{"id":690513,"date":"2025-09-17T13:35:12","date_gmt":"2025-09-17T10:35:12","guid":{"rendered":"https:\/\/buradabiliyorum.com\/en\/cybersecurity-training-programs-dont-prevent-employees-from-falling-for-phishing-scams\/"},"modified":"2025-09-17T13:35:12","modified_gmt":"2025-09-17T10:35:12","slug":"cybersecurity-training-programs-dont-prevent-employees-from-falling-for-phishing-scams","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/cybersecurity-training-programs-dont-prevent-employees-from-falling-for-phishing-scams\/","title":{"rendered":"Cybersecurity training programs don&#8217;t prevent employees from falling for phishing scams"},"content":{"rendered":"<div>\n<div class=\"article-gallery lightGallery\">\n<div data-thumb=\"https:\/\/scx1.b-cdn.net\/csz\/news\/tmb\/2025\/cybersecurity-training.jpg\" data-src=\"https:\/\/scx2.b-cdn.net\/gfx\/news\/2025\/cybersecurity-training.jpg\" data-sub-html=\"Researchers found that there was no significant relationship between whether users had recently completed an annual, mandated cybersecurity training and the likelihood of falling for phishing emails. 
Credit: Ioana Patringenaru\/University of California San Diego\">\n<figure class=\"article-img\">\n            <img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/scx1.b-cdn.net\/csz\/news\/800a\/2025\/cybersecurity-training.jpg\" alt=\"Cybersecurity training programs don't prevent employees from falling for phishing scams\" title=\"Researchers found that there was no significant relationship between whether users had recently completed an annual, mandated cybersecurity training and the likelihood of falling for phishing emails. Credit: Ioana Patringenaru\/University of California San Diego\" width=\"800\" height=\"418\"\/><figcaption class=\"text-darken text-low-up text-truncate-js text-truncate mt-3\">\n                Researchers found that there was no significant relationship between whether users had recently completed an annual, mandated cybersecurity training and the likelihood of falling for phishing emails. Credit: Ioana Patringenaru\/University of California San Diego<br \/>\n            <\/figcaption><\/figure>\n<\/p><\/div>\n<\/div>\n<p>Cybersecurity training programs as implemented today by most large companies do little to reduce the risk that employees will fall for phishing scams\u2013the practice of sending malicious emails that pose as legitimate messages to get victims to share personal information, such as their Social Security numbers.<\/p>\n<p>That&#8217;s the conclusion of a study evaluating the effectiveness of two different types of cybersecurity training during an eight-month, randomized controlled experiment. 
The experiment involved 10 different phishing email campaigns developed by the research team and sent to more than 19,500 employees at UC San Diego Health.<\/p>\n<p>The team presented <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/ieeexplore.ieee.org\/document\/11023357\/\">their research<\/a> at the Black Hat conference Aug. 2\u20137 in Las Vegas. The team originally shared their work at the 46th IEEE Symposium on Security and Privacy in May in San Francisco.<\/p>\n<p>Researchers found that there was no significant relationship between whether users had recently completed an annual, mandated cybersecurity training and the likelihood of falling for phishing emails.<\/p>\n<p>The team also examined the efficacy of embedded phishing training\u2014the practice of sharing anti-phishing information after a user engages with a phishing email sent by their organization as a test. For this type of training, researchers found that the difference in failure rates between employees who had completed the training and those who had not was extremely low.<\/p>\n<p>&#8220;Taken together, our results suggest that anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks,&#8221; the researchers write.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Why_is_it_important_to_combat_phishing\"><\/span>Why is it important to combat phishing?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Whether phishing training is effective is an important question. 
In spite of 20 years of research and development into malicious email filtering techniques, a 2023 IBM study identifies phishing as the single largest source of successful cybersecurity breaches\u201316% overall, researchers write.<\/p>\n<p>This threat is particularly challenging in the health care sector, where targeted data breaches have reached record highs. In 2023 alone, the U.S. Department of Health and Human Services (HHS) reported over 725 large data breach events, covering over 133 million health records, and 460 associated ransomware incidents.<\/p>\n<p>As a result, it has become standard in many sectors to mandate both formal security training annually and to engage in unscheduled phishing exercises, in which employees are sent simulated phishing emails and then provided &#8220;embedded&#8221; training if they mistakenly click on the email&#8217;s links.<\/p>\n<p>Researchers were trying to understand which of these types of training are most effective. It turns out, as currently administered, that none of them are.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Why_are_cybersecurity_trainings_not_effective\"><\/span>Why are cybersecurity trainings not effective?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>One reason the trainings are not effective is that the majority of people do not engage with the embedded training materials, said Grant Ho, study co-author and a faculty member at the University of Chicago, who did some of this work as a postdoctoral researcher at UC San Diego.<\/p>\n<p>Overall, 75% of users engaged with the embedded training materials for a minute or less. 
