Follow ZDNET: Add us as a preferred source on Google.
ZDNET’s key takeaways
Phishing is a major and growing threat to businesses.But phishing awareness training has a minimal success rate.Researchers urge organizations to invest in countermeasures.
A new study has confirmed what many of us suspected — employee phishing training is simply not worth the effort.
The study, conducted by UC San Diego Health and Censys researchers, found that phishing-related cybersecurity training programs had no effect on whether or not employees were duped by phishing emails.
After analyzing the results of 10 different phishing email campaigns sent to over 19,500 employees at UC San Diego Health over eight months, the researchers found “no significant relationship between whether users had recently completed an annual, mandated cybersecurity training and the likelihood of falling for phishing emails.”
Also: Battered by cyberattacks, Salesforce faces a trust problem – and a potential class action lawsuit
The team also investigated whether embedded phishing training — when organizations send simulated phishing emails to see if their employees will fall for them — was effective. Simply put, it wasn’t, and there was almost no difference in failure rates for those who completed the training versus those who did not. The groups were separated by a reduced likelihood of falling for a phishing email of only 2%.
This is especially concerning, given that phishing was found to be the leading cause of ransomware this year, fueled by infostealers and the abuse of AI tools, according to a new SpyCloud Identity threat report. Phishing was also the most reported attack vector by businesses participating in the research and was cited by 35% of affected organizations — up from 25% in 2024.
What is phishing?
Phishing is a constant scourge and is a threat that impacts individuals, SMBs, and enterprises alike. Phishing campaigns often take the form of spray-and-pray fraudulent emails or targeted messages designed to elicit curiosity, panic, or fear in their recipients.
By crafting messages that inspire fear or urgency, cybercriminals hope that their victims will not take a step back and think rationally, but will, rather, panic-click a button or hand over sensitive information that can be used in identity theft, to conduct fraudulent transactions, or for use in broader cybercrime.
Also: Scammers are now faking the FBI’s own website – here’s how to stay safe
When the threat is so serious, and a phishing-related breach can lead to severe consequences for an organization — including data theft, destruction, financial consequences, ransomware deployment, and reputational harm — companies, naturally, will look for solutions.
Phishing training programs are a popular tactic aimed at reducing the risk of a successful phishing attack. They may be performed annually or over time, and typically, employees will be asked to watch and learn from instructional materials. They may also receive fake phishing emails sent by a training partner over time, and if they click on suspicious links within them, these failures to spot a phishing email are recorded.
Why phishing training doesn’t work
UC San Diego Health and Censys researchers said subject matter was important to the success of a phishing email in their study. For example, barely anyone clicked a link to update their Outlook password, whereas over 30% of participants clicked on a link in an email pretending to be an employer update to vacation policies.
The longer a phishing scheme continued, the more likely an employee was to click a fraudulent link, rising from 10% of participants in month one to over 50% by the eighth month.
Also: This 2FA phishing scam pwned a developer – and endangered billions of npm downloads
“Taken together, our results suggest that anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks,” the researchers said.
According to the researchers, a lack of engagement in modern cybersecurity training programs is to blame, with engagement rates often recorded as less than a minute or none at all. When there is no engagement with learning materials, it’s unsurprising that there is no impact.
Potential solutions
To combat this problem, the team suggests that, for a better return on investment in phishing protection, a pivot to more technical help could work. For example, imposing two or multi-factor authentication (2FA/MFA) on endpoint devices, and enforcing credential sharing and use on only trusted domains.
Also: How passkeys work: The complete guide to your inevitable passwordless future
That’s not to say that phishing programs don’t have a place in the corporate world. We should also go back to the basics of engaging learners. As a former teacher, I would suggest that tabletop discussions, in-person seminars, and even gamification could provide the missing link between training and positive outcomes.
