Why You Need To Phish Your Employees

December 13, 2017 2:42 pm David Bisson

Phishing emails, quite simply, are a one-way ticket to gain access to your organisation, whether it be via your drives, network or information assets. The simple way to solve this? Do not click on the link!

Unfortunately, it is not that simple. Cybercriminals are clever and they are targeting individuals with email content that is guaranteed to get their attention. Once an employee becomes curious about the catchy title or the mysterious link, they have been hooked. Phishing emails are also designed to appear as ordinary, everyday emails, such as an invoice from a colleague, a scanned contract or even an email from your IT Support team.

For those of us who have been exposed to, or indeed duped by, phishing emails before, the warning signs are familiar and we know not to click on links. Despite this, it is extremely difficult to predict how your employees would react to such an email. Employees are, more often than not, the weakest link in the organisation, and it is important that you understand how they would react. They need to know how to defend against phishing attacks.

By availing of phishing simulation software such as MetaPhish, you can expose your staff to targeted mock phishing emails. The reporting function allows you to see in real time which staff clicked on the phishing link, as opposed to those who reacted appropriately.

The purpose of this software is not only to evaluate how many of your employees would click the link but also to increase their sensitivity to, and awareness of, these types of emails. The more exposed your staff become to phishing emails, the more likely they are to detect the warning signs and realise that a message is not a genuine communication. Furthermore, those who fail to spot the phish are offered the opportunity to work through a learning experience that educates them on the risks associated with phishing.

By engaging with your staff this way, you will be able to measure your current level of exposure to a phishing attack. If a large number of employees are clicking the links, you know you are highly exposed. Combine a phishing attack with social engineering and it becomes a company’s worst nightmare.

It is vital that your staff know what to look out for in a phishing email.

Some of the early warning signs are as follows:

• Vague greeting

• Bad grammar or punctuation

• You are addressed as “user” as opposed to your name

• “Links” to document downloads

• Subject line that is irrelevant to the body of the email

These are some of the obvious signs but cybercriminals are clever and they are determined to catch you out. Spear-phishing and whaling are more sophisticated methods of phishing (read more on these types of phishing threats here) and are not as easy to spot, mostly due to the fact that these emails have been designed specifically for you and will appear genuine.

In this scenario, what you can look out for is:

• Emails signed by a colleague that you know but have been sent from a different email account

• Suspicious zip file attachments

• Requests to pay a large sum of money into an account

Spear-phishing and whaling attacks will have been created by a cybercriminal who has monitored you on social media, perhaps under the guise of a colleague. They will have targeted you by creating a fake profile of that colleague or, if your social media profiles are set to public, they will have gathered the information on their own.
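The warning signs in the two lists above can be turned into a simple triage check that a security team runs over a reported email before deciding whether to warn the rest of staff. The script below is an added example, not code from the original post or from MetaPhish; the regex patterns, the colleague directory and the sample message are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Body checks for the warning signs listed above; the patterns are assumptions, not a product rule set.
BODY_CHECKS = [
    (re.compile(r"^\s*(?:dear|hi|hello)\s+(?:user|customer|sir/madam)\b", re.I | re.M),
     "vague greeting or addressed as 'user'"),
    (re.compile(r"https?://\S+\.(?:zip|exe|docm?|xlsm?)\b|\bdownload the (?:document|invoice|file)\b", re.I),
     "link to a document download"),
    (re.compile(r"\b(?:wire|transfer|pay)\b.*?(?:[$€£]|\b(?:usd|eur|gbp)\b)\s?\d[\d,]*", re.I),
     "request to pay a sum of money"),
]

def phishing_indicators(raw_message, known_colleagues):
    # known_colleagues maps a display name to the address the organisation really uses (assumed directory export)
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    parts = list(msg.walk())
    attachments = [p.get_filename().lower() for p in parts if p.get_filename()]
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace") for p in parts if p.get_content_type() == "text/plain" and not p.get_filename())
    found = [label for rx, label in BODY_CHECKS if rx.search(body)]
    if any(f.endswith(".zip") for f in attachments):
        found.append("zip attachment")
    # Subject words (4+ letters) that never appear in the body suggest an irrelevant subject line
    words = lambda text: set(re.findall(r"[a-z]{4,}", text.lower()))
    subject_words = words(msg.get("Subject", ""))
    if subject_words and not subject_words & words(body):
        found.append("subject line unrelated to the body")
    expected = known_colleagues.get(name.strip())
    if expected and expected.lower() != addr.lower():
        found.append("signed by a known colleague but sent from a different address")
    return found

# Constructed sample: a spear-phish impersonating a colleague who is in the directory
KNOWN_COLLEAGUES = {"Jane Murphy": "jane.murphy@example.com"}
SAMPLE_MESSAGE = """\
From: Jane Murphy <jane.murphy@mail-relay.invalid>
Subject: Quarterly figures
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear user,
Please transfer EUR 48,500 to the new supplier account and download the invoice: http://files.invalid/invoice.zip
--b1
Content-Disposition: attachment; filename="invoice.zip"

--b1--
"""
```

Running `phishing_indicators(SAMPLE_MESSAGE, KNOWN_COLLEAGUES)` reports all six signs for the sample, while an ordinary note from the colleague's real address yields an empty list.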

All it takes is for one individual to click the link, download the attachment or pay that huge sum of money, and the cybercriminal has won. You have given them access to what they need and the information that they want, downloaded their malware or ransomware, and handed them a hefty reward!

Invest in educating your staff about phishing so they know what to look out for and what to do if they suspect they have fallen victim to an attack. If this is of interest to you, request a demo of our simulation software MetaPhish or our eLearning module Essential Phishing Awareness. You can also contact us to arrange a Staff Awareness Day on phishing.