Someday, maybe on a day just like today, your employees will get a phishing email.
The sheer number of such emails zipping around cyberspace guarantees this. Analysts from the Anti-Phishing Working Group recorded more than 1.2 million phishing attacks in all of 2016. That’s an increase of 56% from the year before, and the most the Working Group has ever recorded.
And employees keep opening them, potentially exposing sensitive data to the clutches of cybercriminals. Verizon’s 2016 Data Breach Report tells us that users opened 30% of phishing emails in 2015; up from 23% the year before.
Clearly, phishing attempts as a way into organizations’ sensitive data show no signs of slowing down. Enter the phishing simulation campaign, an increasingly popular way for employers to see how vulnerable their people are to this social engineering attack.
But what makes a good simulated phishing campaign? Though MediaPro offers its own phishing tool and associated training, we’ve developed some tips and tricks that can apply to any phishing initiative you may launch. An important point to remember, though, is this: in our experience, phishing does not equal training.
Simulated phishing campaigns are not a panacea and will not by themselves fix your employees’ risky behaviors. Industry analysts at Gartner say as much, in their report Innovative Insight for Anti-Phishing Behavior Management:
“Anti-phishing behavior management solutions are not a tool for initiating cultural change. Assess your organizational culture first, and deploy anti-phishing as part of a comprehensive program of security behavior management and education.”
The best results come from using simulated phishing campaigns as ways to find members of your organization who need training the most. Then, follow up with these employees with real remediation, like trackable training modules tied to a learning management system (LMS) and reinforcement content, such as videos and games.
With that said, phishing your own employees has benefits. Here are some best practices for getting the most out of your phishing campaigns.
Before You Phish
Before you begin your campaign, there are a few things you should consider. First, we recommend telling your employees to expect simulated phishing emails. Why tip them off to what is essentially a pop quiz? To make them feel like part of the team.
The goal of your phishing campaign is to provide employees with a safe, simulated environment where they can learn about what real phishing attempts look like in the wild. It shouldn’t feel like a “gotcha” moment, or an attempt to make your employees feel stupid. Alerting your employees beforehand is a good way to make them feel like you’re all working together toward keeping your organization’s digital infrastructure and sensitive data safe.
This announcement is also a good time to remind your employees why it’s so important to recognize suspicious emails. Real malicious emails can come with a wide and terrifying variety of malware, including the infamous ransomware. These attacks can lead to data loss and breaches, which result in damaged reputation, loss of customer trust, loss of revenue, and even fines. It’s up to everyone to keep your organization safe! Try getting your CEO involved and position the announcement as a letter from him or her to drive home the top-down importance your organization gives to cybersecurity awareness.
Second, (that was a long “first,” wasn’t it?) make sure you inform other departments within your organization if you’re planning to spoof emails from them (we’ll talk more about using a variety of spoofed emails later).
Hackers are going to send your employees emails that appear to come from individuals, like a CEO looking for an urgent wire transfer, or departments, like HR, asking for a quick turnaround on personal information. Get the participation of those individuals before the campaign, so you can make sure that you’re not interrupting their normal work with a flood of worried emails from your employee population.
Ready, Set, Phish!
Now let’s turn to the phishing campaign strategy itself. What sort of emails should you send, and how often? What should the emails say? Hackers show no lack of creativity when it comes to phishing, so your campaigns should reflect that.
Variety in the email content itself is key. First, consider varying the type of attacks you spoof. Bad actors will send malicious emails asking your employees to open attachments, or simply click on a link. Try campaigns using one, or both, of these attack vectors. Also, consider mixing up the source of your spoofed emails. Is that an actual package notification from a major shipping company? Is that request for tax information actually from your own HR department? Both are common real phishing attempts, which means both are fodder for your campaign.
Make Them Believe It
Variety in email content blends into another point: believability. If you’re spoofing an email that’s meant to look like it’s coming from your HR department, use appropriate company language, terms, and names. A request for personal employee information makes no sense coming from your IT staff, but a password reset notification does. We should reiterate here: tell your internal departments you’re going to be spoofing emails from them before you send any emails!
You should follow the same strategy for spoofed external emails. Fake shipping notifications are best used around the holidays when your employees are more likely to expect packages. Fake emails concerning income taxes are best sent around tax season for, well, we hope pretty obvious reasons.
