Phishing scams strike victims with alarming regularity. The Anti-Phishing Working Group, which collates information from various bodies worldwide, reported nearly a million phishing attacks in the last three months of 2024. That boils down to seven per minute, every minute of the day. And that’s just the ones that member companies report to the APWG.
Each incursion costs businesses, as hackers often get their victims to hand over passwords or bank details. One analysis claims $17,700 is lost per minute to phishing attacks. This makes it worthwhile for organizations to try and teach their staff to be more skeptical of the emails they receive.
Anti-phishing training isn’t too costly on an individual level, with basic online training averaging around $1 a month per employee, but it can rise to $5 or more per staff member per month. (Often, more tailored training providers charge their clients an annual retainer.) And for organizations with hundreds or thousands of employees, the costs can quickly add up.
Business leaders have historically seen that as money well spent. After staff are trained, they are tested with tantalizing emails every so often. If they click, they’re often subject to even more training. But a new study of 12,511 employees at a US fintech firm that the authors of the research declined to name suggests that anti-phishing training may be worse than useless.
“We thought we would see some kind of difference,” says Andrew T. Rozema, a researcher at Purdue University. “We figured that at least spending extra time doing interactive training and all that kind of stuff would improve the performance.” In reality, it didn’t make a difference “in any significantly measurable way,” says Rozema. “If anything, we saw a slight uptick in the amount of clicking people did on super-simple [phishing emails].”
The Surprising Results of a Mock Phishing Attack
As part of their work, Rozema and his colleague at Purdue, James C. Davis, split the staff into three groups. One-third of them got no training; one-third took a standard 15-video phishing awareness course; and the final third took the same 15-video course alongside interactive exercises designed to help users spot fakery.
Months after the fintech firm’s staff underwent the training, Rozema and Davis launched a mock phishing attack against the company, believing they’d see the training pay off and staff who had undergone more rigorous coursework become less susceptible to scams. It did not.
Around 10% of employees clicked on fake links sent by the researchers, regardless of their level of past training. The more involved interactive lessons improved employees’ likelihood of reporting phishing to bosses or IT teams by one percentage point, but paradoxically, they were slightly more likely to click a link than the control group that had no training.
The authors propose two potential reasons. Employees get used to spotting harder email tricks but get lazy at identifying the easier ones. Or they get primed to skim over emails that look like those they encountered in training, meaning they don’t pay enough attention to scammy missives when they hit their inboxes for real.
“I just don’t think [anti-phishing courses are] a particularly effective training method,” says Rozema. In part, that’s because of their frequency. “If you want people to change a behavior, you need to work on that behavior consistently. Once every 365 days”—the amount of training some workers get—“seems like a not-sufficient timeline.”
Anti-Phishing Educators’ Marketing Claims Are ‘Too Optimistic’
The findings seem contradictory to what we’d assume, but are all the more important for it, experts say. “Security is so much better when based on empirical data, and this seems to suggest the ‘gut feel’ that has resulted in so much ‘education’ of users was misguided, and perhaps [there’s been] an overreliance on its effectiveness,” says Alan Woodward, professor of cybersecurity at the University of Surrey, UK.
“It reminds me of work that showed that some of the original advice about passwords proved wrong when it was checked with field studies,” Woodward says. He points out that well-intentioned guidance to change passwords monthly, for instance, would be taken to the extreme by organizations. Those companies would compel their staff to keep switching passwords, resulting in workers choosing more easily guessable passwords.
Woodward suggests that business leaders might want to think twice about the claims of effectiveness made by anti-phishing training service providers. “It looks like many of the marketing claims from those [selling] training packages are a little bit too optimistic in terms of the effectiveness,” he says. “It’s too easy for end organizations to tick a box after buying a commercial solution and, based upon the marketing blurb, thinking they have improved their security.”
Of course, the research only focuses on one organization—something Woodward points out can’t necessarily be extrapolated across all businesses, even though the participant count is significant. “Having said that, that doesn’t detract from the paper,” he explains. “It simply shows how complex and nuanced the human factor is in all of this.”
However, organizations looking at the poor outcomes of training and considering cutting their anti-phishing training budgets may be constrained, Rozema says. “Most of us aren’t in a position to do that if we care to maintain our regulatory compliance,” he says. “We are forced by laws that we must do this sort of thing.”
While there is no single federal anti-phishing law, multiple laws—including the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) for financial institutions—require security-awareness training, part of which might involve anti-phishing training.
Instead, it’s worth doubling down on the things that organizations can actually control: the technical layers that sit far from the human, filtering mail before it ever reaches an inbox. “‘Did I or did I not get tricked by your phishing simulation?’ might not be the metric that businesses really should be focusing on,” Rozema says.
“Technical controls are your best defense right now,” he continues. “There’s no human training you can do to teach somebody that ‘That email you get every week that has the sales report in it, the one time it gets hacked? Don’t click on that.’”
About Chris Stokel-Walker
Freelance Writer
