
Gamification might be teaching users the wrong lessons when it comes to today’s email-based fraud tactics. Cyber insurance claims from the 2025 InsurSec Report reveal that for the second year in a row, financial fraud was the single biggest source of loss for mid-market and small businesses. And, a shocking 83% of financial fraud incidents began with an email. At the same time, most companies have invested in security awareness training to ensure that employees can identify malicious emails. A 2024 survey conducted by the National Cybersecurity Alliance found that approximately 75% of respondents participated in annual cybersecurity training. But, while 52% of training participants reported they believed training increased their ability to identify malicious emails, the prevalence of financial fraud incidents says otherwise. Strangely, the apparent ineffectiveness of cybersecurity training in stopping fraud may actually stem from efforts to improve its effectiveness, or rather employee engagement, through gamification.
Cyber crime doesn’t have rules
Gamification has been extensively employed in training users to spot phishing attacks. At least part of the popularity of this approach is rooted in the ease of execution, since the “game” can be conducted leveraging an organization’s existing email system without needing to install or configure any new tools. But, while games have rules, criminal activity doesn’t. And, herein lies the problem. Gamification requires that players learn and become accustomed to the rules of the game. And, in the specific case of malicious emails, one of the rules that players have come to expect is that there will always be a “tell”. For years, users have been taught that malicious emails frequently contain misspellings, poor grammar, incorrect word usage, and other hallmarks indicating that it’s suspicious. Naturally, the phishing simulations that follow such training always feature emails that have these tells. The result is that users have come to understand that malicious emails always contain indicators of being malicious.
If these characterizations of malicious emails were ever reliable in the first place, they no longer hold in the era of ChatGPT and other generative AI tools. Anyone can craft believable messages with perfect grammar in any language they like and can even include colloquialisms and slang to regionalize the content as needed. These messages don’t contain any of the tells that employees have been trained to spot.
Adapting to today’s email-based threats
The loss signals are clear. Security and IT professionals need to reconsider their approach to fraud prevention.
First line of defense – adopt email security tools that are effective against fraud, not just phishing
Most traditional email security solutions are designed to stop malicious emails, not fraud. Finding fraud often requires analyzing and understanding the actual content of a message, not just sandboxing emails to identify malicious links or attachments. New approaches for fraud are needed. The latest generation of tools, exemplified by vendors such as Abnormal and Sublime, has incorporated the same generative AI capabilities that fraudsters use to craft messages, applying them instead to analyze messages. So, they are much more sensitive than legacy email security solutions to semantic indicators of fraud, such as language intended to inspire urgency or any discussion of payment instructions. The drawback here is that newer, more capable email security tools cost more than the legacy solutions that many small businesses already struggle to afford.
The second line of defense – re-assess administrative and procedural controls related to financial transactions
75% of fraud occurs as part of transactions with known vendors, and 89% occurs during an expected transaction. Thus, simply looking for something suspicious about an email to identify fraud isn’t enough. Companies should instead remove human judgement as a factor altogether. If employees can’t be trained to reliably spot emails that elicit fraud, then all emails of certain types should be considered suspicious. Instead of relying on “spot the phish”, companies should develop policies that require employees to authenticate and verify all high-risk emails that they receive before trusting them. Examples of emails that should always be considered suspicious include messages that provide an update to previously established payment arrangements, emails purporting to be from senior leaders when the recipient doesn’t normally receive messages from such persons, and emails directing the transfer of funds in any amount and for any purpose. Emails identified as suspicious can then be verified using phone calls, in-person meetings, and other non-email approaches.
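The verification policy described above can be expressed as a triage rule that flags the three high-risk categories and demands out-of-band verification, regardless of how polished the message reads. The following is an added example, not code from the article or from At-Bay; the patterns, mailbox names, executive names and sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed patterns for the article's high-risk categories; tune to your own mail flow.
PAYMENT_CHANGE = re.compile(
    r"\b(?:new|updated?|changed?|revised)\b.{0,60}?\b(?:bank|account|routing|iban|swift|remittance)\b",
    re.I | re.S)
FUNDS_TRANSFER = re.compile(
    r"\b(?:wire|transfer|send|remit|pay)\b.{0,60}?(?:\b(?:funds|payment|invoice)\b|\$\s?\d[\d,]*)",
    re.I | re.S)

@dataclass
class Email:
    from_name: str   # display name: the part an impersonator controls
    from_addr: str
    recipient: str
    subject: str
    body: str

def triage(mail: Email, known: dict[str, set[str]], executives: set[str]) -> list[str]:
    """Return the policy categories that make this message high-risk.
    A non-empty list means: do not act on the email until it is verified out of band."""
    reasons = []
    text = f"{mail.subject}\n{mail.body}"
    if PAYMENT_CHANGE.search(text):
        reasons.append("update to established payment arrangements")
    usual = known.get(mail.recipient.lower(), set())  # addresses this mailbox normally hears from
    if mail.from_name.lower() in executives and mail.from_addr.lower() not in usual:
        reasons.append("purported senior leader outside recipient's usual correspondents")
    if FUNDS_TRANSFER.search(text):
        reasons.append("directs a transfer of funds")
    return reasons

# Constructed sample data: who each mailbox usually hears from, and executive display names.
KNOWN = {"a.payables@example.com": {"j.chen@example.com", "billing@vendor.example"}}
EXECUTIVES = {"dana reyes"}
SAMPLES = [
    Email("Vendor Co Billing", "billing@vendor.example", "a.payables@example.com",
          "Remittance update",
          "We have moved to a new bank. Please use the account details attached for all future remittances."),
    Email("Dana Reyes", "dana.reyes@mail-example.net", "a.payables@example.com",
          "Quick favour",
          "I am in back-to-back meetings. Please wire $48,500 for the attached invoice today and confirm."),
    Email("Jordan Chen", "j.chen@example.com", "a.payables@example.com",
          "Lunch Thursday?", "Are you free at noon?"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.subject, "->", triage(m, KNOWN, EXECUTIVES) or ["no policy trigger"])
```

Note that the second sample has perfect grammar and no classic "tell"; it is flagged purely on who it claims to be from and what it asks for, which is the point of the policy.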
In conclusion
Gamification may have been the catalyst needed to drive adoption of security awareness training in years past, but it’s not yielding the results that businesses need in the area of fraud prevention. By updating existing controls to gain the ability to detect the newest fraud tactics, while also deploying new controls to compensate for humans’ inability to spot the latest generation of fraud emails, companies can re-establish their resilience against today’s most prevalent cyber threat.
____
Author Bio
Adam Tyra is the CISO for Customers at At-Bay, the InsurSec provider for the digital age. A technology professional with two decades of experience in cybersecurity and cybersecurity operations, prior to joining At-Bay, Adam was a security leader at Kivu Consulting, Longbow (co-founder), McKinsey & Company, and EY. Before becoming a consultant, Adam worked as a software developer, architecting and implementing cybersecurity tools for the US defense and intelligence communities. He also served as a cybersecurity officer in the US Army.