You’re sitting calmly at your desk when you’re suddenly jolted by an incessant ear-piercing screech that echoes throughout the building. For a moment, your chest tightens, but you quickly realize what’s happening and calmly follow your peers to the door, on a path you have memorized.
We’re all familiar with the dreaded office fire drill. It’s been a constant in our lives since our school days, and it follows us into the workplace as adults. Some of us feel annoyed by the disruption to our daily routine, while others feel refreshed at the excuse to step outside for a brief moment. No matter how we feel about fire drills, they’ve done their job: In the event of an actual emergency, we know what to do.
Drills can play a similar role in cybersecurity. Cyberattacks and raging infernos have something in common: preventative measures can help us guard against both, but we can never fully eliminate the chance of these crises happening. Eighty-five percent of companies have experienced a cyberattack in the form of a phishing email. All it takes for your business to fall victim to a phishing attack is a handful of employees who don’t recognize a scam sitting right in their inbox.
What better way to teach your employees to spot cyberattacks than by staging an attack of your own? (In a safe and controlled environment, of course.) By sending simulated phishing attacks on a regular basis, you can train employees to identify real ones. Just as your company-wide fire drills keep all staff prepared for an emergency, simulated cyberattacks can prepare your employees to respond appropriately to a real crisis.
Let’s walk through the steps of setting up your own simulated phishing program.
What Makes Phishing Attacks So Dangerous?
Anyone Can Do It
There are two optimistic notions we’d all like to believe that simply aren’t true. First, we’d like to think that most companies and employees aren’t targets for phishing attacks. “It may happen to huge corporate enterprises, but it’s unlikely to happen to my company. Who would want our data, anyway?”
Second, we’d like to think that only a small percentage of highly advanced, expert hackers have the skills to pull off a cunning phishing attack.
The unfortunate truth is that any company — small, medium, or large — can quickly become a target for cyberattack, and phishing attacks aren’t all that difficult to plan or execute. Gregory Touhill, the United States’ first Federal Chief Information Security Officer (CISO), says that all it takes for someone to become a threat is an internet-connected device and some online training. When employees underestimate just how easy it is for anyone to conduct an attack of this nature, they let their guard down and leave their companies even more vulnerable.
Phishing attackers range from agents of foreign governments to kids looking to stir up trouble. While companies are more likely to be attacked by interested parties, the fact that anyone can learn how to conduct a phishing attack is a sobering thought.
Attacks Are Carefully Crafted
While company-wide phishing attacks still occur, the most effective phishing emails are ones that appear to be authentic communications from recognized third parties. This means the most dangerous emails will be highly targeted to the user. Senders may have official-sounding titles. Logos may look similar to their legitimate counterparts. Messages might create a sense of urgency for the recipient.
Employees who underestimate the cleverness of phishing attacks can be more likely to fall for them. A phishing email isn’t sloppily thrown together in a few minutes and sent to your inbox on a whim. Every word and image within the email has been carefully chosen to avoid arousing suspicion. Some attackers may spend months gathering information on their victims — including names, phone numbers, and other details to make their emails as relevant (and convincing) as possible.
The Trouble Lies with Human Error
It’s easy to assume the latest equipment and cybersecurity software will protect companies from the latest attacks. While cybersecurity software can help you identify, fight against, or respond to attacks, remember that it’s often humans who fall for them (in fact, data indicates that up to 30% of us will click on just about anything). Particularly in the face of phishing attacks, people — not software — are what determine whether an email looks legitimate, and people can make mistakes.
Given the widespread accessibility of phishing attacks and their reliance on human judgment, employee training is no doubt your best defense. Your cybersecurity training should already include a comprehensive explanation of what phishing attacks look like and how they work, but you can take it one step further by subjecting your employees to a cybersecurity drill. Simulating a phishing attack is an effective way of testing your employees’ readiness and preparing them for the real thing.
Just like a real attack, yours need to be convincing. Proper planning is essential.
