Phishing is nothing new. In fact, phishing was one of the first social engineering attack methods on the internet, dating back as early as the 1990s via AOL email addresses. The problem with phishing awareness is that, while you might be familiar with the threats, reasons, and methods of attack, the employees in your organization may not be quite as aware. Although your employees may have been subjected to a phishing email test or two, there is more that goes into preventing phishing attacks and fostering phishing awareness training.
Oxford defines phishing as “the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.”
Phishing is a type of social engineering cyberattack that focuses on exploiting human error. In phishing attacks, bad actors trick individuals into divulging sensitive information, such as passwords, credit card details, or company data, through fraudulent emails, websites, or messages that appear legitimate.
For example, an employee may receive an email with a link to update their password for an app your company uses routinely for payroll purposes. When they click the link and enter their personal information, the bad actor has everything they need to gain access to your business apps, networks, and sensitive data (especially if the employee uses the same password for all of their work apps).
However, email is not the only place where threat actors use fraudulent links to steal information. Search engines like Google may return results that lead to fraudulent links, or a bad actor may even set up a duplicate website on a lookalike domain that relies on simple typos to steal information. Content filters and DNS security can help thwart these attacks, but without employee awareness, your business is at a greater risk of falling victim to these relatively simple attack vectors.
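The DNS-security point above can be made concrete with a small lookalike-domain check. The script below is an added example, not code from the original post or from any product it mentions: it reads constructed DNS query log lines (the log format, the company domains and the client addresses are all hypothetical sample data) and flags queried names that differ from the organization's own domains by a typo, a homoglyph swap such as "rn" for "m", or by embedding the brand name in a foreign domain, so they can be reviewed or added to a content filter.

```python
"""Flag DNS queries for domains that look like a company's own domains.

Added example, not from the original post. The company domains and the
DNS log lines below are constructed sample data, not real logs.
"""
import re

# Constructed: the organization's legitimate registrable domains (hypothetical).
COMPANY_DOMAINS = ["examplepayroll.com", "example-corp.com"]

# Constructed sample DNS query log, hypothetical format: "<timestamp> <client> <qname>".
SAMPLE_DNS_LOG = """\
2024-05-01T09:12:03 10.0.0.15 examplepayroll.com
2024-05-01T09:12:09 10.0.0.15 exarnplepayroll.com
2024-05-01T09:13:44 10.0.0.22 examplepayrol.com
2024-05-01T09:14:10 10.0.0.22 example-corp.com
2024-05-01T09:15:30 10.0.0.31 examplepayroll-login.com
2024-05-01T09:16:02 10.0.0.31 weather.example.org
"""

# Character pairs that render almost identically and are folded before comparison.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label):
    """Collapse homoglyph pairs so 'exarnple' compares equal to 'example'."""
    for glyph, repl in HOMOGLYPHS.items():
        label = label.replace(glyph, repl)
    return label


def registrable(domain):
    """Crude registrable-domain extraction: the last two labels (no public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(domain, company_domains=COMPANY_DOMAINS, max_distance=2):
    """Return 'legitimate', 'lookalike' or 'unrelated' for one queried name."""
    reg = registrable(domain)
    if reg in company_domains:
        return "legitimate"
    sld = reg.split(".")[0]
    for legit in company_domains:
        legit_sld = legit.split(".")[0]
        # Brand name embedded in a foreign registrable domain, e.g. brand-login.com
        if legit_sld in sld and sld != legit_sld:
            return "lookalike"
        # Small edit distance after homoglyph folding catches typos and swaps
        if levenshtein(normalize(sld), normalize(legit_sld)) <= max_distance:
            return "lookalike"
    return "unrelated"


def find_lookalikes(log_text, company_domains=COMPANY_DOMAINS):
    """Parse log lines and return (client, qname) pairs flagged as lookalikes."""
    flagged = []
    for line in log_text.splitlines():
        m = re.match(r"(\S+)\s+(\S+)\s+(\S+)$", line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        _ts, client, qname = m.groups()
        if classify(qname, company_domains) == "lookalike":
            flagged.append((client, qname.lower()))
    return flagged


if __name__ == "__main__":
    for client, name in find_lookalikes(SAMPLE_DNS_LOG):
        print(f"review/block: {name} (queried by {client})")
```

The two-label registrable-domain extraction is a deliberate simplification; in production you would use a public-suffix list so that names under suffixes such as `co.uk` are compared on the right label.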
Phishing poses a significant threat to organizations. When a breach results from a phishing or DNS attack, it not only creates distrust between security teams and employees, and between customers and companies, but also causes real business impacts, with businesses losing billions annually. According to recent statistics:
The financial and reputational consequences of phishing make it imperative for IT managers to prioritize defense mechanisms, including employee training.
Getting your employees on board with reducing phishing attack success starts with education. This should include everyone from entry-level employees to the executive level. There should also be consequences established for those who fail to take phishing seriously (within reason: we want people to understand the importance without creating fear and chaos). There are a few simple steps you can take.
Keeping employees from falling victim starts with teaching them to recognize the most common phishing tactics, including:
You can also set up content filters to help catch phishing attempts and stop them before they can start.
To start, there are a few key best practices that can help employees recognize these tactics.
These best practices include encouraging employees to:
Simulated phishing tests are an excellent way to measure employee vigilance. These so-called “phishing email tests” help identify knowledge gaps and reinforce training by:
To implement your phishing awareness training, we have a recommended timeline with action items to get started.
Proposed Timeline and Guide for Phishing Awareness Training:

| Week | Activity | Objective |
| --- | --- | --- |
| Week 1 | Kick-off Meeting and Awareness Campaign | Introduce the program to your security team and then to the greater organization, and explain its importance. Establish consequences for repeated failure of phishing tests, such as an extended training session. |
| Week 2 | Basic Phishing Training | Educate employees on recognizing phishing attempts. This can be done through a number of educational platforms, or through your own customized program. Further, train employees on your company procedure to report phishing emails. There should be an established email address, chat channel, or ticket submission process for employees to forward the offending email so IT and security can further evaluate the threat. Remember, this goes beyond simply “report as spam” or “report as phishing” in an email inbox. |
| Week 3 | Simulated Phishing Test | Assess baseline awareness levels after initial training is complete. Remember, the subject line should be enticing but not cruel, and should solicit some type of sensitive information, even if it seems benign. Examples of phishing subject lines: “[Name] Shared a Document with You”; “FedEx International Notice #...”; “Immediate password check”; “Urgent account verification needed”; “[CEO name] needs assistance, can you help?”. Keep a log of which employees reported the phishing test through the proper avenues, which ignored or deleted it entirely, and who clicked any links in the phishing test email. |
| Week 4 | Follow-up Training and Feedback | Address knowledge gaps identified in testing. Identify specific employees who will need more extensive training. Employees who deleted the email but did not report it should receive education on the proper avenue to report a phishing attempt. Training can be completed through an outside vendor or through a course of your own internal creation. Beyond the basics of what a social engineering attack is, it should cover how to recognize fraudulent links, fake email addresses, and fake phone numbers. |
| Week 5 | Advanced Training and Final Assessment | Strengthen understanding, evaluate improvements, and provide employees who have failed phishing tests repeatedly with additional guidance. You may need to establish next steps with management for repeated failures, such as an extended training session or a performance improvement plan. |
| Ongoing | Simulated Phishing Tests | Conduct phishing tests at randomly selected intervals with randomly selected employees. Avoid testing the entire company on the same day and time, because employees are then more likely to tell each other that a phishing test has gone out. |
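The Week 3 row asks you to log who reported, ignored, or clicked each test email, the Week 5 row singles out repeat failures, and the Ongoing row calls for staggered random waves. The script below is an added example, not code from the original post or from any product it mentions: it keeps that log as a list of (campaign, employee, outcome) records, derives click and report rates per campaign, lists repeat clickers and employees who deleted without reporting, and splits a roster into random send waves with random gaps. The roster, campaign names, and outcomes are constructed sample data.

```python
"""Track simulated phishing test outcomes and schedule staggered test waves.

Added example, not part of the original post. The employee roster and
outcome records below are constructed sample data.
"""
import random
from collections import Counter

# Outcome of each simulated phishing email, per employee and campaign.
REPORTED, IGNORED, CLICKED = "reported", "ignored", "clicked"

# Constructed sample log: (campaign, employee, outcome)
SAMPLE_RESULTS = [
    ("week3", "alice", REPORTED), ("week3", "bob", CLICKED),
    ("week3", "carol", IGNORED), ("week3", "dave", CLICKED),
    ("week3", "erin", REPORTED),
    ("week5", "alice", REPORTED), ("week5", "bob", CLICKED),
    ("week5", "carol", REPORTED), ("week5", "dave", REPORTED),
    ("week5", "erin", IGNORED),
]


def campaign_metrics(results):
    """Per-campaign click rate and report rate, as fractions of emails sent."""
    sent = Counter(c for c, _, _ in results)
    outcomes = Counter((c, o) for c, _, o in results)
    return {
        c: {
            "sent": n,
            "click_rate": outcomes[(c, CLICKED)] / n,
            "report_rate": outcomes[(c, REPORTED)] / n,
        }
        for c, n in sent.items()
    }


def repeat_clickers(results, min_clicks=2):
    """Employees who clicked in at least `min_clicks` campaigns (candidates for extra guidance)."""
    clicks = Counter(e for _, e, o in results if o == CLICKED)
    return sorted(e for e, n in clicks.items() if n >= min_clicks)


def deleted_without_reporting(results, campaign):
    """Employees who ignored or deleted the test email in a campaign but did not report it."""
    return sorted(e for c, e, o in results if c == campaign and o == IGNORED)


def schedule_waves(employees, waves, min_gap_days, max_gap_days, seed=None):
    """Split employees into random groups and give each group a random send-day offset.

    Staggering avoids the whole company receiving the same test email on one day,
    which makes employees more likely to warn each other that a test is running.
    """
    rng = random.Random(seed)
    shuffled = list(employees)
    rng.shuffle(shuffled)
    plan, day = [], 0
    for i in range(waves):
        group = shuffled[i::waves]  # roughly equal-sized random groups
        day += rng.randint(min_gap_days, max_gap_days)
        plan.append({"day_offset": day, "employees": sorted(group)})
    return plan


if __name__ == "__main__":
    for campaign, m in campaign_metrics(SAMPLE_RESULTS).items():
        print(f"{campaign}: sent={m['sent']} click_rate={m['click_rate']:.0%} "
              f"report_rate={m['report_rate']:.0%}")
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
    print("deleted without reporting in week3:",
          deleted_without_reporting(SAMPLE_RESULTS, "week3"))
    roster = sorted({e for _, e, _ in SAMPLE_RESULTS})
    for wave in schedule_waves(roster, waves=2, min_gap_days=3, max_gap_days=10, seed=7):
        print(f"day +{wave['day_offset']}: {', '.join(wave['employees'])}")
```

A falling click rate together with a rising report rate across campaigns is the signal that training is working; a falling click rate alone may only mean people are deleting the email, which is why the ignored outcome is tracked separately.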
Now the question: how do you know it works? To measure the success of your program:
Phishing training isn’t the only cybersecurity training that can benefit your organization. Getting everyone in the company involved in cybersecurity takes building a culture that not only complies with security awareness measures, but actively works to prevent and avoid threats.
Cyber threats evolve rapidly and bad actors find vulnerabilities quickly. Make sure to communicate the importance of all employees taking the following steps:
To take your security up a level from phishing awareness training, having your employees use a Virtual Private Network (VPN), like Access Server, can add an additional layer of security to your organization by encrypting internet traffic to protect sensitive data, securing remote access to company resources, and reducing exposure to phishing attempts through secure connections.
With CloudConnexa, you can also take advantage of features such as Cyber Shield content filtering, which can automatically block over 40 content categories to prevent successful phishing attempts and boost productivity.
Phishing awareness training is a vital part of any organization’s cybersecurity strategy. By educating employees, implementing simulated phishing attacks, and fostering a culture of vigilance, IT managers can significantly reduce the risk of successful phishing attempts.
Start building a robust phishing awareness training program today. Download our IT Admin’s Guide to Evaluating Network Security Solutions to find the right training programs and resources for your business.