Around two-thirds of emails that trained users reported as suspicious were false positives, according to newly released F-Secure telemetry.
Overreporting is exactly what executives want, says Riaan Naude, U.K. director of consulting for the company. But the flood of emails to check risks analyst fatigue.
"With phishing awareness, there's a lot of emphasis in the industry on click rate of emails. There is a lot of emphasis on increasing the reporting. But it's very important to consider what happens after that," he said. Still, "at the end of the day, you only have finite resources to actually attend to these emails. You need to automate what you can automate. Analyst fatigue is a very real thing in the security operation center."
The data, released Wednesday, showed that out of 200,000 emails reported through F-Secure's Office 365 plugin, roughly one in three were malicious. The data comes from users whom F-Secure trained in phishing awareness.
According to the data, for every thousand people in an organization, employees flagged 116 emails. Analysts without an automated system to investigate reports can spend between 29 and 580 hours a month checking to see which emails are actually threats. With automation, that time decreases by around 90%.
In terms of what triggers an employee to report an email, F-Secure requires users to submit at least one red flag from a fixed list of potential tip-offs. Fifty-nine percent of emails were flagged as having a suspicious link and 54 percent were flagged as having a suspicious sender.
Only 7% of flagged emails had a suspicious document, which Naude believes may owe more to security products filtering out emails with malicious attachments before they reach users than to any inattention on the users' part.
A full 15% of suspicious emails had the phrase "click here."
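The "automate what you can automate" step Naude describes is, in practice, a pre-triage pass over the reports before an analyst sees them. The block below is an added illustration of that idea and is not F-Secure's plugin code or scoring; the red-flag categories mirror the ones the article lists (suspicious link, suspicious sender, suspicious document, the phrase "click here"), while the weights, the trusted-domain allowlist, the risky-extension list and the three sample reports are constructed for the example. It combines the reporter's form selections with a few automated checks (link text whose domain does not match the link target, an external sender, a macro-enabled or executable attachment) and orders the queue so the analyst starts with the report most likely to be real.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Weights are constructed, illustrative values for this example, not any vendor's scoring.
REPORTER_FLAG_WEIGHTS = {
    "suspicious_link": 2,
    "suspicious_sender": 2,
    "suspicious_document": 3,
}
CLICK_HERE_RE = re.compile(r"\bclick\s+here\b", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
DOMAIN_IN_URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/?#:]+)", re.IGNORECASE)
DOMAIN_IN_TEXT_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".html", ".htm", ".iso"}
# Hypothetical allowlist of the organisation's own sender domains (constructed).
TRUSTED_SENDER_DOMAINS = {"example-corp.com"}


@dataclass
class ReportedEmail:
    report_id: str
    sender: str
    subject: str
    body_html: str
    attachments: List[str]
    reporter_flags: List[str]  # red flags the user ticked on the reporting form


def url_domain(url: str) -> str:
    m = DOMAIN_IN_URL_RE.match(url.strip())
    return m.group(1).lower() if m else ""


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip("> ").lower() if "@" in addr else ""


def strip_tags(html: str) -> str:
    return re.sub(r"<[^>]+>", " ", html)


def automated_findings(mail: ReportedEmail) -> Dict[str, int]:
    """Cheap checks an analyst would otherwise do by hand, each with a weight."""
    findings: Dict[str, int] = {}
    if CLICK_HERE_RE.search(strip_tags(mail.body_html)):
        findings["click_here_phrase"] = 1
    for href, anchor_text in ANCHOR_RE.findall(mail.body_html):
        shown = DOMAIN_IN_TEXT_RE.search(strip_tags(anchor_text))
        target = url_domain(href)
        if shown and target:
            shown_domain = shown.group(1).lower()
            # The visible text names one domain but the link goes somewhere else.
            if target != shown_domain and not target.endswith("." + shown_domain):
                findings["link_text_domain_mismatch"] = 3
                break
    sdom = sender_domain(mail.sender)
    if sdom and sdom not in TRUSTED_SENDER_DOMAINS:
        findings["external_sender"] = 1
    for name in mail.attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings["risky_attachment_type"] = 3
            break
    return findings


def triage_score(mail: ReportedEmail) -> int:
    score = sum(REPORTER_FLAG_WEIGHTS.get(f, 0) for f in mail.reporter_flags)
    return score + sum(automated_findings(mail).values())


def priority(score: int) -> str:
    # Low-priority reports are batched for later review, not dismissed.
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_queue(reports: List[ReportedEmail]):
    """Return (report_id, score, priority, automated findings) sorted highest score first."""
    rows = []
    for m in reports:
        s = triage_score(m)
        rows.append((m.report_id, s, priority(s), sorted(automated_findings(m))))
    return sorted(rows, key=lambda r: -r[1])


# Constructed sample reports: one benign internal notice, one lookalike payroll lure
# with a macro document, one credential lure whose link text hides an IP-address target.
SAMPLE_REPORTS = [
    ReportedEmail("r-001", "it-helpdesk@example-corp.com", "VPN maintenance window",
                  '<p>The VPN is down Saturday 02:00-04:00. Details: <a href="https://intranet.example-corp.com/maint">intranet.example-corp.com/maint</a></p>',
                  [], ["suspicious_link"]),
    ReportedEmail("r-002", "payroll@exarnple-corp.net", "Action required: payslip update",
                  '<p>Your payslip is ready. <a href="https://login.exarnple-corp.net/p">Click here</a> to view it.</p>',
                  ["Payslip.docm"], ["suspicious_sender", "suspicious_document"]),
    ReportedEmail("r-003", "noreply@bank-alerts.example", "Verify your account",
                  '<p>Please verify at <a href="http://203.0.113.45/verify">secure.bank.example</a> within 24h.</p>',
                  [], ["suspicious_link"]),
]

if __name__ == "__main__":
    for row in build_queue(SAMPLE_REPORTS):
        print(row)
```

The sort order is the point: with two-thirds of reports expected to be false positives, the analyst's first hour goes to the lookalike-domain payroll lure and the hidden-IP link, while the internal VPN notice waits in the low-priority batch. Nothing is auto-closed, so the trained user's report still gets a human look, just a cheaper one.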
The good news was that trained users did regularly catch suspect emails and send them for analysis. Naude hopes the bad news, the time it can take to investigate, will lead organizations to invest in automated analysis.
"I simply want to emphasize the plight of the analyst. They are at the forefront of these sorts of attacks, required to be able to respond as quickly as possible," he said. "If you have hundreds of these things to work through in a day, you're going to be ineffective. You're never going to get to all of them."