If your organization has tried to improve your workforce´s security awareness by using phishing simulation software but have found it not to have been effective in reducing susceptibility to phishing, there are several reasons why phishing simulations don´t always reflect real life.
Phishing simulation software is a great tool for improving a workforce´s security awareness, but it is not always as effective in real life as some vendors claim it to be. There are several reasons for this depending on the type of software deployed and the software´s capabilities.
Unrealistic Phishing Scenarios
Most phishing simulation software is provided with a library of phishing templates which are supposed to reflect real life situations. Too often this isn´t the case. Many include topics users will likely ignore (i.e., HR policy updates) or “put aside to read later”, but never get around to.
For this reason, simulated phishing emails don´t always get opened; or, if they do, the attachments or phishing links in the email are rarely interacted with (because users don´t care what the new dress code is). Consequently, the “pass rate” for phishing simulation tests is misleadingly high.
Repetitive Phishing Simulations
Another reason why pass rates can be misleadingly high is because the same phishing tests are used time and time again. This may be because the organization is limited in the number of templates it has to use or because they have no way of recording which tests have been used before.
The date on which phishing tests are sent can also be a giveaway that – for example – an email requesting a password reset is a phishing simulation. Consequently, an employee receiving a password reset request on the 2nd of each month knows not to interact with it.
Every Phish Gets Sent at the Same Time
A big issue with many phishing simulation solutions is that phishing tests are sent at the same time. As soon as one person realizes the phishing email they have just interacted with is a test, word spreads through the organization so everyone knows not to interact with the test email.
Because of the communication between employees and departments, the phishing simulation test returns a high pass rate. However, in real life, cybercriminals do not send warnings that everyone will receive a phishing email, so simultaneous phishing testing is fairly meaningless.
Emotional Triggers Are Not Sufficiently Granular
Most phishing awareness training revolves around the five emotional triggers of greed, loss, curiosity, helpfulness, and fear of missing out, yet many phishing templates lack the granularity to tempt recipients into interacting with them because they lack the right type of trigger.
For example, one employee may be more curious about playing in a department softball game than attending a department dinner (even though both would be categorized as social events), while another might be more inclined to an animal charity than a disaster relief charity.
Simulations are Too Often One-Step Events
Whereas the preceding four reasons why phishing simulations don´t always reflect real life are likely to skew phishing tests to show more positive results, the fact that they are too often one-step events can have the opposite effect and record an employee as susceptible when they are not.
An example of a one-step event is when an employee is sent a simulated phishing email with a link to click on. As soon as they click on the link, they are informed the email is a phishing test which they have failed. However, some phishing simulation solutions take the employee to a landing page where they are asked to complete login credentials.
The second step of asking for login credentials can often prompt the employee to consider whether or not this is a good idea. If they choose not to enter their credentials and report the email as a phish, the employee should be considered to have passed the phishing test – or at least passed with concerns about clicking on links in unsolicited emails.
If These Reasons Seem Familiar To You … …
If these reasons why your existing phishing simulation software have not been effective in reducing employee susceptibility seem familiar to you, you might wish to consider SafeTitan – an enterprise-scale security awareness training and phishing simulation platform from TitanHQ. SafeTitan has the capabilities required to simulate real life situations, and includes:
- Customizable phishing templates, including the option to send phishing tests from internal sources.
- An intuitive administration dashboard that shows which phishing tests have been sent to who and when.
- A “burst” capability that sends a mixed selection of simulations to a mixed selection of the workforce at mixed intervals.
- Granular reporting to identify which type of emotional trigger prompts interactions from each employee.
- The option to add a second step to each simulation, plus a one-click plug-in to simplify the reporting of suspicious emails.
To find out more about SafeTitan or to organize a free demo of our phishing simulator in action, do not hesitate to get in touch. Our team of cybersecurity experts will be happy to answer any questions you have about reducing the susceptibility of your workforce to phishing emails and discuss any issues you have experienced in the past with phishing simulation software.