The Phishing Plateau: When Simulated Phishing Attacks Fall Flat

We know many businesses have started using simulated phishing attacks as a way to assess their end-user vulnerability to this particularly dangerous threat vector. Simulated phishing attacks, when fallen for, create an "Ah ha!" moment, as they make end users aware of their susceptibility and more receptive to training.  

Unfortunately, many businesses only send phishing attacks to their end users and miss the opportunity to follow up with proven, effective training. Not all training is created equal. Videos and slide-based presentations aren’t engaging or interactive — they are “tune out” training.

The Phishing Plateau Phenomenon

When businesses take the phishing only approach or don't have effective training, they experience a phenomenon known as the "Phishing Plateau". During the course of their security awareness program the decrease in open and click rates stops, and the program flatlines. We've seen this happen with our customers who are only using simulated phishing attacks, as well as with companies currently using other security awareness and training vendors.

Why does this happen? Because phishing end users is not the same as educating them. If you send an unsuspecting end user a phishing email, they click on it, and are redirected to a landing page or pop-up message, the usual reaction is embarrassment. They might be less likely to click on what they think is a phishing email in the future, but they still don't know and can't prove why a message is a phishing email.

And with spear-phishing attacks becoming more common, phishing emails have become harder to spot. Today's messages are very different from that note from a Nigerian prince offering you a hefty cash sum.

Getting to the Root of the Problem

Many vendors claim to offer "training" in the form of slide-based "interactive" training and videos shown after a simulated attack. But if there isn't research proving the effectiveness of a solution, how do you know it works? These "tune out" training solutions require a lot of effort, but can't deliver the results.

To truly change behaviors, users must learn the tell-tale signs of a phishing email, what's malicious and what's not in those emails, and apply that knowledge with real-world examples.

To put it more simply, you can't ride a bike by watching a video, or clicking through slides, or putting instructions in an annual PowerPoint or email. You need to ride a bike.

Breaking the Plateau

At Wombat, we believe that the only way to break the plateau is by using phishing as an assessment tool, as our research-backed continuous training methodology shows that there is a big difference between Teachable Moments, or that "Ah ha!" moment, and what others call training immediately after a simulated attack. In fact, the practice of forcing end users into training immediately after a simulated attack breaks a key rule of our research-backed Learning Science Principles:

"Let Them Set the Pace
It may sound cliché, but everyone really does learn at their own pace. A one-size-fits-all security training program is doomed to fail because it does not allow users to progress at the best speed for them."

It's much easier to give end users a designated window of time and reminder emails to complete training using our exclusive Auto-Enrollment feature. That way, they're ready and better prepared for the training, making them more likely to learn and retain the information from the lesson. Let's face it, nobody likes to be interrupted in the middle of a big project or with a deadline looming.