One-third immediately closed the embedded training page without engaging with the material at all.<\/p>\n<div class=\"article-gallery lightGallery\">\n<div data-thumb=\"https:\/\/scx1.b-cdn.net\/csz\/news\/tmb\/2025\/cybersecurity-training-1.jpg\" data-src=\"https:\/\/scx2.b-cdn.net\/gfx\/news\/hires\/2025\/cybersecurity-training-1.jpg\" data-sub-html=\"The team examined the efficacy of embedded phishing training\u2014the practice of sharing anti-phishing information after a user engages with a phishing email sent by their organization as a test. For this type of training, researchers found that the difference in failure rates between employees who had completed the training and those who did not was extremely low. Credit: Ioana Patringenaru\/University of California San Diego\">\n<figure class=\"article-img text-center\">\n            <img decoding=\"async\" src=\"https:\/\/scx1.b-cdn.net\/csz\/news\/800a\/2025\/cybersecurity-training-1.jpg\" alt=\"Cybersecurity training programs don't prevent employees from falling for phishing scams\" title=\"The team examined the efficacy of embedded phishing training\u2014the practice of sharing anti-phishing information after a user engages with a phishing email sent by their organization as a test. For this type of training, researchers found that the difference in failure rates between employees who had completed the training and those who did not was extremely low. Credit: Ioana Patringenaru\/University of California San Diego\"\/><figcaption class=\"text-left text-darken text-truncate text-low-up mt-3\">\n                The team examined the efficacy of embedded phishing training\u2014the practice of sharing anti-phishing information after a user engages with a phishing email sent by their organization as a test. For this type of training, researchers found that the difference in failure rates between employees who had completed the training and those who did not was extremely low. 
Credit: Ioana Patringenaru\/University of California San Diego<br \/>\n            <\/figcaption><\/figure>\n<\/p><\/div>\n<\/div>\n<p>&#8220;This does lend some suggestion that these trainings, in their current form, are not effective,&#8221; said Ariana Mirian, another paper co-author, who did the work as a Ph.D. student in the research group of UC San Diego computer science professors Stefan Savage and Geoff Voelker.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"A_study_of_19500_employees_over_eight_months\"><\/span>A study of 19,500 employees over eight months<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>To date, this is the largest study of the effectiveness of anti-phishing training, covering 19,500 employees at UC San Diego Health. In addition, it&#8217;s one of only two studies that used a randomized controlled trial method to determine whether employees would receive training, and what kind of phishing emails\u2013or lures\u2013they would receive.<\/p>\n<p>After sending 10 different types of phishing emails over the course of eight months, the researchers found that embedded phishing training only reduced the likelihood of clicking on a phishing link by 2%. This is particularly striking given the expense in time and effort that these trainings require, the researchers note.<\/p>\n<p>Researchers also found that more employees fell for the phishing emails as time went on. In the first month of the study, only 10% of employees clicked on a phishing link. By the eighth month, more than half had clicked on at least one phishing link.<\/p>\n<p>In addition, researchers found that some phishing emails were considerably more effective than others. For example, only 1.82% of recipients clicked on a phishing link to update their Outlook password. 
But 30.8% clicked on a link that purported to be an update to UC San Diego Health&#8217;s vacation policy.<\/p>\n<p>Given the results of the study, researchers recommend that organizations refocus their efforts to combat phishing on technical countermeasures. Specifically, two measures would have better return on investment: two-factor authentication for hardware and applications, as well as password managers that only work on correct domains, the researchers write.<\/p>\n<div class=\"article-main__more p-4\">\n<p><strong>More information:<\/strong><br \/>\nGrant Ho et al, Understanding the Efficacy of Phishing Training in Practice, <i>2025 IEEE Symposium on Security and Privacy (SP)<\/i> (2025). <a rel=\"nofollow\" target=\"_blank\" data-doi=\"1\" href=\"https:\/\/dx.doi.org\/10.1109\/sp61157.2025.00076\">DOI: 10.1109\/sp61157.2025.00076<\/a><\/p>\n<\/div>\n<div class=\"d-inline-block text-medium my-4\">Provided by University of California &#8211; San Diego<\/div>\n<div class=\"d-none d-print-block\">\n<p><strong>Citation<\/strong>: Cybersecurity training programs don&#8217;t prevent employees from falling for phishing scams (2025, September 17) retrieved 17 September 2025 from https:\/\/techxplore.com\/news\/2025-09-cybersecurity-dont-employees-falling-phishing.html<\/p>\n<\/div>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/techxplore.com\/news\/2025-09-cybersecurity-dont-employees-falling-phishing.html\" target=\"_blank\" >Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers found that there was no significant relationship between whether users had recently completed an annual, mandated cybersecurity training and the likelihood of falling for phishing emails. 
Credit: Ioana Patringenaru\/University of California San Diego Cybersecurity training programs as implemented today by most large companies do little to reduce the risk that employees will fall for&#8230;<\/p>\n","protected":false},"author":1,"featured_media":690514,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/scx2.b-cdn.net\/gfx\/news\/2025\/cybersecurity-training.jpg","fifu_image_alt":"","footnotes":""},"categories":[16],"tags":[],"class_list":["post-690513","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sciencee"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/690513","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=690513"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/690513\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/690514"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=690513"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=690513"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=690513"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}