
Phishing awareness subsides after just a few months, recent studies show

A paper presented at the USENIX SOUPS security conference last month found that phishing awareness fades over time, and that employees need to be retrained at least once every six months for the training to remain useful.

Researchers from several German universities made use of the mandatory phishing awareness training that the public administration sector already runs. The academics surveyed 409 of the 2,200 employees of the State Office for Geoinformation and State Survey (SOGSS).

The aim was to determine how long the phishing training remained effective. By testing at regular intervals, the researchers tried to establish the point at which employees lose their ability to spot phishing emails.

The employees were split into groups, each of which was tested at a different interval (4, 6, 8, 10 or 12 months) after receiving the phishing training.

Four months after the initial training, employees could still correctly identify the phishing emails; just two months later, however, they could no longer reliably identify the same threats.

The researchers also created reminders that were sent to the groups after they had taken the survey, in an attempt to "replenish the employees' phishing awareness and knowledge."

They developed four different reminders:

“Four reminder measures were distributed to four groups (one per group): (a) text, (b) video measure, (c) interactive examples, and (d) a short text.

“Twelve months after the tutorial, we compared the knowledge retention of the four reminder groups […]. Among the four reminder measures, the video measure and the interactive examples measure performed best, with their impact lasting at least six months after being rolled-out.”

The academics concluded that the training itself is vital, but that how often retraining happens matters just as much. Retraining at least every six months is crucial, and interactive or video measures give the best results.

As the old saying goes, “use it or lose it”.

We go a step further. We recommend training your employees every month, with bitesize, easy-to-digest content that keeps phishing and security awareness front of mind. This "little and often" approach has proven to be a highly effective way to protect your organisation and users from cyber threats.

Has your organisation lost its ability to detect and mitigate these dangerous phishing emails?

Find out now in our Free Click-Prone® Test.
