With new ransomware strains appearing daily, businesses are on high alert for online security risks, and with good reason.
The PhishMe Malware Review revealed that the share of phishing emails carrying some form of ransomware grew to 97.25% during the second half of 2016.
This is particularly troubling given that Friedrich-Alexander University reported that 78% of people who claim to be aware of the risks of unknown links in emails click them anyway.
Knowing how susceptible your employees are to phishing scams is the first step in a layered security approach.
In this edition of Newsflash we discuss how to test your employees with simulated phishing, how to turn the results into learning opportunities, and training techniques that keep your staff on the lookout for attempts to breach your security.
What is a phishing scam?
Before we look at simulated phishing, it is best to first consider what a phishing scam actually is. A phishing scam is a social engineering attempt to gain access to your business’ files and sensitive data by tricking a recipient into handing over credentials or running malware, usually through malicious links or attachments in email.
The term ‘phishing’, first coined in 1996 by hackers stealing AOL accounts and passwords, employs the analogy of angling: scammers send email ‘lures’ and lay out ‘hooks’ to ‘fish’ for passwords and financial data.
The ‘f’ is replaced with ‘ph’ as a nod to the original form of hacking known as phone phreaking: the reverse engineering of the tone sequences used to route long-distance calls.
While phreakers manipulated tone sequences to obtain free calls, phishers trick or socially engineer an email recipient into revealing private information or opening something malicious. Your security systems may protect you from direct hacking attempts, but they are of very little use at your business’ most vulnerable point of access: your employees.
How phishing harms your business
The ways in which phishing harms businesses have changed in recent years. What was once a way for scammers to use a trusted brand in fake emails to extract victims’ personal data has become an effective way for attackers to plant ransomware that can cost you thousands of dollars.
Employees are a business’ first line of defense against these kinds of attacks, but it is growing increasingly difficult to separate legitimate emails from scams. This is made worse by the speed at which we need to process information just to keep up with the volume of email we are expected to handle every day.
According to a recent report by the Radicati Group, the average office worker sends and receives 121 emails per day. Phones beep all day with notifications, and in the meantime your employee may be juggling meetings across teams or via group chat.
With all of this going on, could your employee recognise a scam email at first glance before opening it?
This is where simulated phishing proves a vital tool for vulnerability identification and staff education.
Simulated phishing testing is the first step in layered security
If the old adage ‘once bitten twice shy’ is true, it is best that the first to scam your employees should be you.
Simulated phishing lets you manage the mailout of purpose-built “scam emails” to test your employees. Each email carries a link or attachment unique to its recipient; when an employee clicks what would have been a malicious link or downloads a suspicious attachment, they land on a page that explains exactly what has happened, and the click is recorded against that employee.
While phishing your own users may seem extreme, this kind of vulnerability testing belongs alongside a quality antivirus and a solid firewall: those controls do not stop a user from handing over a password or opening an attachment. It is a fun and effective cybersecurity best practice for patching your first and last line of defense: your users.
Who can I trust to facilitate the testing?
Like any business investment, finding a reputable tester takes time. Finding the necessary skills and expertise is generally one of the hardest parts of any security testing, and this is where an IT security firm comes in.
Here’s what you should be looking for in an IT security firm and simulated phishing provider.
- Customise the phishing test template based on what your business does, so the lure looks like email your staff actually receive.
- Let you choose the landing page: one that shows users which red flags they missed, or a plain 404 error page for tests where you do not want to tip the user off immediately.
- Provide full reports on how many simulated “infections” (link clicks and attachment downloads) occurred and who was caught out, so that training opportunities can be maximised.
- Offer customisable landing pages with direct links to online training for employees.
- Ensure your employees know to whom they should report suspected phishing attempts, and that reports are counted alongside clicks.
- Keep testing employees on their weak areas so they become more aware of the social engineering techniques that have caught them out in the past.
Ultimately, the test of a quality simulated phishing campaign lies in the training: helping employees recognise where they went wrong so that a real infection is prevented in the future.
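To make the mechanism behind a simulated phishing campaign concrete, here is an added example, not code from the original newsletter or from any simulation provider. It shows the bookkeeping a provider does for you: a per-recipient tracking link built from an HMAC (so one employee cannot derive or guess a colleague’s link, and tokens from an old campaign do not resolve in a new one), the parsing of the landing page’s access log to attribute clicks, and a report of who clicked, who reported the email, and who needs retraining. The landing host, campaign name, secret, recipient addresses and the log lines are all constructed for the demo and are assumptions, not real data.

```python
"""Minimal simulated-phishing campaign tracker (added example)."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical values for illustration only; a real campaign would use a
# randomly generated secret and your own training host.
LANDING_HOST = "training.example.internal"
CAMPAIGN_ID = "q2-invoice-lure"
CAMPAIGN_SECRET = b"replace-with-a-random-32-byte-secret"
RECIPIENTS = ["alice@example.com", "bob@example.com",
              "carol@example.com", "dave@example.com"]


def make_token(secret, campaign_id, email):
    """Per-recipient tracking token: HMAC over campaign id and address, so a
    user who reads their own link cannot derive a colleague's, and a token
    from an earlier campaign does not resolve in this one."""
    msg = f"{campaign_id}|{email.lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def build_links(secret, campaign_id, recipients):
    """{email: unique tracking URL} to merge into the lure template."""
    return {email: f"https://{LANDING_HOST}/c?t={make_token(secret, campaign_id, email)}"
            for email in recipients}


def resolve_token(secret, campaign_id, recipients, token):
    """Map a token seen in the landing-page log back to an employee, or None."""
    for email in recipients:
        if hmac.compare_digest(make_token(secret, campaign_id, email), token):
            return email
    return None


# Request part of a combined-format access log line: "GET /c?t=... HTTP/1.1" 200
_REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def clicks_from_log(secret, campaign_id, recipients, log_lines):
    """Return (set of employees who clicked, count of hits with unknown tokens)."""
    clicked, unknown = set(), 0
    for line in log_lines:
        m = _REQ.search(line)
        if not m:
            continue
        url, status = urlparse(m.group(1)), m.group(2)
        if url.path != "/c" or status != "200":
            continue  # favicon, scanners, errors: not a lure click
        token = parse_qs(url.query).get("t", [""])[0]
        who = resolve_token(secret, campaign_id, recipients, token)
        if who is None:
            unknown += 1  # forged, mistyped or stale token: worth a look
        else:
            clicked.add(who)  # repeat clicks by one person count once
    return clicked, unknown


def campaign_report(secret, campaign_id, recipients, log_lines, reported_by):
    """Summary the way a provider's report would present it."""
    clicked, unknown = clicks_from_log(secret, campaign_id, recipients, log_lines)
    reported = set(reported_by) & set(recipients)
    return {
        "sent": len(recipients),
        "clicked": sorted(clicked),
        "click_rate": round(len(clicked) / len(recipients), 2),
        "reported": sorted(reported),
        "unknown_tokens": unknown,
        "retrain": sorted(clicked - reported),  # clicked and did not report it
    }


def sample_log(links):
    """Constructed landing-page access log for the demo, not real traffic."""
    t = lambda email: links[email].split("t=")[1]
    return [
        f'10.0.0.12 - - [03/Apr/2017:09:14:02 +0000] "GET /c?t={t("alice@example.com")} HTTP/1.1" 200 512',
        '10.0.0.12 - - [03/Apr/2017:09:14:03 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
        f'10.0.0.31 - - [03/Apr/2017:09:20:47 +0000] "GET /c?t={t("bob@example.com")} HTTP/1.1" 200 512',
        f'10.0.0.31 - - [03/Apr/2017:09:20:59 +0000] "GET /c?t={t("bob@example.com")} HTTP/1.1" 200 512',
        '10.0.0.77 - - [03/Apr/2017:11:02:10 +0000] "GET /c?t=deadbeefdeadbeefdeadbeefdeadbeef HTTP/1.1" 200 512',
    ]


if __name__ == "__main__":
    links = build_links(CAMPAIGN_SECRET, CAMPAIGN_ID, RECIPIENTS)
    report = campaign_report(CAMPAIGN_SECRET, CAMPAIGN_ID, RECIPIENTS,
                             sample_log(links), reported_by=["bob@example.com", "carol@example.com"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the demo, Alice clicks, Bob clicks twice but also reports the email, Carol reports without clicking, and someone with a guessed token hits the landing page; the report counts Bob once, flags the unknown token, and lists only Alice for retraining. Binding the campaign id into the HMAC is what lets you re-run a test on the same people later without old links polluting the new results.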