Here’s how to run a simulated phishing campaign to test and train your employees before they receive an actual phishing email.
To be clear, when we say “phishing campaign,” we’re not referring to malicious, black-hat phishing campaigns.
A simulated phishing campaign is part of an internal training program to raise employee awareness about real-world phishing attacks and how to recognize them.
According to TechRepublic, a simulated phishing campaign conducted in October across companies in 98 countries found that more than 25% of US-based employees are prone to fall for such attacks.
Part of this has to do with the unique circumstances of this past year, of course. Amid the shift toward remote working and abrupt changes in business processes brought on by the coronavirus pandemic, there was a substantial year-over-year increase in phishing email clickthrough rates.
In fact, more than twice as many employees clicked links in test phishing emails compared to a similar test in 2019. Even worse: Nearly 70% (67%) of those who clicked on the emails in the 2020 phishing campaign test used their login credentials on the phishing pages the emails pointed to, compared to just 2% in 2019.
Phishing awareness training can reduce security risks caused by social engineering-based email attacks designed to manipulate recipients into forfeiting login credentials or making wire transfers under the mistaken belief they’re acting on requests from known individuals or brands.
In light of 2020 test results and the effectiveness of COVID-19 as a phishing pretext, the need for these simulations may be greater than ever.
A phishing campaign is a great resource to teach your employees how to identify, respond and report a phishing email.
Create a Schedule. To begin, you’ll want to create a schedule of when you’re going to send out each phishing email, how you’re going to educate your employees, when to let your employees know about the campaign and how to track overall progress.
Phishing awareness training company KnowBe4 recommends weekly, bi-weekly, or monthly distribution of simulated phishing emails over at least three business days.
Communicate About Campaign. Next, you’ll want to let key stakeholders know employees know that the company will be running a simulated phishing campaign. It’s possible key stakeholders aren’t as knowledgeable about phishing as they think they are. According to Ponemon Institute, it’s not uncommon for as much as 35% of employees to be unaware of what “phishing” actually means. You’ll also want to emphasize that this is training and not meant to trick any employees, but rather to help them learn how to better spot malicious emails. You’ll also want to prep your engineering teams ahead of time, so they aren’t caught off guard.
Recruit Potential “Phishers.” Phishing attacks involve impersonating a high-level executive or other trusted individual within the company, whether that be a CEO, manager, or IT. You’ll want to recruit an executive who is willing to be impersonated in the phishing campaign ahead of time, and prep them to be ready to respond to employees who may ask about the best way to report the simulated attack.
Send First Phishing Email. You’ll want the timing of your first phishing email to be a secret to your employees. This way, you can quickly establish a baseline for how many employees are already able to recognize and report a phishing email. You can also use this information to adjust your educational information accordingly.
Educate Your Employees. In order for your employees to learn what phishing emails are and how to identify them, you’ll need to educate them. You can create graphics, give presentations, or create videos. This education should happen concurrently as you send the fake phishing emails. To be most effective, educational content should be a part of the company’s overall security training to better integrate the information to the employees.
Begin Campaign. You can now launch your campaign. You will want to figure out how many emails you plan to send before you begin. Then, if you have a good read on how many of your employees bit on the lure, you may find you need to release more educational content and slow down on how many emails you send.
Review Progress and Trouble Spots. Once the phishing campaign has begun, you’ll want to start looking at the data.
Generally speaking, it’s a good idea to take note of whether there are specific departments, locations, or teams that need more training in order to raise their reporting rate. You may also want to dial up the difficulty level of campaigns as your workforce becomes better at recognizing phishing emails.
Track Report Rate. A common metric used in phishing campaigns is the clickthrough rate and how many people input their login credentials or other personal information. But this often has more to do with the degree of difficulty employed in a specific phishing email or campaign.
Instead, a more important metric is the report rate; how many of your employees reported receiving a phishing email versus those who did not recognize the email. You should be able to see the reporting rate go up as your campaign progresses. If not, you may want to evaluate the education your employees are receiving about phishing emails.
Agari and KnowBe4, for instance, have partnered together to develop a unified strategy that encompasses people, process, and technology so information security leaders have access to the best phishing training content and science-based phishing defense capabilities in the industry.
With full integration between our solutions, we’re able to ensure organizations have an accurate picture of the phishing threat landscape so they can better combat socially engineered email attacks.
Adapt Training Content and Cadence. If employees are having trouble identifying simulated phishing emails, modulate training accordingly.
Providing more information or videos can be helpful. Most important of all, it’s critical that employees understand why they should care about security. What does a malicious email matter to them? What’s their motivation for being mindful to scrutinize email messages? By building elements into the simulations, reporting back to them can help them to understand: Did they save the company money, or something far more catastrophic, by stopping this potential attack?
You may also want to look into what is making your employees click the email, versus report it, in order to understand the dynamics in play and educate them on the specific emotional levers or identity deception techniques leveraged within phishing email.
As your employees grow more adept at scrutinizing emails for signs of fraud, your company could potentially avoid significant costs from phishing scams and data breaches.
As it stands, phishing attacks are complicit in as many as 7 in 10 data breaches, according to Verizon’s 2020 Data Breach Investigations Report.
Sometimes it’s through credentials harvesting. Other times, it’s through an attachment or link that downloads ransomware that can hold your data hostage until you pay up, crippling your business operations. In others, it’s malware that can infiltrate your supply chain or your entire customer base and become a national security threat.
According to Ponemon Institute, the total cost of a data breach that can result from phishing emails now averages $8.6 million per incident for US-based organizations–but can go astronomically higher. But according to a 2020 study of more than 1,000 firms by Edelman, KnowBe4, Verizon and others, training contributes to an average 46% decline in the probability of suffering a breach.
If you rather a program set up your campaign for you, there are a number of options out there. While there are some free programs, the paid versions are more reliable. They may also include email templates, pre-made web pages for phishing links to go to and specific data about your company’s phishing rates.
Offerings range from basic tools for crafting and sending a mock phishing email to several recipients using a specified email server, all the way to SaaS-based phishing simulation platforms for managing multiple, enterprise-scale phishing campaigns.
Phishing awareness training for your employees is critically important, but it should be viewed as your last line of defense, not your first.
The best strategy is to implement a layered approach to security that includes multiple solutions, such as antivirus defenses for ransomware/crimeware; secure email gateways for incoming malware attacks, network forensics capabilities for advanced persistent threats and more.
They should also include identity-based defenses that work to keep some of today’s most sophisticated, impersonation-based phishing attacks from ever reaching employee inboxes in the first place.
For instance, our own solution, Agari Phishing Defense™ not only protects against highly-targeted Business Email Compromise (BEC) attacks–including those launched from hijacked email accounts belonging to senior executives or trusted outside venders. Phishing simulation solutions that are integrated with systems like this provide the best of both worlds by enabling organizations to use actual, real-world phishing campaigns in their simulations—giving employees, and their companies, a leg up against threat actors.
To learn more about how science-based phishing defenses combined with best-in-class phishing campaign simulations and training can protect your organization, click here.