It’s easy for people to think they would never fall for a phishing email because getting a weird message from a random sender with bad spelling and a suspicious link seem easy enough to spot, right? But, the problem is that phishing emails do not always look like that anymore.
Compliance training provider Skillcast did some research and found that 85% of public sector employees are sure they could spot a sophisticated phishing attempt. That sounds reassuring until you look at the training behind that confidence. More than a quarter said they had either not received effective cybersecurity training during the past 12 months or had never received it at all.
The findings come from Skillcast’s report Careless Clicks: How to reduce the risk of cyber attacks in the public sector?, based on a survey of 200 UK public sector employees. The report asks an interesting question. Are employees really as good at spotting cyber attacks as they think they are?
What Makes Phishing Emails So Convincing Now?
Many people have become used to spotting suspicious emails filled with spelling mistakes and awkward wording. According to Skillcast, attackers have adapted.
The report explains that AI tools can now produce realistic emails, copy writing styles and personalise messages for individual people. Instead of sending one obvious scam, attackers can build familiarity over multiple interactions before asking someone to click a link or hand over information. Deepfake technology has also made voice and video impersonation much easier. Skillcast spoke of the case of a finance worker in Hong Kong who transferred $25 million after fraudsters impersonated senior colleagues during a video call.
Skillcast says remote and hybrid working has also created more opportunities for mistakes. Employees now rely on email, messaging platforms and cloud services throughout the working day, often using different devices and locations. That routine can make a convincing fake message much easier to miss.
Are Everyday Habits Making Things Easier For Attackers?
Skillcast’s survey found plenty of habits that could leave organisations exposed.
Just under 17% of respondents said they connect work devices to public WiFi networks in places such as coffee shops or on public transport. Another 45% admitted they use work devices for personal emails or social media at least occasionally, creating more opportunities for phishing attempts.
Knowledge of workplace policies also varied; although 82% said they were familiar with their organisation’s cybersecurity and data handling policy, 16% were only aware that it existed and 2% did not know about it at all.
Skillcast also carried out a Freedom of Information request which found that only 10% of local councils have robust cybersecurity policies in place, even though they manage highly sensitive information.
More from Cybersecurity
- Certs, Degrees or Bootcamps: The Real Roadmap Into Remote Cybersecurity
- Britain’s Museums Are Sitting Ducks For Cyber Attacks And The Government Has No Plan To Fix It
- Utilities Face Mounting Cyber Pressure From Ageing Systems And Unpatched Infrastructure
- Hackers Used A Small Business’s Own Server To Spam 9 Million People With A Fake Boots Survey
- Who Is Responsible When Children Use VPNs To Access Banned Platforms?
- SpyCloud Report Finds Phishing Attacks Surge As Employee Data Is Exposed At 86% Of Fortune 100 Companies
- Meta Confirmed About 20,000 Instagram Accounts May Have Been Hacked
- FIFA World Cup 2026: Why Have Big Sporting Events Become A Target For Cyber Criminals?
Is Annual Training Enough Anymore?
Sofia Chaqiri, Senior Client Partner for the public sector at Skillcast, believes organisations need to rethink how they teach cybersecurity.
She said, “Cyber attacks are getting more sophisticated and widespread and the public sector is a key target because of the amount of data organisations hold, and the potential disruption to vital services in sectors like healthcare and transport.
“The government signalled its determination to tackle the threat of cyber attacks in the public sector at the start of the year with the launch of its Cyber Action Plan.”
Speaking about the survey, Chaqiri said, “Our data suggests that while most people are confident they could spot a phishing email, and generally follow good practices, there are clear gaps in training.
“The fact that some people haven’t received effective training for at least 12 months is particularly worrying. They may understand the risks in theory, but it’s easy to let your guard down when you’re working quickly, or at home casually scrolling through social media on a work device.”
Chaqiri also believes training sessions need to feel more realistic, and she said, “Compliance training has to evolve beyond one off, yearly or generic sessions that don’t reflect the reality public sector workers are facing today. Just because it’s serious doesn’t mean it has to be dry. Quizzes, phishing simulations, and instant feedback are more engaging and help people stay up to date.
“Personalised training is also valuable because risks vary according to an individual’s role. Someone on the front line in admin or customer service may see different challenges to line managers, so sessions should be relevant and matched to their capabilities.”
Can One Person Make All The Difference?
Dr John Kingston, Senior Lecturer in Cyber Security at Nottingham Trent University and a contributor to the report, believes people are still one of the biggest targets.
He said, “People who spend a lot of time online are increasingly aware of cyber risks, sometimes through direct experience. The difficulty for organisations is that it only takes one or two employees who lack that awareness, or don’t care enough about their organisation’s policies, for attackers to break in.”
Kingston also believes AI has made phishing much harder to recognise. He said, “Absolutely. Particularly as AI tools have become more powerful and simple to use. AI has also made it much easier to produce phishing attacks that appear highly credible, with attackers now personalising their output to their potential victims. Unfortunately many of the barriers to this kind of social engineering now no longer exist. Attackers don’t need a lot of technical knowledge or manpower to attempt cyber attacks at scale.”
When asked how organisations should respond, Kingston kept returning to education. He said, “Education takes time to be fully effective, so attackers can often outflank organisations that are trying to protect themselves. But that only reinforces how important it is to train staff properly. Organisations cannot afford to stand still. Technology and cyber threats are evolving too quickly for that.
“Delivering regular and in depth training that reflects real life scenarios is the best way for organisations to stay agile. Cybersecurity has to be made an ongoing and high priority concern from top to bottom, not to stoke fear, but to build a healthy and rational vigilance among staff.”
