Why Less Truly Means More in Phishing Simulation Emails

By Nitzan Gursky
February 26, 2019 | 3 MIN READ

You are in the middle of another hectic work day, trying to complete a presentation for tomorrow’s meeting. You skim through your inbox when you notice this email:

There’s a link, waiting to be clicked on. What do you do? The simple (and correct) answer is: Delete this email! However, you’d be surprised to hear that over 23% of employees fall prey to this exact phishing email. In other words – out of 100 people on your team, 23 people would click on this link.

What is ‘Difficult’, anyway?

If you find the phishing example above “too easy” and feel confident that you wouldn’t fall for it, you’re not alone. We often hear from our customers that some phishing simulation emails look “too simple” or “not sophisticated enough”.

But how can one define what’s “difficult” for organization-wide training? Would you consider the math question (5 x 8 = ?) an “easy” or a “difficult” one? Well, if you ask a group of people who have never studied math in their lives, they probably won’t be able to solve it, whereas it may look super-easy to those of us who’ve learned and practiced similar math questions since our early years in school. This example shows that “difficult” is really defined by the percentage of people who respond to a question correctly; hence the difficulty level of an email message can be evaluated only by analyzing the results after the fact.

One of the main challenges in organizational training is that different employees react to the same phishing simulation email differently, and it’s hard to predict how each organization or employee group will do. The best way to tackle this is to send messages and adjust the difficulty level as needed. Our smart machine uses an adaptive methodology to do just that: we usually start with messages that our data analysis has marked as ‘easy’ and work our way up – if a message is indeed ‘easy’ for some employees (meaning, they wouldn’t click on it), our 3D engine will optimize the next difficulty level to better fit that employee’s performance.
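The two ideas above, difficulty measured after the fact and a per-employee level that adapts to results, can be sketched in a few lines. The code below is an added illustration, not CybeReady’s engine; the employee and template names are constructed, and the up-one/down-one rule, the five tiers and the follow-up threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of two simulation rounds sent to the same four employees.
# Each record: (round, employee, template, clicked)
SAMPLE_RESULTS = [
    (1, "alice", "invoice-01", True),
    (1, "bob",   "invoice-01", True),
    (1, "carol", "invoice-01", False),
    (1, "dave",  "invoice-01", True),
    (2, "alice", "reset-02",   True),
    (2, "bob",   "reset-02",   False),
    (2, "carol", "reset-02",   False),
    (2, "dave",  "reset-02",   False),
]

MAX_LEVEL = 5  # assumed number of difficulty tiers


def click_rates(results):
    """Empirical difficulty per template, measured after the fact:
    the share of recipients who clicked. A high rate means the message
    was 'easy' to fall for, whatever it looked like beforehand."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for _, _, template, did_click in results:
        sent[template] += 1
        clicked[template] += int(did_click)
    return {t: clicked[t] / sent[t] for t in sent}


def next_levels(results, start=1):
    """Per-employee difficulty tier for the next round. Assumed rule: everyone
    starts at the easiest tier; not clicking moves an employee up one tier,
    clicking moves them down one (never below the first tier)."""
    level = defaultdict(lambda: start)
    for _, employee, _, did_click in sorted(results):  # process rounds in order
        if did_click:
            level[employee] = max(1, level[employee] - 1)
        else:
            level[employee] = min(MAX_LEVEL, level[employee] + 1)
    return dict(level)


def needs_follow_up(results, threshold=0.2):
    """Templates whose click rate exceeds a threshold: the ones worth a
    targeted lesson, regardless of how 'obvious' they looked beforehand."""
    return sorted(t for t, r in click_rates(results).items() if r > threshold)


if __name__ == "__main__":
    print(click_rates(SAMPLE_RESULTS))    # the 'simple' invoice lure scores highest
    print(next_levels(SAMPLE_RESULTS))
    print(needs_follow_up(SAMPLE_RESULTS, threshold=0.5))
```

Note that with this data the plain invoice lure is the one most people clicked, which is exactly why difficulty is scored from results rather than from how sophisticated the message looks.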

You know your team best – or do you really?

Some customers tell us that they know their team will not click on a simple message we’ve presented to them and request that we change it. Our response? We ask them to “trust the machine”. Our data shows that it’s hard to predict your team’s response to a phishing email. In fact, the simplest emails often generate the highest click rates.

Some of the email simulations we use even include typos or poor language – which may seem to contradict the organization’s communication style. However, these reflect the language of real phishing attacks created by hackers, and we find it important to train employees to identify them exactly as they appear.

At CybeReady, we train millions of employees monthly. Our simulation emails are based on actual, real-time phishing attacks that are meticulously selected and replicated by our intelligence team. While we always listen to our customers and respect their input, we advocate against content changes that would compromise the employees’ learning and their ability to detect real phishing emails when those reach their inbox.

Instead, we encourage our customers to sit back, relax, and watch how our autonomous platform trains employees and gradually changes their behavior towards phishing attacks with nearly zero effort from the organization’s IT team.

It works! Soon after customers start using our solution, they learn to “trust the machine”. In fact, many of them even find time to go on vacation while our smart platform continues to train their employees every single day. Learn more about how CybeReady’s security awareness training platform works!

Ready to learn more about the only autonomous training platform for enterprises? Request a demo with one of our experts to find out if CybeReady is the best fit for your organization.