Hack a punch: Why intelligent phishing simulation is vital in the fight against scammers
Your friend Andy’s always been interested in kickboxing.
So he joins a beginner’s class where he rehearses all the moves and works on his fitness. Bit by bit, he perfects his form and technique in the mirror. He spends all his spare money on top-of-the-range gear.
Supremely confident in his abilities, Andy signs up for his first match.
The day arrives. The room is packed. He steps into the ring. The bell sounds.
He keeps his guard up like he practiced in the mirror.
But he’s got a problem: His opponent isn’t a mirror. His opponent is Derek the Destroyer. And Derek’s been doing this for years. He easily lands a killer punch without breaking a sweat. Then another. Then another.
Andy is stunned. He should have seen it coming. He knew what to look out for. He thought he knew how to defend himself.
Andy’s missing something and it’s caused him to get pummeled.
And . . . it’s 100 percent not his fault. He should have had better training.
Because Andy never had the opportunity to practice defending himself in a realistic (but safe) scenario.
In combat sports, this practice is called sparring. It’s essentially a simulated fight, and it’s all about preparing fighters for real-world situations. It’s important because it helps fighters learn how to anticipate and respond to their opponents’ next move and act against it.
But, of course, in your organization there are no mouthguards and sweaty gym mats. And yet, cybersecurity is all about putting up your best fight against the bad guys.
You need to give your people a fighting chance at fending off attacks.
Because phishing attacks remain one of the most common and damaging cyber threats facing organizations today.
With the rise of remote working and the increased use of technology, the threat of phishing attacks is greater than ever.
And in this arena, cybercriminals are highly skilled heavyweights. They’ve been in the game for years. And they don’t pull their punches.
So if you’re not equipping your people effectively, there’s only going to be one winner. And it’s not going to be you.
But you know that, right? That’s why you’ve invested in various security solutions, implemented policies and procedures. And maybe you’ve even got phishing simulations. They catch people off guard and then assign more training if people fail them. That’s bound to teach them. Right?
The truth is, phishing sims often fail to achieve their intended purpose. And that makes your defenses fall way short.
But that’s where intelligent phishing training comes in. It’s like spending time running supportive, friendly sparring matches for each person in your organization. And it greatly reduces the chances of your organization taking a pummeling from a cyber attack.
Why all the fuss about phishing?
Phishing attacks are the most common cause of data breaches, with 80% of reported incidents involving phishing or social engineering.
Moreover, the cost of a successful phishing attack can be significant, with an average cost of $1.6 million per incident. So it’s essential to train people to recognize and avoid phishing attacks.
What makes them such formidable foes, though?
1. They use human behavior as a weapon
Phishing attacks prey on human behavior. They’ll often pose as a communication from an authority figure. They might foster a sense of urgency. They may offer a reward to the recipient.
These elements play on the human psyche. Deference, anxiety, fear, and/or excitement will push people into knee-jerk responses like handing over sensitive data. That’s all it takes for the scam to work.
2. They take the . . . phish
The laziest way to shake down an organization if you’re a cybercriminal? Use times of crisis to your advantage.
Remember how calm and rational you felt during the early days of Covid-19? Yep. Exactly.
The UK’s HMRC detected a 73% increase in email phishing attacks in the first six months of the pandemic.
And plenty of us received a phishing attempt posing as a Covid-19 vaccination invitation.
3. They’re targeted
It’s a doddle for threat actors to use social engineering and personal information to make their scams seem legitimate. With targeted attacks, it’s even more dangerous because these scams are less likely to be caught by filters.
Business email compromise (BEC) scams are one type of targeted spear phishing attack criminals use. These scams involve impersonating people in an organization.
In 2019, Toyota lost $37 million in a BEC scam, and these scams have been on the rise since the pandemic began. In the second quarter of 2020, BEC wire transfer losses went up 48%.
4. Phishing filters are imperfect
Most organizations today use phishing filters to combat phishing attacks.
But studies show phishing filters are far from perfect.
Sure, they can detect and block dated and known phishing attacks. But when it comes to targeted spear-phishing attempts on senior executives, that filter’s about as effective as a screen door on a submarine. In fact, research suggests that these filters miss up to 25% of phishing emails.
We know more sophisticated and personalized phishing tactics are on the way. So, relying solely on software isn’t going to cut it.
So what can security teams do to better protect their organizations from phishing attacks?
Filters don’t save organizations—people do
Fortunately, security teams have something else to defend against phishing attacks: People.
Of course, once upon a time, people were framed as nothing but one huge cybersecurity liability.
But without question, alert and aware people detect and stop malicious phishing attacks from doing any damage on a daily basis.
The reason? People have a broader range of criteria they can use when assessing emails. And, as people aren’t bound by arbitrary rules, they can err on the side of caution.
People can prevent cyber attacks—when you empower them. Yes, even sophisticated forms of phishing.
So how do you get them there? Specifically, how do you empower people to spot and flag the phishing attacks phishing filters miss?
It’s not just about security awareness. It’s about security behaviors and security culture.
It’s about an intelligent approach to phishing training.
So how can you fix phishing simulations?
How can you create a culture that makes simulated phishing effective?
Goal setting and planning
Not planning and goal setting. This is important. You can’t start planning until you know what you want to achieve. Pick your destination, then map out the route.
Set goals
Be ambitious. Set the bar high. Really high. It’s better to do your best and fall a little short than to set the bar low and comfortably get there. So, take some time to think about what you want out of your campaign and make a list of your goals.
Set key metrics
Remember those pesky click rates? Well, you’ll need to measure those . . . and then some. Tracking click rates—in combination with other metrics—will help you prove the success of your campaign.
Decide how you support repeat clickers
Repeat clickers are people who perform several high-risk actions—like downloading attachments or entering data—within a set time period. For example, you could decide anyone who performs four or more high-risk actions within six months will be classified as a repeat clicker. That’s repeat clickers. Not repeat offenders. There’s a difference.
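The repeat-clicker rule above (four or more high-risk actions within six months), together with the click-rate tracking from the key-metrics step, as an added Python example that is not part of the original post. The event records, the action labels and the 182-day reading of "six months" are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data, one record per simulated email: (user, date, action).
# Action labels are assumptions for this example; "download" and "submit_data"
# are the high-risk actions the post names (opening attachments, entering data).
EVENTS = [
    ("alice", date(2023, 1, 10), "click"),
    ("alice", date(2023, 2, 14), "download"),
    ("alice", date(2023, 3, 3), "submit_data"),
    ("alice", date(2023, 5, 20), "download"),
    ("alice", date(2023, 6, 1), "submit_data"),  # 4th high-risk action in 6 months
    ("bob", date(2023, 1, 5), "download"),
    ("bob", date(2023, 8, 9), "submit_data"),
    ("bob", date(2023, 9, 12), "download"),
    ("bob", date(2024, 1, 20), "submit_data"),  # 4 in total, never 4 within 6 months
    ("carol", date(2023, 4, 2), "reported"),
    ("carol", date(2023, 7, 7), "click"),
    ("dave", date(2023, 1, 10), "ignored"),
]
HIGH_RISK = {"download", "submit_data"}
CLICKED = HIGH_RISK | {"click"}  # a high-risk action implies a click
WINDOW = timedelta(days=182)  # "six months", taken as 182 days (assumption)
THRESHOLD = 4  # "four or more high-risk actions"

def repeat_clickers(events, threshold=THRESHOLD, window=WINDOW):
    """Users with `threshold` or more high-risk actions in any rolling `window`."""
    by_user = defaultdict(list)
    for user, when, action in events:
        if action in HIGH_RISK:
            by_user[user].append(when)
    flagged = set()
    for user, dates in by_user.items():
        dates.sort()
        start = 0
        for end, latest in enumerate(dates):
            # drop the oldest dates until the window spans at most `window`
            while latest - dates[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged

def campaign_metrics(events):
    """Click rate alongside the report rate over all delivered simulated emails."""
    total = len(events)
    clicked = sum(1 for _, _, action in events if action in CLICKED)
    reported = sum(1 for _, _, action in events if action == "reported")
    return {"delivered": total, "clicked": clicked, "reported": reported,
            "click_rate": clicked / total, "report_rate": reported / total}
```

Bob has four high-risk actions overall but is not flagged, because no six-month window contains all four; that is the difference between counting actions and applying the time-boxed rule.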
Get buy-in
So you’ve set your goals and thought about how you’ll classify and manage repeat clickers. But make no mistake, you can’t do this alone. You just can’t. You’ll need help. Lots of it.
And then there are ways to supercharge any cybersecurity training’s effectiveness:
Personalization:
It’s all about tailoring training to individual learning styles and preferences. That makes it more engaging, relevant, and memorable. And people are more likely to remember what they’ve learned and put it to use.
Gamification:
Don’t be afraid to use game-like elements in training. You’ll make it more engaging and competitive—dare we say maybe even . . . fun? You’ll boost motivation and participation, as well as reinforce learning.
Continuous learning:
Cyber threats and technologies are constantly evolving. To stand a chance, people need ongoing training and education. Keep them up with the latest trends and best practices. Only then can they respond effectively.
How do I implement an intelligent approach to phishing simulation?
Just like a fighter, an intelligent approach to phishing simulations will keep you quick on your feet, sharp-eyed, and able to dodge incoming attacks.
But let’s face it, you’re not fighting some lightweight contender here. You need a robust plan of attack to go up against the heavyweights in the cyber world.
That’s where our free ebook comes in. It’s like having a championship trainer in your corner. A New Approach to Simulated Phishing is your ticket to intelligent simulated phishing training that’ll take your phishing resilience to the next level.
Remember, it doesn’t matter how many punches the bad guys throw if you’re always one step ahead.