Can you tell the difference between a real and a phishing email?
Phishing simulation testing, also known as a phishing test, is where we send our colleagues phishing emails that are similar or identical to the real threats they will face every day. The only differences are that the links and attachments point at infrastructure we control, and that if they fail the test nothing massively bad happens (unless you fire them).
Why Run Phishing Simulation Tests?
Phishing attacks are a reality we live with. No matter how many technical controls we put in place to block them, some malicious emails will always reach people's inboxes. We run phishing tests for the same reason we run fire drills: should the real thing happen, we want our people to know how to respond in order to stay safe.
What Does A Phishing Test Look Like?
To the recipient, it's just another email, like the hundreds they receive every day. The difference is that we've included one or more links or attachments carrying an identifier unique to that recipient, which tell us when they've read the email, from which device, whether they click the links or open the attachments, and how many times. Read tracking usually relies on a remote image, which many mail clients block by default, so 'opened' counts are a lower bound; clicks are the reliable signal.
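The mechanics described above, as an added example that is not code from the original post: each recipient gets an opaque per-campaign token (an HMAC, so nobody can guess a colleague's token or read an address out of the URL), the token is embedded in a tracking image and in the lure link, and the landing host's access log is mapped back to recipients with a device split. The host sim.example.test, the URL layout, the campaign secret, the recipients and the log lines are all constructed for the example.

```python
"""Attribute phishing-simulation opens and clicks to recipients.

Added example, not code from the original post. Everything here is
hypothetical: the landing host sim.example.test, the URL layout, the
campaign secret and the recipients. The web server is assumed to write a
standard combined-format access log, which is what we parse.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

CAMPAIGN_SECRET = b"example-campaign-secret"  # constructed; keep the real one in a vault
LANDING_HOST = "https://sim.example.test"      # hypothetical landing host


def token_for(campaign_id: str, email: str) -> str:
    """Opaque per-recipient token. HMAC means a recipient cannot guess a
    colleague's token or recover an address from the URL, but we can map it back."""
    msg = f"{campaign_id}:{email.lower()}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def build_urls(campaign_id: str, email: str) -> dict:
    """The two signals embedded in the email: a 1x1 image ('opened')
    and the lure link ('clicked')."""
    t = token_for(campaign_id, email)
    return {"pixel": f"{LANDING_HOST}/p/{t}.gif", "link": f"{LANDING_HOST}/l?t={t}"}


# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify_device(ua: str) -> str:
    """Coarse device class from the User-Agent; enough for the
    mobile/desktop split that decides which training format to serve."""
    ua = ua.lower()
    return "mobile" if any(k in ua for k in ("iphone", "android", "mobile")) else "desktop"


def attribute(log_lines, campaign_id: str, recipients) -> dict:
    """Map log hits back to recipients: {email: {opened, clicks, devices}}.
    Unknown or malformed tokens are ignored rather than crashing the report,
    since the landing host will also receive scanner and crawler traffic."""
    by_token = {token_for(campaign_id, e): e for e in recipients}
    result = {e: {"opened": False, "clicks": 0, "devices": set()} for e in recipients}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["path"])
        if url.path.startswith("/p/") and url.path.endswith(".gif"):
            token, kind = url.path[3:-4], "open"
        elif url.path == "/l":
            token, kind = parse_qs(url.query).get("t", [None])[0], "click"
        else:
            continue
        email = by_token.get(token)
        if email is None:
            continue
        rec = result[email]
        rec["devices"].add(classify_device(m["ua"]))
        rec["opened"] = True          # a click also proves the mail was read
        if kind == "click":
            rec["clicks"] += 1
    return result


# Constructed sample: three recipients; two clicks from Alice's desktop, one
# click from Bob's phone with no pixel hit (images blocked), a forged token,
# and a line that is not in combined format.
SAMPLE_RECIPIENTS = ["alice@example.test", "bob@example.test", "carol@example.test"]


def sample_log() -> list:
    a = token_for("c1", SAMPLE_RECIPIENTS[0])
    b = token_for("c1", SAMPLE_RECIPIENTS[1])
    win = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
    ios = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148"
    return [
        f'10.0.0.5 - - [01/Jan/2024:09:00:01 +0000] "GET /p/{a}.gif HTTP/1.1" 200 43 "-" "{win}"',
        f'10.0.0.5 - - [01/Jan/2024:09:02:10 +0000] "GET /l?t={a} HTTP/1.1" 200 1210 "-" "{win}"',
        f'10.0.0.5 - - [01/Jan/2024:09:02:45 +0000] "GET /l?t={a} HTTP/1.1" 200 1210 "-" "{win}"',
        f'198.51.100.7 - - [01/Jan/2024:09:15:00 +0000] "GET /l?t={b} HTTP/1.1" 200 1210 "-" "{ios}"',
        '203.0.113.9 - - [01/Jan/2024:09:20:00 +0000] "GET /l?t=0000000000000000 HTTP/1.1" 200 1210 "-" "curl/8.0"',
        "this line is not an access-log entry",
    ]
```

Run `attribute(sample_log(), "c1", SAMPLE_RECIPIENTS)` and Bob shows as opened with one click even though his mail client never fetched the image, which is why the click, not the pixel, should drive the numbers.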
A basic drive-by phishing test ends when the user clicks the link. This simulates opening a link to a compromised website that may attempt to install malware on their device. After clicking, they are presented with an 'Oops, you've been phished!' web page. This page either shows an error message or provides real-time phishing training that gives the testee a chance to reflect on what just happened.
A more complex test presents the victim with a login form or a series of input forms in order to capture data from them. This may run to one or several pages before the test concludes. The more data they leak, the bigger the detected threat. The simulation should record that a field was filled in, never the value itself: a phishing test must not turn into a store of real passwords. Once again, when the test concludes they are either given an error message or some just-in-time phishing training.
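A credential-capture landing page of the kind described above, as an added example rather than code from the original post. It serves the fake login form, records which fields were submitted and how long they were, sizes the detected threat from that, and shows a short text-only training page; the submitted values themselves are never stored. The URL /login?t=<token>, the 16-hex-character token format, the field names and the in-memory event store are all hypothetical; plain WSGI is used so it runs under wsgiref or any WSGI server.

```python
"""Credential-capture landing page that records *that* data was entered,
never *what* was entered.

Added example, not code from the original post. Hypothetical: the lure
link is /login?t=<16-hex-char token>, the form has 'username' and
'password' fields, and events live in an in-memory dict (a database in
real use).
"""
import io
import re
from html import escape
from urllib.parse import parse_qs

EVENTS: dict = {}          # token -> event record
MAX_BODY = 4096            # cap what we read; nobody legitimately posts more
TOKEN_RE = re.compile(r"[0-9a-f]{16}")


def record_submission(token: str, form: dict) -> dict:
    """Store presence and length of each field, never the value.
    The signal we need is 'a password was handed over'; the password
    itself is something the simulation must not hold."""
    ev = EVENTS.setdefault(token, {"submissions": 0, "fields": {}})
    ev["submissions"] += 1
    for name, values in form.items():
        v = values[0] if values else ""
        ev["fields"][name] = {"submitted": bool(v), "length": len(v)}
    return ev


def severity(ev: dict) -> str:
    """How far the victim went; used to size the detected threat."""
    f = ev["fields"]
    if f.get("password", {}).get("submitted"):
        return "credentials"
    if f.get("username", {}).get("submitted"):
        return "identifier"
    return "click-only"


def login_form(token: str) -> str:
    return (
        "<html><body><h1>Sign in</h1>"
        f'<form method="POST" action="/login?t={escape(token)}">'
        '<input name="username"><input name="password" type="password">'
        "<button>Sign in</button></form></body></html>"
    )


def training_page(ev: dict) -> str:
    # Short and text-only: most people who land here are on a phone.
    return (
        "<html><body><h1>Oops, you've been phished!</h1>"
        f"<p>This was a simulation. Severity: {severity(ev)}.</p>"
        "<p>Check the sender, hover the link, and report anything odd.</p>"
        "</body></html>"
    )


def app(environ, start_response):
    """WSGI entry point: GET shows the lure form, POST ends the test."""
    token = parse_qs(environ.get("QUERY_STRING", "")).get("t", [""])[0]
    if not TOKEN_RE.fullmatch(token):
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    if environ.get("REQUEST_METHOD") == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            length = 0
        raw = environ["wsgi.input"].read(min(length, MAX_BODY))
        form = parse_qs(raw.decode("utf-8", "replace"))
        page = training_page(record_submission(token, form))
    else:
        page = login_form(token)
    body = page.encode()
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(environ: dict) -> tuple:
    """Exercise the app without a server: returns (status, body_text)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


def post_env(token: str, body: bytes) -> dict:
    """Constructed WSGI environ for a form POST, as a browser would send it."""
    return {"REQUEST_METHOD": "POST", "QUERY_STRING": f"t={token}",
            "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
```

After `call(post_env("0123456789abcdef", b"username=alice&password=hunter2"))` the event record says a 7-character password was submitted and the severity is "credentials", but the string "hunter2" appears nowhere in EVENTS.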
What Is The Benefit of a Phishing Simulation Test?
Unless you can measure the size of the problem, your assumption about the risk phishing poses to you and your organisation is probably wrong. It only takes one person giving away their credentials for an attacker to gain a foothold in your systems and escalate from there. Most companies look pretty solid from the internet, but once you are on the corporate network things get a lot more open.
By testing your people regularly you can achieve three things:
- Measure how many people fail, how often, and for what kind of content
- Track changes in phishing susceptibility over time, both improvements and degradations
- Provide just-in-time training for people who need it, exactly when they need it – just after they fail a phishing test.
What Should I Do With The Results of Phishing Testing?
It's easy to get caught up in the numbers: how many people failed, how many passed. The danger is that you end up testing and tracking your ability to write convincing phishing emails rather than whether people are learning from the training you provide.
Training is Key
Use the results of phishing tests to tailor your cybersecurity training program if you have one, or to help you create one if you don’t. We have two opportunities to provide feedback:
- Immediately after people fall for a phishing simulation attack
- After the fact through planned training sessions
There's little value in looking for trends until you've run at least 5 or 6 tests with appropriate spacing between them; a single test measures that particular lure as much as it measures your people. The tests need to be unexpected to give accurate results. Examine the results of each test as they happen and use them to tailor your approach and plan the delivery of targeted training, but don't penalise repeat offenders until you've given them plenty of training and opportunities to improve.
When people fail a phishing test and are immediately presented with training, it's quite a shocking experience. They were expecting one thing and were presented with another. For some people the shock may be exactly what they need for their guard to go up and their behaviour to change. For others, the shock may wipe out the value of the training completely: they close your carefully worded phishing awareness page without reading or understanding most of it.
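Putting the measurement advice above (failure counts per test and per kind of content, changes over time, and not reading a trend into too few tests) into working form, as an added example that is not from the original post: each campaign's failure rate gets a Wilson score interval, two campaigns are only called 'improved' or 'worse' when the intervals do not overlap, no trend is reported until a minimum number of tests has run, and rates are pooled per lure theme so like is compared with like. The campaign records, themes and the five-test minimum are constructed for the example.

```python
"""Campaign metrics with uncertainty, so a change between two phishing
tests is only called a trend when the numbers support it.

Added example, not from the original post. Campaign records are
constructed; 'failed' means clicked the link (submitting data implies a
click, so it is counted there too).
"""
import math
from collections import defaultdict


def wilson(fails: int, sent: int, z: float = 1.96) -> tuple:
    """95% Wilson score interval for a failure rate. Unlike the naive
    p +/- z*sqrt(p(1-p)/n) it behaves sensibly for small n and p near 0."""
    if sent == 0:
        return (0.0, 0.0)
    p = fails / sent
    z2 = z * z
    denom = 1 + z2 / sent
    centre = (p + z2 / (2 * sent)) / denom
    half = z * math.sqrt(p * (1 - p) / sent + z2 / (4 * sent * sent)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def compare(before: dict, after: dict) -> str:
    """'improved' or 'worse' only when the two intervals do not overlap;
    anything else is noise until more tests have run."""
    lo_b, hi_b = wilson(before["failed"], before["sent"])
    lo_a, hi_a = wilson(after["failed"], after["sent"])
    if hi_a < lo_b:
        return "improved"
    if lo_a > hi_b:
        return "worse"
    return "inconclusive"


def trend(campaigns: list, min_tests: int = 5):
    """None until at least min_tests campaigns have run (constructed
    threshold); otherwise the first campaign against the latest."""
    if len(campaigns) < min_tests:
        return None
    return compare(campaigns[0], campaigns[-1])


def by_theme(campaigns: list) -> dict:
    """Pooled failure rate per lure theme. A failure rate tracks the lure
    as much as the people, so compare parcel lures with parcel lures."""
    sent, failed = defaultdict(int), defaultdict(int)
    for c in campaigns:
        sent[c["theme"]] += c["sent"]
        failed[c["theme"]] += c["failed"]
    return {t: failed[t] / sent[t] for t in sent}


# Constructed sample: six quarterly campaigns to 200 people each.
SAMPLE_CAMPAIGNS = [
    {"id": "2023-q1", "theme": "parcel", "sent": 200, "failed": 40},
    {"id": "2023-q2", "theme": "payroll", "sent": 200, "failed": 36},
    {"id": "2023-q3", "theme": "parcel", "sent": 200, "failed": 30},
    {"id": "2023-q4", "theme": "it-helpdesk", "sent": 200, "failed": 28},
    {"id": "2024-q1", "theme": "payroll", "sent": 200, "failed": 22},
    {"id": "2024-q2", "theme": "parcel", "sent": 200, "failed": 18},
]


def report(campaigns: list) -> dict:
    """One summary a security team could paste into a quarterly update."""
    return {
        "per_campaign": {c["id"]: wilson(c["failed"], c["sent"]) for c in campaigns},
        "by_theme": by_theme(campaigns),
        "trend": trend(campaigns),
    }
```

With the sample data, 40 failures out of 200 against 36 out of 200 in the next quarter is "inconclusive" (a 2-point drop is well inside the interval), while 40 against 18 six tests later is "improved"; with only the first four campaigns `trend` returns None.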
What Type of Training Content Should You Use?
I prefer text and image-based just-in-time training for those who fail a phishing test. While video and interactive web pages can be really engaging, I think they're best saved for scheduled training sessions. After someone has just been phished they may not be in a position to watch a video or use a complex web application. In my experience, 60% of people who fail phishing tests are on mobile devices! For that reason, we need something clear and concise. Something that informs quickly and then lets them go back to doing whatever it was they were doing – checking emails while commuting, going for a coffee, or killing time between meetings.