ZDNET's key takeaways
Current anti-phishing training programs have little to no impact.
Training methods lack what human learners need: engagement.
These programs must be revamped and combined with supportive technologies.
The scourge called phishing is one of the most prevalent and costly cybersecurity challenges faced by businesses today.
We've gone far beyond the days of spray-and-pray scams and phishing emails claiming you've won the lottery. Phishing now can be far more advanced and sophisticated, with targeted emails carefully crafted for data theft and other malicious purposes.
Many organizations rely on phishing training programs that studies suggest are not, and perhaps never have been, especially effective. This guide will explain what phishing is, why today's phishing programs fall short, and what businesses could consider as an alternative.
What is phishing?
Phishing is akin to "fishing" for information. Emails and fraudulent messages are designed to lure you in and entice you to part with sensitive information, which may include your personally identifiable information (PII) or financial data.
An estimated 3.4 billion spam emails are sent every day, and 38% of all cyberattacks involve some form of phishing. These numbers don't reveal the scope of the problem; we've yet to discuss more sophisticated forms of phishing -- beyond mass spam emails -- known as spear phishing.
While many phishing emails are generic, full of spelling and grammatical errors, and easy to spot, carefully crafted spear phishing emails pose a far more serious threat to today's organizations. Cybercriminals may employ the following tactics to secure a foothold in a business, or to steal information that can be used in business email compromise (BEC) scams, fraudulent transactions, and more:
Fake profiles: Cybercriminals perform reconnaissance on a target business, creating fake professional profiles and establishing links across platforms with employees to obtain their trust. This kind of deception can take days, weeks, or months before a request for information is made.
Impersonation: Emails from senders impersonating a high-profile figure or leader at a targeted company will request that a fraudulent invoice be approved. Email addresses may be spoofed -- which means they are close to the genuine email address the individual would have used -- to make such requests more difficult to spot. To make matters worse, threat actors may use existing information leaked in past data breaches to appear trustworthy.
Tailored emails: This is where many employees are caught off guard. Fraudulent emails aren't always targeted explicitly at one victim or another, but they contain content that can entice employees -- often tired, stressed, and busy -- to click on a phishing link by accident. This can include emails concerning vacation and PTO requests, urgent meeting requests, end-of-year bonuses, and company product-related messages.
Screenshot by Charlie Osborne/ZDNET
Phishing training isn't working, studies suggest
A recent study has confirmed what many of us suspected -- employee phishing training is simply not working.
The research, conducted by academics from UC San Diego Health and Censys, analyzed the results of 10 phishing email campaigns sent to UC San Diego Health employees over an eight-month period. The result? There was little difference between the two groups -- those who received annual mandated phishing training and those who did not -- with failure rates averaging around the same.
Furthermore, the researchers scrutinized whether anti-phishing programs conducted by organizations themselves had any impact. In these ongoing training exercises, fake phishing emails are sent, and if an employee clicks a link within them, they are made aware that it was a crafted phishing email.
Again, there was little difference, with a reduced likelihood of falling for a phishing email of only 2%.
Recall that I mentioned vacation policies as a potential hook for phishing campaigns? Over 30% of employees clicked on one during the study.
The longer a campaign continued, the more likely they were to fail the test, with failure rates rising from 10% in month one to over 50% by month eight.
Taking a new direction
The researchers cited a lack of engagement in modern phishing training programs as a significant point of failure, with employees recorded as spending less than a minute on anti-phishing training materials, if any time at all.
In other words, we put training videos on mute and carry on with work, or speed click through online material and hope the answers we submit in the summary quizzes are correct -- or repeat them until we get them right.
It's a real problem, and we may all be guilty of reacting to this training in this way. But security can't be turned into a tickbox exercise and still be effective; businesses should consider alternative methods instead.
1. Adopting rules of engagement
As a former teacher, I believe security training must incorporate the fundamental lessons of imparting knowledge and promoting engagement that all educators learn.
