Only 17% spot emails correctly in spear-phishing simulation

October 12, 2015

As I mentioned in our Ten tips on not getting spear-phished post last week, we have launched a game-like, web-based spear-phishing simulation on our website called Can You Spot the Impostor.

Can You Spot the Impostor shows players 7 emails in the web browser — all are personalized for the player, but some are legitimate and others are spear-phishing. The player has to decide whether each email is legitimate or a phish. The game takes 2-3 minutes for the average person and teaches the player how to spot phishing emails as they go through it.

It has been interesting to see the response to the game, and based on some of the requests we have received, I thought we would share some of the insights we are seeing.

[Chart: spear phishing results]

1. Only 17% were able to classify all 7 emails in the game correctly.

2. Interestingly, within this 17% there were many players who played Can You Spot the Impostor multiple times — and stopped once they reached 100%.

3. The majority of the players got either 5 or 6 of the 7 emails correct.

4. Fortunately, only 25% of all the players misidentified 3 or more of the emails.


What do these results mean for the security of a medium or large enterprise? If you have hundreds or thousands of employees, will their response pattern be similar to the one above? Can you live with this risk? How do you mitigate it?

Stay tuned for more.


National Cyber Security Awareness Month – Interactive Simulation & Downloadable Guide
Can You Spot the Impostor is an easy 2-3 minute way to see first-hand examples of how hackers might try to spear-phish you and to learn how not to get phished. A downloadable 1-page guide on ten tips for not getting spear-phished is also available here.

About Us
Gagan Prakash is the Founder and CEO of Astra IDentity, Inc. Astra IDentity’s product PhishingGuardian integrates with an organization's existing messaging infrastructure to provide protection, tools, alerts and in-line training against phishing and social engineering attacks carried out via e-mail. Request a demo today.