After the Phishing Simulation: Filling the Awareness Gap

A phishing simulation is a great way to gauge your users’ cybersecurity awareness. But what happens after the simulation? According to Verizon’s 2020 Data Breach Investigations Report, click rates increase and reporting rates drop in the time that elapses between trainings.

The limitations of a phishing simulation

There are a few reasons why overall awareness and reporting drops after a simulation. A phishing simulation is typically designed from a template—it simply is not the real thing but a manufactured phishing email. Not only this, but simulations tend to be generic to the point that they can be sent to many users at once.

Because of the above reasons, a generic phishing test might not reflect the reality that an employee faces on a day to day basis. The result is a training experience that doesn’t stand the test of time.


The importance of training in context

In September 2020, the Journal of Cybersecurity released a report examining the effectiveness of phishing training, including a standard phishing simulation. In “Categorizing human phishing difficulty: a Phish Scale,” the authors reveal that simulated phishes that lack contextual relevance result in lower click rates.

This is not surprising considering that users likely will not react to emails that are irrelevant or from brands or vendors they don’t do business with. The resulting low click rates can give businesses a false sense of security and even a false sense of the effectiveness of training, according to the report.

Additionally, the report notes, with respect to real phishing emails: “Click rates will vary based on the contextual relevance of the phish, with highly contextually relevant phish resulting in extreme spikes in click rates—despite years of phishing awareness training.”

The above tells us that the more targeted the email, the more successful the phish. Context is therefore critical to training, and simulations that lack context are not only unlikely to result in a click but also unlikely to teach any sort of meaningful lesson.

[Related] Phishing Attacks: Advanced Techniques That Evade Detection 


The need for continuous training

The average user is not an IT or security expert. To them, cybersecurity might be nothing more than a required course they attend once or twice annually, if at all. These vulnerable users need more than a phishing test sent at random to improve their awareness.

Continuous training helps keep cybersecurity top of mind at all times. Many phishing training platforms allow admins to schedule and even automate a training schedule. This is key in maintaining a cadence of training for users.

Scheduled trainings, however, don’t take into account that a lot will happen between today’s simulation and the next. Depending on the quality of the business’s email security solution, the user might receive five phishing emails in the time that elapses between scheduled, simulated phishes. If the phishing simulation was out of context, it might not have been an effective training session at all.

Not only this, but these phishing training platforms can be expensive—a deal breaker for some small businesses. They can also be time-consuming and resource intensive—a deal breaker for many MSPs.

What businesses need is something between phishes that is both in context and delivered continuously—when the user least expects it but needs it most—when they’ve been phished. 


Combining continuous and contextual training

Continuous training should be delivered not only on a schedule but based on a user’s behavior. While some users are more prone to fall for phishing attacks than others, nearly everyone slips at one time or another. When this happens, users need to receive additional training immediately.

In a best-case scenario, the business discovers the incident or breach immediately. When it comes to phishing, however, many businesses don’t discover breaches until long after they have occurred.  According to Verizon, in 2019, 56 percent of data breaches took months or longer to discover.

Discovering an incident, then, requires one of two things: First, IT needs to recognize that a user received a phishing email. Second, a user needs to report it. Unfortunately, in many cases, IT has no way of knowing a phishing email bypassed their filter unless the user reports it. According to Verizon, only 24 percent of businesses had phishing reporting in place in 2020, and no single industry achieved a 50 percent reporting rate.

To combat these challenges and combine continuous and contextual training, Vade developed Threat Coach, automated phishing awareness training for Vade for Microsoft 365. Threat Coach is powered by two automated technologies: Auto-Remediate, which removes email threats post-delivery, and the Vade Feedback Loop, an integrated reporting feature.

Auto-Remediate and the Feedback Loop provide Threat Coach with real phishing email samples captured by Vade. If a phishing email is detected by Auto-Remediate, any user who interacted with the email prior to remediation is invited to participate in Threat Coach phishing awareness training.

The user is guided through a series of interactive questions that gauge their ability to recognize phishing in different presentations. The phishing samples the user sees on the quiz depends on the original phishing email they interacted with. For example, if the user clicks on a Microsoft phishing email, the quiz will focus on Microsoft phishing.

Unlike phishing simulation platforms, Threat Coach is fully automated, with no templates to create or trainings to schedule. For MSPs, it’s a simple way to provide an added-value cybersecurity service without the added costs.


Are your users still clicking on phishing emails?
Simulated phishes and periodic training are not enough. Learn how Vade delivers automated phishing awareness training when users need it most.

Learn more