Many of the world’s most disruptive cyber attacks have a simple culprit: phishing emails. Since 2017, we have partnered with the Metropolitan Police Service to try to reduce its susceptibility to phishing attacks.
Together we created three types of preventative training. The first drew on advice from the Centre for the Protection of National Infrastructure (‘CPNI email’). The second was based on BIT’s own research and used simple rules of thumb for how officers could avoid phishing attacks (‘BI email’). The third used the same content as the BI email, but the content was delivered following a mock (i.e. non-malicious) phishing email. If officers clicked on the link in the mock phishing email and submitted their login credentials on a mock landing page, they would then be presented with the BI anti-phishing training (‘BI embedded training’), creating a ‘teachable moment’.
We randomly allocated more than 17,000 officers in 25 boroughs and six specialist units to receive either one of the three types of training or no training (control).
To evaluate impact, we sent mock phishing emails (closely resembling actual phishing emails from past attacks) to those officers three weeks (short term) and three months (longer term) after the training was delivered. We then measured whether officers clicked on the link in the mock phishing email and submitted their login credentials on the mock landing page.
We found that all three types of training were effective at reducing, although not eliminating, the number of officers who clicked on the link and the number of officers who submitted their login credentials. The training was still effective three months later.
Figure 1: Reduction in staff entering login credentials
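The evaluation design described above (random allocation of staff into four arms, a mock-phishing wave, then counting who clicked and who submitted credentials in each arm) can be reproduced in miniature. The following is an added example written for this page, not code from BIT or the Metropolitan Police Service: the arm names, the unit-balanced allocation, the `score_campaign` log format and all staff, unit and outcome numbers are constructed for illustration.

```python
import random
from collections import defaultdict

# Four trial arms matching the design above (identifiers are constructed).
ARMS = ("control", "cpni_email", "bi_email", "bi_embedded")


def allocate(staff, seed=0):
    """Assign each (person_id, unit) pair to an arm at random, balanced
    within each unit so that no borough or specialist unit is
    over-represented in any single arm. Returns {person_id: arm}."""
    rng = random.Random(seed)
    by_unit = defaultdict(list)
    for person_id, unit in staff:
        by_unit[unit].append(person_id)
    assignment = {}
    for unit in sorted(by_unit):
        members = sorted(by_unit[unit])
        rng.shuffle(members)
        # Rotating through ARMS after a shuffle gives every unit an equal
        # split across arms; any remainder goes to the first arms.
        for i, person_id in enumerate(members):
            assignment[person_id] = ARMS[i % len(ARMS)]
    return assignment


def score_campaign(assignment, events):
    """Summarise one mock-phishing wave.

    events: iterable of (person_id, action), action in {'clicked', 'submitted'}.
    Submitting credentials on the landing page implies the link was clicked,
    so a 'submitted' record also counts as a click even when no separate
    'clicked' record was logged. Everyone assigned to an arm is in that
    arm's denominator, whether or not they opened the email.
    """
    clicked = defaultdict(set)
    submitted = defaultdict(set)
    for person_id, action in events:
        arm = assignment.get(person_id)
        if arm is None:
            continue  # not part of the trial; ignore the record
        if action == "submitted":
            submitted[arm].add(person_id)
            clicked[arm].add(person_id)
        elif action == "clicked":
            clicked[arm].add(person_id)
    size = defaultdict(int)
    for arm in assignment.values():
        size[arm] += 1
    summary = {}
    for arm in ARMS:
        n, c, s = size[arm], len(clicked[arm]), len(submitted[arm])
        summary[arm] = {"n": n, "clicked": c, "submitted": s,
                        "click_rate": c / n if n else 0.0,
                        "submit_rate": s / n if n else 0.0}
    return summary


def relative_reduction(summary, arm, metric="submit_rate"):
    """Fraction by which an arm's rate is below the control arm's rate."""
    base = summary["control"][metric]
    return 0.0 if base == 0 else 1.0 - summary[arm][metric] / base


# --- Constructed sample data: 8 units x 12 staff; outcome counts are made up ---
SAMPLE_STAFF = [(f"u{u}-p{p}", f"unit{u}") for u in range(8) for p in range(12)]
# Per arm: (number who clicked, number of those who also submitted).
SAMPLE_OUTCOMES = {"control": (6, 3), "cpni_email": (4, 2),
                   "bi_email": (3, 1), "bi_embedded": (2, 1)}


def build_sample_events(assignment, outcomes=SAMPLE_OUTCOMES):
    """Fabricate a click/submit log consistent with SAMPLE_OUTCOMES."""
    members = defaultdict(list)
    for person_id in sorted(assignment):
        members[assignment[person_id]].append(person_id)
    events = []
    for arm, (n_click, n_submit) in outcomes.items():
        for i, person_id in enumerate(members[arm][:n_click]):
            events.append((person_id, "submitted" if i < n_submit else "clicked"))
    return events


def run_example():
    assignment = allocate(SAMPLE_STAFF, seed=42)
    summary = score_campaign(assignment, build_sample_events(assignment))
    return assignment, summary


if __name__ == "__main__":
    assignment, summary = run_example()
    for arm in ARMS:
        s = summary[arm]
        print(f"{arm:12s} n={s['n']:3d} clicked={s['clicked']:2d} "
              f"submitted={s['submitted']:2d} "
              f"reduction vs control={relative_reduction(summary, arm):.0%}")
```

Balancing the allocation within each unit matters because boroughs and specialist units differ in workload and email habits; if one unit landed mostly in one arm, a difference in click rates could reflect the unit rather than the training. Running the same scoring over a second wave of events gives the three-month comparison.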