-phishing training programs. The business that worked with the academics used a common, industry-standard method of delivering phishing training, produced by a specialist company that serves many organizations. The result, then, is a worry. “We call for caution in the deployment of methods like embedded phishing exercises and training, where the existing literature is less unanimous about their effectiveness, and our research discovers potential negative side effects,” the researchers say.