Please enter your social security number and the last four digits of your credit card to complete the process.
Your credentials could not be confirmed. Please enter your mother’s maiden name, the first car you drove, and the number of dollars remaining on the mortgage to your house.
… when this happens to you, it’s a big problem. When it provides malicious attackers a backdoor into your healthcare delivery system, it’s a much, much bigger problem. Our institution, like many others, implemented a “phishing” training program, complete with online modules and test e-mails sent periodically to our institutional accounts.
But does it work?
Considering we’re starting from the bottom, the answer is a qualified “yes”.
In these authors’ report, they detail their experience with 5,416 unique employees at a single institution undergoing a campaign aimed at education about phishing. Their intervention and program consisted of 20 fake malicious e-mails sent periodically at 2- to 3-month intervals. Only 975 (17.9%) clicked on zero malicious links in e-mails during their educational campaign. An almost equal number, 772, clicked on five or more malicious links. Generally, over the course of the intervention, rates of click-through gradually decreased from highs in the 70% range to well below 10%.
Additionally, after 15 e-mails, those who had clicked on enough e-mails to be labelled “offenders” underwent a mandatory training program. Unfortunately, this training program had no subsequent effect on click-through rates. Those who had been offenders before, remained offenders – with click rates on malicious links of 10-25%, depending on the fake example.
Grim news for security consultants trying to prevent massive data breaches.
“Evaluation of a mandatory phishing training program for high-risk employees at a US healthcare system”
https://academic.oup.com/jamia/advance-article/doi/10.1093/jamia/ocz005/5376646