How to Run a Phishing Simulation
Phishing attacks have increased dramatically over the last few years, with the global pandemic escalating the situation further. Cybercriminals take advantage of insecurities and fear and play on human nature to trick and deceive. In fact, according to the OAIC, phishing attacks that involved compromised credentials accounted for 30% of all cyber incidents in the first half of 2021. And human error formed a major source of these breaches. Unfortunately, due to the clever social engineering tactics used by cybercriminals, technical filters alone aren’t sufficient to protect against phishing. Phishing emails can easily evade defences such as secure email gateways and expose your business to significant risk. It’s not without hope, though; one of the principal ways to test, evaluate, and reduce the risk of phishing attacks is to use a phishing simulation.
What is a Phishing Simulation?
According to TechRepublic, a global simulated phishing campaign showed that 20% of people quickly click on phishing links, and over two-thirds use their login credentials. Phishing simulation campaigns act as part of internal training programs to raise employee awareness about real-world attacks.
In an email phishing simulation specifically, emails are sent that attempt to capture personal data. The emails use the same tactics as real phishing emails, including attachments or links, fake login forms, or requests for sensitive information. The difference is that it is only a simulation, with no malicious intent. Instead, users are notified that they have encountered a simulated phishing email. The simulation gives your employees a better chance of recognising real-world attacks and reduces the risk to the business.
Top Tips for Running an Effective Phishing Campaign
For email phishing simulations to be effective and have the desired impact, you need to run the campaign in a certain way. This means not criticising wrong behaviour and setting people up for failure. Instead, the campaign should be used as a positive tool to raise awareness, change behaviours and work towards building a security culture within the workplace.
To help ensure your phishing campaign is a success, the simulation should be a learning tool that is used to measure and adjust from the very beginning. Here are some top tips to help you get it right:
- Establish a Baseline - you can’t get to where you need to go if you don’t know where you’ve come from. Kickstarting your awareness campaign with an initial, unannounced phishing email gives you a chance to see how well your employees recognise and report it. Knowing your baseline makes you much better able to track progress and gauge the effectiveness of your efforts.
- Campaign Launch – There are two paths you can take after you begin to establish the baseline.
- Path 1 – Communicate the campaign's intentions briefly and clearly to your employees, stakeholders, and leadership teams. This is the equivalent of giving them a “heads up” that the organisation will be running a phishing simulation.
- Path 2 – Don't. Since the overall outcome of an email phishing campaign is to create teachable moments, you will want to observe and adapt to each person's learning style to be effective. Run the campaign unannounced, prepare training material, and hold leadership debriefings so that testing and measuring continue throughout.
- Educate Your Employees - It is no good sending out phishing emails if you don’t try to educate employees on how to identify them. Graphics, live walkthroughs, presentations, scoring systems, phishing champion awards and videos should be used alongside the phishing simulation campaign to keep security front of mind. Everybody has a different learning style, so work out the best way to position the education platform so that it aligns with the end users and the overall objectives. You can also educate by providing immediate feedback to those who do click on the simulated emails. And, if they get it right, be sure to reward success too and encourage positive behaviours.
- Monitor the Results - It is vital to keep a firm eye on the data from your phishing tests. This will help you to identify trends, vulnerable employees, and training needs. Over time, as you analyse the results from your phishing simulations, you should see fewer people clicking and submitting sensitive information and hopefully more people reporting the simulated email as suspicious.
- Adapt Your Tactics - once you’ve reported on your first phishing test, it’s time to do it all over again. Use the results to adapt your campaign. This might mean providing training on specific elements or to particular teams or departments. Or, if your employees have done well, you can try sending more difficult-to-detect phishing emails to test them further.
You’ll find these tips and tricks can make all the difference to your phishing simulation campaign. And, for another bonus tip, remember you don’t have to make up phishing emails from scratch. Why not use an actual phishing email that has come through to your business? That way, your simulations will be even more realistic.
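The Monitor the Results and Adapt Your Tactics steps above assume you can turn raw simulation outcomes into campaign-over-campaign trends, a per-department breakdown, and a list of people and teams that need targeted training. The following is an added example, not code from the original article or from InfoTrust: it assumes one result record per recipient per campaign (whether they clicked, submitted data on the simulated form, or reported the email), and all the sample data is constructed. It handles an empty campaign without dividing by zero and treats falling click and submission rates alongside a rising report rate as the success signal the article describes.

```python
"""Phishing-simulation metrics for the 'Monitor the Results' step.

Added example with constructed data; the record layout (campaign, user,
department, clicked, submitted, reported) is an assumption, not a real
product's export format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str      # e.g. "baseline" or "round-2"
    user: str
    department: str
    clicked: bool      # followed the simulated link
    submitted: bool    # entered data on the simulated form
    reported: bool     # flagged the email as suspicious


# Constructed sample results: five recipients across two campaigns.
RESULTS = [
    Result("baseline", "u1", "finance", True, True, False),
    Result("baseline", "u2", "finance", True, False, False),
    Result("baseline", "u3", "sales", False, False, True),
    Result("baseline", "u4", "sales", True, False, False),
    Result("baseline", "u5", "it", False, False, True),
    Result("round-2", "u1", "finance", True, False, False),
    Result("round-2", "u2", "finance", False, False, True),
    Result("round-2", "u3", "sales", False, False, True),
    Result("round-2", "u4", "sales", False, False, False),
    Result("round-2", "u5", "it", False, False, True),
]


def rates(results):
    """Click, submission and report rates as fractions of recipients."""
    n = len(results)
    if n == 0:  # an empty campaign must not crash the report
        return {"recipients": 0, "click_rate": 0.0,
                "submit_rate": 0.0, "report_rate": 0.0}
    return {
        "recipients": n,
        "click_rate": sum(r.clicked for r in results) / n,
        "submit_rate": sum(r.submitted for r in results) / n,
        "report_rate": sum(r.reported for r in results) / n,
    }


def by_campaign(results):
    """Rates for every campaign in the data set."""
    groups = defaultdict(list)
    for r in results:
        groups[r.campaign].append(r)
    return {c: rates(g) for c, g in groups.items()}


def by_department(results, campaign):
    """Rates per department within one campaign."""
    groups = defaultdict(list)
    for r in results:
        if r.campaign == campaign:
            groups[r.department].append(r)
    return {d: rates(g) for d, g in groups.items()}


def repeat_clickers(results):
    """Users who clicked in more than one campaign: targeted-training candidates."""
    clicks = defaultdict(set)
    for r in results:
        if r.clicked:
            clicks[r.user].add(r.campaign)
    return sorted(u for u, cs in clicks.items() if len(cs) > 1)


def training_candidates(results, campaign, click_threshold=0.5):
    """Departments whose click rate in a campaign meets the threshold."""
    return sorted(d for d, m in by_department(results, campaign).items()
                  if m["click_rate"] >= click_threshold)


def trend(results, first, second):
    """Change in each rate between two campaigns.

    Negative click/submit deltas and a positive report delta are the
    direction the programme is aiming for.
    """
    a = rates([r for r in results if r.campaign == first])
    b = rates([r for r in results if r.campaign == second])
    return {k: round(b[k] - a[k], 3)
            for k in ("click_rate", "submit_rate", "report_rate")}


if __name__ == "__main__":
    for name, m in by_campaign(RESULTS).items():
        print(name, m)
    print("trend:", trend(RESULTS, "baseline", "round-2"))
    print("repeat clickers:", repeat_clickers(RESULTS))
    print("teams needing training (baseline):",
          training_candidates(RESULTS, "baseline"))
```

In practice the `RESULTS` list would be loaded from your simulation platform's export; the threshold in `training_candidates` is a tuning knob, and the trend between the baseline and each later round is the figure worth tracking over time.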
The Importance of Security Awareness
To protect your business against today’s advanced threats, you need a layered approach to security. That will include multiple technical solutions, but security awareness is a vital piece of the puzzle too. If phishing emails evade your security systems, your employees are often your last line of defence.
Phishing simulations offer a reliable way to increase security awareness. If you approach it in the right way, you can build confidence and trust amongst your employees and protect your business from serious damage. At InfoTrust, our suite of security awareness services includes a phishing simulation as-a-service where you can run tailored campaigns. Empower your employees and reach out to the InfoTrust team today.