Why Training Is Not Enough to Stop Phishing Emails

Nov 30, 2018 5:33:29 PM / by Amy Daly

Email phishing is the top security threat to your organization. As the entry point for most security breaches, cyber-criminals are launching malware and ransomware, committing wire fraud, and identity theft. According to the FBI, phishing-based email accounted for more than $12 billion in fraud in just the last five years.

Phishing Training for Employees

Companies should conduct phishing email awareness training for their employees but need to recognize that training alone won’t solve the problem. Nearly 90% of all data breaches and threats are a result of human error. 

Even when recipients know an email looks suspicious, they sometimes still click on them. The only safe way to prevent phishing attacks is to stop them before they get to end users.

A study by researchers from Vanderbilt and Dartmouth examined phishing training for employees. Participants got extensive training in detecting phishing schemes and were shown specific examples that they should avoid.  When tested 3 months later, participants showed very little change in behavior and still exposed themselves to credential theft and phishing scams. A second study was conducted with MBA students who received the training with no change in results.

“Changing security behavior is challenging,” the study reports. “It takes only one misstep to seriously compromise a system.”

When it comes to phishing emails, you are only as strong as your weakest link. Since most companies now experience regular turnover, the training cycle never ends. Training needs to be provided for new employees and current employees need refreshed phishing email awareness training regularly.  It’s hard to know whether the problem has been solved.

You Can’t Train for The Unknown

There are also a lot of threats for which you can’t provide training. You can’t train on the unknown, or the newest tactics the cyber-criminals employ. When one scheme is exposed, a new one pops up. Zero-day attacks which occur before or on the same day software vulnerabilities are discovered are impossible to train for ahead of time.

Phishing Your Own Employees

As part of the phishing training for employees, organizations often test their own staff.  Spoofed emails, fake links, or sampling phishing emails representing the most common attacks are sent to unsuspecting employees to assess the effectiveness of phishing email awareness training.  When employees take an unwise action after receiving your simulated phishing email, they are caught in the moment and given immediate feedback and training. While it can be a helpful technique to drive home the importance of awareness, employees don’t like it. They can feel you don’t trust them, are questioning their intelligence, or just embarrassing them. That can hurt morale and cause them to ignore your message.

Phishing your own employees can feel like a punishment for your team. They may fear their actions will get reported to supervisors and may have a negative impact on promotions or performance evaluations.  When employees are called out for failing such a training exercise, they are certainly less likely to report when they’ve clicked on a real phishing email.

Phishing Training for Employees Is No Match For Clever Thieves

Thieves sometimes go to great lengths to make these emails look like a trusted company or vendor. With the way people often mix business and personal email in their work accounts, it doesn’t have to be a fake invoice that causes them to click. A forged email from Netflix or Amazon can cause just as much damage if they open it on their business email account.

Netflix phishing email

A Better Solution to Prevent Phishing Attacks

Inky Phish Fence is the most comprehensive email phishing, SPAM, and malware protection you can buy. Inky® Phish Fence acts as an email protection gateway, sitting on top of Office 365 or Google Suite, and scans every internal and external email.

Using proprietary machine learning and computer vision, Inky detects phishing attacks (and even deep-sea phishing attacks) that other systems fail to catch When a phishing email is detected, Inky Phish Fence disables the links or quarantines the malicious email. The recipient will receive the email with a prominent warning displayed in the body of the email. Not only does this stop the threat but makes employees aware of the potential trouble it can cause and serves as a reminder of phishing email awareness training. This reduces the risk someone will act on a phishing email.

The warning is reported in the email itself rather than the header. This is important because of the prevalence of mobile devices now in the workplace. If the threat is only displayed in the email header, users may never see it on a device that truncates the header, such as a mobile phone. Putting it right in the email in a way you can’t miss makes sure everyone will see it. Further, as employees most often check email on their mobile device it means they are protected no matter where they are. 

2-2

CISOs and administrators get a comprehensive dashboard. This dashboard allows for both overview reporting on threats and the ability to do a deep dive into individual threats and messages. The Inky Phish Fence dashboard allows for search by recipients, dates, or threats.

Get in touch with Inky today to request a live demo of Inky Phish Fence. Let us help you make your business more secure.

Topics: phishing

Amy Daly

Written by Amy Daly