Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
01:00 PM
Aviv Grafi
Aviv Grafi
Connect Directly
E-Mail vvv

Why Anti-Phishing Training Isn't Enough

Not only is relying on employees' awareness insufficient to prevent sophisticated social engineering attacks, some training methods can create other problems.

It's time we take a hard look at why we rely so much on end users to catch phishing scams that can jeopardize an entire company. As hackers continue to advance their social engineering techniques, phishing attacks are becoming harder to detect and are missed 39% of the time. While you might think your anti-phishing training program is up to date, your organization will continue to be at risk as long as email is necessary for business operations.

Because we all engage with email daily, we have a degree of blind trust despite continuous, sophisticated anti-phishing training. On many occasions, hackers scheme to elicit emotional responses from their target — for example, by sending urgent messages "from" human resources or the CEO. These are more likely to result in improper downloads or email responses that can damage the entire organization.

Related Content:

5 Ways Social Engineers Crack Into Human Beings

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How to Move Beyond Passwords and Basic MFA

File sharing over email is another necessary business function that puts the organization at significant risk for a breach. According to Proofpoint's "2021 State of the Phish Report," attachment-based attacks are becoming more common, and employees often cannot differentiate malicious emails from those with files they need to collaborate, especially when remote work is so common. Currently, the average failure rate in attachment-based attacks is 20%, far higher than for URL-based attacks, at 12%.

Why Anti-Phishing Training Isn't Succeeding
If you think this is solely a pandemic-related problem, think again, as it predates COVID-19. In 2019, 68% of organizations focused on raising awareness of link-based attacks compared with just 10% of organizations that put their efforts on attachment-based attacks. And 65% of the phishing tests with the highest failure rates were attachment-based, with most emails looking like they came from a recognizable internal account such as a supervisor or someone from the HR department. 

Notably, the HR department is at increased risk for falling victim to an attachment-based attack because of the resumes and other files from outside sources it engages with daily. For example, in 2020, hackers were able to avoid a sandbox by sneaking malware inside resumes and medical leave forms

Additionally, training that threatens to come down hard on employees who open an email from an untrustworthy source creates additional problems. Making employees feel like they are going to be fired if they fail a test or miss a dangerous email can create phishing training trauma.

Finally, programs can also come off as insulting. As an example, the Tribune Publishing Company received some backlash after it sent anti-phishing training emails promising significant bonuses — in the middle of a global pandemic when journalists were being laid off and experiencing salary cuts. Incidents like this can cause severe disconnections between the security team and the rest of the company. It also does nothing to build a sense of camaraderie or motivate people to learn more about security. 

It's Time to Stop Blaming End Users
Beyond users being tricked by increasingly sophisticated — and socially engineered — phishing campaigns along with other cyber exploits, there are a plethora of threats that user awareness training — and most security solutions — can do nothing about. Solutions that rely on signature databases and cannot detect zero-day exploits or undisclosed threats may leave significant gaps. Zero-day malware is constantly being developed and evades some of the best detection mechanisms. Yet many organizations' security defenses focus largely on threat detection along with anti-phishing training.

These solutions may give end users a false sense of security that they are protected no matter what, when many threats can slip through the cracks. If a security solution cannot detect these threats, then why would you expect employees to be able to detect them? Deploying detection-based solutions and relying on user awareness training will not provide the protection that enterprises need.

Even if better-educated users could stop more attacks and create safer cyber ecosystems, overreliance on phishing training will come up short — especially given recent developments that are putting a strain on the awareness training in place. Once organizations shifted to large-scale remote work, phishing training moved down the list of priorities. And cuts to security budgets threaten to take funding away from more advanced and effective measures.

To put it simply, putting all your eggs in the cybersecurity-awareness basket is ineffective. Organizations should divert more resources to prevention solutions rooted in data and technology, which stand a much better chance of keeping up with the fast-changing threat landscape and don't put the onus on well-intentioned employees.

Aviv Grafi is CEO & Founder of Votiro, an award-winning cybersecurity company specializing in neutralizing files of all kinds through Secure File Gateway solutions. Aviv is principal software architect for Votiro's enterprise solution, which is based on a unique Positive ... View Full Bio
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...