Why do they click?

Aug 22, 2022

We may be inclined to take punitive action against the employees who repeatedly fail phishing tests. But before swinging the hammer, consider this: Although malicious user intent is within the bounds of possibility, it’s rare — extremely rare.

Users don’t want to fall for a phish — quite the opposite. So why do they do it?

Any of us, even security professionals, can be tricked into clicking a dangerous link or opening a malware-laden attachment. If we’re honest, we’ve all done it on occasion. The reasons have less to do with intention or intelligence and more to do with environmental factors.

What factors most influence users’ ability to identify phishing emails?

We trust that employees care about not exposing the company to phishing risk. They have a natural incentive not to put the company in jeopardy, as much as they care about their next paycheck or the approval of their colleagues.

So what factors make it harder to discern the true from the false? What makes employees more susceptible to deception, and what can we do about it?

Stress. Every email presents a series of micro-decisions. Someone who is experiencing high levels of stress will find it more difficult to see the signs of a phishing attempt.

Volume. This factor has the advantage of being measurable and also manageable. An employee who must evaluate hundreds of messages per day will have to take cognitive shortcuts to handle high workloads. Encouraging internal email etiquette can help. (Don’t send email messages when a phone call or IM will do.) Another preemptive step is to shift business processes involving email to other kinds of systems. For example, instead of having your HR department accept resumes and cover letters through email, insist that candidates make submissions through an HRIS (Human Resources Information System) so that submitters have some degree of authentication and limits to what they can send for review.

Exotic but normal messages. Some companies and business functions involve a lot of legitimate but highly variable content and attachments. An example would be the equity analyst who receives reports that take the form of Word, Excel and Acrobat Reader files, perhaps from places that would normally set off alarm bells such as Eastern Europe.

Infrequent or irregular testing. Experience teaches us that memory has an arc. Users retain the lessons taught through a phishing test and the feedback it offers for about 7-10 days. Many companies conduct phishing tests monthly, quarterly, or worse — semi-annually or annually.

Tests without lessons. Each and every phishing test must include a clue that the message should be reported. It is possible to devise a perfect phish that nobody can spot. But we know from reviewing countless messages that such attacks are rare in the wild. When we design a phishing test, we want to include at least one clue and know why we’re including it. Without at least one clue, the phishing test has no value.

The wrong security training. KnowBe4 and other user awareness training providers offer huge libraries of training videos, posters, bulletins, and other tools. They vary by application, quality, subject matter and so on. Too many companies force repeat-offenders through the same generic security training that they’ve undergone before, making training feel like punishment. Security awareness training should never be punitive. It is best to assume that some users need a different perspective on phishing instead of punishment. Switching videos, even if they address the same subject matter, can help.

Training the wrong people. Most users are quite capable of spotting phish with minimal training. The typical success rate among our clients is in the range of 70-95%. Of those, 50% or more are consistently successful at avoiding malicious emails. Concentrate on the 10% that consistently fail to identify and report phish. Speak to a representative sampling of those users to form an understanding of their stressors, working conditions, workload, etc. Then concentrate your efforts accordingly. You’ll achieve more benefit from doing so and perhaps even make friends among individuals who most need the security team’s help.

Putting too much trust in one layer. The human firewall is a great idea, but it’s the last layer. Make sure that the messages that reach users are filtered reliably before they have to reach for the Phish Alert Button. As security professionals, we can have a lot of positive impact on the business by reducing the friction that’s caused when users must pause and think too hard about whether or not a message is safe. The best phish is not the one that users report, but the one that they never have to evaluate.

A lack of direct coaching for repeat offenders. Security awareness training and testing are viewed by users as impersonal and burdensome, and with good reason. Even the best programs lack the human element. Direct coaching can help.

Victim blaming. Nobody (there may be rare outliers) wants to be the victim of a phishing scam. Shame and fear will change behavior, but they won’t deliver positive results. Instead, they’ll discourage openness, transparency, and therefore cut off communication between users and the security team. Study your repeat offenders. Find out why they’re having trouble spotting phish. Assume good intent and approach the victims (they are innocent victims after all) with sympathy and compassion.

Preventing phishing isn’t a simple affair. However there are few simple routes to success. But the keys are to understand how people use email to do their jobs, minimize factors that cloud their thinking, and enable them to discern between legitimate and illegitimate messages. How do we do this? At a high level, we do three things:

  1. Measure user behavior and mail processing system performance regularly and often.
  2. Provide feedback to the employees, managers and email systems administrators
  3. Train and coach to change beliefs and values to improve behavior, not just to educate.

This is the first in a series of articles about security culture. For more about how Alchemy helps clients reduce the risk of phishing through Managed Security Culture, subscribe to our blog or reach out to us at sales@alchemysecurity.com.


How harm reduction can more effectively reduce employee risky behavior