“Make the most of your phishing simulations”

Friday 7th October, 2022

Cyber Security Awareness Month

“How to make the most of  Simulated Phishing Attacks”

By Jack Field, Cybersecurity Services Team Lead

“Do your Part. #BeCyberSmart” is the motto of this year’s Cyber Security Awareness Month.

You could not ask for a more appropriate message, as criminals continue to prey on users to kick-start cyber-attacks. Data from the FBI shows that reported phishing victims counted up to 323,972 in 2021, which is a 34% increase on the number reported in 2020.

Users must be protected from such attacks. Many institutions have invested in SEGs (secure email gateways) and firewalls but these aren’t silver bullets to the phishing dilemma; there will never be one. These technological solutions don’t, however, address security awareness. To significantly reduce the risk of users falling for phishing emails, users need to be made aware of and how simple it is to fall for phishing scams which have become more and more sophisticated over time. Running simulated phishing attacks, as part of a security awareness campaign, is a highly effective way to alert users to the vagaries of different tactics employed by malicious actors attempting to gain access to your data and/or credentials via phishing.

When recruiting for most job roles, ensuring that candidates have relevant experience is a necessity to ensure they would successfully adapt to the job. By this logic, to ensure users can deal with phishing emails correctly they should be given phishing experience, preferably in a safe and controlled environment. A simulated phishing experience is the safest way to help consolidate security training/education and provide trust that your colleagues are capable of raising alarm bells when a phish has reached user inboxes.

To make the most of simulated phishing attacks it’s vital that users have a positive perception of the process. There are a number of useful techniques that help ensure this:

Promote the tests as a way of identifying which users are first to correctly report the phish using the correct IR (incident response) processes.

  • Reward and thank these users in a public way, so that their colleagues see the value in reporting phishes.

If possible, ‘gamify’ the experience:

  • Create leader boards based on how many simulated phish people report, you might get more points for identifying more socially engineered, or harder, attacks.
  • Have your own users design the attacks (or submit ideas), encourage users to read up on successful techniques and again reward the most successful ‘criminal’ and the users that report attacks best.

Remember users that fail phishing assessments shouldn’t be punished, they just need educating. How users are informed they failed the assessment must be tonally light with relevant options to improve their awareness.

  • Explain what happened to set the tone, highlight the red flags and ask users to be vigilant.
  • This can often happen as soon as a user falls for a campaign, providing teachable moments and reducing the number of service desk requests.

The users’ perception of why simulated attacks are being sent their way, and if they feel respected whether they pass or fail an assessment, is key to a growing a culture where users enjoy being a part of the security awareness process.

Letting users see the value they and their colleagues bring by reporting phishing will only encourage more a widespread response when a genuine attack gets through. By starting off your phishing assessment projects with strategies that involve users, rather than just targeting them, organisations will find that phishing assessments can be enjoyable for all, not to mention a powerful risk-reduction measure.

Jack Field is KHIPU’s Cyber Security Services Team Lead. He has been providing simulated phishing and awareness training services to customers for over four years. He has extensive experience in helping institutions reduce their exposure to one of the most common cyber attack methods.

For further information on our cyber security services, please contact the KHIPU team.

UK: +44 (0)345 272 0900

SA: +27 (0)41 393 7608