---
title: "Latest Phishing Vulnerability Confirms Awareness Training is Insufficient | Phish Protection"
description: "Latest Phishing Vulnerability Confirms Awareness Training is Insufficient: Phishing prevention that primarily depends on awareness training is doomed to."
image: "https://phishprotection.com/og/blog/latest-phishing-vulnerability-confirms-awareness-training-is-insufficient.png"
canonical: "https://phishprotection.com/blog/latest-phishing-vulnerability-confirms-awareness-training-is-insufficient/"
---



_**Phishing prevention** that primarily depends on awareness training is doomed to fail._ That’s the implication of the latest research conducted at Ruhr University Bochum and Münster University of Applied Sciences.

A team of [researchers discovered](https://github.com/RUB-NDS/Johnny-You-Are-Fired/raw/master/paper/johnny-fired.pdf) several vulnerabilities in two technologies used for email authentication and verification: [OpenPGP](https://www.openpgp.org/) and [S/MIME](https://en.wikipedia.org/wiki/S/MIME). The vulnerabilities could allow attackers to spoof signatures on over a dozen popular email clients including Microsoft Outlook and Apple Mail.

[Email spoofing](https://en.wikipedia.org/wiki/Email%5Fspoofing) is a technique used to mislead email recipients about the origin of an email. It’s one of the main **phishing techniques** used by attackers. Theoretically, awareness training can combat email spoofing if users are taught to carefully inspect the email’s From address. That is, until now.

![Phishing prevention tips](https://media.mailhop.org/phishprotection/images/2019/05/phishing-prevention-tips-2277.jpg) 

According to an article on [Hacker News](https://thehackernews.com/2019/04/email-signature-spoofing.html?fbclid=IwAR0HYTOsVG8fk-jsMfJe7IztmQ8uhCzaJHKhUsCwzgdbIrRswy%5FyVTnT5vI), “When you send a digitally signed email, it offers end-to-end authenticity and integrity of messages, ensuring recipients that the email has actually come from you. However, researchers tested 25 widely-used email clients and found that at least 14 of them were vulnerable to multiple types of practical attacks, making spoofed signatures indistinguishable from a valid one even by an attentive user.”

To make matters worse, “_researchers also found that some email signature spoofing attacks can also be used to spoof decryption results,_ causing the email client to indicate an encrypted message where in fact the plaintext was transmitted in the clear.” So, these vulnerabilities compromise authentication, verification AND encryption.

“Our attacker model does not include any form of **social engineering**. The user opens and reads received emails as always, so awareness training does not help to mitigate the attacks,” the researchers said.

![Phishing prevention best practices](https://media.mailhop.org/phishprotection/images/2019/05/phishing-prevention-best-practices-2970.jpg) 

The one common theme to **phishing attacks** is the attackers’ never-ending ability to find and exploit some kind of technological weakness in email communications. There’s no doubt that this recently-discovered vulnerability will be patched eventually. There’s also no doubt that attackers will find some other vulnerability to exploit in the future. It’s just how this goes. There’s just too much to be gained from a successful phishing attack.

Awareness training is good, but it alone will never be a match for advanced phishing attacks. Only technology can combat technological exploits. Technology like [real-time link click protection](/products/advanced-threat-defense/).

Even when hackers execute the perfect phishing attack, one that gets a lot of people to click on a malicious link, real-time link click protection can save the day. _By checking email links when they’re clicked, every time they’re clicked, users are protected._

It’s time to stop believing that awareness training alone can give you [protection from phishing](/content/phishing-prevention/). If you want to quickly, easily and affordably use the latest [phishing prevention](/) technology to combat advanced exploits.


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.
