US workers think they're pretty good at spotting phishing emails - but the reality is quite different
Training is one thing - but a real-life attack is another
- Darktrace survey shows US workers overconfident in spotting phishing
- 80% felt confident, but only 32% passed real-world test
- AI makes phishing harder to detect; experts say conventional training lacks personalization and measurable impact
Many US workers think they are rather good at identifying phishing emails in their inboxes, but reality begs to differ, new research has claimed.
Darktrace recently surveyed 1,000 US office workers and around 430 IT and security decision-makers on security awareness training and actual preparation for modern phishing attacks, finding four in five (80%) were confident in their ability to spot a phishing email in their day-to-day work.
However, after using realistic messages in a real-world test, only a third (32%) were able to actually spot the attack.
Security awareness training is failing workers
Phishing has drastically evolved over the past couple of years. Before the emergence of AI, one could spot a phishing email simply by proofreading it, since the attackers are rarely native English speakers, and the messages would come with spelling and grammar errors, as well as clunky language construction.
Nowadays, with AI doing most of the writing, properly identifying a phishing email is more difficult, but not impossible.
Checking the sender’s domain, analyzing links before clicking, and looking for telltale signs such as a sense of high urgency or threats are still solid techniques.
The researchers said last year more than a third (38%) used “novel social engineering techniques, likely enabled by AI” in their attacks, suggesting that the landscape is evolving rapidly.
The report also says security professionals are “not strongly convinced” conventional security awareness training is keeping pace with modern phishing. The majority (62%) agree it is effective at preparing employees to identify phishing attempts, but only 11% “strongly agree”, and just 2% say they see “no limitations in conventional training”.
The biggest limitations are the lack of personalization (31%), focus on failure (27%), and being too difficult to measure meaningfully beyond completion or click rates (23%).

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.