Phishing tests can be an effective way to improve cyber security awareness, empower employees, and defend against cyber attacks.
Phishing has now become the biggest cyber threat worldwide, and within the last year, scams have increased by 350% as cybercriminals exploit the fear and chaos caused by the coronavirus pandemic. Social engineering attacks like phishing rely on the attacker’s ability to exploit human vulnerabilities and emotions to achieve their goals.
With huge swathes of the workforce continuing to work from home, it’s vital that employees can recognise sophisticated phishing threats in their inboxes and know how to deal with them appropriately.
What Is a Phishing Test?
A phishing test, or phishing simulation as it’s otherwise known, is used by organisations to determine just how susceptible their staff are to phishing attacks. By using a safe controlled environment, organisations can send employees realistic phishing emails to measure their awareness of attack methods and find out how they would react had the threat been real.
These simulated attacks help employees identify current threats and provide timely education on how they can improve security behaviours. If an employee clicks on a phish, they are immediately presented with a point-of-need learning experience to help them recognise the signs of a phishing attack and encourage them to report phishing attempts.
Organisations can in turn use this data to identify areas of weakness, tailor training to address gaps in awareness, and chart progress over time.
How to Run an Effective Phishing Test
Establish a Baseline
Before launching your phishing awareness program, you will need to establish a baseline. This will help determine how susceptible your company is to fraudulent phishing emails and what percentage of your employees would’ve fallen for the attack had it been real.
You can either inform employees that you will be issuing a phishing test, explaining what your goals are and what you hope to achieve, or you can issue a surprise phishing test without any pre-education.
This decision is entirely up to your organisation, although the latter offers the clearest picture of how vulnerable your staff are to real-world phishing attacks. Once you have recorded your baseline, you can use these results as a benchmark to track the effectiveness of future phishing simulation tests.
Plan Your Phishing Test
Once you have established a baseline, you can start to plan your phishing campaign for the year ahead. At this stage, employees should be notified and trained on how to identify a suspicious email and what to do if they receive one.
With any phishing campaign, it’s best to start off small and then build up. Your initial phishing tests should be relatively easy to detect and include classic signs of a phishing email such as a generic greeting, misspellings, and bad grammar.
However, as your campaign progresses, the level of difficulty should increase to reflect the real-world attacks that could be used to target your staff.
Stagger the Release of the Phishing Test
Timing is key to the success of your phishing test. A common mistake is sending out a blanket phishing test to the entire organisation at the same time. This just raises suspicions, and staff members who have identified the email as a phish will start alerting colleagues.
If you don’t want to end up with skewed results, you should stagger your phishing test over different time slots to ensure more accurate reporting.
Include Senior Executives in Phishing Tests
All users are susceptible to phishing attacks but there are certain employees that have a higher risk profile than others. CEOs, CFOs, and Senior Executives are some of the most popular phishing targets due to their high-level access to valuable corporate information.
It’s vital these staff members are included in all phishing tests, not only from a risk perspective but also to demonstrate to other employees that they are taking cyber security seriously.
Use a Variety of Methods
Phishing simulation tests should accurately reflect the different threats that your employees face on a day-to-day basis. Cybercriminals are becoming more devious in their attack methods, so your phishing tests need to reflect this. Whilst many employees will be on their guard against external attacks, they may be more complacent with emails that appear to come from within the organisation.
Emails could be sent impersonating the HR department informing staff about holiday allowance or payroll. By mixing up the styles and techniques of your test, you will gain a better understanding of employee awareness.
Analyse Data
The data produced from your phishing tests is crucial to finding out if your campaign has been successful. It will help you identify trends, vulnerable employees, training needs, and inform the planning of future phishing tests.
Your reports should analyse:
- Number of people who clicked.
- Number of people who submitted sensitive information.
- Number of people who reported the phishing email.
Over time, you should see a decrease in the first two categories and an increase in reporting. Employees that have clicked on the phishing email and/or submitted sensitive information should receive further training to improve security behaviours.
Staff need to understand the real-life consequences of a phishing attack and why it’s so important that they can effectively identify a suspected phish. It’s not about catching people out but about measuring awareness and identifying areas that could be improved.
Equally, employees who have demonstrated good security behaviours, identifying phishing emails and reporting them to IT staff, should be commended.
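The reporting described in this section, as an added example that is not part of the original article: it computes click, submit and report rates per campaign, compares them with the baseline, and lists who needs follow-up training and who should be commended. The event tuple format, campaign names and user names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample export: (campaign, user, action). Format is an assumption.
EVENTS = [
    ("baseline", "ana", "delivered"), ("baseline", "ana", "clicked"),
    ("baseline", "ana", "clicked"),  # repeat click by the same user, counted once
    ("baseline", "ben", "delivered"), ("baseline", "ben", "clicked"),
    ("baseline", "ben", "submitted"),
    ("baseline", "cat", "delivered"), ("baseline", "cat", "reported"),
    ("baseline", "dev", "delivered"),
    ("q2", "ana", "delivered"), ("q2", "ana", "reported"),
    ("q2", "ben", "delivered"), ("q2", "ben", "clicked"), ("q2", "ben", "reported"),
    ("q2", "cat", "delivered"), ("q2", "cat", "reported"),
    ("q2", "dev", "delivered"),
]

def users_by_action(events, campaign):
    """Map each action to the set of distinct users who performed it."""
    seen = defaultdict(set)
    for camp, user, action in events:
        if camp == campaign:
            seen[action].add(user)
    return seen

def rates(events, campaign):
    """Click, submit and report rates as fractions of delivered recipients."""
    seen = users_by_action(events, campaign)
    total = len(seen["delivered"])
    if total == 0:  # campaign with no deliveries: avoid dividing by zero
        return {"clicked": 0.0, "submitted": 0.0, "reported": 0.0}
    return {a: len(seen[a] & seen["delivered"]) / total
            for a in ("clicked", "submitted", "reported")}

def change_vs_baseline(events, campaign, baseline="baseline"):
    """Rate difference against the baseline (negative means the rate fell)."""
    base, cur = rates(events, baseline), rates(events, campaign)
    return {a: round(cur[a] - base[a], 4) for a in cur}

def follow_up(events, campaign):
    """Users who clicked or submitted: candidates for further training."""
    seen = users_by_action(events, campaign)
    return sorted(seen["clicked"] | seen["submitted"])

def commend(events, campaign):
    """Users who reported the email without clicking or submitting."""
    seen = users_by_action(events, campaign)
    return sorted(seen["reported"] - seen["clicked"] - seen["submitted"])

if __name__ == "__main__":
    print(rates(EVENTS, "q2"), change_vs_baseline(EVENTS, "q2"))
    print("follow up:", follow_up(EVENTS, "q2"), "commend:", commend(EVENTS, "q2"))
```

A user who clicks and then reports appears in the follow-up list rather than the commend list, so both behaviours stay visible in the data.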
Introduce Phishing Training As Part of a Wider Cyber Security Awareness Program
To be truly effective, phishing tests should be introduced as part of a wider cyber security awareness program. This is the best way to educate staff, improve security behaviours and create a more cyber resilient workforce. You can choose topics that address your organisational risks and use a blended approach to engage staff and increase awareness.
In addition to your phishing tests, targeted eLearning, blogs, posters, and infographics can all be used to help reinforce key messaging.
Final Thoughts
Once you have established your phishing awareness program, it’s important to keep up the momentum. Creating a culture of awareness takes time and can’t be achieved by a one-off annual exercise.
Regular phishing tests will help increase employee vigilance, improve awareness, and identify any areas of weakness that could pose a risk to the security of your organisation.