How to Set Up Your Simulated Phishing Test
1. Provide Initial Training
Before launching a fake attack, make sure your employees know what to look for. Hold an initial training session where you discuss the realities of phishing attacks — how frequently they occur, how easy they are to execute, and what goes into planning one of these shady emails. Training should also touch upon what type of information phishers might be after, and how they would go about trying to steal it.
Employees should also be instructed on what to do when they spot an attack. Set up a dedicated email address for cyberattack reporting and instruct employees to send a message to that address when they notice something phishy in their email. By making this step part of your training, you will be able to quickly identify which employees can spot your scams and which ones need more training.
2. Determine Your Strategy
Choose which employees to test and how frequently. You might try one test email a month to a chosen group. This gives you enough data to see how effectively employees are spotting attacks, while not being too frequent to the point where your employees start to expect them. A fire drill once or twice a year keeps employees on their toes; a fire drill once a week becomes so routine that a sense of urgency is lost, which is problematic in the event of a real fire.
When choosing your employee group, proper segmentation is important and will allow you to deliver a more convincing phishing attack. Here’s how segmentation allows you to meet different goals with your phishing drills:
- Spear-phishing: The most threatening attacks target groups or individuals with highly-specific messaging (“spear-phishing”). By focusing on one group, such as a particular department, you’re better able to mimic the level of detail used in a real attack.
- Randomizing Victims: If you’re worried about word-of-mouth spreading about your fake phishing attacks, phishing simulators can allow you to randomize employees and the messages they receive. This reduces the chances of your staff catching on to your pattern and warning each other in advance.
- Company Roles: Segmentation allows you to target messaging according to an employee’s position within your company. You may want to simulate an attack on all new hires, for example, or one that targets all senior management members.
- Company-specific Criteria: No company is the same, which is why it’s important to think about the ways your employees interact with other people and businesses. If your company deals with national or international clients, for example, try simulating an attack that looks like the sender is from one of those locations.
3. Choose the Right Phishing Test
Once you’ve selected the employees for your target group, it’s time to tackle the most important step: designing your phishing email. Choose the content of the emails wisely, catering to the interests, job responsibilities, or authority level of the recipients. Make requests, information, and links look as convincing as possible, just as they would in a real phishing attack.
Examples of phishing email types include:
- Refusal to Pay: These emails include an urgent (and sometimes angry) message stating that the sender will not pay for something. Attached is a file which may look like an invoice or bill, but could potentially be a virus. Some may prompt you to enter your email and password before opening. This type of attack is a good test for employees who deal with billing tasks or information.
- Free Gift: Emails with an offer for a free gift can be very tempting, especially when they come with a legitimate next step (e.g., as part of a company initiative). This type of email can be used across your entire company; everyone likes free stuff!
- Popular or Trending Content: Given today’s social media landscape and 24-hour news cycle, getting the latest updates is enticing for almost all employees. Use this to your advantage by crafting emails with links to news information or false “breaking stories.”
Next Steps — What Happens After the Drill?
For employees who fall for your phishing attack (generally by clicking a link or attachment in the email), redirect them to a landing page with additional information on how to identify phishing attacks. For those who continuously fall for the ruse, consider setting up a special group session for extra training. If the issue persists, you may have to restrict access to sensitive information for particularly vulnerable individuals, like the Department of Homeland Security does with its employees. Remember, these consequences are not intended to punish, shame, or ridicule; the overall goal is to build up all staff to a high level of awareness regarding potentially dangerous or deceitful emails. When extra training doesn’t improve an individual’s ability to spot these attacks, restricting access is a practical and professional outcome, as the security of the company must come first.
For all employees who received the fake phishing attack (whether they fell for it or not), follow up with an email a few days later to let them know what you did. The email should include a list of characteristics of the message that should have signaled a phishing attack. If you modeled your message after an real one sent to your company, you might point out subtle differences between the two to illustrate how closely a phishing email can mimic the real thing.
When you enact this type of drill over a period of time, you should see the click-through rates of your fake phishing emails drop. No one loves a fire drill, but the moment we smell smoke, we’re all glad to know the escape route. Cybersecurity drills are no different.