With phishing being one of the most common types of cyberattacks, it’s not surprising that every company is asking how they can introduce or improve phishing training for their employees. Unfortunately, as with most security awareness training, it isn’t as simple as using a pre-built training program and unleashing it on your employees.
The biggest problem with phishing awareness training is that too many programs try to take a “one size fits all” approach.
Now, we’re not saying that there’s no point in investing in phishing awareness training. Quite the opposite, actually.
Let us explain.
Why Phishing Training is Tricky
Whenever you start researching how to run a phishing training program, most of the time, you’ll come across the same advice - teach your employees what to look out for, and then phish them yourself.
You’ll also find dozens of companies that offer phishing training for employees in a tidy software-as-a-service package. They’ll give you the tools you need to build phishing emails, provide point-of-infraction training, and report on how your employees are performing.
All of this sounds great on paper. And, it can be extremely useful.
However, there’s a vast difference between something looking good on paper and being useful in the real world.
Phishing Emails Aren’t Always Easy to Spot
In an ideal world, we’d be able to spot a phishing attempt from a mile away. Sometimes, we can. An email packed with spelling and grammatical errors, sent from an address that has nothing to do with the company it claims to represent, is a pretty glaring sign that someone’s out to phish you.
Everyone who’s been on the Internet for a while knows to be suspicious of emails that you didn’t sign up for or are from people you don’t recognize.
The problem is that every day, phishing scams get more and more sophisticated. Sure, the classic Nigerian princes still do their rounds, but cybercriminals have an increasing number of tools at their disposal.
Let’s say, for example, you used your work email address on a web form asking a potential supplier for a quote. You’ve done your due diligence and you know this supplier is legitimate, so when an email drops into your inbox from what looks like a fancysupplier.com address, you probably don’t think anything of it.
The email is perfectly composed, well thought out, and even uses the name you put into the web form. It invites you to click a link to complete the quote, so you hover over the link to double-check it. The address that pops up looks like a fancysupplier.com page, so it seems legitimate.
Everything’s going well until a minute later, when your computer is locked with ransomware.
What happened here was that the cybercriminal harvested your details from the web form submission and used a spoofed sender address to gain your trust. The link was spoofed, too - it pointed at a lookalike of the supplier’s site, and the page it loaded dropped malware onto your machine and from there onto your company’s network.
You did everything “right”, and you still got caught out.
Not Everyone is Email-Savvy
We all still get phishing emails in our junk folder that make us wonder who would believe that a long-lost relative is sending an e-Card for a birthday that passed six months ago.
But that’s exactly the point - people still fall for these phishing emails, even though they have every tell-tale phishing sign in the book.
Every company will have employees who don’t think twice when they get an email saying that Jeff Bezos wants to give them $100 to spend on Amazon. Of course, you’ll also have employees who don’t open emails unless the sender has explicitly told them to expect one.
You’re working with employees who have different levels of technical expertise, suspicion, and naivety. This is something that you need to prepare for, and it’s why phishing your employees with the same emails doesn’t work as well as you think it might.
Again, phishing is becoming more sophisticated, so even your most tech-savvy employees can easily fall for a modern attack if it’s done well enough. If they’ll fall victim to one of those, your less knowledgeable employees have no chance.
Spear Phishing and Whaling
While cybercriminals will attempt to use generic phishing tactics against companies because they know that someone will eventually fall for it, they will also use targeted campaigns against a company.
There are two highly specific types of phishing you need to know about:
- Spear phishing - phishing aimed at specific individuals or small groups rather than the general population, often high-value targets such as system administrators or employees who handle sensitive information
- Whaling - a type of spear phishing that directly targets company executives
As an example, let’s take a look at the Sony Pictures hack of late 2014. According to reporting on the attack, top executives were phished with fake Apple ID verification emails. Once those credentials were captured, the hackers reportedly compared them with the executives’ LinkedIn profiles to work out their internal network logins.
The phishing email itself didn’t carry malware or ask for financial information, either of which would likely have raised suspicions. Instead, the hackers banked on three main things:
- The executives would be using the same (or similar) login details for the internal network
- These executives would use LinkedIn to network, thereby giving away information that could be used to guess further login details
- These executives had almost full admin privileges on the network, so only one person would have to fall victim for the attack to work
When we talk about phishing attacks with employees, they often assume that cybercriminals fire out as many emails as possible at once in the hope that one person will fall for the scam. And, while that might be true for some emails, the truth is that 77% of phishing emails target fewer than 10 email inboxes.
The truth is that our perception of phishing emails isn’t just dated - it’s assuming that every phishing attempt will be the same.
So, how can we fix this?
Generic vs. Tailored Training
When you kickstart a phishing training program, there’s a tendency to simply grab a pre-made phishing template and send it out to all employees with no customization.
However, no two companies are the same, even within the same industry. And, as phishing attempts get increasingly sophisticated, many cybercriminals are spending time using social media, company websites, and social engineering attempts to learn how companies work before even sending a phishing email.
After all, attackers know that if they send a fake invoice request to the wrong person, their attack will fail straight away.
So, if they are going to send fake invoice requests, they’ll spend time learning who has the authority to release payments, who’s likely to be overworked enough that they won’t have time to check the invoice, and most importantly, how they can get in touch with that person directly. They might even spoof the email address of a legitimate supplier, too.
This means that the standard advice - look for typos, hover over links to check the URL, check the sender’s email address - is not enough on its own. A well-crafted phishing email can pass all three checks.
If your training is only catching a small portion of the phishing attempts your employees receive, is it doing any good?
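To make the point concrete for the spoofed-supplier scenario earlier and the “hover over the link, check the sender” advice just above, here is an added example (written for this edit, not Hook Security’s code). It compares the check a hurried reader actually performs - “can I see fancysupplier.com in there?” - with a stricter check that parses the host the browser would really connect to and the address the mail would really come from. Every URL, address and domain below is constructed for illustration: fancysupplier.com is the hypothetical supplier from the article, and attacker.example is a hypothetical attacker-controlled domain.

```python
"""Why 'hover over the link' and 'check the sender' are not enough.

Added example, not part of the original article. All sample links, sender
headers and domains are constructed; attacker.example is a hypothetical
attacker-controlled domain.
"""
from email.utils import parseaddr
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "fancysupplier.com"   # the supplier the reader expects mail from


def naive_looks_legit(text: str) -> bool:
    """What most readers do with a hover tooltip or a From: line:
    glance for the expected domain anywhere in the text."""
    return EXPECTED_DOMAIN in text.lower()


def link_host_matches(url: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """Stricter link check: the host the browser will actually connect to
    must be the expected domain or a subdomain of it. IDNA-encoding the host
    turns Unicode look-alike characters into an xn-- label that cannot match."""
    host = urlsplit(url).hostname or ""
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    return host == expected or host.endswith("." + expected)


def sender_matches(from_header: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """Stricter sender check: ignore the display name entirely and compare
    only the domain of the address inside the angle brackets."""
    _display_name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    try:
        domain = domain.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    return domain == expected


# Constructed samples: what the reader sees in the tooltip or From: line.
SAMPLES = [
    ("link", "https://fancysupplier.com/quote/12345"),                        # genuine
    ("link", "https://fancysupplier.com.attacker.example/quote/12345"),       # attacker subdomain
    ("link", "https://fancysupplier.com@attacker.example/quote/12345"),       # userinfo trick
    ("link", "https://attacker.example/fancysupplier.com/quote/12345"),       # domain in the path
    ("sender", "Fancy Supplier <quotes@fancysupplier.com>"),                   # genuine
    ("sender", '"quotes@fancysupplier.com" <billing@attacker.example>'),       # display-name spoof
    ("sender", "Fancy Supplier <quotes@fancysupplier.com.attacker.example>"),  # lookalike domain
]


def check(kind: str, value: str) -> dict:
    """Run both checks on one sample and report the disagreement."""
    strict = link_host_matches(value) if kind == "link" else sender_matches(value)
    return {"kind": kind, "value": value,
            "naive": naive_looks_legit(value), "strict": strict}


def run(samples=SAMPLES) -> list:
    return [check(kind, value) for kind, value in samples]


if __name__ == "__main__":
    for r in run():
        verdict = "OK" if r["strict"] else "PHISH"
        print(f"{verdict:5} naive_says_ok={r['naive']!s:5} {r['kind']:6} {r['value']}")
```

Every one of the six malicious samples satisfies the naive check, because the expected domain really is visible somewhere in the text; only the genuine link and the genuine sender survive the strict parse. Two caveats a practitioner should add to any training built on this: first, if the attacker forges the From: address outright (possible whenever the supplier’s domain does not enforce DMARC), no string comparison helps at all, and the only client-side evidence is the mail server’s Authentication-Results header; second, the same host-parsing logic belongs in the mail gateway and URL-rewriting proxy, where it runs on every message, rather than being something employees are expected to do by eye.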
With modern phishing becoming far more sophisticated, the only way forward is to invest in unique, bespoke training programs that take into account how your business actually operates.
Bespoke Phishing Training
When it comes down to it, if you’ve trained Kevin in HR to recognize phishing attacks by looking for unknown senders claiming to be from a legitimate source, there’s a good chance he won’t spot a sophisticated attack that arrives from a spoofed or lookalike address of a supplier he already deals with.
Even the National Cyber Security Centre in the UK acknowledges that generic training packages can’t help employees spot every phishing sign. Some phishing attempts are extremely sophisticated, and the actors behind them work hard to cover their tracks and make them appear as legitimate as possible.
Bespoke phishing training offers a powerful solution in that it takes your employees’ attributes into account, and teaches them as individuals how their strengths and weaknesses can be used to manipulate them. By meeting employees where they are, rather than where you assume they will be, you can build a more engaging and respectful discussion about building on their skillset.
Not only that, but you can deliver targeted training based on employees’ job roles, and the specific types of phishing attacks they may be targeted with. This is often more useful than a generic approach, as it encourages employees with more power and access to company systems to be more cautious with their trust.
Bespoke phishing training is a more advanced solution, but given the rise of more sophisticated cyber attacks, it’s worth it to give your employees all the tools they need to defend themselves and your company.
Phishing Training with Hook Security
With Hook Security, you can easily launch, track, and optimize a stellar phishing training program. Pick from hundreds of phishing templates, customize them with employee data and company info, and send them to your employees. Then, track who is most vulnerable with advanced reporting.