Aviv Grafi
Why Anti-Phishing Training Isn't Enough

Not only is relying on employees' awareness insufficient to prevent sophisticated social engineering attacks, some training methods can create other problems.

It's time we take a hard look at why we rely so much on end users to catch phishing scams that can jeopardize an entire company. As hackers continue to advance their social engineering techniques, phishing attacks are becoming harder to detect and are missed 39% of the time. While you might think your anti-phishing training program is up to date, your organization will continue to be at risk as long as email is necessary for business operations.

Because we all engage with email daily, we have a degree of blind trust despite continuous, sophisticated anti-phishing training. On many occasions, hackers scheme to elicit emotional responses from their target — for example, by sending urgent messages "from" human resources or the CEO. These are more likely to result in improper downloads or email responses that can damage the entire organization.


File sharing over email is another necessary business function that puts the organization at significant risk for a breach. According to Proofpoint's "2021 State of the Phish Report," attachment-based attacks are becoming more common, and employees often cannot differentiate malicious emails from those with files they need to collaborate, especially when remote work is so common. Currently, the average failure rate in attachment-based attacks is 20%, far higher than for URL-based attacks, at 12%.

Why Anti-Phishing Training Isn't Succeeding
If you think this is solely a pandemic-related problem, think again, as it predates COVID-19. In 2019, 68% of organizations focused on raising awareness of link-based attacks compared with just 10% of organizations that put their efforts on attachment-based attacks. And 65% of the phishing tests with the highest failure rates were attachment-based, with most emails looking like they came from a recognizable internal account such as a supervisor or someone from the HR department.

Notably, the HR department is at increased risk of falling victim to an attachment-based attack because of the resumes and other files from outside sources it engages with daily. For example, in 2020, hackers were able to avoid a sandbox by sneaking malware inside resumes and medical leave forms.

Additionally, training that threatens to come down hard on employees who open an email from an untrustworthy source creates additional problems. Making employees feel like they are going to be fired if they fail a test or miss a dangerous email can create phishing training trauma.

Finally, programs can also come off as insulting. As an example, the Tribune Publishing Company received some backlash after it sent anti-phishing training emails promising significant bonuses — in the middle of a global pandemic when journalists were being laid off and experiencing salary cuts. Incidents like this can cause a severe disconnect between the security team and the rest of the company. They also do nothing to build a sense of camaraderie or motivate people to learn more about security.

It's Time to Stop Blaming End Users
Beyond users being tricked by increasingly sophisticated — and socially engineered — phishing campaigns along with other cyber exploits, there are a plethora of threats that user awareness training — and most security solutions — can do nothing about. Solutions that rely on signature databases and cannot detect zero-day exploits or undisclosed threats may leave significant gaps. Zero-day malware is constantly being developed and evades some of the best detection mechanisms. Yet many organizations' security defenses focus largely on threat detection along with anti-phishing training.

These solutions may give end users a false sense of security that they are protected no matter what, when many threats can slip through the cracks. If a security solution cannot detect these threats, then why would you expect employees to be able to detect them? Deploying detection-based solutions and relying on user awareness training will not provide the protection that enterprises need.

Even if better-educated users could stop more attacks and create safer cyber ecosystems, overreliance on phishing training will come up short — especially given recent developments that are putting a strain on the awareness training in place. Once organizations shifted to large-scale remote work, phishing training moved down the list of priorities. And cuts to security budgets threaten to take funding away from more advanced and effective measures.

To put it simply, putting all your eggs in the cybersecurity-awareness basket is ineffective. Organizations should divert more resources to prevention solutions rooted in data and technology, which stand a much better chance of keeping up with the fast-changing threat landscape and don't put the onus on well-intentioned employees.

Aviv Grafi is CEO & Founder of Votiro, an award-winning cybersecurity company specializing in neutralizing files of all kinds through Secure File Gateway solutions. Aviv is principal software architect for Votiro's enterprise solution, which is based on a unique Positive ...
