When it comes to keeping your business safe from threats, your employees’ email inboxes are always your front line. Phishing attacks are a constant challenge for firms of all sizes, and it only takes one email to slip through your defences to cause you a major problem.
These can take many forms, from generic spam emails sent to thousands of recipients to highly targeted, personalised messages tailored to a specific individual. And no matter how effective your defences, some messages are likely to reach your employees’ inboxes, and this is often where the biggest risks lie. Indeed, employees are often the weakest part of any firm’s email defences.
All it can take is one individual failing to read an email properly or not spotting telltale signs of a fraudster for all a company’s good work to be undone. That’s why a strong training scheme to educate employees about this risk is so vital. However, this training alone will not be enough.
The benefits of running a phishing simulation
It’s all very well running an engaging, frequently-updated training programme, but how can you be certain your employees have actually taken in the advice?
Steps like end-of-training quizzes won’t tell you if they’re applying what they’ve learned into the real world, so this is where running a phishing simulation test comes in.
This involves sending fake phishing emails to all your employees and recording how they react to them. These use the same tactics and language as genuine scammers and let you see how people respond as part of their day-to-day work, outside the controlled environment of a training session.
It also ensures people can recognise the subtle – and not-so-subtle – clues that can indicate a scam and lets businesses know where their user education efforts have been succeeding, and where there is more work to do.
For these simulations to be successful, you shouldn’t just send a single email. You’ll need to see if there are any specific types of email that are more likely to get a response. Therefore, consider using multiple tests with different formats to see where any particular weaknesses lie.
You also need to monitor the response rate effectively. This doesn’t just mean looking at who failed the test by handing over sensitive information such as login details. You also need to know who opened the email, who deleted it without taking any action and who took steps to report their suspicions. All this will help guide your training and incident response processes.
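The two points above, multiple email formats and a breakdown of responses beyond a simple pass/fail, can be put into practice by scoring each test separately. The following is an added example (not code from the original article), working on a constructed set of results; the template names, user ids and field names are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample results for one simulation run using three email formats
# (hypothetical data for this example, not from the original article).
# Each record is one recipient's furthest action plus whether they reported it.
RESULTS = [
    {"user": "u1", "template": "invoice",  "opened": True,  "clicked": True,  "submitted": True,  "reported": False},
    {"user": "u2", "template": "invoice",  "opened": True,  "clicked": True,  "submitted": False, "reported": True},
    {"user": "u3", "template": "invoice",  "opened": True,  "clicked": False, "submitted": False, "reported": False},
    {"user": "u4", "template": "bonus",    "opened": True,  "clicked": True,  "submitted": True,  "reported": False},
    {"user": "u5", "template": "bonus",    "opened": True,  "clicked": True,  "submitted": True,  "reported": True},
    {"user": "u6", "template": "bonus",    "opened": False, "clicked": False, "submitted": False, "reported": False},
    {"user": "u7", "template": "it_reset", "opened": True,  "clicked": False, "submitted": False, "reported": True},
    {"user": "u8", "template": "it_reset", "opened": True,  "clicked": False, "submitted": False, "reported": False},
    {"user": "u9", "template": "it_reset", "opened": False, "clicked": False, "submitted": False, "reported": False},
]

STAGES = ("opened", "clicked", "submitted", "reported")

def per_template_metrics(results):
    """Count each stage per template, then add rates relative to emails sent.
    'no_action' = opened but neither clicked nor reported (read and deleted/ignored)."""
    counts = defaultdict(lambda: {"sent": 0, "no_action": 0, **{s: 0 for s in STAGES}})
    for r in results:
        m = counts[r["template"]]
        m["sent"] += 1
        for s in STAGES:
            m[s] += int(r[s])
        if r["opened"] and not r["clicked"] and not r["reported"]:
            m["no_action"] += 1
    for m in counts.values():
        for s in STAGES + ("no_action",):
            m[s + "_rate"] = round(m[s] / m["sent"], 3)
    return dict(counts)

def weakest_template(results):
    """The email format whose recipients most often handed over credentials."""
    metrics = per_template_metrics(results)
    return max(metrics, key=lambda t: metrics[t]["submitted_rate"])

def needs_retraining(results):
    """Anyone who submitted credentials to any of the test emails."""
    return sorted({r["user"] for r in results if r["submitted"]})

def deserve_recognition(results):
    """Reported the email and did not hand over credentials."""
    return sorted({r["user"] for r in results if r["reported"] and not r["submitted"]})
```

Tracking the "reported" column per template, not just the failures, shows whether people are actually using the reporting route your incident response process depends on.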
Ensuring you stand the best chance of success
However, there are also a couple of things not to do. For instance, it’s easy to get preoccupied with organising extra training for those that failed the test, but it’s also important to acknowledge those that did well. Even a simple ‘congratulations’ message gives great reinforcement and shows people the value of your training programmes.
Also, you need to ensure those who did fall for the email are dealt with in the right way. Naming and shaming certainly isn’t a good idea, and any training you provide has to be tailored and explained so that they understand why it’s taking place.
Finally, make sure the content of the test email itself isn’t likely to offend. This was the mistake made recently by US firm Tribune Publishing, which made headlines for the wrong reasons after sending a phishing test email that claimed to be offering bonuses to all its employees, encouraging them to log in to a site to see how much they’d got.
Aside from the disappointment workers would have experienced, it was felt to be in particularly poor taste given the organisation had already been making pay cuts and redundancies.
While this type of message might be an effective way of mimicking a criminal’s tactics, it’s not going to engender trust among your employees.
Want to learn more about how you can tackle phishing attacks? Read our latest whitepaper to find out how to build a layered email protection solution.