Learning Not to Take the Bait: An Examination of Training Methods and Overlearning on Phishing Susceptibility

Abstract

As phishing attacks become increasingly common and sophisticated, anti-phishing training must extend beyond teaching individuals about cues and rules associated with phishing. Specifically, training methods that teach individuals effective allocation of time and attentional resources to the nature and context of emails should be examined, as well as strategies for improving skill retention from training. Thus, the present study compared the effectiveness of rule-based and mindfulness training, as well as the influence of overlearning on training, on two tests of skill retention on phishing susceptibility (i.e., email identification tests and mock phishing attack tests). Participants were 453 university undergraduates who received training and practice and then were tested immediately following training using an email identification test. Participants were then sent mock phishing emails 1 week and 8 weeks after training, as well as an additional email identification test 10 weeks after training. Results showed that individuals who received mindfulness training were significantly better at discriminating between legitimate and phishing emails, less susceptible to phishing attacks, and more cautious of phishing compared to those who received rule-based training. However, the discriminability effect of mindfulness training was subject to a similar rate of skill decay as rule-based training. Although training did not differ as a function of overlearning, individuals who received 100% overlearning were significantly less susceptible to phishing attacks and more cautious of phishing compared to those who did not receive overlearning. Results are discussed regarding implications for implementing effective anti-phishing training to protect individuals and their respective organizations and institutions.