Phishing remains one of the most common attacks businesses face, which makes phishing awareness training an essential part of every information security program. Although "phishing" has become a familiar term, many people still have basic questions about it.
What is Phishing?
Phishing is a form of social engineering in which a cybercriminal sends a fraudulent message that mimics a reputable company or a trusted person, with one of two goals in mind:
- to trick the recipient into revealing personal or sensitive information (for example, passwords or account details); or
- to deliver malicious software through a link or attachment (for example, ransomware).
Most phishing attacks are delivered by email, but attackers have extended the technique to other channels. Other common forms of phishing are:
- Smishing – the attacker delivers the lure by SMS/text message instead of email.
- Vishing – a voice phishing attack delivered by phone call. Social engineers frequently use vishing to talk a victim into disclosing sensitive information over the phone.
- Spear Phishing – like ordinary phishing, usually delivered by email. Whereas generic phishing is sent to a broad audience, in spear phishing the attacker has gathered information about specific individuals and uses it to craft a convincing, targeted email.
- Quishing – phishing via QR codes. The code encodes a malicious link, so scanning it with a phone opens the attacker's page or download.
Phishing has been the attack most used by cybercriminals for many years; industry reports commonly estimate that roughly 90% of data breaches begin with some form of phishing.
Who are phishing emails aimed at?
Essentially anyone can be the target of a phishing attack. A large number of attacks are generic emails that appear to come from reputable companies and are sent out to the masses. In these cases the attacker hopes to find low-hanging fruit: someone who has not been educated about phishing and is therefore an easy target. Often the goal of these attacks is simply to gather personal information.
Other phishing attacks have a more purposeful approach, such as installing ransomware. Ransomware is software the attacker uses to lock down a company's systems by encrypting files so they cannot be read without the attacker's decryption key. The criminals then hold the data hostage until the company pays the ransom. With these attacks, the social engineer usually targets specific employees within a company, and the emails are often designed to appear to come from another employee of that company or from a customer.
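Two of the tells described above, a sender pretending to be a colleague and a sending domain that imitates a reputable company, can be checked mechanically on the From header. The script below is an added example written for this page, not code from the article or from any vendor it names; the corporate domain, the internal directory, the trusted-domain list and the three sample messages are all constructed for the illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example (assumptions, not from the article).
CORPORATE_DOMAIN = "example-corp.com"
# Display names of internal staff and the addresses they really send from.
INTERNAL_DIRECTORY = {
    "Dana Lee": "dana.lee@example-corp.com",
    "Sam Patel": "sam.patel@example-corp.com",
}
# Domains staff legitimately receive mail from (the company itself plus brands).
TRUSTED_DOMAINS = {CORPORATE_DOMAIN, "paypal.com", "microsoft.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (reason, trusted_domain) if domain imitates a trusted one, else None."""
    domain = domain.lower()
    # Exact trusted domains and their real subdomains (mail.example-corp.com) are fine.
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return None
    labels = domain.split(".")
    for t in sorted(trusted):
        # Near-miss spelling: examp1e-corp.com, paypa1.com, microsoft.co
        if edit_distance(domain, t) <= max_distance:
            return ("near-miss spelling", t)
        # Brand name used as a subdomain label: paypal.com.account-verify.net
        if t.split(".")[0] in labels:
            return ("brand used as a subdomain", t)
    return None


def check_sender(raw_message: str) -> list:
    """Return a list of impersonation findings for the message's From header."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    # 1. Display name matches a colleague, but the address is not that colleague's.
    real = INTERNAL_DIRECTORY.get(display.strip())
    if real and addr != real.lower():
        findings.append(f"display name '{display}' is an internal employee, "
                        f"but the address is {addr}")
    # 2. Sending domain imitates the company or a trusted brand.
    hit = lookalike_of(domain)
    if hit:
        reason, target = hit
        findings.append(f"sender domain '{domain}' imitates '{target}' ({reason})")
    return findings


# Constructed sample messages (headers only matter for this check).
PHISHING_MESSAGE = """\
From: Dana Lee <dana.lee@examp1e-corp.com>
To: staff@example-corp.com
Subject: Urgent: please process the attached invoice today

See attachment.
"""

LEGITIMATE_MESSAGE = """\
From: Dana Lee <dana.lee@example-corp.com>
To: staff@example-corp.com
Subject: Invoice for March

See attachment.
"""

BRAND_MESSAGE = """\
From: "PayPal Support" <help@paypal.com.account-verify.net>
To: staff@example-corp.com
Subject: Your account has been limited

Click the link to restore access.
"""

if __name__ == "__main__":
    for name, raw in [("phishing", PHISHING_MESSAGE),
                      ("legitimate", LEGITIMATE_MESSAGE),
                      ("brand", BRAND_MESSAGE)]:
        print(name, check_sender(raw) or ["no findings"])
```

Both checks are heuristics: the edit-distance threshold will occasionally flag an unrelated short domain, and neither check fires when a message really is sent from a colleague's mailbox. They complement, rather than replace, training staff to question unexpected requests regardless of who the sender appears to be.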
What is Phishing Awareness Training?
Understanding what phishing is, is just the start; defending yourself and your company from these attacks is the next important step. Phishing awareness training is a specialized type of training that focuses only on phishing attacks. Most programs replicate real-life examples and use them to teach staff what to watch for. The goal is to educate staff to spot and report suspected phishing attempts. With the entire organization trained in these tactics, a company can build a human firewall: a last line of defense made up of the staff themselves.
The best designed phishing awareness training programs utilize one of two methods – Phishing simulations or Phishing Scenario-Based Training.
What are Phishing Simulations?
A phishing simulation, or phishing attack simulation, is where an organization sends deceptive emails to its own staff. These are designed to duplicate real-life examples, but if a staff member falls for the attack, no harm is done to the company's systems. These programs have two great benefits.
The first benefit is developing the employees' phish-finding muscles. Just like any muscle in your body, your brain can learn to instinctively detect suspicious emails through repetition. If the company sends out monthly phishing simulations, over time the entire staff will become familiar with the common attacks that exist, which in turn makes them a more reliable firewall against those attacks.
The second benefit is detecting liabilities. There is value in knowing which employees fail simulations frequently. Finding the frequent phish-failures gives you the opportunity to provide additional education, turning a potential liability into an asset.
Many companies use third-party software from vendors like KnowBe4, or go through MSPs (Managed Service Providers) like LMS, to run phishing simulations.
What is Phishing Scenario-Based Training?
The goal of these programs is to strengthen the staff, not to humiliate them for opening an attachment or clicking a link. Many organizations shy away from phishing simulations to avoid frustrating their staff, and that is where phishing scenario-based training comes into play. This type of training is built around real-life examples: the user is shown an email and has to make decisions based on the information in that example. They first decide whether it is a phishing attempt or a legitimate email, and then determine the best course of action for it. Phishbuster Academy has designed a great program around this type of training, providing an alternative to phishing simulations.
If you ever need additional guidance on designing a phishing awareness training program for your business, please contact us HERE or call 937-912-9045. We are always available to provide assistance and answer questions.