3 mistakes to avoid when training teams to recognize phishing attempts

Phishing is arguably the most dangerous type of internet scam, fooling millions of people every year.

Billions of dollars are lost annually to phishing attacks, and the damage to a brand’s reputation after a data breach is beyond measure. Cyber attacks, meanwhile, continue to hit businesses at record rates.

Unfortunately, phishing has evolved to the point where tech tools alone can’t protect your business. Sophisticated filters and firewalls might stop the majority of attempts, but enough still get through to cause significant damage.

Today’s phishing attacks are highly sophisticated, avoiding the keywords that would trigger an anti-phishing tool and often using genuine email addresses from hijacked accounts and content personalised to target individual recipients. That’s why only human-oriented phishing training, which educates employees on how to recognize a phishing attack and the right ways to deal with it, is effective.

However, phishing training is nothing new and people are still taken in by phishing. A recent survey found that close to half of all UK employees can’t recognise a scam email, and data breaches due to phishing still make the headlines.

If phishing training is the best solution, why are we still seeing phishing success? Because phishing training isn’t always carried out the right way. Many phishing awareness training programs make mistakes which undermine the success of the training. Here are three top mistakes to avoid when implementing phishing training.

1.   Making it generic

Too many phishing training programs provide the exact same education and simulations to the entire organisation. When real phishing attacks are personalised, it makes sense that generic training doesn’t get the job done. Hackers can go to impressive lengths to customise their email to the victim, using personal details like their first name, referring to recent events like the birth of a child, and playing on each individual’s specific anxieties.

Phishing training, like real phishing, has to be targeted to each employee’s role, cultural background, and what makes them most likely to click.

Additionally, different people have different levels of trust and varying degrees of digital awareness. Some might be naturally more suspicious, while others need repeated practice to spot the signs of a phishing email. Others are less tech-savvy and need to learn the basics for recognizing a secure website. Simulated phishing emails need to hit the right level for each recipient — too easy and they’ll let their guard down, too hard and they’ll give up even trying.

Tailored timing matters too. It’s best to send a simulation when people are stressed or tired, because that’s when they’re most likely to accidentally click on a dodgy link or open an infected attachment. That’s the window that hackers aim for. But with today’s hybrid and flexible work patterns, employees reach that point at different times of day.

The most important reason why generic training is a mistake is that it’s rare for one-size-fits-all to be appropriate for more than a handful of participants. You need your employees to pay attention to and complete phishing training, but that will only happen if the training is engaging and compelling.

2.   Making it a one-off

Your phishing training might be excellent and highly effective today, but it will quickly become irrelevant and outdated. Hackers are constantly finding new tactics to penetrate your defences and fool victims into responding, so phishing training needs to keep up.

It’s a big mistake to only run phishing training from time to time – the result is that you’ll prepare your team for yesterday’s threat, but leave them vulnerable to tomorrow’s attack.

Phishing training that only takes place once a year or once a quarter isn’t enough to keep your employees on their toes. You need to send out phishing simulations several times per month to keep your employees alert. It’s also natural for skills to fade with time; frequent simulations help make sure their abilities stay sharp.

Another issue with intermittent or infrequent training is that it doesn’t give you an accurate picture of employee awareness. You might think that they are more alert or effective at spotting phishing than they really are, leading to a false sense of confidence that could cause you to relax your other defences or let your own guard down.

You also need to keep pushing employees to get better at phishing detection. Your simulations should keep getting harder as your employees adapt to the threat, so that they are constantly improving. Hackers never rest on their laurels. They are always raising the bar as it gets more difficult to deceive people, so your phishing simulations need to follow suit.

3.   Focusing on the wrong metrics

Traditional phishing training involves lectures, worksheets, and quizzes, but these only measure knowledge, not behaviour. Someone could get perfect marks on a quiz about how to recognize a phishing email, and yet still click a suspicious link. Far too many people have admitted clicking even though they knew better.

Metrics from phishing simulations are more meaningful, but companies make mistakes here too. Organisations tend to elevate fail rates above all other metrics, but fail rates on their own can create a misleading picture of your employees’ true capabilities. Fail rates could be low because employees avoid clicking any links, for example, not because they recognize a phishing email. Disproportionate focus on fail rates also often leads to a culture of punishment instead of improvement, which discourages employees from trying to improve.

Miss rates are at least as important and correlate strongly with how likely it is that someone will detect and report a phishing attempt. Success rates are also significant, because they more accurately represent people’s ability to perceive a phishing attack. Only by combining fail, success, and miss metrics can you correctly gauge your organisation’s level of risk and resilience.

Lastly, businesses need to be sure that they are watching up-to-date, holistic data about employee click rates. If you’re only checking one metric, you’ll miss insights into employee progress and won’t be able to track their improvement over time.
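The two points above, that a low fail rate can hide a workforce that simply ignores every email, and that metrics have to be tracked per campaign to see progress, can be made concrete with a small scoring routine. The following is an added example written for this article, not code from the original post or from any training vendor. The metric definitions it uses are assumptions: a recipient who clicks is a fail, one who reports without clicking is a success, and one who neither clicks nor reports is a miss, so the three rates sum to one. The teams and campaign results are constructed sample data.

```python
"""Score phishing-simulation outcomes with fail, success and miss rates.

Added illustration for the article; not the article's own code.
Assumed definitions (not taken from the page):
  fail    = recipient clicked the simulated link or opened the attachment
  success = recipient reported the email without clicking it
  miss    = recipient neither clicked nor reported (the email was ignored)
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """One recipient's result for one simulated phishing email."""
    recipient: str
    campaign: int      # sequential campaign number, used to track progress
    clicked: bool
    reported: bool


def classify(o: Outcome) -> str:
    """Map a single outcome onto one of the three buckets (assumed definitions)."""
    if o.clicked:
        return "fail"
    if o.reported:
        return "success"
    return "miss"


def rates(outcomes: list[Outcome]) -> dict[str, float]:
    """Fail/success/miss as fractions of all recipients in the input."""
    if not outcomes:
        raise ValueError("no outcomes to score")
    counts = Counter(classify(o) for o in outcomes)
    n = len(outcomes)
    return {k: round(counts[k] / n, 2) for k in ("fail", "success", "miss")}


def rates_by_campaign(outcomes: list[Outcome]) -> dict[int, dict[str, float]]:
    """Per-campaign rates in campaign order, so improvement over time is visible."""
    by_campaign: dict[int, list[Outcome]] = {}
    for o in outcomes:
        by_campaign.setdefault(o.campaign, []).append(o)
    return {c: rates(by_campaign[c]) for c in sorted(by_campaign)}


# Constructed sample data. Team A never clicks but never reports either;
# Team B has one click in campaign 1 but most people report, and by
# campaign 2 everyone reports.
TEAM_A = [Outcome(f"a{i}", 1, clicked=False, reported=False) for i in range(1, 6)]

TEAM_B = [
    Outcome("b1", 1, clicked=True, reported=False),
    Outcome("b2", 1, clicked=False, reported=True),
    Outcome("b3", 1, clicked=False, reported=True),
    Outcome("b4", 1, clicked=False, reported=True),
    Outcome("b5", 1, clicked=False, reported=True),
    Outcome("b1", 2, clicked=False, reported=True),
    Outcome("b2", 2, clicked=False, reported=True),
    Outcome("b3", 2, clicked=False, reported=True),
    Outcome("b4", 2, clicked=False, reported=True),
    Outcome("b5", 2, clicked=False, reported=True),
]


if __name__ == "__main__":
    # Team A looks perfect on fail rate alone, yet nobody would report a real attack.
    print("Team A:", rates(TEAM_A))
    # Team B has a worse fail rate in campaign 1 but a far higher success rate,
    # and the per-campaign view shows the improvement.
    for campaign, r in rates_by_campaign(TEAM_B).items():
        print(f"Team B, campaign {campaign}:", r)
```

Judged on fail rate alone, Team A scores 0% and Team B 20%, which is the misleading picture the article warns about; the miss and success rates show that Team A would not report a genuine attack at all, while Team B's reporting is high and rising between campaigns.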

Effective phishing training is possible

Although there’s no such thing as a guarantee to stop 100% of all phishing attacks, phishing training can be highly successful at protecting your organisation. As long as you avoid concentrating on the wrong metrics, running infrequent training, and offering one-size-fits-all awareness sessions, you can stay ahead of the hackers and defend your business.