Phishing Training Is Pretty Pointless, Researchers Find (scworld.com)
- Reference: 0178708006
- News link: https://it.slashdot.org/story/25/08/17/0134258/phishing-training-is-pretty-pointless-researchers-find
- Source link: https://www.scworld.com/news/phishing-training-is-pretty-pointless-researchers-find
> In a scientific study involving thousands of test subjects, eight months and four different kinds of phishing training, the average improvement rate of falling for phishing scams was a whopping 1.7%. "Is all of this focus on training worth the outcome?" asked researcher Ariana Mirian, a senior security researcher at Censys and recently a Ph.D. student at U.C. San Diego, where the study was conducted. "Training barely works..."
>
> [Research partner Christian Dameff, co-director of the U.C. San Diego Center for Healthcare Cybersecurity] and Mirian wanted scientifically rigorous, real-world results. (You can [2]read their academic paper here.) They enrolled more than 19,000 employees of the UCSD Health system and randomly split them into five groups, each member of which would see something different when they failed a phishing test randomly sent once a month to their workplace email accounts... Over the eight months of testing, however, there was little difference in improvement among the four groups that received different kinds of training. Those groups did improve a bit over the control group's performance — by the aforementioned 1.7%...
>
> [A]bout 30% of users clicked on a link promising information about a change in the organization's vacation policy. Almost as many fell for one about a change in workplace dress code... Another lesson was that given enough time, almost everyone falls for a phishing email. Over the eight months of the experiment, just over 50% failed at least once.
Thanks to Slashdot reader [3]spatwei for sharing the article.
[1] https://www.scworld.com/news/phishing-training-is-pretty-pointless-researchers-find
[2] https://arianamirian.com/docs/ieee-25.pdf
[3] https://www.slashdot.org/~spatwei
Oh of course (Score:3)
Corporate systems are a mess of different websites cobbled together with varying URL schemes and not always unified authentication processes (SSO most of the time, not always). How do you want to train people for that?
Reverse Training (Score:3)
Work rolled out a new SAP invoice system. I'd been ignoring notifications for weeks because they looked like phishing emails.
It wasn't until a colleague from the purchasing dept. *actually* emailed me personally that I realized they weren't.
Fight the problem at the source (Score:3)
At one of the previous jobs, I immediately approached the HR department and made it clear that, unlike everyone else, I did not allow them to mention me on the "About Us" page. Result: zero scams received other than the simulated ones from internal pentests.
E-mail security is a clusterfuck (Score:2)
It was never originally designed with security in mind.
There are various protocols that can be layered on top to improve security. None have been universally adopted.
Having email content signed, and being able to verify the signature locally, would go a long way.
S/MIME did this 3 decades ago! Thunderbird and Outlook still support it. Sadly, consumer gmail does not.
For anything corporate related, such as HR vacation policies, using digital signatures would go a very long way to prevent phishing scams, as the
Re: (Score:2)
Eh. I can generate S/MIME signed emails, but the cert is only signed by a CA within my employer -- there's no chain of trust that third parties, or even our corporate parent, can use (well) to verify that my cert means anything. And some or all employees at the corporate parent use an email client that shows signed emails as attachments, so there's a burden for them to see what I wrote.
So email infrastructure needs to meet a higher bar than just allowing signatures. It needs to make the signatures meanin
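As an added example that is not part of either comment above, the following script drives the openssl CLI through the situation the two posts describe: a message signed with a certificate issued by the employer's own CA verifies against that CA, cannot be validated by a party that only trusts a different root (the corporate parent in the comment), and stops verifying the moment the signed text is altered. The CA names, the signer's address and the message text are all constructed for the demo; it needs only a working `openssl` binary.

```shell
#!/bin/sh
# Added example, not code from the thread. It uses the openssl CLI to show that
# an S/MIME signature is only as useful as the trust the verifier places in the
# issuing CA, and that any edit to the signed body breaks the signature.
# Every name, subject and message below is constructed for the demo.
set -eu

# Build a throwaway PKI in directory $1: an internal CA, a user cert it issued,
# and a second, unrelated CA standing in for another organisation's trust root.
make_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Corp Internal CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=Alice Example/emailAddress=alice@corp.example" \
    -keyout "$dir/alice.key" -out "$dir/alice.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/alice.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/alice.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Parent Corp CA" \
    -keyout "$dir/parent.key" -out "$dir/parent.crt" >/dev/null 2>&1
}

# Clear-sign message $2 with Alice's key from $1, writing multipart/signed MIME to $3.
smime_sign() {
  openssl smime -sign -text -in "$2" -out "$3" \
    -signer "$1/alice.crt" -inkey "$1/alice.key"
}

# Verify signed message $1 against trust anchor $2; prints ok or fail.
smime_verify() {
  if openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Run the whole scenario and print one line summarising the three outcomes.
smime_demo() {
  dir=$(mktemp -d)
  make_pki "$dir"
  printf 'Vacation policy update: details are on the intranet page.\n' > "$dir/msg.txt"
  smime_sign "$dir" "$dir/msg.txt" "$dir/msg.p7m"
  # Recipient who trusts the internal CA: chain builds, signature checks out.
  own=$(smime_verify "$dir/msg.p7m" "$dir/ca.crt")
  # Recipient who only trusts the unrelated CA: no chain, so the signature means nothing to them.
  parent=$(smime_verify "$dir/msg.p7m" "$dir/parent.crt")
  # Alter one word of the signed body; the signature no longer matches the content.
  sed 's/intranet/external/' "$dir/msg.p7m" > "$dir/tampered.p7m"
  tampered=$(smime_verify "$dir/tampered.p7m" "$dir/ca.crt")
  rm -rf "$dir"
  echo "own_ca=$own parent_ca=$parent tampered=$tampered"
}

smime_demo
```

Running it prints `own_ca=ok parent_ca=fail tampered=fail`. The middle result is the commenter's point: unless the internal CA is distributed to (and trusted by) every organisation that should be able to check the signature, those recipients see an unverifiable blob, which is no better than an unsigned mail for telling a real HR notice from a forged one.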
Not even trying to solve the right problem... (Score:4, Insightful)
The other reason to be deeply cautious of phishing training is that it tends to (when not just plain trivial either because nobody much cares to lovingly craft it to blend in with their specific environment or because they don't want awful result numbers) focus on the risks that are most amenable to technical solutions and waste the time you could be using for the actually dangerous stuff.
Even fairly middling mail filters get a lot of the really lazy stuff; and if you don't want people clicking on Important.doc.exe you just tell the mailserver not to give it to them; not try to train them out of double extensions. If they keep falling for fake login pages; well, that's what the FIDO2 requirement is for.
It's when an account gets compromised at a supplier and a nice looking email, legitimately coming from their infrastructure, body including knowledge of past interactions with them, asking accounts payable to please make a few updates that you have a problem you hope you actually spent time drilling people on proper procedure. Those ones are, at a technical level, impeccably legitimate; and a great way to send tens of thousands of dollars into the ether really fast.
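The comment's point that the mail server, not the user, should deal with `Important.doc.exe` is easy to make concrete. The following is an added example, not code from the thread or from any product it mentions: a gateway-side attachment policy that refuses to deliver executable attachments and separately flags the double-extension disguise. It goes slightly beyond the comment by also catching names padded with spaces before the real extension. The extension lists and sample file names are constructed for the demo; a real deployment would take the lists from its own policy.

```python
# Added example, not code from the thread. A mail-gateway attachment policy:
# block the executable at the server so nobody needs training to spot it.
# Extension lists and sample names are constructed for this demo.

# Final extensions a mail server can simply refuse to deliver.
BLOCKED_FINAL_EXT = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
    "vbs", "vbe", "wsf", "hta", "lnk", "msi", "ps1",
}
# Harmless-looking extensions that get stacked in front of the real one.
DECOY_EXT = {
    "doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx",
    "txt", "jpg", "png", "zip",
}


def attachment_verdict(filename: str) -> str:
    """Return 'allow' or a 'block:<reason>' string for one attachment name."""
    # Lower-case and strip each dot-separated part, so "invoice.pdf      .exe"
    # is judged the same way as "invoice.pdf.exe".
    parts = [p.strip() for p in filename.strip().lower().split(".")]
    if len(parts) < 2 or not parts[-1]:
        return "allow"  # no usable extension: nothing for this rule to judge
    final = parts[-1]
    if final not in BLOCKED_FINAL_EXT:
        return "allow"
    # A decoy document extension right before the executable one is the
    # "Important.doc.exe" pattern; report it separately for the SOC's metrics.
    if len(parts) >= 3 and parts[-2] in DECOY_EXT:
        return "block:double-extension"
    return "block:executable"


def filter_attachments(names):
    """Apply the policy to every attachment of a message: dict name -> verdict."""
    return {name: attachment_verdict(name) for name in names}


if __name__ == "__main__":
    # Constructed sample attachment names, including the one from the comment.
    sample = [
        "Important.doc.exe",
        "Q3-report.pdf",
        "invoice.pdf           .exe",
        "setup.exe",
        "README",
    ]
    for name, verdict in filter_attachments(sample).items():
        print(f"{name!r:32} {verdict}")
```

The verdict strings are deliberately distinct: a plain `block:executable` is routine noise, while a run of `block:double-extension` hits against one department is the kind of signal worth a look, which is exactly the attention the comment argues should go to the supplier-compromise cases rather than to training people to read file names.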
Easily broken when working in a big office. (Score:2)
I once broke a phishing test by standing up in the SOC and shouting "watch out - there's a very suspicious email just arrived".
You woke up all your colleagues. (Score:2)
That's mean.
You woke up all your colleagues for a false alarm :)
Re: (Score:2)
Similar here. During the early days of Covid, since we were quite frequently targeted for phishing (spear and general), the engineering team got into the habit of posting to the group Teams chat about any suspicious looking emails so everyone else could be extra wary until its legitimacy could be confirmed since our HR and finance departments sent some phishy-looking emails on occasion. Needless to say, Corporate IT was oblivious to this until we trashed their Phishing test, at which point they kicked of
Seen It (Score:2)
The phishing test emails at work are blatantly obvious, and yet people somehow fall for them repeatedly. One person even replied directly to a fake government department email with their full personal and financial details. WTF. How? Why?!
That's because the workplace counter-trains people (Score:2)
The abysmal results are because every workplace trains people to fall for phishing scams. That change in vacation policy? The real, legitimate notification of it will be in an email from an external bulk-mailing service telling employees to click on the link included. There's nothing in it to distinguish it from a phishing attempt, and employees are supposed to trust it.
Progress is going to require workplaces, schools etc. to:
Send official mail from an internal address, not through any external service.
Ha
Small wonder (Score:2)
Half the population has an IQ of under 100.
Click-through is the wrong thing to measure (Score:1)
The experiment, and typical phishing training in general, measure click-through on email links. They use that measure because it is technically easy - you just need to create a fake email, not an entire fake website, and all phishing scenarios can be handled in the same way. The problem is that people frequently get emails with links they do have to click on, and this makes reliably distinguishing between legitimate emails and (well-crafted) phishing emails before clicking genuinely hard.
It is not clicking
ID (Score:2)
Noob here... wouldn't this be a legit reason to make a part of the web ID only? No anonymity, log in with government ID. Laws apply, credentials can be revoked by court? Like a driving license. Country borders would be an issue I guess.
Re: (Score:2)
Worst thing I've seen was when "wanting back" the reported phishing email that turned out to be legitimate, that it takes weeks and it doesn't return as the actual email in outlook but as a chain of emails going back and forth partly with some company to which this thing was outsourced, and a small one I wouldn't send my slashdot and whatnot emails to check them ...