The Intersection of Financial Institutions and Technology Leaders

Phishing Training That Works

August 23, 2024

By Laura Alix

Employees are the first line of defense against phishing and social engineering attacks, but rote corporate training may not effectively convey the gravity of that role. By using a training program that engages staff, emphasizing the benefit of that education to individuals’ personal lives and incentivizing those who spot phishing attempts, organizations can better ensure that this education doesn’t simply become a check-the-box exercise. 

Phishing, in which a fraudster attempts to gain sensitive information by impersonating a legitimate person, website or company, is one of many types of cybersecurity threats today. According to Verizon Communications’ 2024 Data Breach Investigations Report, phishing accounted for 31% of social engineering attacks between Nov. 1, 2022, and Oct. 31, 2023. What can make phishing particularly devastating is the quickness of the attack. “The median time for users to fall for phishing emails is less than 60 seconds,” wrote the report’s authors. Phishing attacks have also become more sophisticated. The days of laughably misspelled scam emails are largely behind us.

Examiners require banks and credit unions to train employees to recognize phishing attempts, but many organizations default to computer-based training that may cause some employees to zone out and not really absorb the information. 

On some level, it’s understandable that companies don’t always know the most engaging way to deliver that material, says Steve Sanders, chief risk officer and chief information security officer at CSI. “Most companies aren’t designed to be trainers, and they don’t think about what’s involved in putting together meaningful training.” 

Compared with other industries, financial institutions do relatively well training and testing their employees, says Cy Sturdivant, principal with Forvis Mazars. But even a 2% click rate on phishing emails means that some attempts are getting through, and bad actors only need to reach one person to be successful. 

Many institutions tend to view phishing training as a bare-minimum exercise they need to engage in to please regulators, which is the wrong mindset. “It’s almost as though they view the training as a friction point. That’s a dangerous bias and a dangerous perspective,” Sturdivant says. 

An effective phishing awareness program should emphasize that scammers often play on human emotions like fear or guilt or curiosity. Employees should also understand that phishing emails may use messaging around employees’ healthcare options, payroll or retirement investments, says Sturdivant. 

And effective training programs should keep up with how phishing is evolving in the real world, including information about the tactics that cybercriminals are currently using. It should cause employees and executives to pause whenever they encounter something out of the ordinary and alert IT staff, says Sturdivant. 

Organizations also need to test employees — including executives — regularly to make sure they’ve retained what they’ve learned. At a minimum, institutions should test staff quarterly, but monthly or twice-monthly is ideal, he says. More often than that, and employees might think every single email could be a test. 

Ben LeClaire, a principal at Plante Moran, recommends supplementing interactive training programs with ongoing reminders that keep cybersecurity principles top of mind. That could look like posters in common areas, educational emails that bring employees up to date on the latest scams or lunch-and-learn sessions. For example, Plante Moran sometimes brings hacking tools or penetration testers, also known as ethical hackers, to in-person training events for client institutions. 

Demonstrating to an audience what happens behind the scenes after a successful phishing attempt can help them better understand what hackers will do with stolen information and what’s at stake in this training. “I don’t think a lot of people really understand what happens after somebody clicks a link, but we see a lot of ‘Aha!’ moments in the room when we’re sharing that,” LeClaire says. “If you can show them why that’s important through talking about some of the tools and tactics hackers are using in the background, that’s an eye-opening experience that naturally helps [employees] remember the information.” 

Sanders says training should also emphasize how cybersecurity awareness can benefit employees’ personal lives outside the workplace, where they will inevitably encounter phishing attempts

“While we are loyal to our workplaces, we care more about why it’s benefiting us,” Sanders says. “Individuals are, day-to-day, susceptible to fraud, susceptible to computers being taken over and used in a bad way, which can cause them embarrassment, expense, loss of identity. Most people don’t realize how serious that is until they fall for it.” 

Also, consider recognizing and rewarding employees who do well on phishing tests or alert the organization to direct phishing attempts, Sanders says. 

At the end of the day, phishing attempts work because they’re able to exploit basic human fallibility. Executives who lead training programs should think about how they can make normal human tendencies and emotions work in their favor. 

Think about the human psychology aspect of it,” Sanders says. “People like recognition. They like being told they’re doing well, and they like knowing they’re part of a team.” 

Laura Alix is the Director of Research at Bank Director, where she collaborates on in-depth strategic research for bank directors and senior executives, including Bank Director’s annual surveys. She also writes for BankDirector.com and edits online video content.