Contact us: +45 32 67 26 26
English

Does phishing training work? Yes! Here’s proof

Gry Myrtveit Gundersen
By: Gry Myrtveit Gundersen Cyber Security | 5 January

In this research-based article, we explore the effects of phishing training. Did you know that 80% of organizations report that phishing awareness training reduces the risk of employees falling for phishing attacks, or that phishing testing programs result in a 37-fold ROI on average? Our research shows that these two training methods are even more effective when combined – with a 60% reduction in mistakes after a few sessions. If you are interested in seeing more research about the effects of phishing training and learning how these effects are achieved, keep reading! 

Table of contents

Phishing is a serious threat

Before we dive into the effects of phishing training, we’ll look at why phishing training is important. Phishing is one of the biggest threats organizations are faced with today – and it strikes both small and large organizations all over the globe. This most likely includes your organization as well! There are several reasons why phishing is such a dangerous threat. We will highlight a few of them in the following sections. 

Phishing attacks are common

In 2021, phishing was by far the most common cybercrime based on the number of victims. Proofpoint’s 2022 “State of the Phish” report also shows that 83% of organizations suffered at least one successful phishing attack last year. And unfortunately, it looks like phishing attacks will be more common and more difficult to detect in the years to come. In fact, research from McAfee shows that 81% of organizations around the world have experienced an increase in email phishing attacks since 2020. This can be partly blamed on the pandemic and its side effects, such as remote work and increased digitalization, as well as the availability of phishing kits, which have made it easier than ever for cybercriminals to launch attacks. 

Phishing attacks are expensive to fall for

Phishing attacks are not only common, but they are also very expensive. On average, data breaches due to phishing attacks cost organizations $4.91 million in 2022. Most of that cost is split between detecting and escalating the breach (29%) and lost business costs (38%). Given the increased frequency and high costs of phishing attacks, they are estimated to account for losses of $17,700 per minute

Phishing attacks cost small companies $1.6 million

Many people believe that phishing only poses a significant threat for larger companies, but research from Symantec shows that smaller businesses have a higher rate of malicious emails – with 1 in 323 emails being malicious. Phishing attacks can also have large economic consequences for smaller businesses. On average, small and mid-sized organizations lose $1.6 million recovering from a phishing attack, and 60% of these companies go out of business within six months after falling victim to a data breach or cyber-attack.

Phishing attacks are difficult to detect

You might think it’s easy to detect phishing attempts, and that phishing therefore doesn’t pose an actual threat for you or your organization. After all, who has not yet understood that emails offering you a huge sum of money aren’t legit? However, the reality is that cybercriminals are constantly evolving their methods. One new method that is on the rise is spear phishing, which can be more than twice as successful as normal phishing. Cybercriminals are also making use of technology such as spell-check software. This makes phishing attacks more sophisticated and harder to detect than ever before.

1 in 5 employees click on phishing email links

With this in mind, it’s not surprising that many people still fall for phishing attempts. During Terranova’s 2020  “Gone Phishing” tournament, over a million fake phishing emails were sent out to organizations across 98 countries to test their resistance against phishing. The results showed that a staggering 1 in 5 employees clicked on the link in the phishing email and 13.4% of the employees submitted their credentials. These are worryingly high numbers, given that it only takes one employee sharing their credentials for your organization to be in danger.

Luckily, phishing training works!

So far, we have seen that phishing attacks are common, expensive to fall for, and difficult to detect. In other words, phishing attacks are dangerous, and you might feel like it’s almost impossible to protect your organization from them. But luckily there is hope. In fact, we have looked into the effects of phishing training, and the numbers are crystal clear: phishing training works! This is shown both by internal and external research, as well as feedback from our customers.

Phishing training reduces mistakes by 60%

We recently conducted research about the effects of phishing training, where we compared our users’ abilities to resist phishing attacks before and after participating in our training. The research showed that after continuous phishing testing and awareness training, our users had a 60% reduction in mistakes made during simulated phishing attacks. During the first test, an average of 15% of recipients submitted the personal information requested by the “cybercriminal.” By the third phishing test, that number went down to only 6% of employees.

Graph that shows reduction in people clicking on phishing mails after receving continuous trainingThis shows how impactful phishing testing and awareness training can be when combined, with fewer mistakes made after each new round of training. To understand how this effect is achieved, we will examine these two forms of phishing training separately. How do phishing testing and awareness training differ from each other, what are their proven effects, and why are they so successful when combined?

Phishing awareness training

Phishing awareness training is a sub-category of awareness training, which can be defined as different learning methods that aim to increase employees’ awareness of cybersecurity. In phishing awareness training, the goal is to make the employees more resistant against phishing by making them aware of the threat and their own online behaviour. The training can cover subjects such as how to spot the signs of phishing, the different kinds of phishing attacks and what to do when you get a phishing email.

