Sometimes I wonder whether all this “security awareness training” has any effect at all.
I had a coworker that had the best strategy about phiahing emails.
He just never read his emails.
Sometimes I wonder whether all this “security awareness training” has any effect at all.
Nope lol.
My org sends out phishing tests randomly. I used to report every single one and have never clicked on any. But we all have to take the stupid training regardless of whether we successfully detect/report them or not. So I’ve just stopped reporting them since there’s no incentive whatsoever.
I came to say the same thing
I reported the test phish (the only phish we ever got) and laughed at coworkers who had to take the training only to turn around and see I needed to take it too
Yep.
Most of them are phishing test emails (where the org sends out fake “phishing” emails which have a UUID link tied to your email address) so they KNOW who clicks on these and who reports them. Until I stopped giving a fuck, I had reported 100% of them and clicked on 0. But since that doesn’t let you “test out” of the 45 minute quarterly security awareness training, I stopped wasting my time and just delete them
About 9 years ago I wrote a script that looked for links to domains registered to wombat (the company that most companies seem to use for phishing simulation) and would autoreport and delete them. So just never saw them.
Still had to do the training. Every six months.
One of my former managers had this habit of setting up email rules for known phishing simulation domains whenever he started somewhere new.
Microsoft domains listed in a table here for anyone else unfortunate enough to have to use their products within your org.
Isn’t the big difference that they have to take it everytime they fail and open one they shouldn’t? At least thats how it is at my place. They get a lecture, and then retake the course. Everyone else does it once a year along with all the other mandatory training we need to do for compliance.
Its also not about the individual. The company is doing an assessment of their security and vulnerabilities. If your company has any sort of restrictions on email attachments or methods of sharing files, theyre probably a result of people failing these tests
*reports the training invitation*
You say that but do you have any objective data?
I’d love to see studies of phishing success in orgs that do vs. do not have regular trainings.
I bet it works like PSA advertising. It’s stuff everyone should know and 98% of people already do. But it also helps keep the issues closer to conscious awareness and is actually educational for the 2%
There is a 2025 study that was widely reported:
In summary, our results confirm the ineffectiveness of current phishing training approaches while offering a refined study design for future work.
training interventions showed no significant main effects on click rates (p=0.450) or reporting rates (p=0.417), with negligible effect sizes
Thank you. I stand corrected, and with my Bayesian priors updated.
It is compliance theater.
I report suspected phishing emails… And meeting requests with links from people I don’t know, and culture surveys with external links, and ‘subscription’ emails from services used in our stack, any ‘surprise’ email with an attachment… I’ve set up rules that automatically forward emails from specific senders directly to security.
Don’t tell an autist that you want them to be paranoid about phishing unless you’re ready for the consequences.
Seconding the thread of folks being like, “I gotta do the training anyway so fuck it,” BUT I did think it was very funny that frequently after sending out a phishing test or whatever, this would be followed up with an email requesting the security training, and invariably a bunch of people would report THAT.
My work literally just says “report it to it” no other instructions. Like, do we put in a ticket? Email the entire group? Send a teams message? Walk over there and start talking about how its weird that the CEO wants my specific login to help him with his major issue? We have SOPs that out line every specific step you take so anyone can just blindly follow and do it, yet there’s not even a statement on how they want it reported.
I forwarded the one phishing attempt I received before we were warned, and there was zero response from them. So I’ll just continue deleting them and moving on with my day.
Honestly, thats kind of odd. It does absolutely make sense to have some procedures established and communicated.
I did a security class for all our employees. 25% failure rate before, 6% after. Also, I dropped a booby trapped thumb drive by the printer. It sat there for 4 days until someone put it on the table.
If training isn’t working that’s because it’s boring as shit and people aren’t engaged.
Well done. I must admit that most security / data protection courses I’ve personally seen were pretty boring.
sometimes the report button doesn’t show up on Outlook at my job :(
I just leave it untouched or immediately trash it without opening it. No need to report it, a billion more from completely different addresses will just keep coming in.
The fact we even continue to use this deeply, deeply flawed protocol is just begging for trouble. End email now!
Do you consult people with a psych or education background for your trainings? If not then no, I guarantee you your training does not work. Even if you did consult someone it’s a toin cross on whether you consulted someone who really knew how to design it. Vomiting out info on an online training is a really good way to get it all ignored.
I report all the emails from my security team
Anything from IT gets immediately reported as phishing.
It’s really funny when I do it to their phishing training reminders
