Behavioral Conditioning, Not Awareness, Is the Answer to Phishing


You don’t stop phishing attacks by raising user awareness. A recent study conducted by a German university confirms what we at PhishMe have known all along: Focusing on awareness isn’t the point. The real solution is behavioral conditioning.

The study, conducted by Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, used 1,700 students to simulate spear phishing attacks. An August 31 Ars Technica article published preliminary results of the study showing at least 50% of students clicked simulated phishes, even though they understood the risks.

With its headline, “So Much for Counter-phishing Training: Half of People Click Anything Sent to Them,” the article appears to suggest training is pointless. But we see it differently. While the article confirms what our own research has revealed – that awareness isn’t the problem – the proper conclusion to draw isn’t that training is futile. PhishMe tends to agree with this sentiment and encourages organizations to focus on conditioning their employees to identify and report security risks.

We focus our training on conditioning human behavior, and the results speak for themselves. Our customers spend 22 seconds reviewing phishing education, and yet their susceptibility to phishing decreases significantly. Why? It’s the experience we put them through that changes behavior. Even when they are aware of the risks, as studies show, they are susceptible to opening email from unknown users and clicking suspicious links. But conditioned through the real-world examples we provide in our simulations, users are much less likely to click.

Enterprise Relevance

The FAU study focused on students, who were sent emails and Facebook messages with links purporting to be for photos from a New Year’s Eve party held a week before the study. “Links sent resolved to a webpage with the message ‘access denied,’ but the site logged the clicks by each student.”

It’s dangerous to use research results conducted on a student population to Enterprise workers. We have several problems with the approach as described. For starters, it wasn’t created by people in the trenches who understand real-world threats, but by academics in a computer science department. We already know the bait used by the study’s authors works on students, as well as consumers, but is far less effective with enterprise users. Yet, readers of the Ars Technica article are concluding the study’s results apply to enterprise environments.

We know that because we’ve started to get messages with their reactions. So we feel an obligation to point out the study didn’t use a realistic scenario, from an enterprise point of view. Real-world enterprise phishes are more likely to be emails pretending to be files from a scanner, a document with a job evaluation, or a message that someone has signed for a package addressed to the user.

There’s also a difference of perspective between students and enterprise users. Students, whose primary experience with computing revolves around mobile devices such as tablets and smartphones, don’t worry about cyber risks. Clicking a link from a smartphone isn’t going to compromise the device because such devices are nearly impervious to attacks. But click the link from a computer, and the story is quite different.

It also appears the FAU study focused only on clicking links, but phishing threats aren’t limited to one vector. Others include data entry, password credentials, clicking attachments, and email conversations that don’t involve links or attachments. Replicating some of these vectors in a real-world simulation is a bigger challenge than the method used by the study.

Focus on Reporting

A PhishMe-commissioned study found 94% of office workers know what phishing is and the risk it presents to organizations. The study also found that 94% of office workers know how to report suspicious emails in their organization. And that’s where the focus of training needs to be – reporting. When users are conditioned to report suspicious email, even if they do so after already clicking on it – maybe they had a lapse – the reporting is still valuable because it helps your security operations teams.

Learning to identify suspicious emails through conditioning is far more effective than general efforts to raise awareness. PhishMe simulator provides customers with templates that include the exact content used by threat actors.  By deriving content from our Phishing Intelligence platform we provide experiences that are relevant to enterprise users.   This method allows customers to condition users to spot potential phishes, avoid interacting with them, and report them to their security teams.

While we appreciate the FAU’s study’s confirmation of what our own research has shown about awareness, we fear it may lead enterprises to make decisions based on the erroneous conclusion that training doesn’t matter. This perspective could lead to the compromise of a network with disastrous results. To avoid such an outcome, we at PhishMe stand ready to work with any academic institution or researcher that could benefit from our experience in the trenches to produce meaningful research about phishing.