Research

Users Getting Better at Identifying Phishing Attacks

• By Rhea Kelly
• 09/19/17

Users today are more likely to recognize a phishing attack than they were a year ago, according to new data from Wombat Security Technologies. In the 2017 Beyond the Phish Report, the security awareness and training company analyzed the results of more than 70 million questions answered by end users who completed its assessments and training modules, covering a variety of information security topics. The users came from a range of industries, including healthcare, retail, manufacturing and education. Across all industries, users performed better this year on questions around identifying phishing attacks, answering incorrectly only 24 percent of the time on average, compared to 28 percent in 2016.

Other bright spots include:

• Questions on social media were answered incorrectly 22 percent of the time, compared to 31 percent last year — giving the category the largest year-over-year improvement in the study;
• In the category of working safely outside the office, users answered incorrectly 20 percent of the time, compared to 26 percent last year;
• Overall, users did well in the area of protecting yourself against scams (a new category for 2017), answering incorrectly 14 percent of the time. Education users out-performed the average here, with just 10 percent of questions answered incorrectly; and
• Password safety was the best understood category, with users answering incorrectly just 12 percent of the time.

The report also revealed a number of challenges:

• The biggest problem area for end users across all industries was protecting confidential payment card and healthcare information. Questions on those topics were answered incorrectly 26 percent of the time overall. Education in particular was among the industries that struggled the most, with 29 percent of those questions answered incorrectly.
• The category of protecting mobile devices and information saw the biggest downturn in performance year-over-year. Users answered 24 percent of those questions incorrectly in 2017, compared to 15 percent in 2016.
• Across all industries, questions about protecting and disposing of data securely were answered incorrectly 25 percent of the time.
• Nearly everyone missed more questions this year about using the internet safely (19 percent in 2017 compared to 16 percent in 2016). In particular, education users were among the worst performers, with 21 percent of questions answered incorrectly.

"We continue to see in our year-over-year results that reinforcement and practice are critical to learning retention. As with any learned skill, organizations need to work on cybersecurity awareness and knowledge to see continual improvements," said Joe Ferrara, president and CEO of Wombat, in a statement. "Organizations that focus on building a culture of security and empowering their employees to be a part of the solution develop the most sustainable and successful security awareness training programs."

The full report is available for download on the Wombat site (registration required).