A recent phishing quiz promoted to U.K. users to test whether they could spot a phish produced dismal results: nearly all participants failed to tell real messages from fake ones 100% of the time.
Everyone knows no layered security can stop 100% of all phishing emails. According to recent research, the average employee visits a phishing domain once every 3 days. So, your users end up becoming the last line of defense. Now, you can probably tell when an email is fake. So, surely your users can as well, right?
In a recent poll by the U.K.’s Computer Disposals Limited, 1,000 U.K. users were asked to judge whether each of 10 emails or texts was legitimate, either by clicking the provided link or by deleting the message. 95% of them failed to correctly classify all 10 examples. Even among those who simply erred on the side of caution and chose to delete messages rather than engage with them, only 44% identified the authentic messages.
This quiz demonstrates how difficult it has become to distinguish a fake message from a real one. Worse, the examples provided don’t even use real logos (e.g., “PayMe” instead of “PayPal”), which undermines any confidence that an untrained user can easily tell a legitimate business message from a phish.
That’s the bad news.
The good news is that, as with any skill, users can be trained repeatedly on what to look for in a phishing message. Users who undergo continual Security Awareness Training are better equipped to scrutinize emails and text messages and to identify the telltale signs that a message is a scam.
If you’re not training your users, you need to assume they don’t (and won’t) know the difference between an email that’s going to move your business forward and one that will take it down. The only way to bridge this security gap is with proper Security Awareness Training.