Ninety percent of cyber attacks start with a phishing e-mail. Each week, Nationwide blocks 65 million suspicious e-mails, but associates remain the final filter for 23.5 million e-mails weekly that are not blocked by tooling. In place since 2014, Phishing Education provides learning to 52,600 associates, contractors, and agents.
Program Details
An experiential learning approach is applied to this learning need. A test e-mail is sent out to the population twice per year. Nationwide used a third-party Web-based solution in the past, but in 2016, it custom built targeted e-mails that focus on the types of phishing seen most frequently at Nationwide.
The program was designed to provide real-world phishing tests consisting of simulated e-mails with a link/attachment. If users “take the bait,” they receive immediate education to help them recognize the e-mail red flags. As soon as the attachment/link is clicked on, feedback appears indicating features of the e-mail they did not recognize. For example, some e-mail addresses look like an internal e-mail, but are not; some document extensions say exe.doc, and this is not a valid file extension; the sender might not be a real Nationwider.
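The red flags the feedback points out (a look-alike internal address, a doubled or executable file extension, a sender who is not a real internal user) can be checked mechanically as well. The following is an added example, not Nationwide's own tooling: it takes a From header and an attachment name and returns the red flags a trainee should have noticed. The internal domain `example.com` and the `KNOWN_SENDERS` set are assumptions standing in for a real corporate directory lookup, and the sample messages are constructed.

```python
from email.utils import parseaddr
from typing import List, Optional

# Assumptions (not from the case study): a stand-in internal domain and a
# constructed directory of known internal addresses. A real deployment would
# query the corporate directory instead of a hard-coded set.
INTERNAL_DOMAIN = "example.com"
KNOWN_SENDERS = {"jane.doe@example.com", "helpdesk@example.com"}
EXECUTABLE_EXTS = {"exe", "scr", "bat", "cmd", "com", "js", "vbs", "ps1", "hta"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_internal_domain(domain: str) -> bool:
    """True for a domain that resembles the internal one but is not it."""
    domain = domain.lower()
    if domain == INTERNAL_DOMAIN:
        return False
    # Internal name reused as a label of an external domain, e.g. example.com.attacker.net
    if domain.startswith(INTERNAL_DOMAIN + "."):
        return True
    # One typo or digit-for-letter substitution away, e.g. examp1e.com
    return edit_distance(domain, INTERNAL_DOMAIN) <= 1


def suspicious_attachment(name: str) -> bool:
    """Flags an executable or doubled extension such as update.exe.doc or invoice.doc.exe."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False
    exts = parts[1:]
    if exts[-1] in EXECUTABLE_EXTS:
        return True
    # A doubled extension where any inner segment is executable
    return len(exts) >= 2 and any(e in EXECUTABLE_EXTS for e in exts[:-1])


def red_flags(from_header: str, attachment_name: Optional[str] = None) -> List[str]:
    """Return the red flags a trainee should have noticed in the message."""
    flags: List[str] = []
    _display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if lookalike_internal_domain(domain):
        flags.append("lookalike-domain")
    elif domain == INTERNAL_DOMAIN and addr not in KNOWN_SENDERS:
        # Looks internal, but the address is not in the directory
        flags.append("unknown-internal-sender")
    if attachment_name and suspicious_attachment(attachment_name):
        flags.append("double-or-executable-extension")
    return flags


# Constructed sample messages modelled on the red flags named above.
SAMPLES = [
    ("Jane Doe <jane.doe@examp1e.com>", "report.doc"),
    ("Help Desk <helpdesk@example.com>", "update.exe.doc"),
    ("Bob Smith <bob.smith@example.com>", "agenda.pdf"),
    ("Jane Doe <jane.doe@example.com>", "agenda.pdf"),
]

if __name__ == "__main__":
    for sender, attachment in SAMPLES:
        print(sender, attachment, "->", red_flags(sender, attachment) or ["no red flags"])
```

The same three checks are what the simulation's feedback page asks the reader to do by eye; running them over a simulated message is a quick way to confirm that each test e-mail actually carries the red flag the feedback will cite.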
The program also has curated resources, as well as informal discussions, cybersecurity events, and training intended to support the experiential approach.
Nationwide also has a generic e-mail address where suspicious e-mails can be sent. The Phishing Team reviews them and provides feedback to the sender.
Results
Since 2014, across all tests given to the target population, 22,423 associates never failed a test (low-risk population); 15,425 failed once (learned quickly); 9,213 failed twice (learned via repetition); and 5,716 failed three or more times (high-risk population). Note: “failed” or “susceptible” is determined by opening an attachment or link in the test e-mail. This is when phishing causes the most risk.
Some 5,716 employees (11 percent of Nationwide’s population) are repeat offenders, having failed the phishing tests three or more times. It typically takes up to four consecutive tests, with a six- to eight-week break in between, to change the behavior of a repeat offender.
In 2016, Nationwide had a 59 percent reduction in the number of users clicking on a second scenario, indicating that users are learning from the first to second test. Results of this type are consistent across all tests since 2014.
Users have increased reporting scenarios as suspicious by an average of 12 percent between first and second round tests each year since 2014. Independent of testing scenarios, users reported more than 48,000 potentially suspicious e-mails they received in 2015 and were significantly ahead of that pace for 2016.