Phishing

Anti-Phishing: The Importance of Phishing Awareness Training

Infosec
June 26, 2017 by
Infosec

Of all the precautions you need to take to keep your company afloat, planning for phishing attacks may be the most important by far.

Phishing has become a widespread problem across every industry because this type of scam is extremely easy to pull off. Just about anyone can do it as long as they have Internet access and a grasp of the language.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Every year, countless companies find out the hard way that they should have invested more time and money into phishing protection training for their employees.

Below, we’re going to discuss what this entails and why it’s so important and provide you with other helpful information that will ensure that your workers aren’t easy targets for these con artists.

Why Is Phishing Awareness Training So Important?

The simple answer to this question is that if you don’t invest in phishing protection, you will become a victim. This is not a “maybe” situation anymore. Sure, not every company gets victimized by phishing scams, but they have become the exception.

Phishing statistics make this very clear.

Here are some examples worth thinking about:

  • Phishing and malware attacks have been the most prevalent form of cybercrime for eight years in a row.
  • In 2015, 30% of all phishing messages were opened.
  • 12% of receivers who opened them also clicked on a malicious link or attachment.
  • 48% of 2016’s phishing attacks were designed to steal money.
  • Using fraudulent banking credentials to obtain sensitive information was up by 8.31% in 2016.

Now, here’s the truly scary part: successful scams cost millions of dollars. Aside from how prevalent they’ve become, these attacks are becoming increasingly more expensive for businesses that are successfully targeted.

In fact, the average cost of a phishing scam for a 10,000+ person company is $3.7 million.

Obviously, the more money your company has access to, the more you could lose from one of these attacks.

Put another way, these attacks are inherently designed to scale, so even if you’re a small company, you may still be a very attractive target considering how little work it is to aim one of these malicious emails at your people.

Phishing Protection Is About More than Dollars and Cents

At the same time, it’s become abundantly clear that companies that don’t sufficiently invest in phishing protection stand to lose more than just their money.

For example, back in 2014, Target’s CEO resigned in the wake of a data breach that made headlines all over the world. More than 110 million customers were affected and the corporation also had to settle in court by paying out nearly $50 million.

This data breach may not have been the result of a phishing scam, but it very well could have been. Once a malicious party has access to your system, the extent of the damage they can do is limited only by their imagination.

Even if the attack you suffer doesn’t result in your CEO resigning, imagine how it will hurt your company’s reputation.

You can do all the positive PR pieces you want; if customers think you can’t be trusted with their sensitive data, you’re going to have a hard time turning a profit. In the digital age, not being trusted with this kind of information can quickly put a company out of business.

Finally, as you’re about to learn, phishing protection doesn’t have to be expensive, complicated, or even time-consuming. If you train your people to treat phishing protection as a priority and make it easy for them to understand what to look for, you’ll stand a much better chance against these attacks.

What Are the Critical Components of Phishing Awareness Training?

As we just touched on, phishing protection doesn’t need to become a huge burden on your business. However, it absolutely must be something you take seriously. Make a real effort and your staff will follow suit.

With that said, let’s now look at the critical components of phishing protection training.

First and foremost, you need to bring up the steps involved in proper phishing protection on a regular basis. This kind of consistency will keep it in the forefront of your employees’ heads. If you only bring it up every now and then, you can’t be too surprised when your people fall into a lull and become vulnerable to attack.

Along the same lines, you have to consider turnover. While proper phishing protection should be part of your new employee orientation programs, the different lengths of time people have been working for your company will automatically mean some people are exposed to the training more than others.

We’ll talk about how often you need to carry out some form of phishing protection in a moment, but for now, just recognize that this has to be a part of how you train your employees.

Second, your staff must understand what phishing attacks look like. The good news is that, unlike other forms of cyberattacks, phishing is 100% preventable. Your defenses don’t depend on high-tech anti-hacking coding, as much as they do on your people knowing what to look for and reporting attacks.

Again, covering this topic in detail during orientation will go a long way toward the results you want. Here are common traits of a phishing email:

  • Incorrect “From” Addresses: Many scam artists will use similar email addresses to those of official companies and/or trusted parties. Always take a second to double-check and make sure the address is correct.
  • Urgent Action Required: The vast majority of phishing attacks rely on pushing the recipient to act quickly, before they take the time to execute proper caution. Any email with this kind of urgency should be scrutinized. After all, if it was really an emergency situation, the sender probably would have called.
  • Generic Greetings: Pulling off a successful phishing scam often entails sending out a number of emails. The con artist knows many of their ploys will be ignored or otherwise avoided, so they play the numbers game. Unfortunately for them, this usually means using generic greetings and leaving out people’s names entirely.
  • Fraudulent Links: Your staff should always hover over a link in an email before clicking on it. By doing so, they’ll see what the actual web address is that they’ll be taken to. It’s a common misconception that the address displayed is also the site you’ll pull up if you click on it. Obviously, if a link is going to take you to a totally different site, it’s not to be trusted.

