Phishing Testing: Building Your Human Firewall
Phishing is becoming a major threat vector for organizations all around the world.
Phishing is the practice of sending illegitimate emails designed to elicit a response from the end user, whether that is clicking a link that infects their machine with malware or tricking them into volunteering information they would not normally provide, such as a password or other details useful to the attacker.
Frighteningly, all signs point to phishing attacks becoming more prevalent by the day. According to Webroot, nearly 1.5 million new phishing landing pages are created every month.
So, why is phishing so popular? I can think of a few reasons.
First, it is relatively inexpensive. Sending an email is practically free, aside from the time it takes to set up. Email accounts are also ubiquitous: most people have at least two or three. I have a personal email account, a corporate account, social media accounts, and so on, and these accounts are accessed on multiple devices, such as smartphones, tablets, and other personal and corporate devices.
So if you are the bad guy launching a phishing attack, one email can reach several devices, and if you send the same phishing attempt to multiple email accounts the same person controls, you expand the reach of the attack even further. All it takes to cause a significant cybersecurity incident is one wrong click.
WHAT IS A PHISHING TEST?
Phishing testing is perhaps one of the most effective measures a company can take to protect their business.
A phishing test is an exercise where a fake phishing email is created and sent to a defined group of users. When the user receives the email, they can interact with it just as they would with a normal email. But when they click through and engage with it, they are taken to some kind of landing page.
Depending on the goals of the test, this page can be a plain “404 error” style page (if you do not want users to know they are being tested) or an educational page that explains the nature of phishing and other security threats to build greater awareness over the long term. Data on the emails sent, such as who received them, who clicked through, and so on, is then logged for analysis.
Typically, management will then review the results with their IT advisor and talk about how to improve awareness and/or develop a more robust security posture if needed.
To get the most value from phishing testing, I recommend performing multiple tests per year, where different types of emails are sent to users on a regular basis. The content of these emails should be varied and personalized to the audience.
For example, an organization that works in the healthcare space should probably get at least one phishing test that appears to relate to healthcare industry concerns. In general, you want these tests to be tricky in order to build a hardened level of awareness: the better users become at identifying the less easily recognized fake phishing emails, the more likely they are to avoid the real attacks.
I would also recommend sorting users who have a difficult time recognizing phishing emails into their own group to receive additional, custom training. Some users who receive these phishing tests are quick learners, and we see their click rates drop off sharply after the initial tests, but other users will inevitably have a harder time.
This kind of managed approach to dealing with users who are having difficulty will result in lower risks and better awareness in the future.
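The two pieces of the process described above, logging who received and who clicked each test email and then sorting repeat clickers into a custom-training group, can be done with a short script over the simulation logs. The following is an added example, not code from the article or from any phishing-testing product: the CSV log format (one row per event with campaign, user, event and timestamp), the event names "sent" and "clicked", the sample data, and the two-campaign threshold for the remedial group are all assumptions chosen for illustration.

```python
"""Analyse phishing-simulation logs: per-campaign click rates, the trend
across campaigns, and a remedial-training group of repeat clickers.

Added example, not the article's code. The log format, event names and the
threshold for remedial training are assumptions for illustration.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample data: three campaigns sent to the same five users.
# bob clicks twice in the first campaign (must count once) and "ghost"
# clicks in a campaign they were never sent (a data error; must be ignored).
SAMPLE_LOG = """campaign,user,event,timestamp
2024-Q1-invoice,alice,sent,2024-01-15T09:00:00
2024-Q1-invoice,bob,sent,2024-01-15T09:00:00
2024-Q1-invoice,carol,sent,2024-01-15T09:00:00
2024-Q1-invoice,dave,sent,2024-01-15T09:00:00
2024-Q1-invoice,erin,sent,2024-01-15T09:00:00
2024-Q1-invoice,alice,clicked,2024-01-15T09:12:41
2024-Q1-invoice,bob,clicked,2024-01-15T09:15:03
2024-Q1-invoice,bob,clicked,2024-01-15T09:15:20
2024-Q1-invoice,carol,clicked,2024-01-15T10:02:17
2024-Q1-invoice,dave,clicked,2024-01-16T08:30:55
2024-Q2-hr-policy,alice,sent,2024-04-10T08:30:00
2024-Q2-hr-policy,bob,sent,2024-04-10T08:30:00
2024-Q2-hr-policy,carol,sent,2024-04-10T08:30:00
2024-Q2-hr-policy,dave,sent,2024-04-10T08:30:00
2024-Q2-hr-policy,erin,sent,2024-04-10T08:30:00
2024-Q2-hr-policy,bob,clicked,2024-04-10T08:41:12
2024-Q2-hr-policy,dave,clicked,2024-04-10T13:05:48
2024-Q2-hr-policy,ghost,clicked,2024-04-11T07:00:00
2024-Q3-patient-portal,alice,sent,2024-07-22T11:00:00
2024-Q3-patient-portal,bob,sent,2024-07-22T11:00:00
2024-Q3-patient-portal,carol,sent,2024-07-22T11:00:00
2024-Q3-patient-portal,dave,sent,2024-07-22T11:00:00
2024-Q3-patient-portal,erin,sent,2024-07-22T11:00:00
2024-Q3-patient-portal,dave,clicked,2024-07-22T11:47:09
"""


def parse_events(text):
    """Parse the CSV log into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def _sent_and_clicked(events):
    """Per campaign: the set of recipients, and the subset of recipients who
    clicked. Sets deduplicate repeat clicks; clicks by non-recipients are dropped."""
    sent, clicked = defaultdict(set), defaultdict(set)
    for e in events:
        if e["event"] == "sent":
            sent[e["campaign"]].add(e["user"])
    for e in events:
        if e["event"] == "clicked" and e["user"] in sent.get(e["campaign"], set()):
            clicked[e["campaign"]].add(e["user"])
    return sent, clicked


def campaign_stats(events):
    """Return {campaign: (recipients, clickers, click_rate)} for the review meeting."""
    sent, clicked = _sent_and_clicked(events)
    return {
        camp: (len(users), len(clicked[camp]), round(len(clicked[camp]) / len(users), 3))
        for camp, users in sent.items()
    }


def click_trend(events):
    """Click rates in chronological campaign order (earliest 'sent' timestamp);
    a falling series is the drop-off in click rates the article describes."""
    first_sent = {}
    for e in events:
        if e["event"] == "sent":
            ts = e["timestamp"]  # ISO-8601 strings sort correctly as text
            first_sent[e["campaign"]] = min(ts, first_sent.get(e["campaign"], ts))
    stats = campaign_stats(events)
    return [(camp, stats[camp][2]) for camp in sorted(first_sent, key=first_sent.get)]


def remedial_group(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns: the group
    to move into additional, custom training. The threshold is an assumption."""
    _, clicked = _sent_and_clicked(events)
    per_user = defaultdict(set)
    for camp, users in clicked.items():
        for user in users:
            per_user[user].add(camp)
    return sorted(u for u, camps in per_user.items() if len(camps) >= min_campaigns)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    stats = campaign_stats(ev)
    for camp, rate in click_trend(ev):
        recipients, clickers, _ = stats[camp]
        print(f"{camp}: {clickers}/{recipients} clicked ({rate:.1%})")
    print("remedial training group:", remedial_group(ev))
```

Counting distinct users rather than raw click events matters: one curious user clicking the same link three times should not triple a campaign's click rate, and a click recorded for someone who was never on the recipient list is a logging error rather than a finding. The threshold in `remedial_group` is the knob management tunes: two clicks across separate campaigns is a reasonable starting point, while a stricter program might also weight clicks on the more recent, harder tests.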
DO I NEED TO DO A PHISHING TEST?
Most likely, yes – your organization needs to do this. Not only do certain compliance standards require security awareness training, and sometimes specifically prescribe a phishing test, but it is also immediately obvious that this is an external threat that most employees are not prepared to recognize and deal with.
Phishing scams target the ignorance of the end user, and given the volume of attacks, it is really just a numbers game before someone with little awareness falls for a trap with major impact. If you expect your staff to use email regularly for business, you can see how this growing threat represents a significant challenge to managing risk for your organization.
One significant cybersecurity incident, like a ransomware attack, will cost the organization far more than a managed phishing testing and cybersecurity awareness program.