The do’s and don’ts of phishing simulations

The do’s and don’ts of phishing simulations – Many businesses supplement ongoing security awareness training with simulated phishing tests for the business’s most targeted area: employees.

A phishing simulation/test sends realistic phishing-like emails to employees to gauge their awareness of attacks and assesses their willingness to report similar emails. Phishing simulations supplement ongoing security awareness training and educate employees about how these attacks work.

How is a phishing campaign created?

Cybercriminals use a range of tactics when creating actual phishing campaigns and COVID-19 has worsened the situation to leverage employees working from home and their need for frequent updates. Phishing emails related to COVID-19 news events, package delivery failures, and email issues are among frequent phishing emails directed at employees.

Why is phishing so dangerous?

A single click of a phishing email can cripple a business’s defence and leave a trail of destruction as malware enters the business, spreads through the network, and allows backdoor access for cybercriminals.

According to Proofpoint, 75% of organisations around the world experienced a phishing attack in 2020, and 74% of attacks targeting US businesses were successful. 95% of the sampled organisations delivered security awareness training for employees, but phishing is still the most likely cause of a data breach. 

A single click of a phishing email can cripple a business’s defence and leave a trail of destruction as malware enters the business, spreads through the network, and allows backdoor access for cybercriminals.

Proofpoint goes on to explain that the cost of a successful phishing attack can be broken down into these categories:

• User downtime
• Remediation time
• Damage to reputation
• Loss of intellectual property
• Direct monetary losses
• Compliance fines
• Loss of revenue and customers
• Response and remediation costs
• Legal fees

How to build a successful phishing defence

A well-orchestrated security awareness program that includes engaging materials, combined with simulated phishing simulations is the best way to transform employees from potential targets into a robust line of defence against social engineering attacks, like phishing.

Is it necessary to have both security awareness training and phishing simulations?

In short, yes. Cybercriminals relish change and uncertainty. During uncertain times, security awareness training provides a critical line of communication to users and a critical line of sight into user behaviour. You can also cross-reference users and groups to compare completed training statistics, scoring, and phishing simulation results.

How do I make our phishing simulations successful? The do’s and don’ts of phishing simulations.

The Do’s of phishing simulations is to:

• Bake simulations into your overall plan and user experience – Inform employees that simulated phishing emails will be sent as part of ongoing security awareness training.
• Security awareness training should include phishing training – how to spot a phishing email, how to identify strange links, actions to take, etc.
• Give employees a way out – make sure that there is a well-known process for reporting phishing emails.
• Give employees a way to report phishing consequences – make sure your employees know what to do once they’ve clicked on a link or entered their credentials. You should also have a process to investigate user devices for malware.
• Use an effective approach to improve areas of concern, especially when employees fall for phishing simulations – try to address issues as a team or use an approach that won’t draw attention to a specific employee.
• Always start with a baseline phishing simulation – this will help you measure improvement over time.

The Don’ts of phishing simulations is adverse:

• Unexpected phishing simulations can leave employees feeling targeted and have an adverse effect if you are trying to positively influence behaviour.
• If you have an inadequate or stagnant reporting process, then phishing simulations are not being effectively implemented.
• Naming and shaming employees that click on phishing simulation links usually do not win the hearts and minds of the business.

The famous saying by Peter Drucker is that “Culture eats strategy for breakfast” and this is true for phishing awareness.

The famous saying by Peter Drucker is that “Culture eats strategy for breakfast” and this is true for phishing awareness. The business culture will have a larger influence than planned security awareness and phishing simulations combined. The tone from the top, executive buy-in and support, and explicit communication about the importance of cybersecurity set a strong foundation to influence employee behaviour.