> - Training someone after they fall victim to a phishing attack makes them MORE likely to fall for future attacks.
Fascinating. A fair number of training programs seem to have the opposite of the intended effect. DARE (saying no to drugs) is a famous example.
To guess a mechanism: the training gives some specific examples of phishing, probably from a few years ago, which don't match current techniques. The phishers also know what's in popular training courses, so they avoid known trigger phrases. So people are less likely to recognize a novel scam than if they'd never seen any.
Had someone attempt to spear-phish me today actually. They're definitely getting more sophisticated... trying to deduce organizational structure from LinkedIn or similar & impersonating more senior people based on that to add pressure (hi this is boss. this needs to get paid asap). Not particularly effective though given all the controls in place around payments.
...I've fallen for an alarmingly high % of the simulated "click on this" tests our internal security team runs though. Given that I'd classify myself as reasonably technically competent, I dread to think what the overall stats look like across the entire company.
I find the internal testing alarmingly effective at getting me to click links and also consider myself technically proficient. 1Password always saves me from filling the logins if I get tricked enough. I definitely think the less technical crowd probably is abysmal at these challenges and always fret for my family. The general population has a whole lot to learn.
Is there a sitewide policy about Arxiv links, posting the PDF vs the abstract page? I tend to prefer the latter for bookmarks and for sharing, as a default "entry point".
T = 15 months in a corporate environment.
- 18-19 yo are most likely to fall for phishing
- people who use a computer in only a specialized fashion such as a single specialized program are most likely to fall for phishing.
- Gender doesn't have any relation to falling for phishing
- Training someone after they fall victim to a phishing attack makes them MORE likely to fall for future attacks.
- Warnings on emails are effective, longer warnings are less effective.
Those were the big ones I got. Interesting study; maybe it will help InfoSec at my company not send out test phishing emails every week.