Employee Phishing Simulations 101 — Why, how and when to run them

Phishing Simulation

From email attachments claiming to be an invoice to “password expired” messages pointing at a strange login page, businesses are targeted with various types of phishing attacks on a daily basis, many of which look surprisingly authentic. With studies concluding that employees are 40% more likely to encounter a phishing scam since 2021, now is the time to assess and strengthen staff awareness. The way to do this is through internal attack simulations.

What is a phishing simulation?

A phishing simulation — or a phishing test — is where a fake malicious email is sent by an organisation to their own staff in order to assess their response to a real-world phishing attack.

Why are phishing simulations important?

More than 80% of reported cyber incidents are tied to phishing attacks, most of which are delivered through email. To combat these threats, staff need to understand the signs of an attack, the common techniques used, and how to tackle and defend against them. Phishing simulations help employees stay alert and confident enough to recognise, avoid and report potential threats.

How do phishing simulations work?

Phishing simulations are typically administered periodically, using different techniques and messaging each time. In most cases the simulation is run by the business’s IT team and proceeds as follows:

  • Planning — To decide which staff will be targeted, how often and which techniques and templates will be used.
  • Delivery — Employees are then sent their first simulated phishing email.
  • Results — The simulation tracks whether employees engage with the email: whether the user clicked the ‘dangerous’ link or downloaded the ‘harmful’ attachment, and who reported the email.
  • Follow-up — If an employee clicks the link or downloads the attachment, they’re directed to a landing page that explains which signs they missed, often followed by a training session.
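The Results and Follow-up steps above come down to turning a campaign’s event log into per-department click and report rates and a list of who needs training. The script below is an added example, not code from this article or any simulation product; the event log, employee ids and department names are constructed, and it assumes each recipient produces exactly one “delivered” event.

```python
from collections import defaultdict

# Events that count as engaging with the lure; anyone producing one gets follow-up.
ENGAGE_EVENTS = {"clicked", "attachment_opened"}

# Constructed sample events for one simulated campaign (not real data).
# Tuple layout: (employee id, department, event, minutes after delivery)
SAMPLE_EVENTS = [
    ("e01", "finance", "delivered", 0), ("e01", "finance", "clicked", 12),
    ("e02", "finance", "delivered", 0), ("e02", "finance", "reported", 5),
    ("e03", "sales", "delivered", 0), ("e03", "sales", "clicked", 3),
    ("e03", "sales", "reported", 20),          # clicked first, then reported
    ("e04", "sales", "delivered", 0),
    ("e07", "sales", "delivered", 0),
    ("e05", "it", "delivered", 0), ("e05", "it", "reported", 2),
    ("e06", "it", "delivered", 0), ("e06", "it", "attachment_opened", 30),
]


def score_campaign(events):
    """Roll campaign events up per department, plus an "ALL" total.

    Returns {dept: {delivered, engaged, reported, engage_rate, report_rate,
    first_report_minutes, follow_up}}. A recipient who engages AND reports
    is counted in both columns; engaged recipients are listed for follow-up.
    """
    per_user = {}
    for emp, dept, event, minutes in events:
        u = per_user.setdefault(emp, {"dept": dept, "engaged": False, "reported": None})
        if event in ENGAGE_EVENTS:
            u["engaged"] = True
        elif event == "reported" and (u["reported"] is None or minutes < u["reported"]):
            u["reported"] = minutes          # keep the earliest report time

    summary = defaultdict(lambda: {"delivered": 0, "engaged": 0, "reported": 0,
                                   "first_report_minutes": None, "follow_up": []})
    for emp, u in sorted(per_user.items()):
        for key in (u["dept"], "ALL"):
            s = summary[key]
            s["delivered"] += 1
            if u["engaged"]:
                s["engaged"] += 1
                s["follow_up"].append(emp)
            if u["reported"] is not None:
                s["reported"] += 1
                t = s["first_report_minutes"]
                s["first_report_minutes"] = u["reported"] if t is None else min(t, u["reported"])
    for s in summary.values():
        s["engage_rate"] = round(s["engaged"] / s["delivered"], 2)
        s["report_rate"] = round(s["reported"] / s["delivered"], 2)
    return dict(summary)
```

Tracking engage rate and report rate together matters: a department whose report rate rises while its engage rate falls is the trend the programme is meant to produce, and `first_report_minutes` tells the security team how quickly a real attack would surface.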

Best practices for running a phishing campaign

A good phishing campaign accurately emulates the techniques used by real attackers. Real phishers use a range of tricks to dupe people, but most attacks revolve around:

  • Fear — e.g. your account being deactivated unless you reset your password
  • Anxiety — e.g. being asked to make an urgent wire transfer by the CEO
  • Reward — e.g. entering a prize draw to win additional annual leave
  • Hope — e.g. downloading an attachment to see who won that quarterly incentive

Phishing simulations teach the core best practices for defending yourself against each of these tactics used by attackers.
