Phishing is one of the most common methods used by cyber criminals to strategically gain access to employee passwords and other access credentials. Criminals will send fake emails to trick employees into clicking on links to malicious websites or into opening attachments containing malware. Through successful phishing attempts, criminals are able to gain access to organizational systems and compromise sensitive information.
According to the 2018 Verizon Data Breach Investigations Report, 98 percent of incidents and 93 percent of data breaches involved some form of phishing or pretexting. And with the average cost of a phishing attack at $1.6 million, the impact to an organization can be significant.
Although you may be thinking that it shouldn’t be that hard to weed out the fake e-mails from the real ones, cyber criminals are relentless and are constantly changing their approaches. Some phishing e- mails are easily identified by indicators like poor grammar or spelling, or just by looking at the sender’s e-mail address. Many will ask for usernames or passwords that should not be solicited or provided via e- mail. However, as criminals have gotten smarter and more strategic, phishing e-mails have become more sophisticated and will often spoof e-mail addresses to match the organization’s domain, or use names or titles of actual employees to appear legitimate. In one recent incident, a Texas school district was targeted with a business email compromise attack in which the district issued an electronic payment of $609,615.24 into a fraudulent account rather than the legitimate company’s account. Through a simple e-mail, attackers were able to fool an employee into re-routing the payment.
Most organizations will train their users not to click on links or open attachments in suspicious e-mails, but for many employees, their daily job responsibilities include opening attachments from customers and clicking on links within e-mails to review information, so it can be difficult to determine which e- mails are legitimate and which are fraudulent. This is why it is so important to provide employees with ongoing training on how to spot potential fraudulent e-mails, and how and where to report messages they are unsure of. In situations like the school district mentioned above, it may also be important to update procedures that require a phone call or in-person verification to validate any financial account changes that are requested via email.
Phishing tests, or phishing simulations, can be a great complement to awareness training and can be used to increase employee engagement. These tests provide employees with real-life scenarios to improve their security awareness in a controlled environment without any actual risk. The mock phishing emails will contain various characteristics of phishing emails, but actually come from the organization’s IT staff or from a third-party organization hired to provide phishing tests. Simulated phishing attacks help keep employees on their toes and will educate them on the different methods used by attackers and what they should watch out for.
During the test, the organization can keep track of which employees click on links, open attachments, or provide passwords to fake websites, and use the results to better understand their overall security vulnerabilities and make improvements.
Below are some best practices to follow when implementing a phishing test for your staff:
- Train Users First. As part of your security awareness training, be sure to explain the different indicators of phishing emails and tips on what to look out for (i.e. urgent requests, odd ‘from’ address, variations in website URL, etc.). As part of this training, you can also let your staff know that you will be running phishing tests to help educate them further and increase their overall awareness. You don’t have to provide a lot of details, but it is a good idea to give them a heads up that the organization is performing cybersecurity tests within a specific timeframe, so they don’t feel like they are being tricked.
- Use different methods of phishing to provide employees multiple opportunities to learn. The first test emails might follow a basic phishing template, but some emails should utilize more sophisticated social engineering tactics just as the bad guys will.
- Target groups or individual employees. If you can target specific employees with the type of emails that would be normal for them to get – an e-mail from the CIO or an e-mail from HR, etc., they will be more likely to trust what is familiar. If employees get a message from a supervisor or executive they recognize within the organization, it is more likely to elicit a response. The point in this isn’t to trick or “catch” them, but to get them to realize that they need to be constantly on-guard and watchful against attacks.
- Include the executive team in the phishing tests. They should not be considered above the exercise, and your staff will appreciate knowing that everyone is included in the tests. These high level executives also often have access to some of the most important data and are likely some of the largest targets within your organization.
- After the simulation, inform employees of the results. Don’t single out any employees, but rather present final statistics organization-wide. You can congratulate those who were successful and did not click the links or open attachments, and let them know that they are doing a great job protecting your business. You can also email or reward entire departments if their results are the best across the organization. Perhaps the winning department gets lunch catered in or some other incentive.
- For those who did fall for the phishing message, you may want to simply send an email that notifies them of their mistake and provides additional training materials on how to spot a phishing email. You can let them know that more phishing tests are coming so they will have an opportunity to succeed if they are more careful! Some employees may feel embarrassed that they fell for the e-mail, so you should never publicly shame or punish employees who click phishing emails links or attachments, or give out sensitive information. The tests should just be used as a learning tool and as a way for you to help determine if additional training is needed. If certain employees continue to fall victim, they may require additional training or support.
- It is also important to give all users an easy way to report potential phishing. You can create a specific email address (e.g. email@example.com), and tell employees to forward any suspicious emails to that address for IT to evaluate. It may also be possible to embed a “Report Phishing” button into each employee’s inbox so they can easily pass along any messages they aren’t sure about directly to IT. The IT department can then let the employee know if the message is legitimate before they take any action. By providing this option, your organization can open up the lines of communication. You want employees to feel comfortable talking with your IT Security department about any struggles they might have with cybersecurity. By letting staff know how much you appreciate them working with you to verify emails, they will begin to see cybersecurity as a shared responsibility and understand their own individual impact.
- One last thing to keep in mind is that phishing testing should not be a one-off exercise that is done and then forgotten. Use the results to improve your overall training and education process. Protecting your organization from cyber security breaches is an ongoing concern, so it is important to conduct periodic tests.
A recent study from the Ponemon Institute revealed that real-time phishing simulations have proven to double employee awareness retention rates, and yield a near 40% ROI, versus more traditional cybersecurity training tactics. Are you actively phishing your employees? If you are, have you seen improvements in the number of employees responding to messages over time? If you haven’t run any tests yet, now might be a good time to discuss this option with your executive team. If you have questions or would like to brainstorm possible strategies with our penetration testing team, contact your dedicated CRM.
Some additional guidance from our Penetration Testing Team below:
[Wheeler]: Security is only as good as its weakest link (and I mean that in the least derogatory way). All it takes is one employee to click on an email (if they have the right access or if other security controls are poorly configured) to give the keys to the kingdom away. When phishing tests are performed, employees who fall victim should be re-trained. And I don’t mean “Joe, you are being required to take this 30 minute phishing training/module.” Instead, sit down with Joe, ask him questions. Is he doing multiple peoples’ jobs and was rushing through email and missed the indicators? Did he not recognize the indicators because he didn’t know what to look for? Learn what really happened to learn how to fix it.
[Sullivan]: Performing regular internal phishing exercises provides insight into areas of your organization that might otherwise be a blind spot. Knowing which users are vulnerable, knowing what degree of compromise occurs, and learning the indicators of compromise; all of these things add up to stronger organization. Instead of being seen as a way to punish ‘bad’ employees, use regular phishing exercises to highlight the need for more visibility into your environment, automated defenses, and better training.