Phishing is by far one of the most dangerous forms of cybercrime. And if you have ever fallen victim to a phishing attack, you know it can have a devastating impact. These attacks can cause companies to have their sensitive information stolen, lose millions of dollars, and in the worst case, shut down. This is why having a security awareness training program in place is so vital. Running simulated phishing simulations for employees helps ensure employees today are educated and taught how to spot and avoid phishing attacks. Keeping your employee’s and company data safe.
Phishing testing can be a great asset to your company’s security awareness training program. Sending employees popular phishing tests, used by cybercriminals, can teach employees what tactics and tricks hackers are using today, and how to spot the red flags. However, there is a wrong way to phish your employees. One type of simulated phishing email that must be avoided when running phishing tests within your organization, are those sent internally with promises of bonuses and promotions. These types of simulated phishing emails can leave a terrible taste in employees' mouths and even cause employees to question your company's values. All it takes is one lousy phishing test to destroy trust and create a company culture of doubt.
In this blog, we’ll walk you through some real-world examples of companies who sent these types of phishing emails to their employees and how to not follow in their footsteps.
What Is Phishing?
Phishing is a type of cyber attack in which a cybercriminal tries to get sensitive information from you by pretending to be someone else. These types of cyber-attack are constructed with various purposes in mind, including:
- An attempt to get personal login details to a bank account, PayPal, or similar
- To cause the victim distress by stealing their social media login details. Or making their electronic devices unusable
- Targeting specific companies or individuals to steal data, money, or blackmail them
- Creating false websites to lure unsuspecting visitors
- Creating malware to steal information
- Session hijacking
- Content injection
When done successfully, hackers gain access to your information and data; causing severe disruption within your organization. Running a simulated phishing test provides employees a chance to learn how to spot suspicious emails and identify scams.
Here are two examples of how companies (not cybercriminals) have used phishing to ruin their company culture. These methods create mistrust and are good examples of how not to create phishing awareness.
Security Awareness Training is crucial to maintaining the safety of businesses. It is also vital to ensure sensitive data is secure so it doesn't fall into the wrong hands. However, there is a wrong way to train employees on these pressing security issues.
The problem with testing your cybersecurity protection is that it works both ways. Employees and customers can fall foul of misleading phishing tests, leading to a complete breakdown in trust. This can lead employees and customers to question company leadership.
GoDaddy is one example of what to do if you want to lose the trust of your workforce. Their strategy was to send out an email to their employees to see how they would respond to an internal phishing test. This email promised employees a holiday bonus of $650. Unfortunately, employees who responded to the test got more than they expected. Instead of a bonus, the company punished them with additional work. This caused major concerns within the company's security-aware culture.
Phishing testing should be a learning experience. Not a punishable offense. Instead, respond by training your staff members on how to recognize a phishing attack. In addition, leadership should develop phishing training for their staff members to safeguard sensitive systems and information.
#2 Tribune Publishing
Like GoDaddy, Tribune Publishing also sent internal phishing tests to their employees to test their security awareness.
Internal phishing simulations can be a great way to train employees on the tactics hackers are using today. However, this email also promised massive bonuses.
Employees were disgusted by this phishing test from a supposedly trusted source, which followed shortly after massive layoffs, creating even more trust issues.
How To Create A Culture of Suspicion
As pointed out by security experts, this method of tricking employees and breaking their trust, is not an effective method.
Employees become excited about receiving increases or bonuses. When the employer calls them out on their mistake, they punish them. This approach creates a culture of suspicion. Employees learn to fear their employers, which can also lead to a lack of motivation and decreased productivity. There are far better ways to protect sensitive company information. There are also more effective phishing tests to send in order to make employees aware of cybersecurity risks.
We recommend avoiding these types of phishing emails in your training:
- Promises of salary increases or bonuses
- Using questionable methods that cause harm rather than educating them
Instead of creating a suspicious culture where employees live in fear of making mistakes, take a different approach and make phishing training a learning experience rather than a punishable offense.
How To Create A Culture Of Trust
Creating a culture of trust requires appropriate training and education. Embedding this type of culture must come from the top down. The CEO must show active support of the initiative and back security training with direction.
CEOs and IT departments should develop policies to safeguard the company's data. Then, these specialist areas should distribute the guidelines to all departments within the company. From there, managers must ensure that employees receive the necessary training to prepare them to prevent risks.
Management should also demonstrate that cybersecurity threats are real. They should also make it clear that all employees are responsible for protecting the company. Part of creating a culture of trust is to involve employees in policies that affect them. Direct involvement develops a culture of responsibility, accountability, and empowerment.
When employees understand how critical their actions are in maintaining data, information, and systems, they appreciate their roles. They also know that they can limit risks.
How do you accomplish these goals?
- By creating awareness of how cyber-attacks typically take place.
- Educating staff members about system vulnerabilities and how cybercriminals exploit them.
- Providing them with the knowledge to protect business interests by taking responsibility for their actions.
Use Effective Phishing Training Methods
Educating employees on the best methods to protect themselves and company data is vital. Since anyone can fall prey to cyberattacks, even CEOs, it’s important to train employees about what to look out for and how to avoid these risks. In order to properly train employees and create a culture of trust, we recommend:
- Providing ongoing, practical training that keeps up with the latest tricks and trends.
- Use phishing simulations to test employees and warn them to expect this type of testing.
- Avoid punishing those who click on the phishing simulation. Instead, enroll them in additional training so they can learn from their mistakes.
Cybersecurity attacks are on the rise. As criminals become more creative in their efforts, business owners must also take responsibility to prevent these attacks. The best way to protect your business is to educate your employees. Rather than leaving the responsibility in uninformed hands, it is your responsibility to provide phishing training to equip employees with the tools needed to mitigate or stop attacks.
Check out our phishing examples library to learn more about what types of phishing emails hackers are sending and tips on how to spot and avoid these types of attacks!