The SMB’s Guide to Phishing Simulation Training for Employees

Phishing attacks continue to rise as organisations struggle to adapt to the new routines and security requirements of a remote workforce. According to the ACSC Annual Cyber Threat Report 2020-21, more than 4,600 business email compromise (BEC) reports were received during the 2020/21 financial year, with a total financial loss of AUD$81 million, an increase of 54% in the average financial loss per BEC report.

Phishing has emerged as a staple attack method for bad actors because of its high success rate. Unfortunately, most awareness training programmes still haven’t caught up with this trend. An ISACA survey found that although organisations invest heavily in awareness and training, they often overlook phishing simulation. While 71% of organisations surveyed provide employee training, only 57% reported that they perform phishing simulations. A mere 25% employed active, knowledge-based assessment of employees’ phishing awareness.

Organisations are conscious of the role employees play in preventing phishing attacks; however, based on data from ISACA’s survey, this understanding isn’t reflected in cybersecurity awareness training efforts.

What Is a Phishing Simulation, and Why Is It Important for Organisations?

A phishing simulation tests employees’ ability to distinguish between a genuine and a fake email or attachment.

It works like this:

You send an email to a group of users with a convincing request to either click a link or download an attachment. If an employee falls for the fake email, or enters their details into a social-engineering-based form, they have failed the test and, in a real attack, could have been the entry point for malware or a data breach.

Phishing simulations are a great way to test your cybersecurity posture and resilience. As the COVID-19 pandemic placed restrictions on on-premises work, fraudsters embraced new phishing schemes that exploit workers’ reliance on virtual meetings, messaging, and online transactions to deliver malware and carry out email account compromise (EAC) scams. Common fraudulent email methods include posing as a company’s senior leader, such as the CFO or CEO, and asking employees to join a virtual meeting via a malicious link.

How to Run an Effective Phishing Simulation Training

A holistic approach to a phishing simulation campaign blends awareness training content with phish testing. Let’s look at how to integrate phish testing into your cybersecurity awareness strategy.

Step 1: Choose Your Tool

Attackers primarily use phishing to target employees with malicious links, data-harvesting web forms, or infected attachments. Depending on the phishing use case you want to train your employees on, choose a tool that can replicate the real-world scenarios an attacker would use to gain access to your network or data.

Step 2: Select Your Targets

The most effective way of running a phishing simulation test is to target a group of individuals who have recently completed a cybersecurity training course. Following theoretical phishing lessons with a practical component helps the new information become embedded in long-term memory.

Step 3: Choose the Scenario

Here’s where you can get creative: the ACSC, along with other cybersecurity publications, regularly describes actual phishing incidents in great detail. Use this information to create your scenario. Here are a few things to keep in mind when devising a phishing scenario:

  • Impersonate a legitimate, well-known organisation to establish credibility
  • Use a phishing template based on real-world scenarios
  • Customise the lure to your target group’s job role: for example, send spreadsheet attachments to marketing, sales, and finance, using data or documents they are likely to trust

Remember that it takes multiple simulation tests to get employees up to speed on anti-phishing best practices. Aim for 5-10 phishing simulations per user per year, enough to keep phishing threats top of mind without disrupting employees’ work or overburdening them with training courses.
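To make the results of the steps above trackable, the simulation tool’s log needs to be rolled up into per-user and per-department metrics. The following Python script is an added example written for this article (not PhishNet’s code or any vendor’s API): it reads a constructed campaign log, scores each user by outcome, computes department click rates, flags who needs follow-up training, and checks who is below the 5-10 simulations-per-year cadence.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample campaign log (not real data): one row per simulated email
# delivered, as (recipient, department, send date, outcome). Outcome is one of
# "ignored", "reported" (user flagged it to IT), "clicked" (opened the lure link)
# or "submitted" (entered details on the fake login form).
SAMPLE_EVENTS = [
    ("alice@example.com", "finance", "2021-02-03", "reported"),
    ("alice@example.com", "finance", "2021-05-11", "ignored"),
    ("alice@example.com", "finance", "2021-09-20", "clicked"),
    ("bob@example.com", "finance", "2021-02-03", "submitted"),
    ("bob@example.com", "finance", "2021-05-11", "clicked"),
    ("bob@example.com", "finance", "2021-09-20", "ignored"),
    ("carol@example.com", "marketing", "2021-02-03", "ignored"),
    ("carol@example.com", "marketing", "2021-05-11", "reported"),
    ("carol@example.com", "marketing", "2021-09-20", "reported"),
    ("dave@example.com", "marketing", "2021-02-03", "clicked"),
    ("dave@example.com", "marketing", "2021-09-20", "ignored"),
]

@dataclass
class UserSummary:
    department: str
    sent: int = 0
    clicked: int = 0    # clicked the link (includes those who went on to submit)
    submitted: int = 0  # entered details on the landing form: the worst outcome
    reported: int = 0   # reported the email: the behaviour the training wants

def summarise(events):
    """Roll the per-email log up into one UserSummary per recipient."""
    users = {}
    for recipient, department, _date, outcome in events:
        u = users.setdefault(recipient, UserSummary(department))
        u.sent += 1
        u.clicked += int(outcome in ("clicked", "submitted"))
        u.submitted += int(outcome == "submitted")
        u.reported += int(outcome == "reported")
    return users

def department_click_rate(users):
    """Fraction of simulated emails clicked, per department (the posture view)."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for u in users.values():
        sent[u.department] += u.sent
        clicked[u.department] += u.clicked
    return {d: clicked[d] / sent[d] for d in sent}

def follow_up_candidates(users, max_clicks=1):
    """Users to schedule for targeted retraining: anyone who submitted details,
    or who clicked more than max_clicks times across the campaign."""
    return sorted(e for e, u in users.items() if u.submitted > 0 or u.clicked > max_clicks)

def under_tested(users, min_per_year=5):
    """Users who received fewer simulations than the target cadence (5-10 per year)."""
    return sorted(e for e, u in users.items() if u.sent < min_per_year)
```

The thresholds are parameters so the same report can be rerun as the cadence ramps up over the year; the sample log is deliberately small, so every user is under-tested at the default of 5.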

Phishing Simulation Training with PhishNet

At PhishNet, we believe that experience is the most powerful teacher. We always accompany our cybersecurity awareness training with realistic phishing simulations that can easily be tracked and monitored.

Contact us to discuss your cybersecurity awareness training requirements today!