Methods to increase phishing awareness

Because the goal is to keep employees constantly aware, a one-off crash course isn’t enough. Instead, training is often split up into smaller sections and spread out over a longer period, so the employees do not forget the information immediately but stay aware longer. Awareness training can take place through digital e-learning, physical teaching, or a mixture of both. It can also include short videos and interactive elements like quizzes to increase learning. Cybersecurity posters can also be hung up in the workplace to keep employees aware throughout the day.

Phishing awareness reduces the risk of falling for phishing attacks

When done right, phishing awareness training can be very effective. According to Proofpoint’s comprehensive 2022 “State of the Phish” report, 80% of all organizations said that awareness training reduced their employees’ susceptibility against phishing attacks. If you want some advice on how to create an effective phishing awareness training program, you can check out our guide on how to succeed with awareness training. 

Osterman Research also reports that phishing awareness training  dramatically increases the users’ abilities to recognize threats. Their research shows that before employees receive awareness training, only 23% of IT security professionals report them as “capable” or “very capable” of recognizing cyber-attacks. After they receive phishing awareness training, that number increases to 68%. Our research shows that employee's ability to recognise cyber-attacks increases even more when phishing awareness training is combined with another form of active training: phishing simulations.  

Phishing simulations

Phishing simulations or phishing testing is a security training exercise that tests your organization’s preparedness against phishing by sending out simulated phishing attacks to your employees. While awareness training covers the theory, phishing simulations are where the employees put everything they’ve learned into practice.  

During a phishing campaign, simulated phishing emails are sent out to employees. You can do this yourself or in cooperation with an external partner. These emails usually include typical elements you would find in a real phishing email, such as requests for sensitive information, bad grammar, or emotional appeals. Not only does phishing testing train your employees to spot and report phishing attacks, but it also gives you an overview of how well your team would perform if faced with the real deal. This can be a useful baseline when planning further anti-phishing measures.

Smart CTA_phishingcase EN

Phishing simulations are efficient and profitable

Phishing testing has proven to be an efficient learning method. When employees get to test their knowledge in a real-life scenario, the learning retention rate dramatically increases. Research from InfoSec shows that after a phishing simulation program is implemented, learning retention rates are doubled within 12 months. And the Ponemon Institute estimates that traditional phishing tests on average achieve 75% training retention rates. 

Simulated phishing attacks also yield a high return on investment (ROI). According to the Ponemon Insitute, the least effective training program still had a seven-fold ROI, and the average-performing phishing testing program results in a 37-fold ROI . In other words, phishing simulation programs are worth the cost.

Combining awareness training and phishing simulations

In our experience, the most effective defence against phishing attacks is awareness training combined with phishing simulations. As we saw earlier, this combination reduced our users’ mistakes by 60% after few rounds of training. By combining these training methods, you get the best of both worlds by covering both theory and practice. This increases learning retention and makes your employees more prepared for phishing attacks, which in turn significantly strengthens the security of your organization.

Combined phishing training can increase motivation

There are several other benefits of complementing awareness training with a phishing simulation program. For instance, while some employees might not see the need for phishing training at first, they will probably be more motivated after realizing how difficult it can be to spot a realistic phishing email.

Simulations show how well your training works

Phishing simulations also serve as an evaluation of how successful the awareness training has been. With our Security Platform, you can follow the results of the campaign in real time and quickly get an overview of how many people opened the emails, clicked the links, and submitted data. Additionally, phishing simulations show you whether employees know the organization’s procedure for reporting phishing attacks. Based on these insights, you can identify weak spots in your cybersecurity and devise strategies to further educate your employees.

Our customers agree that phishing training works

One of our customers who uses both our awareness training and phishing testing services is DTU Biostustain. When we asked them how our phishing training has helped their organization, their Head of IT, Mads, told us that the training has made their employees more aware of phishing:

“I used to get an email from maybe one person saying ’I’ve received this email, and my colleagues also got it. Is it real or a phishing email?’ Now, I receive several emails every time something happens, or a mail is out there. Even if it’s an email that looks legit like it’s coming from a person from DTU people write me ‘The thing this person is writing is a bit strange. Is it one of those emails we are warned about by CyberPilot?’” 

Mads also says:

“I used to write ’This email is circulating.’ I don’t need to do that now. People are aware."

Employees are more aware and warn each other

Another customer of ours is the company Firtal. Their CFO, Rune Udby, has also seen positive effects from our phishing training.  

“It was great to see how our team responded to the initiative. We’ve made a game out of discovering phishing emails before the others. The employees say that they feel much better equipped to see through the daily attempts at fraud that they are exposed to, now that they know what to look for.” 

This shows that phishing training is effective, and that it can be both empowering and fun.

Final words

In this article, we’ve seen why phishing training is important, and we are happy to see that research and our customers agree that phishing training works. 

If you’re interested in trying our awareness training, we offer a free trial – no credit card needed.  

You can also test our phishing simulations by booking a free demo with one of our phishing experts.  

If you want to learn more or need help with implementing phishing training in your organization, please don’t hesitate to contact us. We are more than happy to help.