Before adding and sharing your Fraud Alert please check to see if a similar alert has already been posted, thank you:

To Mitigate Phishing Risk, Let Employees ‘Fail Forward’

Post a Fraud Alert:

Failure, not surprisingly, gets a bad rap. Yet, learning from failure is often the quickest path to growth. Take young children learning to walk for example: children will fail many times before getting it right, but at what point do we tell kids to stop? We don’t. We teach them instead to learn and adjust rather than chastise them for falling. In other words, until we know something doesn’t work, we can’t make corrections. This is true in life, business and phishing defense.

(Temporary) failure helps to fight phishing
Learning from mistakes is vital to a strong anti-phishing program. A program must strategically allow for failure before a threat actor attacks. By exposing users to a learning environment where it is safe to fail, companies empower users to strengthen its security infrastructure. 

This method works by crafting realistic simulated phishing emails, which clients send to employees—after they’ve explained the program and its educational purposes. The idea is to condition people to recognize and report suspicious emails, so the security team can examine them and, if they’re malicious, respond. 

This also helps to take advantage of the “wisdom of the crowd.” That is, the more broadly the simulation engages users in the fail forward process, the more likely one of them will correctly identify and report the next threat.

According to our recent report, such an approach pays off in two ways. Firstly through reduction in phishing susceptibility over time and second, through increases in resiliency to all kinds of phishing attacks.

The tendency to fall for a phishing email, or susceptibility, is best addressed through repeated phishing simulations. Research demonstrates that companies using simulation training reduced their susceptibility rate year over year. 

It’s okay to raise the difficulty factor. Simulations should progress over time to challenge employees and keep them aware of the latest phishing tactics. After learning to identify basic attacks by failing first, people who reach a level of competence should be ready to fail again when they face complex or unfamiliar phishes.

Example: one business had reduced organizational susceptibility across 4,500 employees in multiple countries to just above five percent. Employees could recognize standard phishing emails, but it was time to raise the bar. The business adopted a phishing simulation program targeted by department, which brought some departments to over 40% susceptibility. Success! No pain, no gain.

The chart below shows that programs improved resiliency even as they got harder, using targeted attacks, personalization and other phishing tricks.

Article source: