
Using online security awareness training to lower your click rate

Recognizing a potential phishing email is the first step in avoiding falling victim to a cyber attack. The next and most important step is knowing what to do with this email.

Ideally, you want your employees to report the phishing email to you and then delete the message. However, curiosity is extremely powerful. People tend to trust the sender and the legitimacy of the messages they receive, so they click.

Then, because they’re busy or don’t expect to be targeted by cybercriminals, they keep clicking.

Knowing how to manage and respond to repeat clickers is a universal challenge for CISOs and security leaders. It can be frustrating because your employees may have participated in online security awareness training, so they should know how to detect a phishing email.

But knowing and responding correctly are two very different things. We know that humans are inclined to trust, and that most people never expect to be targeted by a cybercriminal. In fact, we hear people say “Why would a cybercriminal target me? I’m not rich and I don’t own a big company.”

Why do Employees Keep Clicking?

Why do employees keep responding to the shopping discount emails or the emails that appear to come from their boss? Why, even though there are spelling errors or obvious mistakes in the URL, do people still click?

Cybercriminals use emotion and the inclination to instinctively trust someone else to get people to act quickly, giving little thought to the request or its source.

Realizing that you fell victim to a phishing message will trigger one or more emotions:

Fear: strong and threatening language is used to convince victims that if they don’t act quickly, there will be negative ramifications for them or someone they know. For example, an arrest will be made, or a bank account will be seized.

Respect: the victim feels compelled to respond because the email appears to come from a company employee who has authority over them. They do not question sending a wire transfer to a new partner or providing the senior HR manager with confidential employee details.

Greed: everyone wants something for nothing. By preying on our natural instinct for greed, cybercriminals trick phishing victims into acting with the promise of receiving money, a prize, or the chance to benefit from a great new business.

Helpfulness: people want to trust and help one another. This is how people are fooled by social media messages from distant relatives or by emails that use language such as “please help” or “I’m in trouble and only you can help me”.

Complicating things further is the very nature of phishing:

  • Savvy social engineering tactics that exploit human nature to trust and to want to help.
  • The use of urgent language that encourages recipients to act quickly.
  • Emails that exploit the time of the year (holiday sales), current events (COVID-19), or the human desire for prizes, discounts, and rewards.
  • People are busy, they receive lots of emails, and phishing is not top-of-mind.
  • Legitimate-looking emails that appear to come from Amazon, their manager, or the government.

So, while people have taken security awareness training and have heard experts talk about phishing, spear phishing, and business email compromise (BEC) scams – there is a disconnect.

Your employees keep clicking because they simply are not aware of the risks and do not understand that they (and everyone else) are a target of cybercriminals.

To reach repeat clickers, online security awareness training needs to use the same tactics as those used by cybercriminals:

  • Real-world scenarios that happen on a day-to-day basis.
  • Personalized, bite-sized, dynamic, and engaging.
  • Delivered on any device – smartphone, tablet, or computer.
  • Uses language that appeals to your employees and speaks directly to them.
  • Uses consistent and repetitive messaging delivered in easy to read formats.

Watch the Five Stages of Being Phished webcast to learn more about repeat clickers and what motivates them to click.


How CISOs and Security Leaders can Manage Repeat Clickers

To manage repeat clickers, your role as a CISO or security leader must shift from thinking about protecting your organization to thinking about how you can motivate your employees to protect themselves, and eventually your organization and their colleagues.

Your biggest line of defense against phishing attacks and cyber threats is your employees.

To manage and reach repeat clickers, do the following:

  1. Deliver consistent and repetitive messages about phishing and cyber security. Use email newsletters, posters, and micro- and nano-learning videos to give your employees the same message about phishing and the signs of phishing.
  2. Make security awareness part of your organization’s culture. Identify your intrinsically motivated employees and make them cyber heroes. These employees can be proactive in talking about cyber security and phishing with employees who are extrinsically motivated or disconnected from the risks.
  3. Give employees personalized and high-quality security awareness training that is engaging, interactive, and relatable. Take advantage of self-directed online learning, gamified training, and real-world scenarios.
  4. Use phishing simulations to measure how well employees are responding to the training. These simulations help you identify your repeat clickers, allowing you to rethink the training they receive and understand where training is not resonating.
  5. Many people are motivated by competition and rewards. If this fits your organization’s culture, set up a way to reward people who change their click rate response and recognize their improvements.
  6. Communicate with your repeat clickers that there are consequences to their behavior. Use real-world examples or simulations to emphasize the personal and professional impacts of clicking a link or downloading an attachment. Help people understand the severity of repeat clicking.
  7. Consider taking real action – disabling email or blocking Internet access when a repeat clicker does click. Show people the potential harm that comes with a successful phishing attack.
  8. Depending on your organizational culture, communicate with repeat clickers that there are real-world personal consequences to their actions. Consider sending a note that details these consequences and how they can easily access online security awareness training and phishing simulations. Make it clear that you want to help and support them.


This is for employees

Know the Signs of a Phishing Email

Phishing emails are effective because cybercriminals use savvy language and advanced social engineering techniques to trick you into clicking. Everyone is a target for phishing emails. It doesn’t matter what your job is, how much money you earn, or where you work.

Because of this, we want you to know these six signs of a phishing email:

  1. Sender. Pay close attention to the sender’s email address. Is it spelled correctly? When you hover your mouse over the email address, what does it look like? Cybercriminals will use email addresses that look real but are fake – [email protected] instead of [email protected].
  2. Salutation. Beware of emails that use “Dear client”, “Dear Customer”, or “Dear Valued Customer”. If the email does not use your name, be on guard.
  3. Content. Look out for urgent language that encourages you to act quickly or uses threats. Are there spelling or grammatical errors? A real organization will not send an email with these mistakes. Emails that ask you for your personal or financial information or ask you to update your account information should be reported to your IT service desk.
  4. Link or button. Unless you know who sent you the email, do not click any links or buttons in the email. Cybercriminals use these to take you to a fake website or to install malware on your computer.
  5. Attachment. Pay close attention to all attachments. Before clicking, hover your mouse over the attachment and look at the filename. Never click filenames that have an .exe extension. Clicking an .exe can install malware on your computer and network, disabling our organization. Never click attachments from senders you do not know.
  6. Contact information. No organization will send you an email without including contact information. If there isn’t a phone number or address – do not trust this email. Remember that some cybercriminals create fake phone numbers that they include in their phishing emails. Always type in the URL of the company or organization emailing you into your browser and use the contact information on the official website.

Above all else, when in doubt, do not click. We want you to be suspicious. Take your time, read the email carefully, and if you’re not 100% confident – talk to us. We are here to help you.
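
For the security team receiving reported emails, the six signs above can be turned into a first-pass triage check. The following is an added example, not part of the original article: the function names, the keyword lists, the 0.8 look-alike threshold, and the domain `example-bank.test` are all assumptions, and both sample messages are constructed.

```python
import re
from difflib import SequenceMatcher
from email.message import EmailMessage
from email.utils import parseaddr

SALUTATION = re.compile(r"\bdear\s+(valued\s+)?(client|customer)\b", re.I)
URGENT = re.compile(r"\b(urgent|immediately|act now|suspended|final notice)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s\"'<>]+)", re.I)
PHONE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

def trusted(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def six_signs(msg, domains):
    """Return the signs (1-6 from the list above) that fire; thresholds are assumptions."""
    hits = []
    sender = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    # 1. Sender: untrusted domain that closely resembles a trusted one (look-alike).
    if not trusted(sender, domains) and any(
            SequenceMatcher(None, sender, d).ratio() >= 0.8 for d in domains):
        hits.append("sender")
    part = msg.get_body(preferencelist=("html", "plain"))
    raw = part.get_content() if part else ""
    text = re.sub(r"<[^>]+>", " ", raw)  # strip HTML tags before the wording checks
    if SALUTATION.search(text):          # 2. generic greeting instead of a name
        hits.append("salutation")
    if URGENT.search(text):              # 3. urgent or threatening wording
        hits.append("content")
    if any(not trusted(h.lower(), domains) for h in URL_HOST.findall(raw)):
        hits.append("link")              # 4. link to a host outside the trusted set
    if any((a.get_filename() or "").lower().endswith(".exe") for a in msg.iter_attachments()):
        hits.append("attachment")        # 5. executable attachment
    if not PHONE.search(text):           # 6. no phone number anywhere in the body
        hits.append("contact")
    return hits

def build(sender, body, subtype="plain", exe=None):  # constructed sample data
    m = EmailMessage()
    m["From"] = sender
    m.set_content(body, subtype=subtype)
    if exe:
        m.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename=exe)
    return m
PHISH = build("Example Bank <support@examp1e-bank.test>",
              '<p>Dear Valued Customer,</p><p>Act immediately: '
              '<a href="http://login.examp1e-bank.test/verify">Verify</a></p>', "html", "invoice.exe")
BENIGN = build("IT Service Desk <helpdesk@example-bank.test>",
               "Hi Dana,\nVPN maintenance is Saturday: https://intranet.example-bank.test/vpn\n"
               "Service desk: +1 555 010 0199\n")
```

Calling `six_signs(PHISH, {"example-bank.test"})` fires all six checks, while `BENIGN` fires none. These heuristics only rank reports for an analyst; a message that fires none of them is not thereby safe.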

