Phishing Emails and Risk Management: Why Your Employees Keep Clicking


Last updated: August 1, 2018

It should come as no surprise (given the website you’re on) that we are advocates for security awareness training. It may surprise you to know, however, that we don’t believe anti-phishing training can eliminate end-user risk. Actually, we feel that “chasing zero” is counterproductive — and we’ll tell you why.

There Are Three Primary Reasons End Users Fall for Phishing Attacks

Our experience has shown that there are three fundamental reasons users click on phishing scams (spoiler alert: “stupidity” isn’t one of them):

1. They aren’t aware of the phishing threat.

This, you may be thinking, is impossible. How can anyone not know what phishing is? It’s all over the most prominent infosec news sites and even many mainstream news sites! There are studies and statistics! And I totally send my end users emails about this!

We don’t mean to burst your bubble, but the average employee is probably a lot more interested in social media memes and Netflix than they are in cybersecurity news and reports. And even if you are sending emails…it’s likely they aren’t reading them (or at least not all of them).

For our 2018 State of the Phish Report, we commissioned an independent survey of 1,000 U.S. and 1,000 UK working adults about their knowledge of phishing. Though well over half of those users did know what phishing is (in general terms), 39% of U.S. respondents and 27% of UK respondents did not. That is a sizable awareness gap.

The reality is that if you aren’t regularly communicating to your users in multiple ways and using language and materials that resonate with them, your warnings about phishing are probably going in one ear and out the other.

2. They are aware of the phishing threat but don’t know what to do about it.

We hope you’ll forgive us for being persnickety, but we tend to favor “security awareness and training” over “security awareness training.” That preference is based on a simple reason: awareness and training are two separate things.

Making your end users aware that a threat exists is not the same as teaching them how to recognize and react to that threat if they encounter it during their day-to-day business activities. Sure, it’s great to win the battle of getting your employees to know that phishing attacks are happening within your organization — but to win the war, you need to use anti-phishing training tools to educate your employees about the different types of social engineering tactics attackers will use to try to trick them into clicking…and downloading…and submitting sensitive data.  

This philosophy is a primary reason why we recommend using both simulated attacks and interactive education in anti-phishing training programs. In addition to assessing end-user vulnerability to phishing, our ThreatSim® Phishing Simulations can be paired with Teachable Moments, which help organizations raise awareness with end users by providing a “just-in-time teaching” message to anyone who interacts with a simulated attack. This starts to give employees a sense of how their actions can impact data and network security.

But given that one phishing example is just that — one phishing example — follow-up education is a critical piece of end-user risk management. Our security awareness training modules not only explain the different kinds of threats that end users might face, they allow employees to practice applying their knowledge. This interactivity is key to engagement and knowledge retention — and our customers have told us that this approach makes a big difference in how their employees respond to training.

3. They are human.

This may sound a little harsh, but making a 0% vulnerability rate your measure of success is unrealistic. That’s because there is no ignoring the human factor. Humans are fallible. Humans make mistakes — even you. You know stoves are hot, but you occasionally still get burned. You are aware of the risks associated with reckless driving, and you know how to avoid those actions — but chances are that you still exhibit risky behaviors on occasion. Maybe it’s because you get distracted. Maybe you get a little overconfident about your driving skills. Whatever the reason, you end up courting risk, even though you know better.

That said, before you throw up your hands and give up on the idea of security awareness and training, consider this cybersecurity equation:

Educated Human > Aware Human > Unaware Human

Awareness gets your end users thinking about the way they act, and education gives them the knowledge they need to change the way they act. Users who are totally unaware are likely to click on anything and everything — and be none the wiser. Educated users make far better decisions, make far fewer mistakes, and are far more likely to alert you to questionable emails, allowing you and your infosec response team to become more proactive and less reactive.

You allow for imperfection from your spam filter, your antivirus software, and a host of other technical safeguards. You need to allow for imperfection from your end users as well, if only because of the value they bring to your organization. They are your biggest asset, and you need to stop simply writing them off as a liability.


To Reduce Vulnerability, Focus on Managing Risk, Not Eliminating It

When you couple the human factor with the sheer volume of attacks and the single-minded focus of cybercriminals, it is clear that cybersecurity risks are not going anywhere. In the end, though, the volume of phishing emails and sites detected isn’t nearly as important as the quality of the attacks and their impact on individuals and businesses.

Cybercrime has clearly proven its value to attackers. For the first time, the latest Crime Survey for England and Wales (CSEW) tracked statistics about cybercrime for the full year of its survey period. Out of the 11.8 million identified incidents of crime — which included those affecting both individuals and businesses — 5.6 million were attributed to fraud and computer misuse, which nearly matched all other incidents combined.   

If end-user risk management is not part of your cybersecurity plan…what are you waiting for? Specifically, a security awareness and training program can offer a cost-effective, results-driven way to quickly impact end-user risk and generate improvements over time.

Choose Your Awareness and Training Tools (and Partners) Carefully

Our security awareness training methodology is about continuity, raising awareness over time, and using cybersecurity education tools to teach your employees how to apply best practices that will improve the security of personal and organizational data and systems. While our customers have seen measurable results — some very impressive — we would never tell you that anti-phishing training is your gateway to a 0% click rate. Frankly, claims of those types of results just don’t pass the sniff test. Because humans are in the equation and all humans are fallible, 0% vulnerability is an unrealistic — and unattainable — goal.

What is realistic is risk reduction. A cybersecurity strategy that includes technical safeguards and employee security awareness and training will give you the best opportunity to lower attack success rates and minimize the impact that cybercrime can have on your organization.