These can take many forms, from generic spam emails sent to thousands of recipients to highly targeted, personalised messages tailored to a specific individual. And no matter how effective your defences, some messages are likely to reach your employees’ inboxes, and this is often where the biggest risks lie. Indeed, employees are often the weakest part of any firm’s email defences.
All it can take is one individual failing to read an email properly or not spotting telltale signs of a fraudster for all a company’s good work to be undone. That’s why a strong training scheme to educate employees about this risk is so vital. However, this training alone will not be enough.
The benefits of running a phishing simulation
It’s all very well running an engaging, frequently updated training programme, but how can you be certain your employees have actually taken in the advice?
Steps like end-of-training quizzes won’t tell you if they’re applying what they’ve learned in the real world, so this is where running a phishing simulation test comes in.
This involves sending fake phishing emails to all your employees and recording how they react to them. These use the same tactics and language as genuine scammers and let you see how people respond as part of their day-to-day work, outside the controlled environment of a training session.
It also tests whether people can recognise the subtle – and not-so-subtle – clues that can indicate a scam, and lets businesses know where their user education efforts have been succeeding and where there is more work to do.
For these simulations to be successful, you shouldn’t just send a single email. You’ll need to see if there are any specific types of email that are more likely to get a response. Therefore, consider using multiple tests with different formats to see where any particular weaknesses lie.
You also need to monitor the response rate effectively. This doesn’t just mean looking at who failed the test by handing over sensitive information such as login details. You also need to know who opened the email, who deleted it without taking any action and who took steps to report their suspicions. All this will help guide your training and incident response processes.
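To make the measurement concrete, here is an added example (not from the original post or any particular simulation product) that aggregates a constructed per-recipient event export across several test templates, counting who opened, clicked, submitted credentials, reported or ignored each one, picking out the template people fell for most, and listing the reporters who deserve a thank-you. The event names and the export format are assumptions.

```python
from collections import defaultdict

# Constructed sample export from a simulation tool (not real data):
# (template, recipient, event). One recipient may log several events,
# e.g. clicked and then reported, or submitted with no opened event.
SAMPLE_EVENTS = [
    ("invoice", "alice", "opened"), ("invoice", "alice", "reported"),
    ("invoice", "bob", "opened"), ("invoice", "bob", "clicked"),
    ("invoice", "bob", "submitted"), ("invoice", "carol", "deleted"),
    ("bonus", "alice", "opened"), ("bonus", "alice", "clicked"),
    ("bonus", "alice", "reported"), ("bonus", "bob", "opened"),
    ("bonus", "bob", "clicked"), ("bonus", "bob", "submitted"),
    ("bonus", "carol", "clicked"), ("bonus", "carol", "submitted"),
]

INTERACTED = {"opened", "clicked", "submitted"}

def summarise(events):
    """Per-template counts of recipients who opened, clicked, submitted
    credentials, reported, or ignored the email. Counted per person: a
    click then a report is one click AND one report; a submit implies a
    click and an open; 'ignored' means deleted or no interaction at all."""
    per_user = defaultdict(lambda: defaultdict(set))
    for template, user, event in events:
        per_user[template][user].add(event)
    summary = {}
    for template, users in per_user.items():
        s = dict(recipients=len(users), opened=0, clicked=0,
                 submitted=0, reported=0, ignored=0)
        for evs in users.values():
            s["submitted"] += "submitted" in evs
            s["clicked"] += bool(evs & {"clicked", "submitted"})
            s["opened"] += bool(evs & INTERACTED)
            s["reported"] += "reported" in evs
            s["ignored"] += not (evs & (INTERACTED | {"reported"}))
        summary[template] = s
    return summary

def weakest_template(summary):
    """Template with the highest credential-submission rate (ties broken
    by click rate): where the next training round should focus."""
    return max(summary, key=lambda t: (
        summary[t]["submitted"] / summary[t]["recipients"],
        summary[t]["clicked"] / summary[t]["recipients"]))

def reporters(events):
    """Recipients who reported at least one test: the people to thank."""
    return sorted({u for _, u, e in events if e == "reported"})
```

Because the counts are per person rather than per event, someone who clicks and then reports still shows up as a reporter, which is the behaviour you want to reinforce.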
Ensuring you stand the best chance of success
However, there are also a couple of things not to do. For instance, it’s easy to get preoccupied with organising extra training for those that failed the test, but it’s also important to acknowledge those that did well. Even a simple ‘congratulations’ message gives great reinforcement and shows people the value of your training programmes.
Also, you need to ensure those who did fall for the email are dealt with in the right way. Naming and shaming certainly isn’t a good idea, and any training you provide has to be tailored and explained so that they understand why it’s taking place.
Finally, make sure the content of the test email itself isn’t likely to offend. This was the mistake made recently by US firm Tribune Publishing, which made headlines for the wrong reasons after sending a phishing test email that claimed to be offering bonuses to all its employees, encouraging them to log in to a site to see how much they’d got.
Aside from the disappointment workers would have experienced, it was felt to be in particularly poor taste given the organisation had already been making pay cuts and redundancies.
While this type of message might be an effective way of mimicking a criminal’s tactics, it’s not going to engender trust among your employees.
Want to learn more about how you can tackle phishing attacks? Read our latest whitepaper to find out how to build a layered email protection solution.