How a few PhD students revealed that phishing trainings might just not work: Lock and Code S03E03

How a few PhD students revealed that phishing trainings might just not work: Lock and Code S03E03

You’ve likely fallen for it before—a simulated test sent by your own company to determine whether or not its employees are vulnerable to one of the most pernicious online threats today: Phishing.

Phishing has evolved in recent history, and as scammers have rolled out increasingly clever—and increasingly complex—phishing lures, companies have had to respond with increasingly better defenses. Most employees at large companies have a phishing “reporting” button that is embedded directly into their email client, and nearly just as many employees might have a phishing email detection system integrated into their email client, so that when a “fishy” email comes through (sorry), they are warned with a small notification at the top of the email.

But one of the primary defenses used today by countless companies is the practice called “contextual” or “embedded” training, and it’s a practice that, as we learn today on the Malwarebytes podcast Lock and Code with host David Ruiz, might not work.

It could be a little worse than that, actually—this practice could make things worse.

That’s one interpretation coming out of a 15-month long study run by several PhD candidates at the ETH Zurich university in Switzerland. By working with a company of tens of thousands of employees, these researchers were able to test what phishing defenses actually provided the best results, and after experimenting with embedded and contextual training in a voluntary format, they learned that the phishing resilience of those test subjects actually diminished.

Daniele Lain, who helped conduct the phishing research, told us:

“What we saw is that, very interestingly, if you do it like this—when you get training appearing when you fall for simulated emails—somehow it becomes much more likely that you actually fall for the subsequent phishing attempts.”

Daniele Lain

To say it’s a surprise is an understatement.

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs.

You can also find us on Apple PodcastsSpotify, and Google Podcasts, plus whatever preferred podcast platform you use.