Aviv Grafi

Why Anti-Phishing Training Isn't Enough

Not only is relying on employees' awareness insufficient to prevent sophisticated social engineering attacks, some training methods can create other problems.

It's time we take a hard look at why we rely so much on end users to catch phishing scams that can jeopardize an entire company. As hackers continue to advance their social engineering techniques, phishing attacks are becoming harder to detect and are missed 39% of the time. While you might think your anti-phishing training program is up to date, your organization will continue to be at risk as long as email is necessary for business operations.

Because we all engage with email daily, we have a degree of blind trust despite continuous, sophisticated anti-phishing training. On many occasions, hackers scheme to elicit emotional responses from their target — for example, by sending urgent messages "from" human resources or the CEO. These are more likely to result in improper downloads or email responses that can damage the entire organization.

File sharing over email is another necessary business function that puts the organization at significant risk for a breach. According to Proofpoint's "2021 State of the Phish Report," attachment-based attacks are becoming more common, and employees often cannot differentiate malicious emails from those with files they need to collaborate, especially when remote work is so common. Currently, the average failure rate in attachment-based attacks is 20%, far higher than for URL-based attacks, at 12%.

Why Anti-Phishing Training Isn't Succeeding
If you think this is solely a pandemic-related problem, think again, as it predates COVID-19. In 2019, 68% of organizations focused on raising awareness of link-based attacks compared with just 10% of organizations that put their efforts on attachment-based attacks. And 65% of the phishing tests with the highest failure rates were attachment-based, with most emails looking like they came from a recognizable internal account such as a supervisor or someone from the HR department. 

Notably, the HR department is at increased risk for falling victim to an attachment-based attack because of the resumes and other files from outside sources it engages with daily. For example, in 2020, hackers were able to avoid a sandbox by sneaking malware inside resumes and medical leave forms.

Additionally, training that threatens to come down hard on employees who open an email from an untrustworthy source creates additional problems. Making employees feel like they are going to be fired if they fail a test or miss a dangerous email can create phishing training trauma.

Finally, programs can also come off as insulting. As an example, the Tribune Publishing Company received some backlash after it sent anti-phishing training emails promising significant bonuses — in the middle of a global pandemic when journalists were being laid off and experiencing salary cuts. Incidents like this can cause severe disconnections between the security team and the rest of the company. They also do nothing to build a sense of camaraderie or motivate people to learn more about security.

It's Time to Stop Blaming End Users
Beyond users being tricked by increasingly sophisticated — and socially engineered — phishing campaigns along with other cyber exploits, there are a plethora of threats that user awareness training — and most security solutions — can do nothing about. Solutions that rely on signature databases and cannot detect zero-day exploits or undisclosed threats may leave significant gaps. Zero-day malware is constantly being developed and evades some of the best detection mechanisms. Yet many organizations' security defenses focus largely on threat detection along with anti-phishing training.

These solutions may give end users a false sense of security that they are protected no matter what, when many threats can slip through the cracks. If a security solution cannot detect these threats, then why would you expect employees to be able to detect them? Deploying detection-based solutions and relying on user awareness training will not provide the protection that enterprises need.

Even if better-educated users could stop more attacks and create safer cyber ecosystems, overreliance on phishing training will come up short — especially given recent developments that are putting a strain on the awareness training in place. Once organizations shifted to large-scale remote work, phishing training moved down the list of priorities. And cuts to security budgets threaten to take funding away from more advanced and effective measures.

To put it simply, putting all your eggs in the cybersecurity-awareness basket is ineffective. Organizations should divert more resources to prevention solutions rooted in data and technology, which stand a much better chance of keeping up with the fast-changing threat landscape and don't put the onus on well-intentioned employees.

Aviv Grafi is CEO & Founder of Votiro, an award-winning cybersecurity company specializing in neutralizing files of all kinds through Secure File Gateway solutions. Aviv is principal software architect for Votiro's enterprise solution, which is based on a unique Positive ...