Third, it’s vital for your phishing protection efforts that you encourage your employees to come forward and report possible attacks when they think they’ve received one. You never want someone to feel sheepish about doing so. If they do, you may miss out on a really good educational opportunity. Worse, they may also decide not to worry about it and end up following through on the con artist’s deceptive instructions.

We already talked about consistently reminding your staff of proper phishing protection best practices. We would also recommend that you make them aware of successful phishing attacks that have happened in your industry.

For one thing, doing so will give them a very good idea of what they’re up against. They’ll get to learn about the ways phishing scams work in your particular field.

It also serves as a good reminder that these aren’t idle concerns on the part of your company. You’re not worrying too much. Phishing is very real and the consequences are extremely damaging.

Fifth, it’s not a bad idea to try phishing your own people. Create a third-party email address and send out emails from time to time to see if you can catch anyone slipping.

There are also companies you can hire for this service. They’ll test your people’s phishing protection knowledge and report back to you on the results.

This is probably the best way to make sure your company is ready. Word will quickly spread that your people should actually expect these kinds of attacks, which will make them much more vigilant.

Finally, don’t leave out upper management. They need to be just as ready as the rest of your company.

In fact, some scam artists will carry out in-depth research just to target your executives. Instead of a generic greeting, they’ll use the target’s full name. They’ll find out personal details about their target so they can include them in their message in an attempt to get the recipient to drop their guard.

Phishing protection needs to be something everyone in the company sees as their own personal responsibility. This includes everyone from temps to the CEO.

Phishing Protection Is a Team Sport

Speaking of which, don’t forget about any company you do business with by sharing sensitive information. You need to make sure that they’re not making themselves vulnerable to these attacks.

Recall the example of Target we used earlier. It turns out the hackers went through an HVAC company that Target was doing business with.

This is why your contracts with these companies must spell out the precautions they have to take to keep themselves from being victimized in a phishing attack. Otherwise, your best efforts may be compromised because of a totally different organization.

How Often Should Phishing Awareness Training Take Place?

Earlier, we promised that we’d talk about how often you should carry out phishing protection training.

The answer is as often as possible. Obviously, you need to make sure you’re not slowing down the operation of your business to a detrimental extent.

As we mentioned before, you should definitely make phishing protection training a part of your new employee orientation process.

We also suggest printing out the above list of things to look for and having your employees keep this at their desks somewhere that will be easy to see. This won’t just show them what to look for but will also remind them of the looming threat.

Any time a threat is successful in your industry, the news should be sent out immediately in an all-staff email. Hopefully, this won’t happen too often, but the more it does, the more you need to prepare your staff for the inevitability of an attack.

After that, most experts recommend you administer phishing protection training every two months. This should give you plenty of time to come up with new and engaging ways to cover the topic.

The last thing you want is for your phishing protection training to become the type of thing that your employees take for granted. They should understand its importance and you should ensure that they find it interesting.

Of course, if you can afford more time for this priority, then consider every month or every two weeks. When you consider the stakes involved, there is no “too much” when it comes to this type of training.

How Long Does It Typically Take to See a Change in User Behavior?

Everyone is different, which is why you need to make sure you’re administering the type of training we’ve described here as often as possible.

You may also need to consider generational differences. Your younger employees grew up knowing all about phishing whereas your older workers may have never heard of it before.

This is why testing your people with actual phishing attempts can be so useful. If you track your results, you’ll develop a real understanding of what types of employees tend to be easiest to trick. You’ll also see trends in terms of which kinds of training help prepare your people and how often they need to receive it before you see a difference from your staff.

By now, it should be clear that you need to make phishing protection training a priority for your company.

Hopefully, you can also see that this doesn’t have to mean breaking your budget or spending days at a time making sure your people know what to do.

Instead, begin by making sure that everyone in your company (including executives) knows what phishing is, how often it happens, and what the cost is when these attacks are successful. Then, educate your people on a regular basis by reminding them what to look for and showing them real-world examples of these attacks in your industry.

In no time, you’ll be able to rest easy knowing your employees are providing a veritable line of defense.

Sources:

https://safety.yahoo.com/Security/PHISHING-SITE.html

http://www.river-run.com/techblog/phishing-awareness-training

https://blog.vadesecure.com/en/phishing-awareness-training-8-things-employees-understand/

https://www.infosecurity-magazine.com/blogs/effective-phishing-assessment/

https://trushieldinc.com/top-3-reasons-you-need-cyber-security-awareness-training/

https://blog.vadesecure.com/en/phishing-awareness-training-8-things-employees-understand/

https://securelist.com/analysis/kaspersky-security-bulletin/77483/kaspersky-security-bulletin-spam-and-phishing-in-2016/

https://betanews.com/2017/02/23/phishing-attacks-steal-money/

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

http://www.informationsecuritybuzz.com/study-research/financial-threats-2016-every-second-phishing-attack-aims-steal-money/

Infosec
Infosec