No matter the strategy, making your phishing attempts look real is important to finding out your employees’ true knowledge of the real phishing threats out there in the wild. A very important caveat to keep in mind here: be sure not to infringe upon the copyrights of any private companies or government agencies. Logos are trademarked for a reason, and most organizations would not respond kindly to their logos being included in any phishing emails, even if they’re fake.
Timing is Everything
When we speak of variety, we also mean how often you send out emails. It’s vital to phish employees more than once with different types of emails over the life of your campaign. This way, you’ll get a truer gauge of what attack vectors your people are most susceptible to.
Depending on the results of your very first send, you’ll want to space phishing campaigns out over several weeks to once per quarter to hone in on what types of emails trip your employees up the most. This will help inform what sort of training content to deploy later.
Turning the Dial
Another place for variety is in the complexity of your phishing campaigns. Fake shipping notifications, too-good-to-be-true sweepstakes announcements—these are great ways to get started with your phishing campaign. But as you progress, you’ll likely start to notice click rates go down and reporting rates go up as your employees begin to expect getting phished. This is where measured increases in campaign complexity come in. Spoofed internal emails, for example, often prove harder to spot because there’s a certain level of trust inherent in an email that appears to be from a colleague.
You can also achieve increasing complexity through department-specific campaigns. For example, clients often tell us that HR staff members are particularly susceptible to spoofed emails with attachments. This is likely because HR personnel are the first point of contact for job applications, which often come with attached resumes, work samples, etc. Whatever the method, you’ll want to gradually “turn the dial” on your campaigns’ complexity to make sure your employees are continually challenged.
After the Phish
So your campaign, or set of campaigns, has run its course. Now what? It’s time to look at the data. First of all, congratulate the people who passed! Use the results to send those individuals an email and thank them for being diligent and protecting the company from threats. Also consider providing rewards for those who consistently avoid phishing attempts, such as gift cards, or a lunch on the company. Everyone loves free food!
For the people who consistently fell for your spoofed emails, follow up with training courses in a real LMS, so their progress can be tracked. In MediaPro’s own Phishing Simulator, targets who click on phishing lures see a teachable moment on the landing page that’s displayed to them. But you can also configure the campaign to automatically enroll them in real training inside of MediaPro’s LMS. In the LMS, administrators can track each employees progress to make sure they complete their training. Admins can also set due dates for training and automate the sending of reminder emails that are sent to employees until the training is finished.
In addition to separating the easily phished from the rest, note what departments are most susceptible and measure whether they’re getting better or worse. Seeing total clicks go down is the most common indicator of improvement, but user reporting is another very powerful tool. Seeing your click rate steadily drop is always the primary goal, but a steady rise in the in people reporting phishing messages is another key way to measure improvement.
Phish, and Phish Again!
Most importantly, re-phish your employees! We see re-phishing following deployed training content as mandatory for a truly successful awareness initiative. Determine who has already fallen prey to previous phishing attacks, follow-up with them, and see if they’ve improved.
One-off phishing campaigns don’t teach. Phishing simulation is testing, and you need regular testing to measure your employee population and make sure that their defenses remain strong.
Put simply: Practice makes perfect. Your employees, like a professional football team, need to practice regularly to stay sharp. It takes a regular stream of varied approaches to ensure employees keep their skills honed and perform their best when it really counts.
More than Phishing
At MediaPro, we believe a simulated phishing campaign is a great way to stress-test employee awareness about phishing … but it should not stand on its own.
Since any phishing weakness among your employees is likely a symptom of a larger lack of understanding about cybersecurity best practices, anti-phishing training alone won’t provide the cure. It’s likely that the same employees who click on phishing emails also have a poor grasp on things like password security, safe mobile computing practices, and more.
A comprehensive security awareness program identifies all of your behavioral risks and includes regular training and reinforcement that seeks to change employee behavior and build a risk-aware culture.
Such a culture will help inoculate an organization against myriad cybersecurity threats for years to come.
This article is based on our on-demand webinar “Phishing Best Practices,” featuring two MediaPro experts discussing the ins and outs of successful phishing campaigns. Watch it here for free.