Friendly phishing: Why you should consider phishing your team
Phishing is a common scam used by cyber criminals. That’s why it’s important to train your employees to recognise phishing attempts before they’re hooked by the real thing.
What is phishing?
Phishing is a type of online scam where criminals pose as a legitimate business, or individual, in order to trick victims into providing either sensitive information or performing an action. For example, an attacker may send an email that appears to be from the victim’s bank, asking them to login to a seemingly genuine website to update information. If the victim does, the attacker has complete access to that information. However, when phishing takes place in the workplace, victims don’t just risk exposing themselves — they risk exposing the entire business.
What is a phishing simulation?
A ‘phishing simulation’ is when you replicate a phishing attack within your team, with the aim of assessing their response. This can be achieved by sending a simulated email and tracking not only ‘who’ responds but also, more importantly, ‘how’ they respond. These emails should have the appearance of a legitimate one. The goal is to simulate a phishing scam, as best you can, to find out how good your team is at identifying and dealing with them.
Why are phishing simulations useful?
Phishing simulations are a great way to inform employees about threats and how to be vigilant while working online. By running a phishing simulation, employees get the opportunity to experience how convincing phishing emails can appear, and learn how to identify them. This helps to prevent actual attacks from succeeding and gives employees the skills they need to protect themselves and your business.
How can you implement your own phishing simulation?
Before you begin your phishing simulation, consider how much you want your team to know upfront. You might decide not to tell them anything, so you can get a realistic result. But if you think your team might be sensitive to being tested without prior knowledge, it might be best to let them know ahead of time.
By choosing to run an open phishing simulation, it also gives you the option to remind your team of the correct procedures for reporting and responding to suspicious emails. Make sure everyone knows the correct policies, knows who needs to be notified and that the relevant steps are in place.
What are some of the trademarks of a phishing email?
It’s important to make the emails believable by using the same techniques attackers use. There are a few things that many phishing emails have in common, even if they seem different. Here are some of the most common:
- Bad grammar and spelling
- Unusual and uncommon greetings
- An email address that’s slightly odd, like “googlemail” instead of “gmail”
- Attachments with unfamiliar extensions
- Links that have no relevance to the text
- Urgent requests for information
If you want to make your phishing simulation emails even more effective, you can pair some of the basic signals above with the tactics below. By making the recipient feel the need to act, you can increase the chances of a successful phishing attack:
- Request urgent action to be taken
- Include an emotional aspect
- Include the name of an authority figure
- Offer a desirable reward
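As an added example (not code from the original article), here is a small Python checker that tests a raw email for the indicators listed above: a lookalike sender domain in the style of “googlemail” for “gmail”, an attachment with a risky extension, a generic greeting, urgency wording, and a link whose visible URL differs from its real target. The lookalike map, extension list, wording cues and the sample message are constructed assumptions, not real data.

```python
import re
from email import message_from_string
# Hypothetical policy data (constructed, not from the article): lookalike sender domains mapped to the genuine one they imitate, risky extensions, wording cues.
LOOKALIKE_DOMAINS = {"googlemail.com": "gmail.com", "examp1e.com": "example.com"}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".hta", ".iso")
GENERIC_GREETINGS = ("dear customer", "dear user", "valued member")
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended)\b", re.I)
HTML_LINK = re.compile(r'<a\s+[^>]*href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.I | re.S)
TAG = re.compile(r"<[^>]+>")

def phishing_indicators(raw_message):
    # Returns a description of each listed indicator the message triggers.
    msg = message_from_string(raw_message)
    hits = []
    domain = msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()
    if domain in LOOKALIKE_DOMAINS:
        hits.append(f"sender domain {domain} imitates {LOOKALIKE_DOMAINS[domain]}")
    body = ""
    for part in msg.walk():  # a single-part message yields itself
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            hits.append(f"attachment {filename} has a risky extension")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    plain = TAG.sub(" ", body).strip().lower()
    if plain.startswith(GENERIC_GREETINGS):
        hits.append("generic greeting")
    if URGENCY.search(plain):
        hits.append("urgent request")
    for m in HTML_LINK.finditer(body):  # visible URL that differs from the real target
        text = TAG.sub("", m["text"]).strip()
        if "://" in text and text.rstrip("/") != m["href"].rstrip("/"):
            hits.append(f"link text {text} hides target {m['href']}")
    return hits
# Constructed sample (not a real message) that triggers every check above.
SUSPICIOUS = """\
From: IT Helpdesk <support@examp1e.com>
Subject: Action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

Dear Customer,<br>Your account will be suspended unless you act immediately:
<a href="http://login.examp1e.com/reset">https://portal.example.com/reset</a>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"

--b1--
"""
```

Running `phishing_indicators(SUSPICIOUS)` returns five findings, one per indicator; a plain internal note with no links or attachments returns an empty list.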
Friendly phish your way to better security
The most cyber-resilient businesses are the ones that are aware of the latest cyber threats and use every tactic in their arsenal to respond to them. But no matter how many simulations you run, hackers will always find a way in. That’s why it’s critical to maintain a strong security culture with the invaluable safety net of comprehensive disaster recovery and online backup through a premium cloud partner.