Cracking the Phishing Filter Conflict

Automated phishing filters make email safer by catching spam and phishing attempts before they reach the inbox. But no filter is perfect, and some phishing emails still get through. That raises a question: what happens to our guard when phishing emails stop arriving so often?

Researchers have described an effect they call the "prevalence paradox": people are more likely to fall for a phishing email when they see phishing emails less often. Staying vigilant against malicious email therefore requires occasional exposure to phishing attempts. One useful strategy is to send users training versions of phishing emails. These simulations work best when they closely resemble the real phishing attempts that users report to the company's information security team.

Finding the balance is important. Constant exposure to new threats causes fatigue, while seeing them only rarely breeds complacency. Different users need different amounts of exposure, and different levels of difficulty, for the training to pay off: some need to see simulations often, others only need an occasional reminder. But everyone, whatever their skill level, benefits from occasional exposure to harmless phishing scenarios to stay alert. Without enough exposure, alertness fades over time.

Image caption: another victim of the prevalence paradox. She clicked on a phishing email because she was hungry!

Why Occasional Phishing Exposure Matters

Habits shape how people handle email. Most messages are processed on autopilot; we only read an email carefully when something about it makes us suspicious. And how suspicious we are of a new message depends on how likely we think it is to be phishing in the first place: the rarer we believe phishing is, the less suspicion a given message triggers.

Seeing realistic phishing emails reinforces our sense that phishing is a live risk, which raises our baseline suspicion of questionable messages in the inbox. In other words, the more the training examples resemble real-world attacks, the better we get at spotting the real thing.
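The mechanism described above, as an added illustration that is not part of the original post: a toy Bayesian model in Python in which the reader's suspicion of a message depends on their perceived prevalence of phishing. The sample phishing emails, their cue strengths (likelihood ratios), and the 0.2 scrutiny threshold are all assumptions chosen for the example, not measured values.

```python
# Added illustration (not from the original post) of the prevalence paradox
# as a toy Bayesian model. All numbers below are assumptions chosen for the
# example, not measured values.
from typing import Dict, Optional

# Constructed sample: how strongly each phishing email's cues point to
# "phishing" (a likelihood ratio). A crude scam has obvious cues; a spoofed
# internal notice looks almost like legitimate mail.
SAMPLE_PHISH: Dict[str, float] = {
    "crude lottery scam": 60.0,
    "generic password-reset notice": 12.0,
    "spoofed internal HR notice": 4.0,
}

# Assumed: the reader stops and scrutinises a message once the posterior
# probability that it is phishing reaches this level.
SCRUTINY_THRESHOLD = 0.2


def posterior_phish(prior: float, likelihood_ratio: float) -> float:
    """P(phish | cues) by Bayes' rule in odds form.

    prior is the reader's perceived prevalence of phishing (their estimate of
    how likely any new message is to be phishing); likelihood_ratio is how
    much more likely the message's cues are under "phishing" than "legitimate".
    """
    if not 0.0 < prior < 1.0:
        raise ValueError("prior must be strictly between 0 and 1")
    if likelihood_ratio <= 0.0:
        raise ValueError("likelihood ratio must be positive")
    posterior_odds = prior / (1.0 - prior) * likelihood_ratio
    return posterior_odds / (1.0 + posterior_odds)


def is_scrutinised(prior: float, likelihood_ratio: float,
                   threshold: float = SCRUTINY_THRESHOLD) -> bool:
    """True if the reader would stop and inspect the message."""
    return posterior_phish(prior, likelihood_ratio) >= threshold


def min_prior_to_scrutinise(likelihood_ratio: float,
                            threshold: float = SCRUTINY_THRESHOLD) -> float:
    """Smallest perceived prevalence at which a message with these cues gets
    scrutinised. Below it, the reader processes the message on autopilot."""
    # posterior >= threshold  <=>  prior_odds * LR >= threshold / (1 - threshold)
    required_prior_odds = threshold / (1.0 - threshold) / likelihood_ratio
    return required_prior_odds / (1.0 + required_prior_odds)


def miss_rate(prior: float, phish: Optional[Dict[str, float]] = None,
              threshold: float = SCRUTINY_THRESHOLD) -> float:
    """Fraction of the sample phishing emails that slip past a reader who
    holds the given perceived prevalence."""
    phish = SAMPLE_PHISH if phish is None else phish
    missed = sum(1 for lr in phish.values()
                 if not is_scrutinised(prior, lr, threshold))
    return missed / len(phish)


def sweep_prevalence(priors=(0.01, 0.03, 0.10)) -> Dict[float, float]:
    """Miss rate at each perceived prevalence: the paradox in numbers."""
    return {p: miss_rate(p) for p in priors}


if __name__ == "__main__":
    for p, rate in sweep_prevalence().items():
        print(f"perceived prevalence {p:5.2f}: miss rate {rate:.2f}")
    for name, lr in SAMPLE_PHISH.items():
        print(f"{name}: scrutinised once perceived prevalence >= "
              f"{min_prior_to_scrutinise(lr):.3f}")
```

Running it shows the miss rate climbing as perceived prevalence falls (none of the three samples missed at 10%, two of three missed at 1%), and that the most realistic sample, the spoofed HR notice, is the first to slip through. That is the case for simulations that resemble the attacks users actually report rather than the obvious ones.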

Finding a Balanced Training Frequency

Security awareness teams have to strike a balance between keeping users alert and secure and wearing them out with security tasks. The right training frequency depends on each person's current level of skill. Some employees are naturally careful and need less training; others do better with more guidance.

Ideally, phishing simulations would be tailored to each person and each organization, but most security teams and awareness programs lack the resources to do that. Studies suggest at least four training campaigns a year are needed to keep a program effective and current. But organizations should be careful not to overload users with training tasks, as that produces security fatigue.

The Bottom (Phishing) Line

Spotting malicious email is a skill that has to be practiced repeatedly. Realistic phishing simulations keep people alert to real threats. At least four campaigns per business year are suggested, but organizations need to weigh the number of campaigns against the risk of security fatigue.

By making targeted training a priority, businesses reduce their exposure to phishing and better protect their data, networks, and other critical digital assets.
