
ZDNET's key takeaways
- Phishing is a major and growing threat to businesses.
- But phishing awareness training has a minimal success rate.
- Researchers urge organizations to invest in technical countermeasures instead.
A new study has confirmed what many of us suspected: employee phishing training is hardly worth the effort.
The study, carried out by researchers at UC San Diego Health and Censys, found that phishing-related cybersecurity training programs had no effect on whether employees were fooled by a phishing email.
After analyzing the results of 10 separate phishing email campaigns sent to more than 19,500 employees at UC San Diego Health, the researchers found that "there is no significant relationship between whether users have recently completed annual, mandatory cybersecurity training and falling for phishing emails."
The team also examined whether embedded phishing training, in which organizations send simulated phishing emails to see whether their employees fall for them, was effective. Simply put, it was not: there was almost no difference in failure rate between those who completed the training and those who did not, a gap of only about 2% in how often each group fell for the phishing emails.
This is particularly concerning given that phishing was found to be the leading cause of ransomware this year, fueled by the abuse of infostealers and AI tools, according to a new SpyCloud identity threat report. Phishing was also the attack vector most often reported by the businesses taking part in that research, cited by 35% of affected organizations, up from 25% in 2024.
What is phishing?
Phishing is an ongoing crisis and a threat that affects individuals, SMBs and enterprises alike. Phishing expeditions often take the form of spray-and-pray scams or targeted messages designed to play on their recipients' curiosity, anxiety, or fear.
By crafting messages that induce fear or urgency, cybercriminals hope their victims will not step back and think rationally, but will instead click a button or hand over sensitive information, which can then be used for identity theft, fraudulent transactions, or a wider cybercrime campaign.
With the threat this severe, and a phishing-related breach carrying serious consequences for an organization, including data theft, destruction, financial losses, ransomware deployment, and reputational damage, companies naturally look for a solution.
Phishing training programs are a popular strategy for reducing the risk of a successful phishing attack. They may run annually or periodically, and employees are usually asked to review and learn from instructional materials. They may also receive fake phishing emails from a training partner over time; if they click a suspicious link in one, that failure to spot the phishing email is recorded.
Why phishing training does not work
The researchers at UC San Diego Health and Censys said that subject matter mattered for the success of a phishing email in their study. For example, hardly anyone clicked a link to update their Outlook password, while more than 30% of participants clicked a link in an email posing as an update to the employer's vacation policy.
The longer a phishing campaign continued, the more likely an employee was to have clicked a fraudulent link: the proportion rose from 10% of participants after one month to more than 50% by the eighth month.
"Taken together, our results suggest that anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks," the researchers said.
According to the researchers, a lack of engagement with modern cybersecurity training programs is to blame: employees often spend less than a minute on the material, or skip it entirely. When there is no engagement with the learning material, it is hardly surprising that there is no effect.
Potential solutions
To combat this, the team suggests that a pivot to more technical measures could give a better return on investment in phishing protection. Examples include enforcing two-factor or multi-factor authentication (2FA/MFA) on endpoint devices, and only allowing credentials to be used on trusted domains.
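The domain binding in that last suggestion is what makes passkeys and other WebAuthn credentials phishing-resistant: the browser stamps the origin of the page that requested the login into the signed client data, and the authenticator signs over a hash of the relying-party (RP) ID, so the server can refuse any assertion that did not come from its own domain. The code below is an added example of those server-side checks, written for this edit and not taken from the ZDNET article or the UC San Diego Health and Censys study; the RP ID, origins, and the sample login and phishing messages are constructed assumptions.

```python
# Added example: server-side WebAuthn assertion checks that bind a credential to a
# trusted domain. Not code from the ZDNET article or the UCSD/Censys study; the
# relying-party ID, origins and sample messages below are constructed assumptions.
import base64
import hashlib
import hmac
import json

# Assumption: the organisation's relying-party ID and the only origin allowed to use it.
TRUSTED_RP_ID = "login.example-health.org"
TRUSTED_ORIGINS = {"https://login.example-health.org"}

FLAG_USER_PRESENT = 0x01


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def make_authenticator_data(rp_id: str, flags: int = FLAG_USER_PRESENT, counter: int = 1) -> bytes:
    """The 37-byte authenticator data returned with an assertion:
    SHA-256(rpId) || flags byte || 32-bit big-endian signature counter."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def make_client_data(challenge: bytes, origin: str) -> str:
    """clientDataJSON as the browser builds it, base64url-encoded for transport."""
    doc = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(doc).encode("utf-8"))


def verify_assertion_binding(client_data_b64: str, auth_data: bytes, expected_challenge: bytes,
                             rp_id: str = TRUSTED_RP_ID, trusted_origins=TRUSTED_ORIGINS):
    """Checks from WebAuthn section 7.2 that tie an assertion to the challenge, origin and RP ID.
    Returns (ok, reason). Verifying the signature over authData || SHA-256(clientDataJSON)
    with the stored public key would follow these checks and is omitted here."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Constant-time comparison: the challenge is the per-login anti-replay secret.
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replayed or forged assertion)"
    # The browser fills in the origin of the page that called navigator.credentials.get();
    # a lookalike or proxy domain cannot present itself as the trusted origin.
    if client_data.get("origin") not in trusted_origins:
        return False, f"untrusted origin {client_data.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(rp_id.encode("utf-8")).digest()):
        return False, "rpIdHash does not match the trusted RP ID"
    if not auth_data[32] & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    return True, "assertion bound to trusted origin and RP ID"


def demo() -> dict:
    """Constructed scenarios: one genuine login and two phishing attempts."""
    challenge = bytes(range(32))  # fixed for the demo; use os.urandom(32) per login in practice
    genuine = verify_assertion_binding(
        make_client_data(challenge, "https://login.example-health.org"),
        make_authenticator_data(TRUSTED_RP_ID), challenge)
    # Lookalike site relaying the login: the browser stamps the phishing origin into clientDataJSON.
    lookalike = verify_assertion_binding(
        make_client_data(challenge, "https://login.example-health.org.evil-phish.test"),
        make_authenticator_data(TRUSTED_RP_ID), challenge)
    # Forged assertion whose authenticator data was produced for a different RP ID.
    wrong_rp = verify_assertion_binding(
        make_client_data(challenge, "https://login.example-health.org"),
        make_authenticator_data("evil-phish.test"), challenge)
    return {"genuine": genuine, "lookalike": lookalike, "wrong_rp": wrong_rp}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The origin and rpIdHash checks are the server's half of the binding; the browser enforces the other half by refusing to produce an assertion for an RP ID that is not a registrable suffix of the calling page's domain. Together they mean a stolen or relayed login simply does not verify, which is why this approach removes the human decision that training tries, and fails, to improve.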
This is not to say that phishing programs have no place in the corporate world. We should also return to the basics of engaging learners. As a former teacher, I would suggest that tabletop discussions, in-person seminars, and even gamified training could be the missing link between training and positive results.

