Every day worldwide, tens of thousands of employees fall prey to phishing scams. In the second quarter of 2022, the Anti-Phishing Working Group (APWG) saw 1,097,811 total phishing attacks, the worst quarter on record.
The results can be devastating: from lost data and identity theft to compromised security and even stolen funds. Cybersecurity is everyone’s responsibility, but the responsibility of the cybersecurity department is to train our human firewall to recognize the threats and act accordingly. With education, training, and employee engagement, any organization can get ahead of the threat by using the tools at their disposal – their colleagues – to spot and respond quickly when they see phishing activity, thereby eliminating its potential impact on business.
Training should be compulsory and monitored. Everyone should take part, from the CEO to the part-time college intern. For many companies, cybersecurity (notably phishing) awareness is an essential part of onboarding.
Testing the waters
To the layperson, it’s hard to understand how phishing scams work without seeing them in action. You could explain that a phishing email is a fake email that looks like it comes from someone you know, but explaining isn’t enough to help your colleagues understand how easily bad actors trick people and how devastating a successful phishing attack can be.
One way to test employees’ security awareness is through a simulated phishing attack. This involves sending employees emails that pretend to come from either an external source or one of their colleagues (which is easy for a bad actor to find out through the likes of LinkedIn), instructing them to take an action, follow a link, or open an attachment.
The goal of this exercise is twofold: firstly, you can see how well-prepared your colleagues are for the real thing; secondly, if they fall for the trap and click on something malicious, then you know what kind of training needs improving to prevent future attacks like these. It also immediately puts the importance of phishing awareness front-of-mind and makes it a part of organizational conversation.
We need to use examples that are personal, but not too personal. Something that has nothing to do with them personally, so they don’t feel singled out unnecessarily, yet something that hits close enough home so they’ll pay attention.
There are many different types of simulated attacks you can try out; here are just a few examples:
- An employee receives an email from HR with information about an increase in the company financial allowance for remote workers – but there’s something “off” about the messaging. It references remote locations where the company doesn’t have a presence or where no one works remotely. Also, the message is poorly written by HR standards.
- A colleague receives an invitation to a Microsoft Teams meeting from their superior, however, the company routinely uses Zoom for meetings, and the email layout and syntax seem a little bit suspect.
- Another message from HR, this time asking staff if they’d like to take part in the pizza lunch for Halloween, with a prompt to “Click here to add your name on the spreadsheet.” This message comes from a webmail account, however, and not the usual internal HR email address.
- “Proofread this for me?” Not the usual thing they’d expect from their manager, but it seems legitimate. Or does it? What type of attachment is that? If they look closely, they’ll see the odd spelling mistake in the email – including the company domain name!
- “Dear Jane/John.” A letter from the CEO requiring immediate action. They need a potentially sensitive document, NOW. It’s urgent and time-sensitive, but why would they be writing to the staff member directly and using their first name? Asking for something to be done that is not the norm is a classic indicator that a message could be malicious.
- As a bonus test, how many people blindly click on the “Unfollow” link at the bottom of an email? When colleagues receive bulk advertising spam about an upcoming topical event, they should be adding it to their junk list. A pop-up that says they’ve been phished when they click on “unfollow” would be seriously sobering.
There are plenty of possibilities; just keep the test achievable and realistic. This is an exercise in education, and colleagues should always have a chance to spot the attack. Show them what the dangers look like in the wild. This initial test is to demonstrate to other departments that phishing is a real threat, and that they can’t always trust the sender of an email, a link or attachment in it, or its content.
Tell them what they need to know
Our colleagues don’t need to know the semantics of spear phishing, whaling, or smishing – they need to know the facts and the dangers, and how to react. Our employees are our best security asset, and this exercise is about mobilizing that asset and not overcomplicating things.
Colleagues need to be aware of the dangers of phishing, and it helps to show the links between phishing and cybercrime. They need to know how easy it is to fall victim to a phishing attack, and concrete examples of phishing and its effects will often have more impact than general warnings. Explain that phishing is one of the most common forms of digital extortion, allowing criminals to gain access to sensitive information, money, or customers’ personal data. Show them the numbers.
Phishing also enables malware attacks – software designed specifically to grab details so that black hat hackers can steal from the business later on. Malware can range from spyware, which tracks everything they do online (and sends this data back to hackers), to viruses that install themselves onto computers without permission and then go on to wreak havoc on systems across networks (sometimes causing irreparable damage). Tell them about the ramifications for the business – the PR fallout and the loss of revenue and reputation. Colleagues need to understand the severity of the situation, but in a clear and simple way. Remember, not everyone is as IT savvy as the IT/security department.
Staff need to understand the signs of a phishing email:
- Suspicious attachments
- Poor grammar
- Spelling errors
- An undue sense of urgency
- An unfamiliar tone
- Inconsistencies in email addresses
- Discrepancies in domain names
- Unusual requests
- Credential requests
- What social engineering is and how it is used against them
Importantly, staff also need to know how to report suspicious emails to the right people in the business so that they can be blocked and investigated.
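As an added example, not code from the original article, here is a small Python triage script that checks a reported email against the checklist above, so the team that receives reports can see at a glance which of the signs it triggers (domain discrepancy, address inconsistency, urgency, credential request, suspicious attachment). The company domain, keyword lists, similarity threshold and sample message are all constructed assumptions for the example.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # assumed: the organization's real mail domain
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk", ".docm")
KEYWORDS = {  # checklist items matched against subject + body text (constructed lists)
    "undue sense of urgency": ("urgent", "immediately", "right now", "asap"),
    "credential request": ("password", "verify your account", "sign in", "log in"),
}


def triage(raw: str) -> list[str]:
    """Return the checklist indicators that a raw RFC 822 message triggers."""
    msg = message_from_string(raw)
    flags = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    similarity = SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio()  # 0.0 to 1.0
    if domain != COMPANY_DOMAIN and similarity >= 0.85:  # heuristic near-miss threshold
        flags.append(f"domain discrepancy: {domain} resembles {COMPANY_DOMAIN}")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:
        flags.append(f"address inconsistency: replies go to {reply_domain}")
    text, attachments = [msg.get("Subject", "")], []
    for part in msg.walk():  # gather plain-text bodies and attachment filenames
        if part.get_filename():
            attachments.append(part.get_filename().lower())
        elif part.get_content_type() == "text/plain":
            text.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    body = " ".join(text).lower()
    flags += [k for k, words in KEYWORDS.items() if any(w in body for w in words)]
    flags += [f"suspicious attachment: {n}" for n in attachments if n.endswith(RISKY_EXTENSIONS)]
    return flags


# Constructed sample: a "proofread this for me?" lure sent from a misspelt company domain.
SAMPLE = """From: Manager <manager@exampel-corp.com>
Reply-To: manager@webmail-example.net
Subject: URGENT - proofread this for me?
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

Please sign in to the portal and check the attached file right now.
--b
Content-Type: application/octet-stream; name="report.docm"

--b--
"""
```

Running `triage(SAMPLE)` returns all five indicators for the constructed lure, while a plain internal notice from the real company domain returns an empty list.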
Phishing is a very real threat to businesses, and with the right education and training, your staff can spot phishing efforts and respond quickly when they see it. As cybersecurity professionals, we’re not naturally teachers, so remember the following to help training go smoothly.
- Don’t use jargon or slang. Use the correct terminology so everyone has a common grounding; explain the types of phishing attacks you see in your organization, and explain what each one is trying to do.
- Be concise, but explain things properly. People, especially our management teams, want to get through this quickly so they can get on with their day. The goal is to give them a quick overview of what phishing looks like without overwhelming them with technical information or clichés that won’t stick in their minds.
- No one wants to be taught by Benny Hill, but the odd joke helps people remember.
Finding your Spielberg
While there are plenty of online services offering phishing education, they invariably have a cost attached to them and aren’t “personal” to your business. Very often, all that’s needed is a strong awareness of the problem, direction toward what actions a colleague needs to take if they spot a malicious email, and reinforcement of that awareness.
There is an old adage that says, “Show, don’t tell,” which is doubly so when dealing with interfaces. Ideally, any training should be conducted in person, to give that personal touch. Here’s where the power of video comes into play. There are several good awareness videos out there on the general topic of phishing – just try YouTube or Vimeo – but it may be necessary for you to create your own video showing how to report a phishing scam if you use the likes of Outlook reporting or other systems, by simply screen recording the process and adding a short voiceover.
By creating your own content, it’s possible to provide relevant examples. For instance, show colleagues emails that have been sent to others in your organization (and how those recipients reacted). Discuss how these emails were crafted and what made them look legitimate enough for users to click on links included within them.
This can be used over and over again and will save a lot of time taken up by 1-to-1 training.
A team effort
Cybersecurity is everyone’s responsibility, and we should encourage employees to educate each other on how to spot and avoid being victimized by phishing attempts. There can even be an element of gamification here. When colleagues know what a phish looks like, they’ll be better equipped to protect themselves – and if one of them gets tricked anyway, their colleagues will be there to offer advice and point them toward the proper channels for remediation.
Revisit the pool
Regular phishing tests are essential to keep the topic of cybersecurity on our colleagues’ radar. If you need more information on conducting simulated phishing attacks, try this article.
Testing semi-regularly means that they are always looking for the signs and the chance to report malicious communications. Monitoring this is important. It’s important to know who fell foul of the test by recording visits to links or when attachments are opened. Offering reeducation with more in-depth training may be necessary for repeat offenders, though please remember this isn’t a shaming exercise – no matter how tempting it is to play “Never Gonna Give You Up” at full volume on their PC if they make a mistake.
If you want to reward people for reporting phishing attempts, consider offering a small incentive such as gift cards. This will encourage more employees to report suspicious emails and help you identify the phishing champions in your organization.
Good luck, and if you find yourself in a position where you need to persuade your colleagues of the importance of conducting in-house phishing tests, try showing them some of these numbers.