New research has revealed that although 86% of employees believe they can confidently identify phishing emails, nearly half have fallen for scams.
The study, conducted by KnowBe4, surveyed professionals in the UK, USA, Germany, France, Netherlands, and South Africa and revealed a growing chasm between confidence and competence in identifying cyber threats.
Interestingly, South Africa leads with both the highest confidence levels and the highest scam victimization rate, suggesting that confidence is unwarranted and fuels a false sense of security, leaving workers more susceptible to advanced cyber threats.
Fluctuating Confidence Levels
Across all demographics, confidence levels depended largely on the type of scam. Employees said they were most prepared to detect traditional cyber threats but struggled with more sophisticated deception tactics. Some 86% believe they can confidently identify phishing emails, 83% claimed the same about vishing and social media phishing, followed by smishing 82%, social engineering attacks 67%, and deepfake scams 65%.
However, 24% of those surveyed have fallen for phishing attacks, and 12% have been tricked by deepfake scams, and over two thirds (68%) of South African employees reported falling for scams—the highest victimization rate.
A Complex Interplay of Factors
“The significant variation in confidence levels across regions regarding cyber threat identification stems from a complex interplay of factors,” explains Javvad Malik, Lead Security Awareness Advocate at KnowBe4. “Cultural differences in risk perception and self-assessment play a crucial role, as do the quality and frequency of cybersecurity awareness training programmes.”
He says exposure to cyber threats, regulatory environments, and media coverage of security issues are also a factor, and technological infrastructure, digital literacy, and language barriers in non-English speaking countries contribute to these disparities. “Corporate culture, historical context of cyber incidents, and socioeconomic factors affecting education and access to technology round out the influential elements,” Malik adds.
He says these differences suggest a need for a tailored, culturally sensitive approach to cybersecurity training. “This disparity also underscores the importance of not relying solely on self-reported confidence levels when assessing cybersecurity preparedness. Instead, actual performance in simulated phishing tests may provide a more accurate picture of employees’ abilities to identify and respond to social engineering attempts.”
Susceptibility Factors
Anna Collard, SVP content strategy and evangelist, KnowBe4, adds that overconfidence fuels a “dangerous blind spot”—employees believe they are wise to scams, but, in reality cybercrooks can exploit more than 30 susceptibility factors.
These include psychological and cognitive biases, situational awareness gaps, behavioural tendencies, and even demographic traits, Collard explains. “With phishing, AI-driven social engineering, and deepfake scams evolving rapidly, organizations must counteract misplaced confidence with hands-on, scenario-based training. True cyber resilience comes not from assumed knowledge but from continuous education, real-world testing, and an adaptive security mindset.”
The survey findings emphasize the critical need for personalized, relevant, and adaptive training that caters to employees’ individual needs while considering regional influences and evolving cyber tactics. Organizations that prioritize this approach will not only reduce risk but also cultivate a genuine security-first culture. In the battle against digital deception, the most dangerous mistake employees can make is assuming they are immune.
Fostering a Transparent Culture
Over and above training, the report highlights the importance of fostering a transparent security culture. While 56% of employees feel “very comfortable” reporting security concerns, 1 in 10 still hesitate due to fear or uncertainty.
The report factored in the security behaviours of over 12,000 employees around the world. The full survey findings, “Security Approaches Around the Globe: The Confidence Gap,” are available for download here.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.