Teachers are trained in techniques that engage learners' interest and attention. These include reducing lecture and "teacher talking time" while increasing "student talking time," encouraging collaboration and conversation around subject matter.
You lose this when you rely only on online materials that require someone to watch a short video, answer a quick quiz, and then move on to the next topic. While anti-phishing training programs can use these options to augment training, unfortunately, sometimes that's all there is. When someone in the middle of a busy workday has to complete this training, they are likely going to skip through as quickly as possible to get back to their work tasks.
Instead, consider programs that include on-site discussions and/or virtual meetings with a trainer who can hold attendees' attention, run through examples, and tailor their classes to the kinds of phishing campaigns that employees are most likely to encounter.
And give employees the time to attend -- rather than expecting them to check the tickbox of online phishing training when they have a spare five minutes.
2. Gamification
I've seen several examples of anti-phishing programs attempting to use gamification to improve user engagement; unfortunately, however, what I've seen so far is horrendous.
Creating a 20-minute animated video involving Sheriff GDPR and cybercrook Mr. Phish is not the answer. Internal security competitions and interactive learning modules could be beneficial, especially if incentives are provided. However, this comes with a caveat: In my experience, gamification is only worthwhile if participants have a competitive streak or genuinely care about the learning material.
3. A layered security approach
Augmenting employee training with technology defenses is essential. As phishing becomes more complex and sophisticated, technology that reduces the likelihood of a successful phishing campaign also reduces how much an organization depends on humans spotting it.
Advanced email filtering, for example, can help prevent phishing emails from landing in employees' inboxes in the first place. Businesses should also consider adopting endpoint and network monitoring technologies that, when combined with behavioral analytics able to pinpoint suspicious activities, can help prevent an intrusion if a phishing campaign has been successful.
In addition, robust authentication controls and multi-factor authentication (MFA) should be adopted to add a layer of security for corporate accounts. Even if a phishing attack is successful and employee credentials are stolen, attackers are less likely to be able to use them, as they won't have access to the secondary authentication device or app.
Phishing campaigns launched against businesses often have a financial angle and are the first step in BEC scams or financial fraud. Implementing additional approval controls for financial transactions can prevent this, thereby eliminating a single point of failure in financial chains. For example, an emailed invoice request sent to the financial department should also be reviewed and signed off by a manager, which provides a second opportunity for employees to identify phishing and potentially fraudulent activity.
Employees should also have access to phishing email reporting tools. These tools can give their organizations insight into current threats and potential phishing attack vectors cybercriminals are using, which may help refine existing security policies.
4. Take the pressure off
Ultimately, it's up to the leaders of organizations to take security seriously, and this means treating training as more than a mere compliance measure to pass audits.
It only takes one successful cybersecurity incident to bring a company to its knees. Although it is no longer a matter of if, but rather when an incident occurs, risk can be reduced if employees are able to properly engage with cybersecurity training initiatives.
They can't be expected to fully engage with anti-phishing training when it is shoehorned into already high-pressure and stressful workdays. As with any form of learning and information retention, we need time to process what we've learned.
In addition, I'd argue that today's phishing training and trick emails do nothing more than isolate individuals, point out their failures, and cause frustration or annoyance that may make them less willing to learn in the first place. Instead, organizations should create an environment where training is engaging and employees feel comfortable reporting when they may have mistakenly clicked on a phishing email.
What do I do if I click on a phishing email?
Considering how sophisticated phishing campaigns can be these days -- not to mention the impact generative AI is having in the criminal underground in reducing their cost -- anyone can fall for a phishing email.
There's no shame in letting your organization know if you believe you have fallen for a phishing scam. Indeed, the more quickly you do so, the sooner a potential security incident can be contained.
Humans make mistakes, and regardless of whether you have had anti-phishing training or not, it's a tough ask to expect employees to be infallible. But keeping quiet can make a situation far worse.