Remedial Training: How to Help Users Who Click Phishing Emails

To support phishing training, we’ve introduced a group of three new automated remedial training approaches.

Updated March 14, 2025

Phishing remains one of the most prevalent threats that companies face.

Effective phishing training is paramount to maintaining a human firewall capable of spotting social engineering attacks and reporting them to security teams.

When employees don’t adapt their reporting behavior, the company’s risk of social engineers breaking through increases.

To support phishing training, we’ve introduced a group of three new automated remedial training approaches. Remedial training helps employees who struggle with key training concepts.

These approaches leverage reinforcement training and more intense training.

The main challenge we are tackling first is repeat clickers: users who continue to click on phishing simulations.

There are several reasons someone would repeatedly click on phishing simulations: difficulty recognizing the social engineering cues or premise, not knowing that reporting is the desired behavior, or even a lack of interest in training goals.

Addressing repeat clickers

The three automated remedial training approaches we’ve deployed to help repeat clickers change their behavior to reporting suspicious messages are:

  • Assigning relevant training to the user
  • Notifying the user’s manager
  • Notifying additional accounts, like awareness managers or security officers

Let’s take a look at how these features work and what they solve.

First off, all of the features have the same trigger.

They are automatically activated if a user either clicks on a set number of simulations in a row, or reaches a total number of clicks on simulations in a timeframe.
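
The trigger described above, as an added sketch in Python (this is not Hoxhunt's code). The streak threshold of three matches the example later in this article; the total of four clicks, the 90-day window, the outcome labels and the rule that any non-click outcome ends a streak are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class SimResult:
    sent_at: datetime
    outcome: str  # assumed labels: "clicked", "reported", "missed"

def repeat_clicker_trigger(results, max_streak=3, max_total=4,
                           window=timedelta(days=90), now=None):
    """Return which condition fires for one user, or None if neither does."""
    ordered = sorted(results, key=lambda r: r.sent_at)
    if not ordered:
        return None
    now = now or ordered[-1].sent_at
    # Condition 1: clicks "in a row", counted back from the latest simulation.
    # Assumption: any non-click outcome (reported or missed) ends the streak.
    streak = 0
    for r in reversed(ordered):
        if r.outcome != "clicked":
            break
        streak += 1
    if streak >= max_streak:
        return "streak"
    # Condition 2: total clicks inside the rolling timeframe ending at `now`.
    recent = sum(1 for r in ordered
                 if r.outcome == "clicked" and now - window <= r.sent_at <= now)
    if recent >= max_total:
        return "total_in_window"
    return None

def sim(day, outcome):
    """Build a constructed sample result `day` days after 2025-01-01."""
    return SimResult(datetime(2025, 1, 1) + timedelta(days=day), outcome)

# Constructed sample data; user names and dates are invented for the example.
SAMPLE = {
    "alice": [sim(0, "reported"), sim(10, "clicked"), sim(20, "clicked"),
              sim(30, "clicked")],
    "bob": [sim(0, "clicked"), sim(10, "reported"), sim(20, "clicked"),
            sim(30, "reported"), sim(40, "clicked"), sim(50, "clicked")],
    "carol": [sim(0, "clicked"), sim(5, "clicked"), sim(200, "reported"),
              sim(210, "clicked")],
}

def evaluate(sample):
    """Map each user to the trigger reason (or None)."""
    return {user: repeat_clicker_trigger(rs) for user, rs in sample.items()}
```

Bob never clicks three times in a row, yet four clicks inside the window still fire the second condition, while Carol's older clicks have aged out of the timeframe.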

Assigning relevant training to the user

When a user clicks on too many simulations, an effective approach is to provide them with more in-depth training. The training can cover the importance of reporting suspicious emails, how to report emails to security teams, and what the main social engineering tactics are.

The training is automatically assigned to the user, and they can be notified via email, Slack or Teams. The training content assigned to the user can be fully customized. Content from both Hoxhunt’s training library and customer created content can be used.

Assigning training to a frequent clicker
In this example, you're assigning training to a user after they have clicked on phishing simulations three times in a row.

The main goal is to help the user understand why and how they should participate in phishing training.

By going through the training, the users understand the importance of reporting phishing attacks, and recall how to report suspicious emails.

Notifying the user’s manager

In this approach, the risky behavior is addressed more directly.

The automation sends a message to the user’s manager when too many clicks are detected.

The manager is notified via email, Slack or Teams.

The manager has the opportunity to bring a more personal approach to discovering the underlying reasons for the behavior.

Based on discovery, more relevant and personalized actions can be taken to help the clicker turn into a reporter.

The notification sent to the manager can be customized and translated.

It’s important that the manager’s response and actions to address their direct report’s risk behavior are in line with the organization’s security culture and values.

Notifying manager
The manager notification’s message can be customized to fit your security culture.

Notifying additional accounts

Sometimes notifying additional accounts, like awareness managers or security officers, is necessary for visibility and action.

With this automation, key stakeholders can learn about users' risky behavior throughout the organization.

This can replace the manager notification or complement it, bringing in additional help to address users clicking on phishing simulations more intensely.

Targeted notifications
In the example above, you'd be informing about abundant risky behavior, while leaving the earlier interventions to automated training and managers.

Managing phishing training can be smooth

Hoxhunt phishing training is already fully automated, so training managers can focus on the outcomes and more targeted training needs.

While our phishing training already automatically adjusts and works to fit users' needs, it’s recognized that additional training has its place.

The new features addressing repeated clicking behavior help scale and automate addressing one part of the challenges that phishing training managers, and participants, might face.

The goal of remedial training is to improve overall skills in identifying phishing messages, understanding security awareness topics, and increasing participation in secure cyber behavior.
