Phishing attacks are among the most dangerous, and the most common, email threats that modern organizations face. Over half of phishing attempts were successful in 2019, as attackers continue to exploit our dependence on email communication in an increasingly digital world. But what do phishing attempts look like?
Phishing targets end users, and it’s important that IT security teams know how these attacks work so they can help protect potential victims. So imagine that you’re in the office, working hard to meet a pressing deadline, when you receive a new email from one of your regular vendors. They’ve sent you an invoice with an updated mailing address. You sign it off, thinking of the bubble bath you’re going to treat yourself to this evening having met your deadline.
Except that you won’t be able to enjoy that bath, because your boss makes an announcement a few hours later that the company has mysteriously lost a few thousand dollars. You check the email from the vendor and your heart sinks as you notice an odd typo in the sender’s address…
Traditional phishing emails target hundreds of recipients at a time. They trick users into opening a link to a webpage where they’re asked to enter personal information. As we’ve learned about their existence, though, we’ve become better at ignoring or reporting phishing emails. However, attackers have developed a more targeted method of phishing: spear-phishing. This is where it becomes personal. The attacker impersonates someone that you trust, such as a regular stakeholder, so that you’re less likely to question them when they ask you for sensitive information. The best way to tackle the threat of phishing is to implement a multi-layered solution. This means combining technical protection, such as a Secure Email Gateway, with human intelligence, such as awareness training.
What Is Phishing Awareness Training?
Phishing attacks slip through gaps in legacy email gateway solutions to target end users directly. As the threat of these attacks grows, organizations are looking for new ways to protect their users. One way of doing this is by implementing awareness training.
Phishing awareness training teaches users how to identify suspicious emails, and how to apply best practices when they receive them. It usually involves users taking a virtual training course, typically made up of scenario-based videos and quizzes. Once they’ve completed the course, users are tested with simulated phishing emails. If they don’t report those emails, administrators can assign them further training.
Why Does Phishing Awareness Training Work?
Phishing awareness training cultivates a security-first mindset that prioritizes data protection and network security. It does this by providing employees with the knowledge and tools they need to combat phishing attacks. Carefully designed programs teach users how to detect and react to threats so that they can help protect sensitive data, rather than being considered an easy way into an organization’s network.
It’s thanks to powerful training and simulation solutions that 2019 saw a decrease in phishing click rates and an increase in reporting rates, despite the volume of phishing attacks increasing year on year.
What Features Should You Look For In a Phishing Awareness Training Platform?
There are a number of different phishing awareness training solutions out there, and it can be difficult to know which one is best suited to your needs. The most effective solutions include the following features, so keeping an eye out for these is a good place to start:
- A multi-media content library that’s regularly updated. Note the emphasis on “multi-media”! Your employees will all have individual learning styles, so a variety of formats will make sure that the content is engaging for everyone. And when the library is regularly updated, you can be sure that it will cover the newest threats that organizations are facing.
- Customization. It’s important that you can build learning paths or tailor modules to target specific threats that your organization is facing. It’s also important that simulated phishing emails designed to test employees can be customized to mimic the types of emails your employees typically receive.
- Interactivity. Quizzes, tests and gamification are sure-fire ways to increase user engagement which, in turn, increases information retention. This means that your employees will remember what they’ve learned and be much more likely to put it into practice.
- Simulations. You need to be able to test what your employees have learned, and the best way to do this is through simulated phishing emails. Users should report these emails, either through the solution’s inbuilt reporting button (see below) or by contacting their IT desk; if they don’t, they’ll be directed to a landing page that explains their mistake.
- A “Report Phishing” button. These inbox plugins allow users to report not only simulated phishing emails, but also genuine threats, to their IT department. They’re a quick and easy way to flag suspicious content. The best simulations go a step further, with automated analysis based on reported phishing attempts, and triaging of reported emails. Agari’s 2020 Phishing Incident Response Survey found that 67% of all reported incidents were false positives, i.e. not real threats at all. Automated analysis saves security teams valuable time by separating false positives from genuine threats, then prioritizing these threats.
- Admin reporting tools. The best simulation solutions include admin reporting so that you can see who is falling for simulated threats. This means that you can direct those employees towards specific training materials, and re-test them in future simulations.
You know how your organization works and which of the above features will be most useful for the way you operate. Generally, though, it’s a good idea to find a solution that incorporates all of them.
There isn’t a single “silver bullet” solution that will offer full protection against phishing threats. It’s important that we implement a multi-layered solution, combining technical and human protection. With phishing awareness training and simulations, you can transform your employees from potential victims into a solid line of defense against phishing threats.
If you’d like some advice on which solutions will work best for your organization, take a look at our guide to the Top 10 Phishing Awareness Training and Simulation Solutions.