
- Darktrace survey shows US workers overconfident in spotting phishing
- 80% felt confident, but only 32% passed real-world test
- AI makes phishing harder to detect; experts say conventional training lacks personalization and measurable impact
Many US workers think they are rather good at identifying phishing emails in their inboxes, but reality begs to differ, new research has claimed.
Darktrace recently surveyed 1,000 US office workers and around 430 IT and security decision-makers on security awareness training and actual preparation for modern phishing attacks, finding four in five (80%) were confident in their ability to spot a phishing email in their day-to-day work.
However, after using realistic messages in a real-world test, only a third (32%) were able to actually spot the attack.
Security awareness training is failing workers
Phishing has drastically evolved over the past couple of years. Before the emergence of AI, one could often spot a phishing email simply by proofreading it: attackers were rarely native English speakers, and their messages came with spelling and grammar errors and clunky sentence construction.
Nowadays, with AI doing most of the writing, properly identifying a phishing email is more difficult, but not impossible.
Checking the sender's domain, inspecting links before clicking, and looking for telltale signs such as a sense of high urgency or threats are still solid techniques.
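The three checks above can be automated, which is how a mail gateway or a defender's triage script would apply them consistently rather than relying on a reader's attention. The following is an added example written for this page, not code from the article or from Darktrace; it uses only the Python standard library, and the two sample messages, the domains (reserved `.example` names) and the `acme.example` trusted domain are constructed for illustration. It parses a raw message, compares the sender's address domain with the trusted domain and with what the display name claims, compares each link's visible text with its real target, and scans the subject and body for urgency language.

```python
"""Heuristic phishing indicators: sender domain, link targets, urgency language.

Added example (not from the original article). Assumes single-part HTML or
plain-text messages; multipart bodies would need a walk over msg.walk().
"""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name borrows the trusted domain, the address does
# not, the link text shows the real portal while the href goes elsewhere, and the
# wording pushes the reader to act immediately.
PHISH_EMAIL = """\
From: "Payroll Team (acme.example)" <payroll@acme-example-secure.example>
To: employee@acme.example
Subject: URGENT: verify your account within 24 hours or lose access
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended unless you act immediately.</p>
<p>Sign in here: <a href="http://acme-example-secure.example/login">https://portal.acme.example/login</a></p>
</body></html>
"""

# Constructed benign sample from the real domain, linking to a subdomain of it.
BENIGN_EMAIL = """\
From: "Payroll Team" <payroll@acme.example>
To: employee@acme.example
Subject: October pay statement available
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your statement is available in the <a href="https://portal.acme.example/pay">portal</a>.</p>
</body></html>
"""

# Wording that pressures the recipient; extend from your own incident data.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "lose access")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _is_trusted(host, trusted_domain):
    """True for the trusted domain itself or any subdomain of it."""
    return host == trusted_domain or host.endswith("." + trusted_domain)


def analyze_email(raw, trusted_domain):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw)
    findings = []

    # 1. Sender domain: does the address really belong to the trusted domain?
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if not _is_trusted(sender_domain, trusted_domain):
        findings.append(f"sender domain {sender_domain!r} is not {trusted_domain!r}")
        if trusted_domain in display.lower():
            findings.append("display name mentions the trusted domain but the address does not")

    # 2. Links: where does each one actually go, and does the visible text agree?
    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", errors="replace") if isinstance(payload, bytes) else str(payload)
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = _host(href)
        if target and not _is_trusted(target, trusted_domain):
            findings.append(f"link points to {target!r}")
        if text.lower().startswith("http") and _host(text) != target:
            findings.append(f"link text shows {_host(text)!r} but target is {target!r}")

    # 3. Urgency or threats in subject and body.
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, analyze_email(sample, "acme.example"))
```

On the phishing sample every heuristic fires (five findings), while the benign message from the real domain, linking to one of its own subdomains, produces none. Treat the output as triage signals rather than a verdict: a legitimate vendor mailing from a third-party domain will trip the sender check, and an AI-written lure that avoids urgency wording will pass the third check, which is why the domain and link comparisons carry more weight than the wordlist.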
The researchers said that last year more than a third (38%) of the phishing attacks they observed used "novel social engineering techniques, likely enabled by AI", suggesting that the landscape is evolving rapidly.
The report also says security professionals are “not strongly convinced” conventional security awareness training is keeping pace with modern phishing. The majority (62%) agree it is effective at preparing employees to identify phishing attempts, but only 11% “strongly agree”, and just 2% say they see “no limitations in conventional training”.
The biggest limitations are the lack of personalization (31%), focus on failure (27%), and being too difficult to measure meaningfully beyond completion or click rates (23%).