Email is one of the many weapons at the disposal of bad actors on the Internet, and your employees are in the firing line. Attackers try to hide behind a trusted entity, sometimes even masquerading as a known vendor or even as a representative of a group within your own organization, like HR or IT. They frequently offer something the victim might want or need, or a company or individual that the intended victim can relate to or might do business with – to get their quarry to download an attachment or click a link. This could be for various reasons; such as installing ransomware, stealing user data and passwords, collecting financial or system information, and other nefarious purposes. While email phishing dates back to the 1990s and is one of the earliest forms of cyberattack, it’s still one of the most prevalent, with phishing tactics becoming more and more sophisticated every day. Here are some data points that should give you pause, and start you thinking about your own enterprise’s security posture.
- 94% of malware is delivered by email and phishing attacks account for more than 80% of reported security incidents (CSO Online).
- 36% of breaches have involved phishing so far in 2021, 11% more than in 2020, year-over-year (2020 Verizon Data Breach Investigations Report).
- More than a quarter of U.S. employees admit to having problems in identifying a phishing email (2020 State of Privacy and Security Awareness Report).
Why create a simulated phishing attack across your company?
Email client software, which manages a user’s email account through a desktop application, will filter out some of these phishing attacks, but not all. The purpose of a simulated phishing attack shouldn’t be to make users feel irresponsible, ignorant, or uninformed, but rather to act as a company-wide way to highlight the problem and to protect your sensitive data. This shouldn’t be an exercise of blame, but it should be educational.
Setting out a plan to create a phishing attack
Creating a simulated phishing attack requires some preparation and planning. Having a plan will ensure internal approval to move forward. The following is a handy checklist to help ensure the most effective communication and identify your dependencies.
- How often will you be launching individual phishing simulations? How many do you propose to do? – 6 over 12 months? 8 over 18 months?
- How are you going to announce the campaign across your company? While individual phishing emails should be ‘secret’, the point of this is to raise awareness and prevent attacks. There’s no harm in letting people know this is going to happen if it fosters best practice and if staff are trained to know how to respond.
- What support documentation are you going to provide around the topic, and how will people be able to access it? Staff will need to know where they can report phishing emails and internal processes before your simulated attack takes place.
- Who are the main stakeholders and who needs to be aware of your imitation phishing attack before launch? This will critically involve your IT helpdesk team and members of your leadership team, and (potentially) department heads. This should be done on a need-to-know basis, as testing your workforce’s overall blind response is critical to the exercise.
- What form will your campaign take? Your first phishing email shouldn’t be complicated, but neither should it be too easy. Increasing the complexity is best done incrementally over time to establish measurable benchmarks. A fake online invoice requiring payment or a common software update might be a good start, for example.
- Who is going to create the phishing campaign and distribute the copy to your colleagues?
- How are you going to monitor open-rate, report-rate, and click-through? Measuring report rate is critical – it is, after all, what you want people to do.
- How are you going to present your findings, and what will you do with those findings to ensure best practices in the future?
Releasing the simulated phishing attack campaign
Get creative. You might want to consider buying a URL for each email you release, which will help sell the package but shouldn’t be overdone. Bulk mail software like MailChimp can be invaluable – especially as it has click tracking enabled by default. It may also be possible to liaise with your suppliers or distributors, using their accounts (and allowing them testing from your accounts in turn, if appropriate) to simulate compromised email accounts. As your campaign rolls out you’ll need to consider different creative content and different types of simulated phishing attacks. It’s important to test across the board. Try using the likes of national holidays (click here for your Christmas card from), software password reset requests, HR requests for details like network passwords, asking for accounts information around tax time, or whatever applies to your firm. It is important to test the complexity of different campaign elements.
As you don’t want your staff to actually perform an action it doesn’t matter where they finally find themselves. The click-through action should be measured, but the action doesn’t need a resolution – linking to a blank page, a 404, or even a Rickroll (no, not really) is fine.
How do you benchmark a satisfactory resolution?
While open-rate and click-through rate are interesting metrics, it’s report-rate (and its growth across time) that are critical. Reporting any phishing email to your IT helpdesk is the action we want staff to take. An increase in this, as you roll out each one of your phishing simulations over time, shows progress – an increase in awareness and knowledge of best practices across your company.
Remember, this is an opportunity for learning and awareness – not a witch hunt. Sharing numbers and results with staff puts the threat of phishing attacks back on their radar and raises the importance of phishing protocols again so that it’s front-of-mind. You may want to report findings by department, but doing so individually is something you should reserve for the later stages of any campaign, and then only for the individual education of repeat offenders while avoiding their embarrassment.
The best offense is awareness and knowledge, and we all learn best by experience. Conducting simulated phishing attacks is a learning opportunity, and a valuable and cost-effective chance to plug one more vulnerability hole on the road to company cyber safety.
Imperva’s Web Application Firewall solution can help you with phishing attacks
Phishing is the starting point for most network and data breaches. Cybercriminals are constantly looking for new ways to leverage compromised servers and lower the cost of phishing activities. Imperva’s Web Application Firewall provides real-time threat intelligence on known malicious sources, such as phishing URLs, fraudulent sites that are used in phishing attacks.
Get the latest from imperva
The latest news from our experts in the fast-changing world of application, data, and edge security.