Phishing Training Doesn't Stop Your Employees From Clicking Scam Links - Here's Why



ZDNET's key takeaways

  • Phishing is a major and growing threat to businesses.
  • But phishing awareness training has a minimal success rate.
  • Researchers urge organizations to invest in technical countermeasures instead.

A new study has confirmed what many of us suspected: employee phishing training, in the form most organizations deploy it, is simply not worth the effort.

The study, conducted by UC San Diego Health and Censys researchers, found that phishing-related cybersecurity training programs had no effect on whether or not employees were duped by phishing emails.

After analyzing the results of 10 different phishing email campaigns sent to over 19,500 employees at UC San Diego Health over 8 months, the researchers found "no significant relationship between whether users had recently completed an annual, mandated cybersecurity training and the likelihood of falling for phishing emails."

Also: Battered by cyberattacks, Salesforce faces a trust problem - and a possible class action lawsuit

The team also investigated whether embedded phishing training, in which organizations send simulated phishing emails to see whether their employees fall for them, was effective. Simply put, it wasn't: there was almost no difference in failure rates between those who completed the training and those who did not. The gap in the likelihood of falling for a phishing email was only 2%.

This is particularly concerning, given that phishing was found to be the leading cause of ransomware this year, fueled by infostealers and the abuse of AI tools, according to a new SpyCloud Identity threat report. Phishing was also the most reported attack vector among businesses participating in the research and was cited by 35% of affected organizations, up from 25% in 2024.

What is phishing? 

Phishing is a constant scourge and a threat that affects individuals, SMBs, and enterprises alike. Phishing campaigns often take the form of spray-and-pray fraudulent emails or targeted messages designed to elicit curiosity, panic, or fear in their recipients.

By crafting messages that inspire fear or urgency, cybercriminals hope that their victims will not take a step back and think rationally, but will instead panic-click a button or hand over sensitive information that can be used for identity theft, to conduct fraudulent transactions, or in broader cybercrime.

Also: Scammers are now faking the FBI's own website - here's how to stay safe

When the threat is this serious, and a phishing-related breach can lead to severe consequences for an organization, including data theft, data destruction, financial losses, ransomware deployment, and reputational damage, companies naturally look for solutions.

Phishing training programs are a popular tactic aimed at reducing the risk of a successful phishing attack. They may be run annually or on an ongoing basis, and typically employees are asked to watch and learn from instructional materials. Employees may also be sent fake phishing emails by a training partner over time, and if they click on suspicious links within them, these failures to spot a phishing email are recorded.

Why phishing training doesn't work

UC San Diego Health and Censys researchers said the subject matter of the lure was what mattered to the success of a phishing email in their study. For example, hardly anyone clicked a link to update their Outlook password, whereas over 30% of participants clicked a link in an email pretending to be an employer update to vacation policies.

The longer a phishing campaign continued, the more employees had clicked a fraudulent link: 10% of participants after the first month, and over 50% by the eighth month.

Also: This 2FA phishing scam pwned a developer - and endangered billions of npm downloads

"Taken together, our results suggest that anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks," the researchers said.

According to the researchers, a lack of engagement with modern cybersecurity training programs is to blame, with time spent on the material often recorded as less than a minute, or none at all. When there is no engagement with the learning materials, it is unsurprising that there is no impact.

Potential solutions

To combat this problem, the team suggests that a pivot to more technical controls would give a better return on investment in phishing protection: for example, requiring two-factor or multi-factor authentication (2FA/MFA) on endpoint devices, and ensuring that credentials can only be used on trusted domains. One caveat a practitioner should keep in mind: one-time codes and push approvals can themselves be relayed by a phishing page in real time, so it is phishing-resistant, origin-bound MFA such as FIDO2/WebAuthn passkeys, together with password managers that refuse to fill credentials on lookalike domains, that actually removes the value of a harvested password.
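The "credentials only on trusted domains" control above is worth seeing in working form, because it is the reason a convincing vacation-policy lure fails even against an employee who never opened the training. The following Python is an added illustration written for this article; it is not code from the UC San Diego Health / Censys study, nor from any real password manager or browser. Every host name, URL and credential in it is made up, and the matching rule (a saved entry is released only to the host it was saved on or a subdomain of it) is this example's own policy, stricter than the registrable-domain rule most browsers use.

```python
"""Domain-bound credential release: a saved password is handed out only on
the site it was saved for, so a lookalike phishing page never receives it,
however convincing the lure.

Added illustration for this article, not code from the study it discusses
or from any real password manager. All hosts and credentials are constructed.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed vault: one credential entry, keyed by the host it was saved on.
VAULT: Dict[str, Dict[str, str]] = {
    "health.ucsd.edu": {"username": "jdoe", "password": "hunter2-example"},
}


def host_matches(page_host: str, bound_host: str) -> bool:
    """True if page_host is bound_host itself or a subdomain of it.

    Labels are compared from the right, so 'health.ucsd.edu.evil.example'
    does NOT match 'health.ucsd.edu' even though it contains that string,
    and 'health-ucsd.edu' does not match either. Homoglyph lookalikes fail
    for the same reason: after lowercasing, 'heaith' is a different label.
    """
    page_labels = page_host.lower().rstrip(".").split(".")
    bound_labels = bound_host.lower().rstrip(".").split(".")
    if len(page_labels) < len(bound_labels):
        return False
    return page_labels[-len(bound_labels):] == bound_labels


def release_decision(page_url: str,
                     vault: Dict[str, Dict[str, str]] = VAULT
                     ) -> Tuple[Optional[Dict[str, str]], str]:
    """Decide whether any vault entry may be filled into the page at page_url.

    Returns (entry, reason); entry is None when nothing may be released.
    urlsplit().hostname strips userinfo and port, so a URL such as
    https://health.ucsd.edu@evil.example/ resolves to host 'evil.example'.
    """
    parts = urlsplit(page_url)
    host = parts.hostname
    if parts.scheme != "https":
        return None, "refused: credentials are only released over https"
    if not host:
        return None, "refused: no host in URL"
    for bound_host, entry in vault.items():
        if host_matches(host, bound_host):
            return entry, f"released: {host} is within {bound_host}"
    return None, f"refused: {host} is not a trusted host for any saved credential"


# Constructed sample of pages an employee might land on during a campaign.
SAMPLE_URLS = [
    "https://health.ucsd.edu/login",                     # the genuine site
    "https://sso.health.ucsd.edu/",                      # legitimate subdomain
    "https://health.ucsd.edu.vacation-policy.example/",  # prefix lookalike
    "https://health-ucsd.edu/",                          # hyphen lookalike
    "https://heaIth.ucsd.edu.example/update",            # capital-I homoglyph
    "https://health.ucsd.edu@evil.example/",             # userinfo trick
    "http://health.ucsd.edu/login",                      # right host, plain http
]


def run_samples(urls=SAMPLE_URLS) -> Dict[str, bool]:
    """Map each sample URL to whether a credential would be released there."""
    return {url: release_decision(url)[0] is not None for url in urls}


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        _, reason = release_decision(url)
        print(f"{url:52} -> {reason}")
```

Only the first two URLs receive the credential; every lookalike, the userinfo trick and the plain-http page are refused regardless of how the user was persuaded to visit them. WebAuthn passkeys enforce the same binding cryptographically inside the authenticator (the signature covers the origin, so a lookalike site cannot obtain a valid assertion), which is why they are classed as phishing-resistant where one-time codes are not.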

Also: How passkeys work: The complete guide to your inevitable passwordless future

That's not to say that phishing programs don't have a place in the corporate world. We should also go back to the basics of engaging learners. As a former teacher, I would suggest that tabletop discussions, in-person seminars, and even gamification could provide the missing link between training and positive outcomes.
