We are better trained than ever before on cyber risks, so why are we still getting tricked?
I was in my home office one night recently, chipping away at the security awareness training course each employee in my company is assigned annually. This ongoing ritual often gets a bad rap, with accusations of irrelevance and training overload being two of the common complaints. Some people just want to get through the training, finish and pass the quizzes, and get on with things.
We’re all busy.
Yet every year I have done this training I have learned something new or at least been reminded of something that would prove important later. What caught my interest in this year’s exercise was not that the attacks had changed. It was that I had.
First, some context. I have been the victim of a cyber extortion attempt along with countless phishing, vishing, smishing, and other -ishing attempts in the past few years.
One spear phishing email I received was so well crafted – with details about me that were just unique enough to build some credibility – that I paused on it for a long moment before passing it on to our security analysts who confirmed it was malicious. This watchfulness works both ways: I also stared at a legitimate email asking me to register for my annual health insurance for far too long even after carefully inspecting its various – and ultimately safe – elements.
During the training, I found myself puzzling over seemingly ordinary questions. In the intellectual property segment, we were asked if it was OK to make a backup copy of a legitimately purchased application. The right answer was yes, but I initially selected no after considering the risk of yet another source of value that could be compromised. I scanned the inventory of phishing attacks in the course to see if any new ones had been invented (they hadn’t).
I had become far more conservative, and frankly far more paranoid, worried that if I didn’t fully internalize each element of the training, that would be the exact avenue someone would use to victimize me.
It is estimated that the world spends more than $200 billion each year on a myriad of security products and controls to protect itself from cyberattacks.
It’s a staggering sum, and the sophistication of the products that have been invented is awe-inspiring, with design & engineering at their core that is a true marvel. Yet it’s also estimated that 90% of successful cyberattacks start with a humble phishing email.
The reason for this is simple: security controls and the researchers behind them are wonderful at dealing with technical risks both known and unknown, but it’s hard to program for how human beings think, feel, and react to the world around them as they are going about their work and personal lives.
How do you control the risk that a busy, stressed-out person with too many thoughts running through their mind may click their mouse on a malicious link just one time and unleash some form of digital havoc?
Part of the answer lies in a mindset shift. Instead of thinking of security awareness training as a done-or-not-done exercise, we should think of it as an ongoing practice, something we continuously refine our abilities at. Much like a basketball player who stands at a free throw line in practice for hours at a time, shooting the same shot over and over until the mechanics have been solidified and are repeatable, we too must continuously practice how to think about and respond to security risks during our busy lives. We may still miss a shot, but our probability of success will greatly improve.
There’s something else at play: the quality of phishing emails is on the rise. It wasn’t too long ago that we would all get a chuckle out of the grammar and spelling mistakes in a routine phishing email, laughing it off due to its obvious intent. Not so much anymore. I’ve noticed a shift in the past year, with these emails having some better polish applied to them.
What’s behind this?
Well, I think a simple experiment may help illuminate part of the reason:
Me: I am a non-native English speaker. Can you help me write a good-sounding phishing email for training?
ChatGPT:
Subject: Important Update: Your Account Requires Immediate Action!
Dear [Employee Name],
We have detected unusual activity on your account, and as a result, we need to verify your identity to ensure your account’s security.
Please confirm your account information by clicking the secure link below within the next 24 hours, or your account may be temporarily suspended.
Click here to verify your account: [phishing link]
If we do not receive your verification, we may be forced to lock your account for security purposes.
Thank you for your immediate attention to this matter. We apologize for any inconvenience caused.
Best regards,
[Fake IT Support Team Name]
[Fake Company Name]
With this starting point in hand, I can make a few simple tweaks – remove a too-enthusiastic exclamation point, add a bit of personal context that I researched on you, and increase the probability of success. If I can catch you in a busy moment, I may increase my luck further.
We’re not going to get any less busy, so we will need to adapt in other ways. There are certainly opportunities to improve this training – by making more context-aware training available for example – but what’s commonly available now has unquestionable benefits. Security awareness training is an opportunity to practice in an ideal setting how we will react to risk in a real-world, game-day setting with various factors working against our ability to think perfectly logically.
The practice may not always make perfect, but the odds of success go up, and that matters.