Why Anti-Phishing Training Isn’t Enough



Not only is relying on employees’ awareness insufficient to prevent sophisticated social engineering attacks, some training methods can create other problems.

It’s time we take a hard look at why we rely so much on end users to catch phishing scams that can jeopardize an entire company. As hackers continue to advance their social engineering techniques, phishing attacks are becoming harder to detect and are missed 39% of the time. While you might think your anti-phishing training program is up to date, your organization will continue to be at risk as long as email is necessary for business operations.

Because we all engage with email daily, we have a degree of blind trust despite continuous, sophisticated anti-phishing training. On many occasions, hackers scheme to elicit emotional responses from their target — for example, by sending urgent messages “from” human resources or the CEO. These are more likely to result in improper downloads or email responses that can damage the entire organization.

File sharing over email is another necessary business function that puts the organization at significant risk for a breach. According to Proofpoint’s “2021 State of the Phish Report,” attachment-based attacks are becoming more common, and employees often cannot differentiate malicious emails from those with files they need to collaborate, especially when remote work is so common. Currently, the average failure rate in attachment-based attacks is 20%, far higher than for URL-based attacks, at 12%.

Why Anti-Phishing Training Isn’t Succeeding
If you think this is solely a pandemic-related problem, think again: it predates COVID-19. In 2019, 68% of organizations focused on raising awareness of link-based attacks, compared with just 10% of organizations that focused their efforts on attachment-based attacks. And 65% of the phishing tests with the highest failure rates were attachment-based, with most emails appearing to come from a recognizable internal account such as a supervisor or someone in the HR department.

Notably, the HR department is at increased risk for falling victim to an attachment-based attack because of the resumes and other files from outside sources it engages with…
