Running Phishing Training

By Jay Pope


Our last article discussed Staff training so this time we’re going to focus a little more on ‘Phishing Training’, which involves phishing simulations, or tests, in which a typical phishing email is presented to employees. Afterwards, those who ignored it but didn’t report it, and those who fell for it and activated a link or opened a document are alerted to their behaviour and its possible consequences, were the link to have been a real phishing attempt. This seems to sink in far more so than a theoretical training session on cyber risks and results in changed behaviour in the longer term. Here, we discuss some considerations in planning for Phishing training campaigns.


Start the Campaign with Simple Examples

Clearly, you need to treat staff fairly, so before the phishing simulation gets off the ground, you need to make sure that all employees have been given the organisation’s policy and any conventional training they may need. The simulated attacks need to be part of a planned campaign in which they become progressively harder to spot. The IT department needs to run this regularly, perhaps once every 6 weeks. A regular campaign will engage new employees, allow a refresh of both basic and sophisticated phishing techniques, and allow any new threats that have been identified to be included in the simulation. Executives can be a weak link in cybersecurity because they may consider themselves too senior and too busy to attend training. “Whaling” involves compromising an executive’s login, at which point the attacker can exploit the executive’s ability to send high-level authorisation emails – such as payments to banks, for example. So, executives should be included in the phishing simulation training.


Decide What Types of Phishing You Will Simulate

There are, of course, several types of phishing email. These include the false web page, which is a mock-up that might look exactly like the home page of a bank to which an employee frequently sends money. The employee is asked to enter their username or password. The details are then harvested by the cyber attackers. More sophisticated versions of this use any real personal or corporate details that have been acquired to carry out a more targeted attack, usually requiring a payment to be made. For example, a false invoice may have a real accounts employee’s name on it. In many cases, “bait” is used, such as a corporate discount offer in retail outlets, a Valentine’s Day ‘eCard’, a “win” on a draw, a desperate message from a known friend, a tax rebate from HMRC and so forth.

More technical attacks include changing the destination IP address of certain websites, and directing traffic to an identical, but fraudulent site. The remedy for this is to ensure that staff understand the importance of the “https://” designation when it comes to data security. And of course, two stage verification for logins to highly sensitive systems can provide a far greater level of resilience.


The Evolution of Social Engineering Threats

Social engineering has become one of the most rewarding attack routes for those wishing to misrepresent themselves, carry out fraud, manipulate emotions, unbalance public discourse, or to build or damage reputations. Companies need to be particularly careful about the information that employees divulge on social media sites such as LinkedIn, because a small amount of identity information can be leveraged by fraudsters to mount more convincing phishing attacks. One problem for corporations has been the explosion of channels the attackers can use – social media, games, mobiles, internet TV and film, voice-activated technology and so on.


So How To Translate All This Into Training?

Phishing, whaling and the evolution of social engineering – it’s a challenge to train people to be constantly aware of all of these. That’s why the simulation tests, allied to training, are such a useful tool. The key steps in setting up phishing simulations might be:

  • Devise the scenarios you will use. Make them realistic – for example, an angry demand for immediate payment of an overdue invoice;
  • Decide on the types of attack – whaling, phishing, social engineering, bait-laying etc;
  • Decide on the “bait” to be used, if any;
  • Set up the false email address or web page and draft the mail;
  • Choose the best time to send it, when it is most likely to generate a response;
  • Collate results;
  • Follow up with training.


Phishing Tools

By far the easiest way to carry out the simulation is to use a tool designed to do this. There are different types of phishing awareness training tools, with various levels of sophistication. The most basic will simply allow you to compose an email and provide an address. More advanced tools allow you to run several different campaigns at the same time and will track follow-up actions, such as training sessions for individual users. They’ll also provide clear management reports. The high-end tools will allow the IT department to flag emails as “Important” – all with the objective of convincing the user to click on the baited mail. The goal, after training, is for the user to become far more aware of the threat and far less likely to subject the organisation to the risk of ransomware and other attacks.


Does Your Organisation Need Top Cyber Security Consultants?

We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.