Did You Know?
Simulating phishing attacks on your workforce allows you to assess the maturity of your organization regarding its security awareness posture, and subsequently, develop effective training initiatives. Put your users to the test and see where they stand in terms of their security awareness knowledge and skills.
Phishing attacks continue to make news headlines and target your employees. In the following story, we reveal some of the devastating effects of phishing attacks and show how phishing simulations can help build security resilience in your workforce.
Since real attackers may not be phishing your employees on a regular basis, controlled phishing simulations keep your employees on alert and let them improve their detection skills continuously.
On a typical morning, Sam gets about 40 emails in her work account. She goes through the emails, deleting unwanted ones, reading ones of urgency, sending some out, scanning newsletters, opening shared documents, and checking her agenda for the day. All standard stuff.
These days, however, Sam faces her inbox with grim determination. Two weeks ago, she was under attack by a team of hackers whose goal was to phish Sam’s company. Sam got an email with a link to a site whose domain looked almost identical to the company’s, except that it ended in “.org” where the real site’s URL ends in “.com.” Sam did not notice the subtle difference. After clicking on the link, she was directed to a page that looked like the original website and asked her to enter her username and password in exchange for a downloadable document. Sam complied.
Within three days, our unfortunate employee’s inbox was flooded with unfamiliar emails: bounces with subject lines like “Autoreply: Out of office” or “Delivery Failure,” and messages from unknown senders asking her to stop emailing them.
After Sam reported the suspicious activity to leadership, the CISO saw at a single glance that her email account had been taken over and was being used by the attacker to send phishing messages to other targets.
The event instilled paranoia in her: every email from an unknown sender could be fake, and every shared link a trap.
Does this scenario sound familiar to you?
If so, you are undoubtedly asking: how do I prevent this from happening again?
Simulate Phishing Attacks: 3 Essentials
Simulating phishing is an efficient way to test your employees’ skills and measure their progress. A test provides data on which employees took the bait by clicking the links in the phishing email. By experiencing a phishing attack in a controlled setting, your users learn to identify suspicious emails and, in turn, to apply security awareness best practices.
So, how do you run an effective simulation?
1. Get Management on Board
The first step to any good phishing simulation is getting approval from management. Notify as few people as possible and instruct them on how to handle calls from users who report the phishing message. Don’t forget, a user’s reaction once they detect a phishing message, real or simulated, should always be the same: alert someone or contact the IT Service Desk. During simulations, you may not want to tell users that it is a test; simply inform them that the IT department is handling it.
2. Plan Your Simulation
Next comes planning. Settle on a cadence: don’t send tests too frequently, or your employees will come to expect them, and don’t send them too infrequently, since you need to gather statistics, draw reports and keep users sharp at all times.
Don’t send phishing emails to the entire company at once, as that might spark suspicion. Instead, send them to specific departments. For example, when targeting the invoicing department, give your email an urgent tone so that your employees act with haste. This is a common technique used by hackers to get people to click on links or download attachments.
Start thinking like a cybercriminal. What is going to get your employees clicking? Subject lines that include terms such as ‘unpaid invoice’, ‘free’ or ‘exclusive offer’ draw users’ attention and increase the chances that they fall prey to the attack.
3. Balance both training and reporting
During your phishing simulation campaign, make sure to track email open rates, click-through rates, attachment downloads, and information disclosure. Draw reports on the number of users who fell for the phishing attack, as well as how many employees reported the incident. Click-through rates declining while report rates increase indicates that your simulations and awareness program are effective.
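The metrics and the success indicator described above, worked through on constructed campaign data. This is an added example, not code from the original post; the campaign names, counts and the quarterly grouping are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Campaign:
    name: str
    sent: int        # messages delivered in this simulation
    opened: int      # messages opened
    clicked: int     # users who clicked the link
    disclosed: int   # users who entered credentials or downloaded the attachment
    reported: int    # users who reported the message to the IT Service Desk


def rates(c: Campaign) -> dict[str, float]:
    """Per-campaign rates as fractions of messages sent, after a sanity check
    that the funnel counts are consistent (sent >= opened >= clicked >= disclosed)."""
    if not (c.sent >= c.opened >= c.clicked >= c.disclosed >= 0):
        raise ValueError(f"inconsistent counts for campaign {c.name!r}")
    return {
        "open": c.opened / c.sent,
        "click": c.clicked / c.sent,
        "disclose": c.disclosed / c.sent,
        "report": c.reported / c.sent,
    }


def trend_is_healthy(campaigns: list[Campaign]) -> bool:
    """True when, from each campaign to the next, the click-through rate falls
    and the report rate rises: the indicator the text names for an effective program."""
    r = [rates(c) for c in campaigns]
    return all(r[i]["click"] > r[i + 1]["click"] and r[i]["report"] < r[i + 1]["report"]
               for i in range(len(r) - 1))


# Constructed sample data: three quarterly simulations sent to one department.
SAMPLE = [
    Campaign("Q1 unpaid invoice", sent=120, opened=90, clicked=36, disclosed=18, reported=6),
    Campaign("Q2 shared document", sent=118, opened=85, clicked=22, disclosed=9, reported=17),
    Campaign("Q3 exclusive offer", sent=121, opened=80, clicked=12, disclosed=3, reported=40),
]

if __name__ == "__main__":
    for c in SAMPLE:
        r = rates(c)
        print(f"{c.name:20s} open {r['open']:.0%}  click {r['click']:.0%}  "
              f"disclose {r['disclose']:.0%}  report {r['report']:.0%}")
    print("program effective:", trend_is_healthy(SAMPLE))
```

Because rates are normalised per message sent, campaigns of slightly different sizes remain comparable from quarter to quarter.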
Phishing is arguably one of the largest problems organizations face, and no two attacks are the same. Nonetheless, when you train employees on security awareness, you create a workforce that is quick to detect malicious emails and reacts according to cybersecurity best practices, for example by having the reflex to refer phishing emails to the appropriate security unit and to notify colleagues of the threat so that they do not take the bait.
As you conduct your phishing simulation campaign, you add value to your overall security awareness initiative. By testing the knowledge and skills of your employees, you contribute to behavior change at large, whereby users are encouraged to train and become more informed and alert in matters of cybersecurity.
Do you have experience in simulating phishing attacks on your workforce? If so, were you successful in getting victims? What group did you target, and which type of phishing emails did you distribute? These are some of the many questions that will arise when deploying a phishing simulation campaign.
Accomplish more and bring your organization to new heights with phishing simulations.
Learn How to Improve your Defense Against Phishing Attacks
Fighting Phishing – 2020 Foresight, Gartner (Peter Firstbrook, Neil Wynne), 19 July 2018