IT pros air their opinions on phishing employees

There’s no denying that phishing attacks are on the rise. With upward of 2.9 billion email users worldwide and the sophistication of phishing attacks always improving, hackers will stop at nothing to lure in their prey. From elaborately cloned sites to perfectly worded emails encouraging recipients to dole out cash for gift cards, hackers have a number of useful tricks up their sleeve, much to the chagrin of IT professionals.

Fortunately, by using real-world phishing simulations and providing consistent opportunities for training, IT pros can prepare their employees for the appearance of nefarious senders in their email inbox.

But not all IT pros agree that the awareness gained is worth launching simulated attacks against unsuspecting employees.

What is phishing?

Phishing is a type of fraud in which an attacker tries to harvest personal information or credentials by impersonating a trusted brand, service or person. Phishing typically takes place over email, and at any given time a variety of phishing scams are in circulation.

“Phishing attacks continue to grow in popularity because, unfortunately, they work,” said George Anderson, product marketing director at Webroot. “Hackers weaponize the simple act of clicking and employ basic psychological tricks to inspire urgent action. It is vital that consumers educate themselves on how to protect both their personal and financial data and what steps to take if their information is compromised or stolen.”

For businesses, this means combining the latest detection, protection, prevention and response technology with consistent attack training and education so IT professionals can successfully mitigate phishing attacks among employees.

Should IT pros leverage real-world phishing simulations?

While real-world phishing simulations can serve as an effective means of training for unsuspecting employees, not all IT pros agree this type of training is beneficial.

Lisa Plaggemier, Chief Strategy Officer at security and privacy training company MediaPRO, shared that while educating employees on cybersecurity awareness is always a priority, testing employees’ ability to identify scams in high-stress environments can risk agitation and anger among employees, rather than increased awareness.

Reuben Yonatan, founder and CEO of GetVoIP, agreed with Plaggemier to an extent, sharing that sending phishing emails to employees can be a double-edged sword for a multitude of reasons.


“If the company sends them sparingly, then they are useful in ensuring employees stay on guard. On the flip side,” he continued, “If the company overdoes it, then employees will be angry, and they will stop being on guard. When there is a genuine threat, employees will be caught unaware. Therefore, as a company, do not do away with phishing emails completely. Instead, walk that fine line between doing it just right and overdoing it.”

Christopher Gerg, CISO and VP of Cyber Risk Management at Tetra Defense, would rather skip real-world phishing simulations altogether; he believes that awareness campaigns are far more effective than “gotcha” style phishing simulations.

“Awareness campaigns are becoming more effective simply because of better ‘buy-in’ from employees. It takes regular and varied awareness education mechanisms to keep it top-of-mind, however. A regular email reminder gets ignored eventually, and negative messaging reduces compliance and morale,” he shared.

For Gerg, the best thing IT pros can do is to provide employees with continuous opportunities for education and training. He also encourages IT departments to keep lines of communication open and set clear expectations when it comes to email requests.

“It is also important to continuously educate employees that C-level executives will not make requests of them to buy gift cards, transfer money, or pay a bill through email or social media channels.”

Set clear expectations among employees

For IT pros who want to steer clear of real-world phishing simulations, Brian Wilson, CISO at the SAS Institute, suggests setting clear expectations when it comes to raising awareness among employees.

“Set expectations on how your company will and won’t initiate contact with employees,” Wilson explained. “Fraudsters are known to call individuals, claiming to be from IT and offering assistance. If an employee doesn’t know how to validate a call, they could unwittingly become the weakest link. Just like we encourage consumers to call the 800 number on the back of the card should someone claiming to be from the bank contact them, it’s wise to make similar recommendations for engagements with IT.”

While phishing attacks of the past were often sent in bulk, resulting in impersonal and frequently nonsensical greetings, today’s phishers are far savvier, which makes it all the more important for IT pros to set expectations when explaining phishing risks to employees.

The better informed your employees and teammates are, the less likely they are to fall for a phishing attack. Employees and team members should have a thorough understanding of how IT interacts with individual employees and the organization as a whole. They should receive regular communications regarding current phishing tactics and understand what to look out for if a hacker decides to go phishing in their inbox.

Teach employees to expect the unexpected

While the most common phishing attacks might include mimicking an organization’s brand identity or sending a malicious URL, a true IT pro would tell you that not all phishing attacks are the same. In a Webroot study, 81% of participants were aware phishing attempts could occur through email but failed to recognize the many other ways hackers conduct phishing attacks.

“Email is not the only way that phishers will attempt to gain access to your accounts,” shared Tom DeSot, EVP and CIO at Digital Defense, Inc. “They may also do so by vishing or smishing.”

Vishing (phishing by voice call) and smishing (phishing by SMS text message) rely on the same tricks as email phishing, just over a different channel. When speaking with employees about potential phishing schemes, be sure to include even the most creative and outlandish scenarios in which an attacker might try to obtain personal or confidential company information. When it comes to tech-savvy phishers, employees should expect the unexpected.

Remember to be flexible

While it’s important for your employees not to let their guard down when refreshing their inbox or clicking that questionable link, it’s also important to be flexible. You want employees to feel comfortable engaging with IT about their cybersecurity struggles. Employees should feel comfortable sharing that they’ve received a phishing email, rather than navigating next steps on their own.

“Give employees avenues to openly communicate with your security and IT staff beyond submitting a trouble ticket,” encouraged Wilson. “Your employees want to do the right thing, so be available via many mediums to meet employees where they are and keep lines of communication open.”

With trust, respect and consistent education, employees should have the knowledge and know-how to recognize a phishing attack. Whether it’s the company CEO or the newly minted receptionist, there’s no better defence against phishing than keeping your employees and teammates educated and well-informed.