Phishing is a serious problem for companies of all sizes and all sectors. But by using phishing simulation exercises, an organisation can take control of this insidious threat.
Cybercriminals love to phish employees to steal credentials and data, and infect companies with ransomware. The Anti-Phishing Working Group’s (APWG) Phishing Activity Trends Report shows that phishing hit an all-time high in Q2 of 2022. Additionally, these attacks showed a 7% increase in credential theft against enterprise employees.
The result is often catastrophic when a password or other data is stolen: a phishing attack resulted in the U.S. Department of Defense handing over $23.5 million (£19.3 million) to a cybercriminal; the Open University in London experienced over one million phishing attacks over nine months, causing massive disruption, the list goes on.
Why Are Phishing Simulation Programs Important?
Phishing is arguably one of the most successful tools in the cybercriminal arsenal to obtain sensitive information. A RiskIQ report into losses due to cybercrime found that $17,700 (£14,500) per minute was lost because of phishing attacks.
Phishing is a clever method of social engineering that tricks employees and other users into doing things that benefit the hacker. Cybercriminals widely use phishing, with 83% of organisations targeted by phishing attacks in 2021.
As time passes, the hackers behind phishing emails become wise to the automated software systems that prevent phishing, such as anti-spam/email gateway platforms. As a result, the hackers change how phishing scams operate and the content of those emails so that they can evade email gateways.
For example, a report analysing 55.5 million emails sent to Microsoft Office 365 found that 25% of phishing emails containing malicious attachments were allowed through the email gateway built into Office 365. The result is that phishing emails are hard to prevent, and the phishing email ends up in an unsuspecting employee’s inbox, ready to trick them into handing over login credentials or installing malware.
However, this unsuspecting employee can become a cyber-savvy, knowledgeable, security aware employee using regular simulated phishing exercises.
What Happens In A Phishing Simulation Attack?
Simulated phishing attacks are designed to look exactly like an actual phishing attempt. A simulated phishing platform is used to generate simulated phishing emails as part of a dedicated security awareness training campaign. Employees and any other user group needing Security Awareness Training should receive these simulated phishing emails.
The phishing test platform will interact with the user to help train them on the dangers of phishing. However, the platform should also record and audit what happens when that user receives the simulated phishing email. For example, does the user open the email, do they click on a link or download an attachment, and so on?
These events are logged, and reports generated that can be used to assess how successful Security Awareness Training is and which areas need to be improved.
Key Features of The Best Phishing Simulation Software
Advanced simulated phishing software must have several important features:
Mimics Real Phishing Emails
The system must create realistic phishing emails that reflect current phishing campaigns seen in real-life.
Provide a Wide Choice of Templates
The phishing simulation platform should come with a large set of templates that can be used to design a realistic-looking phishing email. The templates should be configurable to match well-known brands and create ‘lookalike’ domain names and URLs.
Can Be Tailored to Reflect Roles
Fraudsters are known to target specific organisational roles, such as HR and accounts payable. Executives are also a targeted group and should be involved in simulated phishing exercises as specific cyber attacks such as Business Email Compromise may affect the C-Level. Therefore, simulated phishing messages should be tailored to groups of employees.
People learn best when they are engaged and have an interactive learning experience. A platform that delivers point-of-need learning allows employees to learn from their mistakes. For example, employees will receive a warning notification if they click on a malicious link.
A point of need interactive experience helps to explain what has happened and the dangers associated with a phishing email. Some advanced systems will take this further and educate the employee on avoidance strategies to help prevent future phishing attempts.
Provides Language Options
Many companies employ English as a second language staff or offices in non-English speaking countries. Therefore, simulated phishing email templates must be able to offer other language support.
Audit and Reporting
The metrics of a simulated phishing exercise are essential as they offer an insight into how well Security Awareness Training is progressing. In addition, metrics detail how many employees are vulnerable to phishing attacks.
Some advanced systems will provide a granular breakdown of phishing metrics to analyse specific departments and user groups. Reports generated from these metrics demonstrate the effectiveness of a phishing simulation program and identify weak areas in staff’s understanding of what phishing entails.
How Effective Are Phishing Simulations?
According to a Cisco survey, phishing emails are difficult to spot, with 86% of companies having at least one employee click a malicious link. And it only takes one employee to click a link and enter login credentials to a spoof website to open the doors to your network. Phishing simulations offer a way to minimise the risk of that one disastrous click.
How Frequently Should You Send a Phishing Simulation?
A USENIX study into the longevity of Security Awareness Training found that employees could still spot phishing emails four months after the initial training. Still, after six months, the employees lost the ability to spot malicious emails.
The report also highlights that videos and interactive training produce the longest lasting results, this level of training lasting a further six months. Therefore, the report recommends that training should be performed every six months. In addition, regular phishing simulations are a good idea because the security landscape also tends to change frequently.