In February 2018, VinciWorks introduced the Phishing Training Challenge. The short assessment evaluates the susceptibility of employees to phishing emails by testing their ability to identify red flags in dummy emails. Phishing is a particularly pernicious attack because it circumvents most IT protection layers and preys on the psychological weaknesses of employees.
The Phishing Challenge was sent out to over 16,000 people across multiple industries, including legal, finance, healthcare, engineering and IT. It presented a series of 10 emails to employees and asked them to identify the red flags. An analysis of the data found that:
- 15% of employees were at high risk for phishing attacks. These employees missed at least half of the red flags.
- 49% of employees were at medium risk. These employees missed at least a quarter of red flags.
Education level does not affect risk level
The study did not find significant differences across industries. This is important because there might be a tendency to assume highly educated people, such as City lawyers, are at lower risk. This is not the case. The study included over 4,000 people from top-100 law firms. Their results mirrored those of other respondents.
Refresher training improves results significantly
The study found that employees who retested with new emails using VinciWorks’ Phishing Challenge 2.0 performed significantly better. In the refresher challenge with completely new emails and red flags, only 5% of employees were deemed high risk and 38% medium risk.
This improvement is likely because the retested employees approached the emails with a more suspicious mindset and were already familiar with the basic red flags of phishing.
What is phishing?
‘Phishing’ is a cyber-security attack where hackers fraudulently pose as a trustworthy person in order to trick you into revealing information. This is usually done via email, but phishing also takes place by phone or text message.
Phishing attacks can be devastating. They have caused major cyber outages in recent years, paralysing international companies and even whole countries.
Preventing phishing attacks is not just the job of IT departments. It is everybody’s responsibility. One wayward click on a phishing email could let hackers infect your company’s entire system, causing untold chaos and bringing your business to the brink of crisis.
About the Phishing Challenge
The VinciWorks Phishing Challenge is a hands-on, practical assessment and phishing training tool in which users learn how to identify a phishing threat. Through a series of real phishing emails, users are quizzed on the common red flags that appear in scam emails.
The Phishing Challenge uses real-world examples to educate on the importance of cyber security. It can be used as refresher training for cyber security, or as a way to identify individuals within the organisation who are at high risk of falling into a phishing trap.
The red flags include:
- Email sender’s name and address are inconsistent or unusual
- Subject line is generic, such as ‘your account’, ‘valued customer’ or ‘invoice’
- The message does not contain your email address in the ‘To’ field
- There is an urgent tone, prompting you to take immediate action
- The email prompts you to click on links and take further action
- You do not recognise the sender’s name, or there is no sender that can be verified
- There is an attachment to the email with a .zip or other unrecognised file extension
- The message is written in awkward or poor language
- Hovering over a link displays an unexpected address
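As an added illustration (not VinciWorks' code), the following Python scorer checks a raw email for most of the red flags listed above; the keyword lists, the sender-mismatch and link-mismatch heuristics and the sample message are all assumptions constructed for this example.

```python
import email, re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

GENERIC_SUBJECTS = {"your account", "valued customer", "invoice"}
URGENT_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def red_flags(raw, my_address):
    # Returns the red flags found in a raw RFC 5322 message (heuristics are assumptions).
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(str(msg.get("From", "")))
    hidden = re.search(r"@([\w.-]+)", name)  # an address shown inside the display name
    if hidden and hidden.group(1).lower() != addr.rsplit("@", 1)[-1].lower():
        flags.append("sender name and address are inconsistent")
    if str(msg.get("Subject", "")).strip().lower() in GENERIC_SUBJECTS:
        flags.append("generic subject line")
    if my_address.lower() not in str(msg.get("To", "")).lower():
        flags.append("your address is not in the To field")
    # Lower-cased body text (HTML preferred) used for the tone, link and anchor checks.
    text = (body.get_content() if (body := msg.get_body(("html", "plain"))) else "").lower()
    if any(w in text for w in URGENT_WORDS):
        flags.append("urgent tone")
    if "click" in text and "http" in text:
        flags.append("prompts you to click a link")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment: {fname}")
    for href, label in ANCHOR.findall(text):
        shown, real = urlparse(label.strip()).hostname, urlparse(href).hostname
        if shown and shown != real:  # displayed URL differs from where the link really goes
            flags.append(f"link shows {shown} but points to {real}")
    return flags

# Constructed sample message (not a real email) that trips several of the checks.
SAMPLE = """\
From: "support@bigbank.example" <alerts@mail-relay.example>
To: undisclosed-recipients:;
Subject: your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your account is suspended. Click <a href="http://bigbank-login.example/x">https://bigbank.example/login</a> immediately.</p>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="statement.zip"

--b1--
"""
```

Calling `red_flags(SAMPLE, "alice@firm.example")` reports all seven flags for the sample, while an ordinary plain-text note from a colleague returns an empty list.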
The Phishing Challenge is free for personal use, and can be licensed for use as part of your organisation’s cyber security response strategy. You can demo the latest Phishing Challenge here.