Every day worldwide, tens of thousands of employees fall prey to phishing scams. In the second quarter of 2022, the Anti-Phishing Working Group (APWG) saw 1,097,811 total phishing attacks, the worst quarter on record.
The results can be devastating: from lost data and identity theft to compromised systems and stolen funds. Cybersecurity is everyone's responsibility, but it is the security team's job to train the "human firewall" to recognize the threats and act accordingly. With education, training, and employee engagement, any organization can get ahead of the threat by using the tool it already has, its colleagues, to spot phishing activity and respond quickly, sharply reducing its potential impact on the business.
Training should be compulsory and monitored. Everyone should take part, from the CEO to the part-time college intern. For many companies, cybersecurity awareness (notably phishing awareness) is an essential part of onboarding.
To the layperson, it's hard to understand how phishing scams work without seeing them in action. You could explain that a phishing email is a fake email that looks like it comes from someone you know, but explaining isn't enough to help your colleagues understand how easily bad actors trick people and how devastating a successful phishing attack can be.
One way to test employees' security awareness is a simulated phishing attack: emails sent to employees that pretend to come from an external source or from one of their own colleagues (names and roles are easy for a bad actor to harvest from the likes of LinkedIn), instructing them to take an action, follow a link, or open an attachment.
The goal of this exercise is twofold: firstly, you can see how well-prepared your colleagues are for the real thing; secondly, if they fall for the trap and click on something malicious, then you know what kind of training needs improving to prevent future attacks like these. It also immediately puts the importance of phishing awareness front-of-mind and makes it a part of organizational conversation.
Use lures that are relevant but not too personal: nothing that targets an individual, so nobody feels singled out, yet close enough to their day-to-day work that they pay attention.
There are many different types of simulated attacks you can try out; here are just a few examples:
There are plenty of possibilities; just keep the test achievable and realistic. This is an exercise in education, and colleagues should always have a fair chance to spot the attack. Show them what the dangers look like in the wild. This initial test is there to demonstrate to other departments that phishing is a real threat, and that the sender, the links, the attachments, and even the content of an email cannot always be trusted.
Our colleagues don't need to know the terminology of spear phishing, whaling, or smishing; they need to know the facts, the dangers, and how to react. Our employees are our best security asset, and this exercise is about mobilizing that asset, not overcomplicating things.
Colleagues need to be aware of the dangers of phishing, and it helps to show the links between phishing and cybercrime. They need to know how easy it is to fall victim, and concrete examples of phishing and its effects will usually have more impact than general warnings. Explain that phishing is one of the most common ways criminals gain access to sensitive information, money, or customers' personal data. Show them the numbers.

Phishing also delivers malware: software designed to harvest credentials and other details so that criminals can steal from the business later on. Malware ranges from spyware that tracks everything a user does online (and sends that data back to the attacker) to self-spreading malware that installs itself without permission and then spreads across the network, sometimes causing irreparable damage. Tell them about the ramifications for the business: the PR fallout and the loss of revenue and reputation. Colleagues need to understand the severity of the situation, but in a clear and simple way. Remember, not everyone is as IT savvy as the IT/security department.
Staff need to understand the signs of a phishing email:
Importantly, staff also need to know how to report suspicious emails to the right people in the business so that they can be blocked and investigated.
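As an added illustration (this is not code from the original post, and the messages, addresses and domains in it are constructed), the following Python script checks an email for a few of the signs a trained colleague should look for: a sender domain that is not the company's own, a Reply-To that differs from the From address, a link whose visible text names one domain while the href points to another, a login link over plain http, and urgency language in the subject. `TRUSTED_DOMAINS` is an assumed setting, and `registrable_domain` is a deliberate simplification that takes the last two labels rather than consulting the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own mail domain(s).
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed sample: a typical "your password expires" lure with a lookalike domain.
SAMPLE_EML = """From: "IT Helpdesk" <helpdesk@example-c0rp.com>
Reply-To: collect@mailbox.example.net
To: alice@example-corp.com
Subject: Action required: password expires today
Content-Type: text/html

<html><body>
<p>Your password expires in 2 hours. Sign in now to keep access:</p>
<a href="http://login.example-c0rp.com/reset?u=alice">https://portal.example-corp.com/reset</a>
</body></html>
"""

# Constructed sample: a benign internal notice that should raise no findings.
CLEAN_EML = """From: "HR Team" <hr@example-corp.com>
To: alice@example-corp.com
Subject: Benefits enrolment opens Monday
Content-Type: text/html

<html><body>
<p>Enrolment details are on the intranet:</p>
<a href="https://portal.example-corp.com/benefits">https://portal.example-corp.com/benefits</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Simplification: last two labels. Real code should use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of_url(url):
    host = urlparse(url).hostname
    return registrable_domain(host) if host else None


def phishing_indicators(raw_eml):
    """Return a list of human-readable warning signs found in the message."""
    msg = message_from_string(raw_eml)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_host = from_addr.split("@")[-1] if "@" in from_addr else ""
    if from_host and registrable_domain(from_host) not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {registrable_domain(from_host)} is not a trusted domain")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.split("@")[-1].lower() != from_host.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_domain = domain_of_url(href)
        text_domain = domain_of_url(text) if re.match(r"https?://", text) else None
        if text_domain and href_domain and text_domain != href_domain:
            findings.append(f"link text shows {text_domain} but points to {href_domain}")
        if href.lower().startswith("http://"):
            findings.append(f"link uses plain http: {href}")

    subject = msg.get("Subject", "")
    if re.search(r"\b(urgent|action required|expires? (today|in \d+ hours))\b", subject, re.I):
        findings.append("subject uses urgency pressure")
    return findings


if __name__ == "__main__":
    for name, eml in (("lure", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(name, phishing_indicators(eml) or ["no indicators"])
```

Running the lure through the checker yields five findings; the benign HR notice yields none. The point for training is not the script itself but the list it produces: each line is something a colleague can verify by hovering over a link or expanding the sender details, which is exactly what a screen-recorded walkthrough should show.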
Phishing is a very real threat to businesses, and with the right education and training, your staff can spot phishing efforts and respond quickly when they see it. As cybersecurity professionals, we’re not naturally teachers, so remember the following to help training go smoothly.
While there are plenty of online services offering phishing education, they usually have a cost attached and aren't "personal" to your business. Very often, all that's needed is a strong awareness of the problem, clear direction on what a colleague should do if they spot a malicious email, and regular reinforcement of that awareness.
There is an old adage that says, "Show, don't tell," and it applies doubly when you are teaching people to use an interface. In-person training gives a personal touch, but it doesn't scale, and this is where video comes into play. There are several good awareness videos on the general topic of phishing (just try YouTube or Vimeo), but you may need to create your own video showing how to report a phishing email in your environment, for example if you use Outlook's reporting button or another reporting system. Simply screen-record the process and add a short voiceover.
By creating your own content, it’s possible to provide relevant examples. For instance, show colleagues emails that have been sent to others in your organization (and how those recipients reacted). Discuss how these emails were crafted and what made them look legitimate enough for users to click on links included within them.
A recorded walkthrough can be reused over and over and saves a lot of the time otherwise spent on 1-to-1 training.
Cybersecurity is everyone's responsibility, and we should encourage employees to educate each other on how to spot and avoid being victimized by phishing attempts. There can even be an element of gamification here. When colleagues know what a phish looks like, they'll be better equipped to protect themselves - and if one of them gets tricked anyway, their colleagues will be there to offer advice and point them toward the proper channels for remediation.
Regular phishing tests are essential to keep the topic of cybersecurity on our colleagues’ radar. If you need more information on conducting simulated phishing attacks, try this article.
Testing regularly means colleagues are always looking for the signs and for the chance to report malicious communications. Monitoring the results is important: record who followed a link or opened an attachment so you know who fell foul of the test. Re-education with more in-depth training may be necessary for repeat offenders, though please remember this isn't a shaming exercise, no matter how tempting it is to play "Never Gonna Give You Up" at full volume on their PC when they make a mistake.
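The recording step above is easy to get wrong: a test link that carries the recipient's address in clear lets anyone forward or edit it, and a shared link tells you nothing about who clicked. As an added example (not code from the original post; the roster, secret, landing-page URL and log lines are all constructed), here is a small Python script that issues each recipient an opaque HMAC-derived tracking token, then parses web-server access-log lines from the landing page to attribute clicks back to people and produce per-department click rates and a repeat-clicker list.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Assumptions (not from the original post): a per-campaign secret held by the
# security team, a landing page on a domain we control, and a test roster.
CAMPAIGN_SECRET = b"constructed-secret-rotate-per-campaign"
LANDING = "https://training.example-corp.com/t/"
ROSTER = [  # constructed sample recipients: (email, department)
    ("alice@example-corp.com", "Finance"),
    ("bob@example-corp.com", "Finance"),
    ("carol@example-corp.com", "Engineering"),
    ("dave@example-corp.com", "Engineering"),
]


def tracking_token(email, campaign_id):
    """Opaque per-recipient token: truncated HMAC over campaign id and address.
    It does not reveal the address, and tokens for other staff cannot be guessed."""
    mac = hmac.new(CAMPAIGN_SECRET, f"{campaign_id}:{email}".encode(), hashlib.sha256)
    return mac.hexdigest()[:20]


def build_links(roster, campaign_id):
    """Map token -> email so the log parser can attribute clicks.
    The link to put in each test email is LANDING + token."""
    return {tracking_token(email, campaign_id): email for email, _ in roster}


# Common/combined log format, as written by Apache or nginx (constructed lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TOKEN_PATH_RE = re.compile(r"^/t/([0-9a-f]{20})$")


def parse_clicks(log_lines, token_map):
    """Attribute GET /t/<token> requests to recipients.
    Unknown tokens are returned separately (typos, scanners, or someone probing)."""
    clicks = defaultdict(list)
    unknown = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        pm = TOKEN_PATH_RE.match(m["path"])
        if not pm:
            continue
        token = pm.group(1)
        if token in token_map:
            clicks[token_map[token]].append(m["ts"])
        else:
            unknown.append(token)
    return dict(clicks), unknown


def summarize(roster, clicks):
    """Per-department click rate, plus repeat clickers for the re-education list."""
    by_dept = defaultdict(lambda: [0, 0])  # dept -> [clicked, total]
    for email, dept in roster:
        by_dept[dept][1] += 1
        if email in clicks:
            by_dept[dept][0] += 1
    rates = {d: round(c / n, 2) for d, (c, n) in by_dept.items()}
    repeat = sorted(e for e, ts in clicks.items() if len(ts) > 1)
    return rates, repeat


CAMPAIGN = "2022q3-payroll"
TOKENS = build_links(ROSTER, CAMPAIGN)
ALICE, BOB, CAROL, DAVE = (tracking_token(e, CAMPAIGN) for e, _ in ROSTER)

# Constructed access-log lines: Alice clicks twice, Bob once, Carol and Dave never,
# plus an unknown token, an unrelated request, and a non-GET hit that is ignored.
SAMPLE_LOG = [
    f'10.0.0.5 - - [03/Oct/2022:09:14:02 +0000] "GET /t/{ALICE} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'10.0.0.5 - - [03/Oct/2022:09:14:40 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    f'10.0.0.9 - - [03/Oct/2022:09:20:11 +0000] "GET /t/{BOB} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'10.0.0.5 - - [03/Oct/2022:11:02:37 +0000] "GET /t/{ALICE} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'10.0.0.9 - - [03/Oct/2022:09:20:30 +0000] "POST /t/{BOB} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [03/Oct/2022:12:00:00 +0000] "GET /t/deadbeefdeadbeefdead HTTP/1.1" 404 0 "-" "curl/7.81"',
]

if __name__ == "__main__":
    clicks, unknown = parse_clicks(SAMPLE_LOG, TOKENS)
    rates, repeat = summarize(ROSTER, clicks)
    print("clicks:", {e: len(ts) for e, ts in clicks.items()})
    print("unknown tokens:", unknown)
    print("click rate by department:", rates)
    print("repeat clickers:", repeat)
```

Two practical caveats. The secret is per campaign so a token from one test cannot be replayed into the next, and the token map is the only place that links tokens to people, so keep it with the same care as the results. Mail security gateways also pre-fetch links in incoming mail, so in a real deployment either filter those fetches out by user agent and source address or count a click only once the landing page itself reports it; counting raw GETs, as this script does, will otherwise flag people who never opened the email.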
If you want to reward people for reporting phishing attempts, consider offering a small incentive such as gift cards. This will encourage more employees to report suspicious emails and help you identify the phishing champions in your organization.
Good luck, and if you find yourself in a position where you need to persuade your colleagues of the importance of conducting in-house phishing tests, try showing them some of these numbers.
The post How to Teach Colleagues About the Dangers of Phishing appeared first on Blog.