Phishing Awareness Training: A Guide for IT Managers

Phishing is one of the original cyberthreats, but it is evolving to be harder to spot. Is your org ready?

Phishing is nothing new. It was one of the first social engineering attacks on the internet, dating back to the mid-1990s, when attackers targeted AOL accounts. The problem with phishing awareness is that, while you might be familiar with the threats, motives, and methods of attack, the employees in your organization may not be. Even if they have been through a phishing email test or two, preventing phishing attacks and building real phishing awareness takes more than that. 

Read the IT Admin's Guide to Network Security Solutions

Understanding the phishing threat

What is phishing?

Oxford defines phishing as “the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.”

Phishing is a type of social engineering cyberattack that focuses on exploiting human error. In phishing attacks, bad actors trick individuals into divulging sensitive information, such as passwords, credit card details, or company data, through fraudulent emails, websites, or messages that appear legitimate.

For example, an employee may receive an email with a link to update their password for an app your company uses routinely for payroll. When they click the link and enter their credentials on the attacker's look-alike page, the bad actor has everything they need to access your business apps, networks, and sensitive data, especially if the employee reuses that password across work apps. 

Email is not the only place where threat actors use fraudulent links. Search engine results and paid ads can lead to fraudulent pages, and a bad actor may register a typosquatted domain (a misspelling of your company's domain, or the same name under a different top-level domain) that hosts a copy of your login page and catches users who mistype the address. Content filters and DNS security can help thwart these attacks, but without employee awareness, your business is at greater risk from these relatively simple attack vectors. 

The impact of phishing on businesses


Phishing poses a significant threat to organizations. A successful attack erodes trust, between security teams and employees internally and between companies and customers when a breach follows, and it causes real financial damage, with businesses losing billions annually. According to recent statistics:

  • 83% of organizations reported experiencing phishing attacks in the past year.
  • The average cost of a successful phishing attack is over $4 million, factoring in downtime, recovery costs, and reputational damage.
  • Phishing attacks account for 36% of all breaches, making them the most common vector for cyber intrusions.

The financial and reputational consequences of phishing make it imperative for IT managers to prioritize defense mechanisms, including employee training.

Creating and implementing a phishing awareness training program


Getting your employees onboard with reducing phishing attack success starts with education. This should include everyone from the entry-level employees to the executive level. There should be consequences established for those who fail to take phishing seriously as well (within reason — we want to make people understand the importance without creating fear and chaos). There are a few simple steps you can take. 

Recognizing Phishing Attempts

Keeping employees from falling victim starts with teaching them to recognize the most common phishing tactics, including: 

  • Spear Phishing: This tactic uses personalized emails targeting specific individuals or roles. The message is harder to spot because it is tailored to the victim's role, projects, or colleagues, often using details gathered from social media or the company website.
  • Clone Phishing: In clone phishing, bad actors copy a legitimate email the victim has already received, swap its links or attachments for malicious ones, and resend it from a spoofed or look-alike address, often framed as an update or a resend. Executives, HR, and finance roles are the senders most often impersonated in these attempts. 
  • Business Email Compromise (BEC): BEC attacks impersonate executives, vendors, or business partners, frequently from a compromised or spoofed mailbox, to get staff to authorize fraudulent payments or change payment details. These emails often contain no link or attachment at all, so filters that look only for malicious URLs will miss them.

Technical controls should back up the training: email content filters and URL scanning catch many phishing emails before delivery, and publishing SPF, DKIM, and DMARC records for your domains makes it harder for attackers to spoof your own addresses. 

Best Practices for Employees

To start, there are a few key best practices that can help employees recognize these tactics. 

These best practices include encouraging employees to: 

  • Verify the sender's address and the links before clicking. Check the actual address behind the display name, and hover over a link to see where it really goes. If something looks suspicious, have the IT or security team take a look and verify it. 
  • Avoid sharing sensitive information through email. This includes passwords, personal information, credit card or other financial details, and anything a legitimate service would never ask for by email. 
  • Report suspicious emails to the IT department promptly. There should be an established security email address, chat channel, or ticketing system for employees to use to report suspicious emails. 
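The sender and link checks above, and the typosquatted-domain trick described earlier, are the kind of thing the security team will want to check mechanically when an employee forwards a message. The script below is an added Python example written for this article, not code from the original page or from any product it mentions. It assumes a hypothetical trusted domain (acme.example) and a constructed sample message; the Authentication-Results header mimics what an inbound mail gateway stamps on a message after SPF, DKIM, and DMARC checks.

```python
"""Triage helper for a reported email: sender, authentication and link checks."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: the organisation owns these domains (hypothetical).
TRUSTED_DOMAINS = {"acme.example"}

# Constructed sample message (not a real phish). The Authentication-Results header
# mimics what an inbound mail gateway adds after evaluating SPF, DKIM and DMARC.
SAMPLE_EML = """\
From: "Acme Payroll" <notices@acme-payroll-login.com>
Reply-To: help@acme-payroll-login.com
To: jane.doe@acme.example
Subject: Immediate password check
Authentication-Results: mx.acme.example; spf=fail smtp.mailfrom=acme-payroll-login.com; dkim=none; dmarc=fail header.from=acme-payroll-login.com
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today.
<a href="https://acme-payroll-login.com/reset">https://payroll.acme.example/reset</a></p>
</body></html>
"""


def levenshtein(a, b):
    """Edit distance, used to spot one- or two-character typosquats of our domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude 'name.tld' extraction; adequate for a triage heuristic."""
    return ".".join(host.lower().split(".")[-2:])


def is_trusted(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_lookalike(host):
    """Untrusted host that borrows a trusted brand label or is a near-typo of a trusted domain."""
    if not host or is_trusted(host):
        return False
    base = registrable(host)
    for d in TRUSTED_DOMAINS:
        brand = d.split(".")[0]
        if brand in base.split(".")[0] or levenshtein(base, d) <= 2:
            return True
    return False


def analyze(raw):
    """Return the sender address, a list of human-readable findings and a verdict."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name says one thing, the real address says another.
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if not is_trusted(from_domain):
        for d in TRUSTED_DOMAINS:
            if d.split(".")[0] in display.lower():
                findings.append(f"display name '{display}' uses our brand but address is @{from_domain}")
        if is_lookalike(from_domain):
            findings.append(f"sender domain {from_domain} looks like one of ours")

    # 2. Gateway authentication results: anything other than 'pass' is worth a look.
    auth = str(msg.get("Authentication-Results", ""))
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if result.lower() != "pass":
            findings.append(f"{mech.upper()} result is '{result}'")

    # 3. Links: visible URL text that differs from the real target, or look-alike hosts.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a\s+[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        target = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname if text.strip().startswith("http") else None
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
        if is_lookalike(target):
            findings.append(f"link host {target} looks like one of ours")

    verdict = "suspicious" if findings else "no obvious indicators"
    return {"from": addr, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    report = analyze(SAMPLE_EML)
    for f in report["findings"]:
        print("-", f)
    print("verdict:", report["verdict"])
```

The heuristics are deliberately simple (no public-suffix list, no homoglyph handling) and will produce false positives on legitimate third-party senders, which is why the output is a list of reasons for a human to review rather than an automatic block decision.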

Incorporating Simulated Phishing Attacks

Simulated phishing tests are an excellent way to measure employee vigilance. These so-called “phishing email tests” help identify knowledge gaps and reinforce training by:

  • Sending realistic phishing simulations to employees. However, please refrain from using any subject lines that might have a negative impact on employee morale, like “Your bonus information is attached” or “You’re getting a raise!” The goal is to assess without cruelty. 
  • Tracking click rates and subsequent reporting. If someone is clicking on the phishing link often, it’s time for more extensive training. Remember: cybersecurity mistakes happen. But repeated errors can be a sign that someone needs more training. 
  • Providing immediate feedback to participants. Anyone who clicks a phishing link should undergo at least one training session. If someone doesn’t click the phishing link, but also doesn’t follow the correct process to report it, they may need a reminder of the correct avenues to report any attempted phishing attempt. 

Step-by-Step Implementation Guide

To implement your phishing awareness training, we have a recommended timeline with action items to get started. 

Proposed Timeline and Guide for Phishing Awareness Training:

Week 1: Kick-off Meeting and Awareness Campaign
Objective: Introduce the program to your security team, and then to the wider organization, and explain its importance. Establish consequences for repeated failure of phishing tests, such as an extended training session. 

Week 2: Basic Phishing Training
Objective: Educate employees on recognizing phishing attempts. This can be done through a number of educational platforms, or through your own customized program. 

Further, train employees on your company procedure for reporting phishing emails. There should be an established email address, chat channel, or ticket submission process for employees to forward the offending email so IT and security can evaluate the threat.

Remember, this goes beyond simply clicking "report as spam" or "report as phishing" in an email inbox: your security team needs to see the message, not just the mail provider. 

Week 3: Simulated Phishing Test
Objective: Assess baseline awareness after initial training is complete. The subject line should be enticing but not cruel, and the email should ask for some type of sensitive information or action, even if it seems benign. 

Example phishing subject lines:
- Signature needed: Accounting Documents
- [Name] Shared a Document with You
- FedEx International Notice #...
- Immediate password check
- Invoice # Due Immediately
- Payment due for services XYZ
- Urgent account verification needed 
- [CEO name] needs assistance, can you help?

Keep a log of which employees reported the phishing test through the proper avenues, which ignored or deleted it entirely, and who clicked any links in the phishing test email.

Week 4: Follow-up Training and Feedback
Objective: Address the knowledge gaps identified in testing and identify the employees who need more extensive training. Employees who deleted the email but did not report it should be shown the proper avenue for reporting a phishing attempt. 

Training can be completed through an outside vendor or through a course of your own creation. Either way, it should cover what a social engineering attack is and how to recognize fraudulent links, fake email addresses, and fake phone numbers. 

Week 5: Advanced Training and Final Assessment
Objective: Strengthen understanding, evaluate improvement, and provide employees who have failed phishing tests repeatedly with additional guidance. 

You may need to agree next steps with management for repeated failures, such as an extended training session or a performance improvement plan. 

Ongoing: Simulated Phishing Tests
Objective: Conduct phishing tests at randomly selected intervals on randomly selected employees. Avoid testing the entire company on the same day or at the same time: once one person spots the test, word spreads and the results no longer reflect individual vigilance. 
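The ongoing schedule just described (random days, random subsets, never the whole company at once) is easy to get wrong by hand, so here is an added Python example of a small scheduler, written for this article and not code from the original page or from any product it mentions. The roster of employees and departments is constructed and hypothetical, as are the four-week window and the cap of two sends per day.

```python
"""Schedule ongoing phishing simulations: random days, random people, never everyone at once."""
import random
from datetime import date, timedelta

# Hypothetical roster of (employee, department), constructed for the example.
ROSTER = [
    ("alice", "finance"), ("bob", "finance"), ("carol", "engineering"),
    ("dave", "engineering"), ("erin", "hr"), ("frank", "sales"),
    ("grace", "sales"), ("heidi", "legal"),
]
# First business day of the (hypothetical) test window.
START = date(2024, 9, 2)


def business_days(start, count):
    """The next `count` weekdays on or after `start`."""
    days, day = [], start
    while len(days) < count:
        if day.weekday() < 5:
            days.append(day)
        day += timedelta(days=1)
    return days


def schedule(roster, start, weeks=4, max_per_day=2, seed=None):
    """Give every employee exactly one send date inside the window.

    Both the people and the candidate days are shuffled, then people are dealt
    round-robin across the shuffled days. That spreads sends across the window and
    puts at most ceil(len(roster) / len(days)) people on any day, which the size
    check below keeps within max_per_day. A fixed seed makes the plan reproducible
    for the security team without making it guessable by staff.
    """
    rng = random.Random(seed)
    days = business_days(start, weeks * 5)
    if len(days) * max_per_day < len(roster):
        raise ValueError("window too short for this roster at the given per-day cap")
    people = list(roster)
    rng.shuffle(people)
    rng.shuffle(days)
    plan = {}
    for i, person in enumerate(people):
        plan.setdefault(days[i % len(days)], []).append(person)
    return dict(sorted(plan.items()))


def example_plan(seed=7):
    return schedule(ROSTER, START, weeks=4, max_per_day=2, seed=seed)


if __name__ == "__main__":
    for day, people in example_plan().items():
        print(day.isoformat(), ", ".join(f"{name} ({dept})" for name, dept in people))
```

With eight people and twenty business days everyone lands on a different day; with a larger roster the per-day cap is what keeps a single department from being hit all at once and comparing notes.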

Measuring Threat Prevention and Next Steps

Now the question: how do you know it works? To measure the success of your program:

  1. Track metrics such as phishing report rates and simulated test results.
  2. Conduct regular refresher sessions to ensure knowledge retention.
  3. Leverage analytics to identify high-risk areas or departments.
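An added Python example, not part of the original article, of the bookkeeping behind steps 1 and 3: given the per-employee log recommended for each test (reported, ignored, clicked), it computes click and report rates per campaign, click rate per department, the repeat clickers who need more extensive training, and the people who neither clicked nor reported and only need a reminder of the reporting path. The campaign names, employees, departments and outcomes are constructed for the example.

```python
"""Metrics from simulated-phishing results: rates, repeat clickers, departments at risk."""
from collections import defaultdict
from typing import NamedTuple


class Result(NamedTuple):
    campaign: str
    employee: str
    department: str
    clicked: bool    # followed the link in the test email
    reported: bool   # reported it through the sanctioned channel


# Constructed results of two simulated campaigns (hypothetical people and departments).
EVENTS = [
    Result("2024-Q1", "alice", "finance", False, True),
    Result("2024-Q1", "bob", "finance", True, False),
    Result("2024-Q1", "carol", "engineering", False, False),
    Result("2024-Q1", "dave", "engineering", True, True),
    Result("2024-Q1", "erin", "hr", False, True),
    Result("2024-Q2", "alice", "finance", False, True),
    Result("2024-Q2", "bob", "finance", True, False),
    Result("2024-Q2", "carol", "engineering", False, True),
    Result("2024-Q2", "dave", "engineering", False, True),
    Result("2024-Q2", "erin", "hr", False, True),
]


def rates(events, key):
    """Sent/clicked/reported counts and rates grouped by 'campaign' or 'department'."""
    groups = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for e in events:
        g = groups[getattr(e, key)]
        g["sent"] += 1
        g["clicked"] += int(e.clicked)
        g["reported"] += int(e.reported)
    for g in groups.values():
        g["click_rate"] = round(g["clicked"] / g["sent"], 2)
        g["report_rate"] = round(g["reported"] / g["sent"], 2)
    return dict(groups)


def repeat_clickers(events, min_clicks=2):
    """Employees who clicked in at least `min_clicks` campaigns: candidates for extended training."""
    counts = defaultdict(int)
    for e in events:
        if e.clicked:
            counts[e.employee] += 1
    return sorted(name for name, c in counts.items() if c >= min_clicks)


def reporting_reminders(events, campaign):
    """Employees who neither clicked nor reported: they need the reporting path, not a lecture."""
    return sorted(e.employee for e in events
                  if e.campaign == campaign and not e.clicked and not e.reported)


def high_risk_departments(events, max_click_rate=0.25):
    """Departments whose overall click rate exceeds the threshold you set for your organisation."""
    return sorted(d for d, g in rates(events, "department").items()
                  if g["click_rate"] > max_click_rate)


if __name__ == "__main__":
    for campaign, g in sorted(rates(EVENTS, "campaign").items()):
        print(f"{campaign}: click rate {g['click_rate']:.0%}, report rate {g['report_rate']:.0%}")
    print("repeat clickers:", repeat_clickers(EVENTS))
    print("need reporting reminder (2024-Q1):", reporting_reminders(EVENTS, "2024-Q1"))
    print("departments above threshold:", high_risk_departments(EVENTS))
```

Report rate is the metric to watch most closely: a falling click rate with a flat report rate usually means people have learned to delete suspicious mail, which protects them but leaves the security team blind to the real campaign that the next employee will fall for.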

Building a Culture of Cyber Awareness

Phishing training isn’t the only cybersecurity training that can benefit your organization. Getting everyone in the company involved in cybersecurity takes building a culture that not only complies with security awareness measures, but actively works to prevent and avoid threats. 

Encouraging Continuous IT Updates

Cyber threats evolve rapidly and bad actors find vulnerabilities quickly. Make sure to communicate the importance of all employees taking the following steps:

  • Keep systems and software up to date. If a patch or software update is available, install it as soon as possible; many phishing payloads rely on vulnerabilities that have already been fixed. 
  • Conduct regular vulnerability assessments and penetration tests. These can be done by internal teams or by outside vendors who routinely probe your systems for weak spots. 
  • Share industry news and updates with employees to keep them informed. Inform, don't fear-monger, but share what is going on and any social engineering attacks that keep appearing in your particular industry. The more everyone knows, the more likely they are to update their systems and stay aware. 

Leveraging OpenVPN for Enhanced Security

To take your security up a level from phishing awareness training, having employees use a Virtual Private Network (VPN) such as Access Server adds a layer of protection by encrypting traffic on untrusted networks and securing remote access to company resources. A VPN on its own does not stop a user from typing a password into a convincing fake login page; its contribution to phishing defense comes from routing traffic through a tunnel where DNS and content filtering can block connections to known phishing domains. 

With CloudConnexa, you can also take advantage of features such as Cyber Shield content filtering, which can automatically block over 40 content categories to prevent successful phishing attempts and boost productivity. 

Conclusion

Phishing awareness training is a vital part of any organization’s cybersecurity strategy. By educating employees, implementing simulated phishing attacks, and fostering a culture of vigilance, IT managers can significantly reduce the risk of successful phishing attempts.

Start building a robust phishing awareness training program today. Download our IT Admin’s Guide to Evaluating Network Security Solutions to find the right training programs and resources for your business. 
