Despite increasing awareness and ongoing cybersecurity campaigns, a significant number of professionals still fall victim to phishing scams—often without realizing it.
A recent study commissioned by Dojo, surveying 2,000 UK employees and executives, reveals a stark disconnect between perception and reality. While many respondents expressed confidence in their ability to identify phishing scams, 56% were unable to distinguish legitimate emails from fraudulent ones.
Cybersecurity’s Human Blind Spot
Phishing remains one of the most prevalent attack vectors for cybercriminals—not because of system vulnerabilities, but because of human error. This study confirms that employees across all levels, including senior executives, are routinely misled by increasingly sophisticated scams, many of which are now powered by artificial intelligence.
Key findings from the study include:
- 53% of all respondents failed to recognize phishing emails presented in the test.
- Only 38% correctly identified all legitimate emails.
- 47% missed clear warning signs in a fake Google alert email.
- 57% fell for a counterfeit Google Sheets invitation.
- 48% were fooled by a scam Dropbox message with a fake URL.
Even more concerning, AI-generated phishing emails proved especially deceptive. These emails, designed using ChatGPT to simulate Google-style alerts, included fabricated URLs and urgent language prompting file downloads. Among participants:
- 64% of non-executive employees and 66% of executives failed to spot AI-generated scams.
- 90% of executives claimed confidence in detecting AI scams—yet two-thirds were deceived when tested.
- Founders performed the worst among senior leadership, with 73% falling for AI-generated scam content.
Entry-Level Employees and Executive Targets Alike
The research also tested a classic CEO impersonation scam, exploiting urgency to prompt unauthorized action. Common phrases like “quick signature” and “end of the day” were used to prevent recipients from verifying the sender.
- 64% of non-executives failed to detect the impersonation.
- 68% of graduate-level employees mistook the phishing attempt for a genuine executive request.
The Bigger Picture: People Are the Primary Risk
Daniel Houghton, Cyber Protect Officer at the City of London Police, emphasizes that the real risk isn’t outdated software—it’s people.
“Cyber criminals rarely hack systems; instead, they target individuals through phishing and social engineering,” says Houghton. “Up to 88% of cybersecurity breaches stem from human error—weak passwords, poor digital hygiene, or clicking a suspicious link.”
This reinforces the urgent need to place people at the center of any cybersecurity strategy.
What Organisations Can Do
To build resilience against phishing threats, businesses must evolve beyond standard awareness campaigns:
- Implement smarter training programs: Use interactive phishing simulations tailored to real-world threats. Train employees to examine email headers and identify spoofing, rather than relying on grammar or spelling errors.
- Adopt a zero-trust mindset for AI: Assume that every email—even internal communications—could be a potential threat. Educate staff on the growing sophistication of AI-generated attacks.
- Strengthen email security protocols: Utilize domain-based authentication tools such as DMARC, SPF, and DKIM to verify sender legitimacy and prevent email spoofing.
- Prioritize the front line: Provide focused support and training for those in high-risk roles such as administrators, receptionists, and finance teams who are frequently targeted.
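As an added example (not part of the Dojo study or this article), the Python check below does what the header-examination and DMARC points above describe: it reads the Authentication-Results header a receiving mail server stamps on a message, tests whether the SPF or DKIM domain aligns with the visible From: domain (the alignment test DMARC performs), and scans the body for the urgency phrases the study's CEO-impersonation test used. The two sample messages, their domains, and the org_domain approximation are constructed assumptions for illustration.

```python
import email
import email.utils
import re

# Constructed sample messages, not real mail. The Authentication-Results
# header is what a receiving mail server stamps on delivery.
SPOOFED = b"""Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.mailer-xyz.example;
 dkim=pass header.d=mailer-xyz.example;
 dmarc=fail (p=NONE) header.from=google.com
From: "Google Alerts" <no-reply@google.com>
Subject: Security alert: download the attached report

Please download the file before end of the day.
"""
GENUINE = b"""Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=google.com;
 dkim=pass header.d=google.com;
 dmarc=pass (p=REJECT) header.from=google.com
From: "Google" <no-reply@google.com>
Subject: Your weekly activity summary

Here is your summary for the week.
"""
URGENCY = ("end of the day", "quick signature", "immediately", "asap")

def org_domain(domain):
    # Crude relaxed-alignment approximation: keep the last two labels.
    # Real DMARC consults the public suffix list; this is a simplification.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def assess(raw):
    msg = email.message_from_bytes(raw)
    from_dom = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    ar = re.sub(r"\s+", " ", msg.get("Authentication-Results", ""))
    spf = re.search(r"spf=(\w+) smtp\.mailfrom=([\w.-]+)", ar)
    dkim = re.search(r"dkim=(\w+) header\.d=([\w.-]+)", ar)
    # DMARC passes when SPF or DKIM passed AND its domain aligns with From:.
    spf_ok = bool(spf and spf.group(1) == "pass"
                  and org_domain(spf.group(2)) == org_domain(from_dom))
    dkim_ok = bool(dkim and dkim.group(1) == "pass"
                   and org_domain(dkim.group(2)) == org_domain(from_dom))
    body = msg.get_payload(decode=True).decode(errors="replace").lower()
    flags = [p for p in URGENCY if p in body]
    if not spf_ok:
        flags.append("spf not aligned with From: " + from_dom)
    if not dkim_ok:
        flags.append("dkim not aligned with From: " + from_dom)
    return {"from_domain": from_dom, "aligned": spf_ok or dkim_ok, "flags": flags}
```

The spoofed sample shows why "spf=pass" alone is not reassuring: the passing domains belong to a third-party mailer, not to the domain shown in From:, which is exactly the gap DMARC alignment closes.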
Conclusion:
The findings from Dojo’s research serve as a wake-up call. Confidence does not equal competence when it comes to phishing threats—especially with AI in the mix. At Jypragroup, we believe that true cybersecurity begins with an informed and empowered workforce. Ongoing training, humility about technology, and robust preventative measures are not optional—they’re essential.