by _8j50
2831 days ago
Too targeted would for example be something too relevant to their job. They'd know what the typical emails and logins are so they won't fall for it easily. If the training is for spearphishing, it should contain extensive detail about the user. I mean really, you can't train someone who combats phishing as their day job against spearphishing. The only real threat training combats against is untargeted dragnet attacks which typically use generic content or attacks that target organizations (not individuals). In other words, you want them to be trained for the technology threat not the content threat. You want them to know the difference between mail.company.com and mail.company.com.seemslegit.site . Currently, training seems to focus on "email looks suspicious, why did you click on the link" not "what about the link made you think it was legitimate? and this is why you were wrong." Also, training is done as a campaign at most places. A few users fall for it and suddenly everyone knows about it before opening their inbox. Mostly theatrics. It shouldn't be "send phishme emails to 1000 users today", it should be more like "pick 50 users out of 1000 at random and send them a new campaign every day for the next 20 business days quarterly"
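The difference between mail.company.com and mail.company.com.seemslegit.site mentioned in the comment above, as an added example that is not part of the original comment: a host belongs to the organization only if it ends in the organization's domain on a label boundary. The names `ORG_DOMAIN`, `link_host` and `classify_link` are hypothetical, and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the organization's own domain, taken from the comment's example.
ORG_DOMAIN = "company.com"


def link_host(url):
    """Return the host the browser would connect to, normalized."""
    host = urlsplit(url).hostname  # excludes userinfo ("user@") and port
    return (host or "").rstrip(".").lower()


def classify_link(url, org_domain=ORG_DOMAIN):
    """Classify a link by where the organization's domain appears in it."""
    host = link_host(url)
    # Ownership is decided by the right-hand end of the host name:
    # either the domain itself or "<anything>." + domain.
    if host == org_domain or host.endswith("." + org_domain):
        return "org"
    # The text before "@" is only a user name; it does not select the host.
    userinfo = (urlsplit(url).username or "").lower()
    if org_domain in userinfo:
        return "org-name-in-userinfo"
    # The domain appears somewhere in the host but not at its end,
    # so the site belongs to whoever owns the rightmost labels.
    if org_domain in host:
        return "lookalike-host"
    return "other"


if __name__ == "__main__":
    # Constructed sample links.
    samples = [
        "https://mail.company.com/login",
        "https://MAIL.Company.com./login",
        "https://mail.company.com.seemslegit.site/login",
        "https://mail.company.com@seemslegit.site/login",
        "https://notcompany.com/login",
        "https://example.org/",
    ]
    for url in samples:
        print(f"{classify_link(url):22} {link_host(url):36} {url}")
```
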