They arrive in our inboxes in all forms: deals from brands we love, urgent requests from a new manager, invitations to connect on LinkedIn and Facebook. Sometimes they are easy to spot, and we scoff at their poor grammar and obvious misspellings. Other times they are tricky to spot, near carbon copies of an email we might typically engage with. And no matter how hard we try to stop them, phishing emails just keep coming.
If we can’t block phishing emails entirely, then what should we do? Simple: train and educate everyone on how to spot phishing emails by regularly sending phishing simulation emails, coupled with real-time education whenever someone clicks on a link or opens an attachment.
Who are phishing simulations for?
Phishing simulations are an excellent tool for businesses of all sizes. All it takes is one click on the wrong email to open the door for an attack. And since real phishing emails target everyone from accounting and HR to the CEO and BOD, phishing simulations should be sent to everyone in the organization, top to bottom.
- Managing phishing simulations (i.e. building and launching campaigns, producing and sharing reports, etc.) typically falls to either IT or HR.
- Metrics on clicks and training completion should be reviewed by managers or senior leadership to better understand trends and where new tools or processes might be needed to enforce safe email habits and protect sensitive company data.
What are phishing simulations?
Phishing simulations are actual emails sent to employees that are meant to mimic real life, recent, and relevant phishing style attacks. These simulated attacks help guard your business against social-engineering threats by training your employees to identify and report them.
Typically, a phishing simulation is paired with point-of-failure training delivered when someone clicks on a link or opens an attachment. These trainings commonly take the form of a quick quiz or short video meant to reinforce the practice of carefully reviewing emails and following the proper protocol when a phishy email arrives, such as calling the sender to confirm authenticity or reporting it to IT.
When do phishing simulations matter?
Regular but unpredictable phishing simulation emails help protect employees from falling victim to an actual phishing attack by keeping them on alert and aware of what to look out for. Consider a monthly cadence to help reinforce best practices for avoiding a phishing attack. This schedule also gives leadership a chance to review reports and continue to collaborate with teams to improve cybersecurity processes and posture.
Where does a phishing simulation occur?
The phishing simulation email will typically be sent using a web-based tool specifically designed to develop and deliver these kinds of emails and to track their opens, clicks and training completions. A phishing simulation email is sent directly to each employee’s inbox. How do the simulated phishing emails make it through spam and junk filters? Often the phishing tool’s sending IP address can be whitelisted in the mail gateway to ensure deliverability.
To keep everyone on their toes, the emails may not all be sent at once. They may be staggered over the course of hours or even days. It will be important to encourage employees not to share on the company messenger when they click on a phishing simulation. This way everyone has a chance to potentially participate in valuable training that could prevent someone from actually clicking on a phishing email that might cause expensive and/or irreparable damage.
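The tool described above tracks opens, clicks, reports and training completions, and managers review those numbers for trends. The following Python script is an added example (not code from the original article or from any particular simulation product) that reduces a constructed campaign event export to those per-department metrics and lists clickers who still owe their point-of-failure training; the event names and departments are assumptions.

```python
"""Aggregate phishing-simulation tracking events into review metrics.

Constructed example: the event list below is made up for illustration and
mirrors the kind of export a simulation tool produces. Event names
(sent/opened/clicked/reported/training_completed) are assumptions."""
from collections import defaultdict

# Constructed campaign export: (employee, department, event).
EVENTS = [
    ("alice", "accounting", "sent"), ("alice", "accounting", "opened"),
    ("alice", "accounting", "clicked"), ("alice", "accounting", "training_completed"),
    ("bob", "accounting", "sent"), ("bob", "accounting", "opened"),
    ("bob", "accounting", "reported"),
    ("carol", "hr", "sent"), ("carol", "hr", "opened"), ("carol", "hr", "clicked"),
    ("dave", "hr", "sent"),
    ("erin", "exec", "sent"), ("erin", "exec", "opened"), ("erin", "exec", "reported"),
]

def summarize(events):
    """Return {department: metrics} plus an '_all' roll-up.

    click_rate    = clicked / sent
    report_rate   = reported / sent
    training_rate = training_completed / clicked (None when nobody clicked)
    untrained     = clickers who have not yet finished point-of-failure training
    """
    per_user, dept_of = defaultdict(set), {}
    for user, dept, event in events:
        per_user[user].add(event)
        dept_of[user] = dept
    groups = defaultdict(list)
    for user, done in per_user.items():
        groups[dept_of[user]].append((user, done))
        groups["_all"].append((user, done))
    summary = {}
    for dept, members in groups.items():
        sent = sum("sent" in d for _, d in members)
        clicked = [u for u, d in members if "clicked" in d]
        trained = [u for u in clicked if "training_completed" in per_user[u]]
        reported = sum("reported" in d for _, d in members)
        summary[dept] = {
            "sent": sent,
            "click_rate": round(len(clicked) / sent, 2) if sent else 0.0,
            "report_rate": round(reported / sent, 2) if sent else 0.0,
            "training_rate": round(len(trained) / len(clicked), 2) if clicked else None,
            "untrained": sorted(set(clicked) - set(trained)),
        }
    return summary

if __name__ == "__main__":
    for dept, metrics in sorted(summarize(EVENTS).items()):
        print(dept, metrics)
```

Tracking report_rate next to click_rate shows whether the "report it to IT" habit is growing campaign over campaign, not just whether clicks are falling.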
Why are phishing simulations important?
- In 2019, 94% of malware was delivered via email. By regularly receiving phishing simulations employees are better equipped to recognize suspicious emails and protect your business from a cybersecurity incident.
- Regular phishing simulations reinforce email best-practices. By clicking on phishing simulation email links and attachments and completing training, everyone learns how to recognize and avoid phishing attacks. Email users are more likely to slow down and pay attention to the sender, the links in the email, and any attachments—all ways malware can be delivered.
- Phishing simulations train your team to be cyber-defenders! Now that your employees know what they are looking for they will be more likely to report suspicious emails to IT who can in turn warn the rest of the company and block the sender.
With no end to phishing emails coming from attackers in sight and no sure-fire way to prevent them from hitting our inboxes, it’s important to make sure everyone is on alert and educated—about the risks and the methods used to lure unsuspecting victims in.
Employing a phishing simulation tool is a key part of continuously improving cybersecurity posture. Just like at the local sporting goods store, there are quite a few choices out there. The good news is, some will even do the job for you. It’s your turn, go phish!