Security News > 2022 > January > New study reveals phishing simulations might not be effective in training users
A new study, run at unprecedented scale, found that the embedded phishing training delivered through organization-run simulations does not work well.
Those simulations deliver emails that look like real phishing messages into employees' mailboxes but carry no malicious payload. They lead to a realistic phishing page and collect statistics: who clicked, whether they entered credentials, how many users reported the email to the security staff, and so on.
The study's method consisted of sending either phishing emails that led to a phishing page, or emails carrying a file that, when opened, enticed the user into a dangerous action such as entering credentials or enabling macros on the attachment.
ETH researchers said that "a rather large fraction of the entire employee base will be vulnerable to phishing when exposed to phishing emails for a sufficiently long time."
More surprisingly, users who were shown the educational page after falling for a phishing ploy clicked more often on later phishing pages.
The study also found that users kept reporting phishing emails over time and that there was no sign of "reporting fatigue" in the company.
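As an added illustration (this is not code from the article or from the ETH study), the following Python computes the kind of per-campaign statistics the text says a simulation collects, over a constructed event log, and adds the two checks the findings call for: whether the report rate declines across waves (reporting fatigue) and whether users who were shown the embedded training page after clicking go on to click in the next wave more often than users who were not. The event log, the user names and the event type names are assumptions made up for the example.

```python
from collections import defaultdict

# Constructed sample event log (assumption, not data from the study): each record
# is (campaign wave, user, event). The event types mirror what the article says a
# simulation collects: a click on the lure, a credential submission on the fake
# page, and a report to the security team.
EVENTS = [
    (1, "alice", "clicked"),
    (1, "alice", "submitted_credentials"),
    (1, "bob", "reported"),
    (1, "carol", "clicked"),
    (1, "dave", "reported"),
    (2, "alice", "clicked"),
    (2, "bob", "reported"),
    (2, "carol", "clicked"),
    (2, "carol", "submitted_credentials"),
    (2, "erin", "reported"),
    (3, "alice", "clicked"),
    (3, "alice", "submitted_credentials"),
    (3, "bob", "reported"),
    (3, "dave", "reported"),
    (3, "erin", "reported"),
]
# Every employee who received the lures (constructed).
POPULATION = {"alice", "bob", "carol", "dave", "erin"}


def users_by_wave(events, event_type):
    """Map wave -> set of distinct users who produced event_type in that wave."""
    out = defaultdict(set)
    for wave, user, event in events:
        if event == event_type:
            out[wave].add(user)
    return out


def wave_rates(events, population):
    """Per-wave click, credential-submission and report rates as fractions of the population."""
    clicks = users_by_wave(events, "clicked")
    creds = users_by_wave(events, "submitted_credentials")
    reports = users_by_wave(events, "reported")
    waves = sorted({w for w, _, _ in events})
    n = len(population)
    return {
        w: {
            "click_rate": len(clicks[w]) / n,
            "credential_rate": len(creds[w]) / n,
            "report_rate": len(reports[w]) / n,
        }
        for w in waves
    }


def repeat_clickers(events):
    """Users who clicked in more than one wave: the population that stays vulnerable
    under prolonged exposure, which the article warns about."""
    clicks = users_by_wave(events, "clicked")
    counts = defaultdict(int)
    for users in clicks.values():
        for u in users:
            counts[u] += 1
    return {u for u, c in counts.items() if c > 1}


def reporting_fatigue(rates):
    """True only if the report rate fell in every consecutive wave."""
    series = [rates[w]["report_rate"] for w in sorted(rates)]
    return len(series) > 1 and all(b < a for a, b in zip(series, series[1:]))


def next_wave_click_rate(events, population, trained):
    """Fraction of (user, wave) pairs that clicked in wave w+1, split by whether the
    user clicked in wave w and was therefore shown the embedded training page."""
    clicks = users_by_wave(events, "clicked")
    waves = sorted({w for w, _, _ in events})
    exposed = clicked_next = 0
    for w, nxt in zip(waves, waves[1:]):
        group = clicks[w] if trained else population - clicks[w]
        exposed += len(group)
        clicked_next += len(group & clicks[nxt])
    return clicked_next / exposed if exposed else 0.0


if __name__ == "__main__":
    rates = wave_rates(EVENTS, POPULATION)
    for w, r in rates.items():
        print(f"wave {w}: {r}")
    print("repeat clickers:", sorted(repeat_clickers(EVENTS)))
    print("reporting fatigue:", reporting_fatigue(rates))
    print("click rate after training page:", next_wave_click_rate(EVENTS, POPULATION, True))
    print("click rate without training page:", next_wave_click_rate(EVENTS, POPULATION, False))
```

On the constructed log the report rate goes 0.4, 0.4, 0.6, so the fatigue check is negative, matching the article's finding; the post-training comparison (0.75 against 0.0) is a property of the made-up data, shaped to show the direction the study reports, not a measurement. The comparison is observational, so on real data a program owner should expect the "trained" group to be self-selected from users already more prone to clicking.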