Phishing attacks—and social engineering attacks, such as spear phishing and CEO fraud—are one of the most prevalent and potentially dangerous cyberthreats that organizations are currently facing. Successful attacks can grant attackers undetected access to internal systems, sensitive information and corporate data.
Unfortunately, the methods used by attackers to trick victims into handing over that data are sophisticated, manipulative, and often successful. Almost one in five employees is likely to click on a link in a phishing email and, of those who do, an alarming 67.5% go on to enter their credentials on a phishing website, which then feeds those credentials directly into the hands of a cybercriminal.
Many organizations implement technical solutions such as email gateways to help prevent phishing attacks from landing in their users’ inboxes, but attackers are constantly finding new ways to evade these solutions.
That means that your users are your last line of defense against data loss at the hands of a phishing email.
The best way to strengthen that defense is by implementing a strong security awareness training (SAT) program that teaches your users how to identify threats. Many SAT solutions offer a combination of content-based training and phishing simulations—a highly contentious means of testing your employees’ responses to phishing attacks.
But why are phishing simulations so controversial, and should your organization add simulated phishing campaigns to its security awareness training program?
What Is Security Awareness Training?
A security awareness training program is a type of eLearning software designed to help users to identify and correctly respond to security risks in the workplace. SAT often covers a wide range of topics, including data protection and cybersecurity, but most place a large focus on email threats such as phishing.
To help users understand these threats, a security awareness program offers training content in a variety of mediums, such as videos, articles, and graphic posters. This ensures that all users can connect with the training content, no matter their preferred learning style. Some programs also include quizzes, introducing an element of gamification to help boost learner engagement. This training teaches users how to identify phishing emails, and how they should respond should they receive one.
But when it comes to changing user behavior, learning theory can only get you so far; it’s also important that users are able to practice their newly-learned skills in a safe environment. Combining theory with practice encourages learners to engage both sides of their brain, which allows it to build stronger connections between pieces of information, making it easier to retain.
To address this, the strongest phishing training solutions offer phishing simulations alongside training content. These simulations involve security teams sending fake “phishing” emails to their users, to see how they respond to them.
According to Theo Zafirakos, CISO at Terranova Security, the combination of content-based training and simulations “gives the users the knowledge they need, but also the opportunity to practice their skills.”
How Do Simulations Help Stop Phishing Attacks?
Phishing simulations (sometimes called “phishing tests”) are campaigns in which security teams send imitation “phishing” emails to their users to monitor how they respond to phishing attacks in a real-world environment. Not only do phishing campaigns enable employees to test the knowledge and skills they’ve learned during their security awareness training program, but they also enable security teams to monitor which users or user groups need further training in certain areas and assign that training as needed.
In an interview with Expert Insights, Tyler Schultz, Product Marketing Manager at Infosec, describes phishing simulations as “the perfect test.”
“Reporting suspicious emails proves employees are recognizing both simulated phishing emails and real phishing attacks,” he explains, “but it also goes one step further by supplying the security team with threat intelligence that can help them mitigate active attacks.”
The most effective simulated phishing campaigns enable security teams to create their own phishing or spear phishing emails based on phishing templates provided by their SAT provider, or on real phishing emails that their organization has received. This allows them to tailor the attacks to the specific threats that their users are likely to face. Some programs also allow security teams to send smishing (SMS phishing) text messages, to monitor how their users are likely to respond to malicious texts.
When a user receives a simulated phishing email, they should respond by reporting it to their security team, either by contacting them directly or via a “Report Phishing” plugin that sits within their email client. If, however, they interact with the email—by clicking on a malicious link or downloading an attachment—they’re directed to a landing page that explains why they failed the simulation, and what signs they can look out for to identify the threat next time.
But using phishing simulations to train your users to identify phishing attempts doesn’t just test their learning; it also encourages them to report real phishing emails that land in their inboxes. After all, a user won’t know if a threat is simulated or genuine—they’ll have been trained to report it either way.
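Because a trained user reports simulated and genuine messages alike, the security team's report handler has to tell the two apart without the user's help. The following is an added example, not code from the original article or from any SAT vendor named in it: a report-triage function that recognises a simulation by a campaign header carrying an HMAC bound to the campaign ID and the recipient, so that a marker copied onto a real phishing email is not mistaken for a simulation. The header names `X-Phish-Sim-Campaign` and `X-Phish-Sim-Tag`, the key, the addresses and the sample messages are all constructed for the demo.

```python
import email
import email.policy
import hashlib
import hmac
from email.message import EmailMessage

# Constructed demo key (assumption): in practice a secret shared only between
# the simulation platform and the security team's report handler.
SIM_KEY = b"constructed-demo-key-do-not-reuse"
CAMPAIGN_HEADER = "X-Phish-Sim-Campaign"  # hypothetical header names
TAG_HEADER = "X-Phish-Sim-Tag"


def sim_tag(campaign_id: str, recipient: str) -> str:
    """HMAC over campaign ID and recipient, so a tag lifted from one simulated
    email cannot be replayed on a message sent to a different user."""
    payload = f"{campaign_id.strip()}|{recipient.strip().lower()}".encode()
    return hmac.new(SIM_KEY, payload, hashlib.sha256).hexdigest()


def build_simulation_email(campaign_id: str, recipient: str, subject: str) -> str:
    """What the simulation platform would send (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "it-helpdesk@example.com"
    msg["To"] = recipient
    msg["Subject"] = subject
    msg[CAMPAIGN_HEADER] = campaign_id
    msg[TAG_HEADER] = sim_tag(campaign_id, recipient)
    msg.set_content("Please review the attached asset inventory form.")
    return msg.as_string()


def classify_report(raw_message: str, reporter: str) -> dict:
    """Triage a message submitted via the 'Report Phishing' button.

    A valid campaign tag means the report is credited in the training
    platform; anything else is treated as a genuine phish and escalated.
    """
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    campaign_id = msg.get(CAMPAIGN_HEADER)
    tag = msg.get(TAG_HEADER)
    if campaign_id and tag:
        # Header folding may have inserted whitespace into a long tag; remove it.
        presented = "".join(str(tag).split())
        expected = sim_tag(str(campaign_id), reporter)
        if hmac.compare_digest(presented, expected):
            return {"verdict": "simulation", "campaign": str(campaign_id).strip(),
                    "action": "credit_report_in_training_platform"}
    return {"verdict": "genuine", "campaign": None,
            "action": "open_incident_and_warn_other_users"}


# Constructed samples: a real simulation to alice, a message that copies the
# campaign header with a made-up tag, and an ordinary message with no marker.
SIM_REPORT = build_simulation_email("2023-Q1", "alice@example.com",
                                    "IT: Annual Asset Inventory")
FORGED_REPORT = (
    "From: it-helpdesk@example.com\r\nTo: alice@example.com\r\n"
    f"Subject: IT: Annual Asset Inventory\r\n{CAMPAIGN_HEADER}: 2023-Q1\r\n"
    f"{TAG_HEADER}: deadbeef\r\n\r\nPlease review the attached form.\r\n"
)
GENUINE_REPORT = (
    "From: billing@example.net\r\nTo: alice@example.com\r\n"
    "Subject: Zoom: Scheduled Meeting Error\r\n\r\nClick here to fix.\r\n"
)

if __name__ == "__main__":
    for name, raw in [("sim", SIM_REPORT), ("forged", FORGED_REPORT),
                      ("genuine", GENUINE_REPORT)]:
        print(name, classify_report(raw, "alice@example.com"))
```

The design point is the HMAC: a bare marker header would let anyone who has seen one simulation email tag a real attack as "just the test" and have it quietly closed, whereas a keyed tag bound to the recipient only verifies for messages the platform actually sent to that user.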
The Pros Of Phishing Simulations
Prevent Data Breaches
Delivered as part of an overarching security awareness training program, simulated phishing campaigns teach employees to identify suspicious messages, raising their awareness of phishing threats so they’re far less likely to click on a malicious attachment or URL should a real threat find its way into their inbox.
But they also encourage users to report genuine phishing emails, which enables security teams to quickly alert other users of the threat so nobody else falls victim to the same attack.
Finally, they enable security teams to identify areas of vulnerability where they can assign further training, helping them to continuously bolster their human line of defense.
Create A Culture Of Security
In today’s hybrid-remote world of work, there can be a lot of distractions; from navigating the trials and tribulations of remote productivity, to resisting the temptations to get household chores out of the way before the weekend. Because of this, security is often pushed to the back of users’ minds.
But continuous awareness training and testing through phishing simulations ensures that users are actively engaging with the concept of security on a daily basis. This helps to cultivate a company culture where security is ingrained into every employee’s regular routine.
Building security into their routines helps users to develop a security-first mindset, where they’re more likely to respond to a threat than react to it—they’ll stop and think about what to do, rather than automatically responding to an urgent invoice request, sending over a password to a shared account, or downloading a file that they weren’t expecting to receive.
Prove Return On Investment
Most phishing simulation solutions offer reporting and analytics features that show security teams how their users are responding to simulation campaigns. Admins can view data such as which users opened a phishing test, who clicked on a URL within the email body or downloaded an unknown attachment, and which users reported the simulation.
Security teams can use this information to assign targeted training to employees that need it, but they can also use it to monitor how their organization’s threat detection skills improve over time—at an individual, user group and company-wide level. This data can be incredibly useful when demonstrating to C-level executives how prevalent phishing is and how effective security awareness training is at preventing successful phishing attacks. It can also be used to encourage investment in further email security products.
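The reporting described above reduces to a handful of rates computed per campaign and per user group from the simulation event log. The following is an added example, not code from the original article or from any SAT product: it aggregates constructed simulation events into a fail rate (clicked or downloaded), a report rate, a count of users who reported after failing, and a list of users who failed repeatedly and should be assigned targeted training. Event names, campaign IDs, users and groups are all constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Event:
    campaign: str  # use sortable IDs (e.g. "2023-Q1") so campaigns order chronologically
    user: str
    group: str
    action: str    # delivered | opened | clicked | downloaded | reported


FAIL_ACTIONS = {"clicked", "downloaded"}


def campaign_metrics(events: Iterable[Event],
                     group: Optional[str] = None) -> Dict[str, Dict[str, float]]:
    """Per-campaign rates, optionally restricted to one user group.

    The denominator is every user with any event in the campaign, so a
    missing 'delivered' record does not hide a click. A user who clicks and
    then reports counts in both rates and is surfaced separately, since the
    report is still the behaviour the training wants to reinforce.
    """
    targeted: Dict[str, Set[str]] = defaultdict(set)
    failed: Dict[str, Set[str]] = defaultdict(set)
    reported: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if group is not None and e.group != group:
            continue
        targeted[e.campaign].add(e.user)
        if e.action in FAIL_ACTIONS:
            failed[e.campaign].add(e.user)
        elif e.action == "reported":
            reported[e.campaign].add(e.user)
    result: Dict[str, Dict[str, float]] = {}
    for c in sorted(targeted):           # chronological, so rows show the trend
        n = len(targeted[c])
        result[c] = {
            "targeted": n,
            "fail_rate": round(len(failed[c]) / n, 3),
            "report_rate": round(len(reported[c]) / n, 3),
            "reported_after_fail": len(failed[c] & reported[c]),
        }
    return result


def needs_training(events: Iterable[Event], min_failures: int = 2) -> List[str]:
    """Users who failed in at least `min_failures` distinct campaigns."""
    fails: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.action in FAIL_ACTIONS:
            fails[e.user].add(e.campaign)
    return sorted(u for u, cs in fails.items() if len(cs) >= min_failures)


# Constructed sample log: two campaigns, four users in two groups.
SAMPLE_EVENTS = [
    Event("2023-Q1", "alice", "finance", "delivered"),
    Event("2023-Q1", "alice", "finance", "clicked"),
    Event("2023-Q1", "bob", "finance", "delivered"),
    Event("2023-Q1", "bob", "finance", "opened"),
    Event("2023-Q1", "bob", "finance", "reported"),
    Event("2023-Q1", "carol", "eng", "delivered"),
    Event("2023-Q1", "carol", "eng", "clicked"),
    Event("2023-Q1", "carol", "eng", "reported"),   # failed, then reported
    Event("2023-Q1", "dave", "eng", "delivered"),
    Event("2023-Q2", "alice", "finance", "delivered"),
    Event("2023-Q2", "alice", "finance", "clicked"),
    Event("2023-Q2", "bob", "finance", "delivered"),
    Event("2023-Q2", "bob", "finance", "reported"),
    Event("2023-Q2", "carol", "eng", "delivered"),
    Event("2023-Q2", "carol", "eng", "reported"),
    Event("2023-Q2", "dave", "eng", "delivered"),
    Event("2023-Q2", "dave", "eng", "reported"),
]

if __name__ == "__main__":
    for campaign, row in campaign_metrics(SAMPLE_EVENTS).items():
        print(campaign, row)
    print("finance:", campaign_metrics(SAMPLE_EVENTS, group="finance"))
    print("assign training to:", needs_training(SAMPLE_EVENTS))
```

On the sample log the fail rate drops from 50% to 25% between campaigns while the report rate rises from 50% to 75%, which is the company-wide trend an executive summary would show; the group filter gives the per-team view, and `needs_training` returns the users whose repeated failures justify individual follow-up.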
Ensure Compliance And Reassure Insurers
Many federal and industry compliance standards, including PCI-DSS and GDPR, require organizations to implement security awareness training in order to become compliant. While testing isn’t always required, it’s often recommended as part of this training in order to be able to track improvement over time.
But compliance bodies aren’t the only organizations that may require your business to implement security awareness training; cybersecurity insurers are increasingly requiring businesses to prove that they’re taking proactive steps to reduce their own risk levels before they’ll agree to offer them insurance cover. Other insurers won’t offer support in the case of a repeat attack unless the victim organization can prove that it took steps to improve its security posture after the first one; this is something that a strong training program with robust reporting functionality can help you prove.
The Cons Of Phishing Simulations
Training Alone Won’t Prevent Attacks
While regular phishing simulations and continuous security awareness training can greatly reduce the likelihood of your users falling victim to a phishing attack, it’s important to remember that attackers are increasingly finding more sophisticated, manipulative ways to trick your employees into engaging with them. Because of this, we recommend taking a layered approach to email security by implementing technological protection as well as human protection.
There are two main types of technical email security you can implement to help prevent phishing attacks:
- Secure email gateways (SEGs) scan all inbound and outbound email for malicious content such as spam, malware and viruses. When a threat is detected, the SEG automatically blocks it at the gateway, preventing it from ever reaching its target’s inbox.
- Cloud email security solutions use behavioral-based machine learning to analyze inbound, outbound and internal emails for anomalous and potentially malicious activity. This enables them to identify sophisticated spear phishing attacks, CEO impersonation attacks, and signs of account impersonation.
Simulation Templates Are A Step Behind Real Attacks
Phishing templates are designed to replicate real-world attacks that organizations have experienced, to make users aware of genuine risks they might find themselves facing. However, this means that they’re often based on an attack that’s already happened elsewhere.
In 2020, when many organizations had provisioned their employees to work from home in line with national guidelines during the peak of the COVID-19 pandemic, the most common subject lines in real phishing emails were:
- IT: Annual Asset Inventory
- Changes to your health benefits
- Twitter: Security alert: new or unusual Twitter login
- Amazon: Action Required | Your Amazon Prime Membership has been declined
- Zoom: Scheduled Meeting Error
- Google Pay: Payment sent
- Stimulus Cancellation Request Approved
- Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription
- RingCentral is coming!
- Workday: Reminder: Important Security Upgrade Required
Attackers were quick to capitalize on users’ uncertainty as they began using unfamiliar technologies to work remotely, as well as their health concerns in the midst of the pandemic, and the fact people were turning to virtual entertainment and communication platforms to keep in touch with friends and colleagues.
Nobody could have predicted the COVID-19 pandemic, so nobody would have trained their employees to watch out for these types of messages until after attackers had already started sending them.
But while simulations can’t enable your users to stay one step ahead of attackers at all times, they can train them how to identify typical red flags that might indicate an email is malicious.
Tests Can Cause Distrust
When not carefully implemented, phishing campaigns can seem too much like punishment to be truly effective, as they train users at the point of failure. If users are made to feel like they’ve failed or done something wrong, they may become demotivated and feel a sense of distrust towards their security team—which could prevent them from engaging actively with simulations or reporting genuine threats in the future.
But security experts agree that it’s possible to change this, when phishing simulations are viewed as practice rather than a test, and training is positioned as being supportive and educational rather than a form of punishment.
“When a user falls for a simulated attack, the training program should highlight to them what they should’ve spotted in an encouraging and educational way,” says Nick Deacon Elliott, VP of Sales and Operations at Boxphish. “If an end-user clicks on a phishing simulation and they’re put on a naughty list in the staff room or met with a kind of punishment, that is completely the wrong way to go about it […] The training should provide them with the extra support that they need to avoid making the same mistake in future—through education and encouragement, rather than punishment.”
And it’s important to make this purpose clear with users from the very beginning, says Theo Zafirakos of Terranova Security:
“We consider phishing simulation as a practice tool; it gives the participant opportunity to exercise their phish detection skills in a safe environment. It’s better to click within a simulation than to experience it in the real world.
“But it’s important to communicate the purpose and how we’re going to use simulations from the very start of the program, to make clear what the expectations and potential consequences are. We may ask you to follow some additional training, but the goal is education, not punishment!”
Employees Think Training Is Boring
Security awareness training—amongst other types of corporate eLearning—often has a bad reputation as being a boring, mandatory task that takes up a lot of time out of users’ workdays to complete. This stigma automatically makes employees less likely to engage with a training program, so it’s important that you choose training that dispels these preconceptions from the start.
There are a few features you should look out for to achieve this:
- A multi-media content library that enables users to learn in whichever style best suits them
- Synchronized desktop and mobile access that enables users to complete training wherever they are, at a time that suits them; some solutions even allow users to complete training offline, then sync their progress data once they connect to a Wi-Fi network
- Bite-sized micro-learning modules that don’t take too much time or effort to complete and make it much easier for users to retain information
- Continuous training that’s delivered in small modules, regularly, rather than as a single annual course
Finding a solution that hits the above points will encourage your employees to choose to learn; generally, if we as humans feel like we’ve chosen to do something of our own free will, we’re much more likely to engage with it and see it through.
As Zach Eikenberry, Co-Founder and CEO at Hook Security says, “If your goal is to actually train somebody then you need to get them into the material and help them develop a passion over time.
“Respect their agency, respect their person, invite them into the process, and stop telling them that they’re the weakest link.”
When employees choose to engage with training content regularly, they’re much more likely to retain the information delivered, adds Tim Ward, Co-Founder and CEO at ThinkCyber.
“When we choose to learn something, we are much more likely to engage with the content and retain the information presented to us; it’s something we’re interested in. When we have to learn something, on the other hand, we often approach it with a mindset of being forced into something we don’t want to do, which reduces engagement and, subsequently, retention. This is an issue psychologists call ‘reactance’.
“Reducing the amount of content delivered at once and ‘drip feeding’ it regularly, rather than delivering it in blocks, can help maximize long-term retention and change behaviors over time.”
Our Recommendation
There isn’t a single solution that will protect your organization against phishing attacks. But when all is said and done, your users are your last line of defense between a crafty cybercriminal and your organization’s data—and if they aren’t taught how to identify those attacks, that line of defense is going to be pretty holey.
As an IT manager, a member of the security team, or an executive at your company, it’s up to you to ensure that your users are given that training.
There are a range of different cybersecurity awareness and phishing awareness training solutions out there, all designed to teach your users how to spot and respond to phishing emails. But the solution you choose will depend on the types of attack your company is currently facing, how many users you need to support, what topics you want to cover, and whether you want to create your phishing simulations in-house or outsource your campaigns to the provider.
We get it—that’s a lot to think about.
To help you make the right decision, we’ve put together guides to the top phishing simulation and testing solutions—platforms mainly focused on deploying simulation campaigns—and the top phishing awareness training solutions—platforms that offer comprehensive content-based learning, as well as simulations. You can find these guides below: