Many Employees Are Overconfident at Spotting Phishing Emails

Have you conducted phishing email training for employees recently? Judging by the results of a wide-ranging study, it may be necessary. Many employees are overconfident that they can spot a phishing email, yet when faced with a simulated or a real phishing message, they click on it without thinking twice.

There are many reasons why workers cannot spot all the phishing email red flags. The cybersecurity team at CyberFlow knows that part of the problem is the Dunning-Kruger effect: people with little knowledge of a topic tend to believe they are experts at it. It may sound paradoxical, but that is exactly how it works.

How Serious Is the Issue of Missing Phishing Email Red Flags?

Leaving the reasons aside, let’s see just how many workers wrongly believe that they can spot a phishing attack. As part of the study, the participants said that they can confidently spot:

  • Phishing email – 86%
  • Voice phishing – 83%
  • Social media phishing – 83%
  • SMS phishing – 82%.

In reality, when faced with a phishing attack, the same employees:

  • Clicked on phishing emails – 24%
  • Were tricked by social media scams – 17%
  • Were tricked by deepfake scams – 12%.

What is worse, a significant proportion of these attacks do not get reported.

Who Is Most Likely to Overestimate Their Ability at Spotting a Phishing Scam?

The study also revealed some patterns relating to the employees who are most overconfident in identifying cyber threats. Men report higher confidence levels than women. Also, younger employees (25-34 age group) feel the most capable of identifying all types of online scams compared to older colleagues.

Geographically speaking, respondents from the UK and South Africa reported the highest levels of confidence – 91%. However, South Africa also has the highest rate of employees falling victim to a phishing scam, at 68%.

At the other end of the spectrum, only 32% of French employees feel confident in recognising phishing email red flags.

Employees Often Do Not Report Phishing Attacks to the IT Team

After falling victim to a phishing email or message, very few employees report it to the IT team. The participants in the study said that they did not contact the IT department because:

  • They did not know how to reach them – 38%
  • They found the process of contacting them too difficult – 31%
  • They were too scared to report the attack – 22%.

For our cybersecurity specialists, this is a worrying trend. And it is not isolated. A separate study conducted in 2024 indicated that over 50% of employees are afraid to report cybersecurity mistakes due to potential repercussions, including being fired.

The Solution: Phishing Awareness Training Instead of Blame Placing

Any successful cyberattack may cripple a company and ruin its good reputation. Thus, the obvious solution is to close any potential gateway for hackers. This includes helping employees recognise email scam warning signs before making them accountable for their actions.

Our specialists use a hands-on approach, including theory and practical tests with phishing email examples for training. While phishing may take various forms, it always has a few traits in common:

  • Poor language style or grammar
  • Addressing the recipient by a generic name (“Dear user”)
  • Creating a sense of urgency with a threat or a promise to win free money or other valuables
  • Asking the user to download and install an application or browser extension.
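The four traits above can be turned into a simple rule-based checker for use in training exercises. The script below is an added example, not CyberFlow’s tooling; the patterns, weights and sample messages are my own assumptions and the grammar check is only a crude proxy.

```python
import re
from dataclasses import dataclass, field

# Assumed patterns for three of the traits listed above (illustrative, not a vetted filter)
FLAGS = {
    "generic greeting": re.compile(
        r"^\s*dear\s+(valued\s+)?(user|customer|member|client|account holder)\b",
        re.IGNORECASE | re.MULTILINE),
    "urgency or reward": re.compile(
        r"\b(urgent(ly)?|immediately|within\s+\d+\s+hours|act now|"
        r"will be (suspended|closed|terminated)|you have won|claim your (prize|reward)|free money)\b",
        re.IGNORECASE),
    "install request": re.compile(
        r"\b(download|install)\b[^.\n]{0,60}\b(app|application|extension|plugin|tool)\b",
        re.IGNORECASE),
}
# Crude proxies for poor language style: no space after sentence punctuation,
# a sentence or line starting in lowercase, repeated exclamation marks
GRAMMAR = re.compile(r"[.!?][A-Za-z]|(?:^|[.!?]\s+)[a-z]|!{2,}", re.MULTILINE)

@dataclass
class Verdict:
    score: int
    reasons: list[str] = field(default_factory=list)

def assess(body: str) -> Verdict:
    """Count which of the training red flags appear in an email body."""
    verdict = Verdict(0)
    for name, pattern in FLAGS.items():
        if pattern.search(body):
            verdict.score += 1
            verdict.reasons.append(name)
    if len(GRAMMAR.findall(body)) >= 2:   # two or more style slips counts as one flag
        verdict.score += 1
        verdict.reasons.append("poor language style")
    return verdict

def is_suspicious(body: str, threshold: int = 2) -> bool:
    """Two independent red flags are enough to escalate to the IT team."""
    return assess(body).score >= threshold

# Constructed sample messages for a training exercise
PHISH = ("Dear user,\n"
         "your account will be suspended within 24 hours!!Please download our security app "
         "immediately to keep access.")
LEGIT = ("Hi Dana,\n"
         "The Q3 budget review is scheduled for Thursday at 10:00. Slides are on the shared drive.")

if __name__ == "__main__":
    for msg in (PHISH, LEGIT):
        print(assess(msg))
```

A real message can trip one rule legitimately, which is why the escalation threshold is two flags rather than one.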

Do not postpone this essential step in safeguarding your company’s IT systems and devices. Contact CyberFlow today and let us help your employees recognise phishing emails with genuine confidence!