Savvy organizations know they can no longer ignore today’s phishing epidemic. Just when they think they have a handle on the situation, the phish evolves, becoming even more sophisticated to gain the trust of unsuspecting employees. So what can organizations do to fight back? Many turn to the tried-and-true method of the awareness training program. But is that enough?
Email Phishing Awareness Training
Employee knowledge of phishing tactics can be all over the map; some may be well-versed in phishing schemes, while others may never have even heard of phishing with a “ph.” So, awareness training—explaining the various types of phishing emails, what to look for, and what to do if a phish is suspected—is a logical and smart first step.
Unfortunately, too many organizations don’t think of awareness training as a step, but as the be-all, end-all of email phishing protection. Worse, far too many treat awareness training as a lunch and learn, “one and done” event. That’s a mistake. After perhaps a few weeks of remaining alert, people have a tendency to fall back into their old ways, and before you know it they’re clicking links and opening attachments with abandon.
On the other hand, regular reminders hammering home the importance of remaining vigilant when it comes to phishing scams will keep it top of mind for employees. Regular training sessions will also help to capture new hires and absentee employees who may have missed previous meetings, and they provide the opportunity to highlight the latest phishing schemes. This is important because, like any cyber threat, phishing scams are continuously evolving.
Email Phishing Simulations
You wouldn’t want to phish your own staff, would you? You might! Phishing simulations involve sending phony phishing emails containing attachments, embedded links, and requests for personal information to your own employees. This can be done through the organization’s own internal IT team, or through phishing simulation software or services. However you go about it, the phishing simulations need to look like they’re coming from a stranger or from someone the employee knows. If an employee takes the bait, they will be notified that they have fallen into a phishing trap.
When run regularly, say once per quarter much like a fire drill, simulated phishing scams enable the organization to gauge staff compliance with policies and measure progress in user behavior (they fell for it the first time; will they fall for it again?). Following a simulation, however, employees who were duped should not be shamed, and they should be notified right away that it was a simulation so as not to cause undue stress or anxiety.
Of course, employee phishing needs to be carried out professionally and very carefully. If the tactic is used recklessly, the organization employing it may breach laws and attract lawsuits. That’s just what happened to Schletter, Inc., manufacturers of commercial and residential solar mounting systems. The company phished its employees, pretending to be the CEO and asking for employee social security numbers. Those being phished obliged, resulting not in a data breach, but in data disclosure: the employees were coerced under false pretense into providing sensitive information to internal staff who should not have had access to it. In the wake of the lawsuit, Schletter North America has filed for bankruptcy.
Email Phishing Education Through Teachable Moments
Parents and educators alike are very familiar with the concept of a “teachable moment.” In the corporate world, however, the concept may be a bit foreign. So, we took the definition as supplied by ThoughtCo, a teacher’s resource website, and substituted a few words here and there to make it apply to anti-phishing in your world.
A teachable moment is an unplanned opportunity that arises in the workplace where there is a chance to offer phishing email insight to employees. A teachable moment is not something that you can plan for; rather, it is a fleeting opportunity that must be seized at the moment when the employee is interacting with an email.
What’s great about these teachable moments is that they happen in real-time. Sure, awareness training is useful, but because trainees are not actively engaged with a phishing scam at the time, the lesson is less likely to stay with them in the long term. Anti-phishing services that provide an active defense offer teachable moments that stick with employees long after the email is deleted.
As you can see in the visual below, the anti-phishing service performs the following:
- Red-flags malicious or suspicious emails with a PHISHING-ALERT.
- When the employee opens the email, they remain protected while the service explains why the email was flagged (in this case, the displayed link text is different from the real URL).
- Disarms and locks the phishing email so the employee cannot reply or forward it to others.
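The second bullet above describes one concrete check an anti-phishing service can make: the link text the employee sees names one host, while the real href points at another. The following is an added example, not code from the original article or from any vendor's product; it uses only the Python standard library, the sample email body is constructed for the demonstration, and the helper names (extract_links, find_mismatched_links) are my own. It scans every anchor in an HTML email body and reports those whose visible text looks like a URL or hostname that does not match the host the link actually resolves to, which is exactly the condition that would justify a PHISHING-ALERT flag on the message.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body for this example (not a real message).
# The first link shows one host but sends the reader to another; the second
# is consistent; the third has plain-word text and nothing to compare.
SAMPLE_HTML = """
<p>Your mailbox is almost full. Please review your storage at
<a href="http://login.example-storage.net/reset">https://mail.example.com/quota</a>
or visit <a href="https://mail.example.com/help">https://mail.example.com/help</a>.</p>
<p>Questions? <a href="https://support.example.com">Contact support</a></p>
"""

# Matches something that looks like a URL or bare hostname inside link text;
# group 1 captures the hostname part.
URL_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Only accumulate text while inside an anchor that has an href.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return a list of (href, visible_text) tuples found in the HTML."""
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _host(url):
    """Lower-cased hostname of a URL; bare hostnames get a scheme so urlparse works."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def find_mismatched_links(html):
    """Return (visible_text, real_href) pairs where the text names a host that
    differs from the host the href actually points at. Links whose text is
    ordinary wording (e.g. "Contact support") are skipped: there is nothing
    to compare, so they are neither flagged nor cleared by this check."""
    findings = []
    for href, text in extract_links(html):
        match = URL_RE.search(text)
        if not match:
            continue
        shown_host = match.group(1).lower()
        if shown_host != _host(href):
            findings.append((text, href))
    return findings


if __name__ == "__main__":
    for shown, real in find_mismatched_links(SAMPLE_HTML):
        print(f"PHISHING-ALERT: link text {shown!r} actually points to {real!r}")
```

Run against the constructed body, the function reports only the first link, and the message that a service would show the employee is the same one the bullet describes: the displayed link text is different from the real URL. The check is deliberately strict about exact host equality; a production service would also decide how to treat subdomains of the same registered domain and links whose text is not URL-like at all.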
By letting employees know why an email is flagged rather than just locking them out, they’re more likely to feel actively engaged and want to protect themselves and the organization.
According to computer security company McAfee, 97% of people around the world are unable to identify sophisticated email phishing—now that’s scary. While awareness training and careful deployment of phishing simulations can be beneficial, the active defense provided by anti-phishing services offers teachable moments that stick with employees long after they’ve gone home for the day.