Cyber crime is a daily threat, yet security concerns are often set aside for things like convenience or cost. So how do you stay safe?
Your IT professional likely has security features like firewalls, antivirus, and other protections on your network and devices to help keep you safe. Yet a single click can unravel that safety in a split second.
Scams known as "phishing" don't break through those defenses; they ask the user to open the door. A convincing message talks someone into clicking a link, typing a password into a look-alike login page, or opening an attachment. Once the user has done that, firewalls and antivirus have little left to catch, because the traffic and the login look legitimate: a legitimate user produced them.
As cyber criminals up the ante, what is your game plan?
We suggest becoming a scam artist yourself.
Bait & Phish Your Employees Through Real-Time Security Awareness Training
With 85% of organizations noting that they have suffered from a phishing attack, you can never be too careful.
Education is undoubtedly your best bet against a phishing scam infecting your system, and unorthodox teaching methods might be the wake-up call your employees need. People are fallible, and awareness training is always helpful, but it might be time to put your training to the test.
One of the best real-world exercises is deploying a controlled phishing scam to all your employees – to see who clicks.
Steps to Setting Up Your Controlled Phishing Scam
First and foremost, make sure everyone who needs to sign off on the exercise is involved in the process. That could include C-levels and other management, and your internal or outsourced IT department should not only know what's going on but be involved as well, since they will be the ones fielding the reports and alerts the test generates.
Once everyone is on board, the real planning begins.
1. Choose Your Scam
Pick the pretext most likely to get your employees to click by looking at how your business actually sends and receives communications: a fake invoice, a shared document, an HR notice, a password-reset request, or whatever else lands in their inboxes every day.
2. Identify What You Want to Track
Decide in advance what counts as a result: who opened the message, who clicked the link, who entered credentials on the landing page, and who reported the email. Set alerts for clicks, and follow individual user behaviors so you can get to the bottom of who clicked and why.
3. Send Your Scam
Send out your email, ideally with a link that leads to a fake login page. Make sure that page only records that a submission happened and never stores the passwords people type in; the point is to show your employees how easily their credentials could be stolen, not to collect them.
4. Bring Everyone in on the Scam
Once it’s completed, let your employees know about the phishing teaching moment.
5. Educate Everyone
Everyone should be part of the company-wide training course to ensure that they’re adequately trained on spotting phishing attempts. When the results come in, those who pass should get a pat on the back, and those who fail will need some extra training.
Types of Phishing Email Tests and Cost of Security Awareness Tools
I’m sure you’re thinking, “Who has time to set up, run, and manage these phishing simulations?!”
Here's the best part: there are some truly free phishing simulators out there. So if you need to wave the "free flag" to get your C-levels on board, you have options. The only downside of free simulators is that they come with limited features.
For paid services, the prices vary dramatically based on how many users you want to send it to, what kind of reporting you’d like, and what types of tests it will run. Some even have gamification built-in, so your employees will actually enjoy participating.
How cool would it be if the conversation around phishing wasn’t “Who took down the company?” but transformed to “Look who avoided the most scams this month!”
Some good phishing simulators to check out are KnowBe4, PhishLabs, and Cofense.
Prices may appear steep, but keep in mind the financial loss that could come from a successful phishing attempt. According to Forbes, simulated phishing attack training has yielded a 37% return on investment as opposed to training that only includes reading.
Case Study: How One Company Went From “Down for Days” to Stopping Phishing Through Employee Training
Still on the fence about doing a phishing security test at your own company? Let's dive into how this training works.
We recently ran a phishing simulation to train employees at a company that had been hit with operations-halting ransomware multiple times.
The Situation:
Employees at Company X had fallen for two separate malware infections back-to-back.
The malware was delivered through an email scam and ran when users clicked malicious links. Both incidents caused significant downtime for the company's operations.
To combat this growing “user error” problem, Company X trained their employees in multiple ways to avoid phishing scams, but they needed a way to check if employees would apply what they’d learned. So, they decided to send simulated email scams.
The Results:
The first round of simulated phishing scams went out company-wide. Of the 65 employees it was sent to, 6 people clicked the simulated malicious links. The second round of testing was more targeted: to keep everyone on their toes, only 15 people from various departments received the scam, followed by a third round sent to a single person.
To keep it interesting, each set of emails had different variables:
- Each email came from a different unknown sender.
- Each email asked the recipient to grant a different permission or take a different action.
- Each email had its own look, theme, and language.
- Each email had a different set of recipients.
And while Company X continues to send random phishing simulations, their first three rounds speak to their success:
Round one: sent to 65 people, 6 clicked (about 9%)
Round two: sent to 15 people, 1 clicked (about 7%)
Round three: sent to one person, 0 clicked
In just three phishing simulations the click rate fell from 9% to 0%. Keep in mind that each round was smaller than the last, so the later figures rest on very few recipients, but the trend is what matters: the training was starting to stick, and every round gave them a new list of people to coach.
Education is the key to protecting your company from phishing scams. But why not go one step beyond traditional training and perform a phishing scam simulation?
They're a reliable, low-risk way to test what your employees have learned. Investing in your company's safety today will save you money and time in the future.
Related Resource
Top 5 Types of Email Scams Employees Keep Falling For
Want to Help Your Team Recognize and Avoid Email Phishing Scams?
If you think your organization would benefit from email security awareness training, reach out to us today to start a conversation. We'll walk through the ins and outs, as well as how security awareness training relates to the whole IT security picture.