In some employers´ minds, phishing awareness training consists of distributing a memo reeling off the top five tips for identifying a phishing email that have been copied and pasted from an 18-year-old´s blog page. This type of employer would be the first to tell you that phishing awareness training is a waste of time and it hasn´t prevented his business from being the victim of a phishing scam.
With all due respect to the 18-year-old blogger, who was only trying to attract visitors to his affiliate website, typical “five tips for” articles are not helping businesses combat phishing scams. Too many employers believe they are adequate defenses against their businesses becoming the next victim of a phishing scam, and some still incorporate them into their training programs.
Phishing has Become Much More Sophisticated
The reason why this type of phishing awareness training is ineffective is because phishing has become much more sophisticated than it used to be. Rather than sending badly punctuated emails invited recipients to click on a link to a yahoo account in order to benefit from a long-lost uncle´s inheritance, scammers are now using social engineering techniques to commit fraud and identity theft.
Social engineering has evolved from the typical “Dear Sir/Madam, act quickly” style of phishing emails to the point where scammers know their intended victim´s name, their social media contacts and their role within the business. The phishing emails still contain a sense of urgency provoked by a threat or a reward, but they are personally targeted to encourage the recipient to execute the requested act.
In some cases, scammers have taken control of genuine corporate email accounts in order to add credibility to their requests, and prevent their phishing emails being identified by advanced email filters. These are the hardest phishing emails to combat, as the tradition tell-tale signs of a scam are not apparent. This level of sophisticated phishing is becoming more common and, without effective phishing awareness training, more businesses will become victims of phishing attacks.
What is Effective Phishing Awareness Training?
Effective phishing awareness training conditions employees to be more resilient against phishing attempts. It does this through simulation training in which employees are sent simulated phishing emails in a safe environment. Their subsequent actions are monitored and additional training provided where required. Once employees are less susceptible to phishing attempts, the training should be repeated periodically and as new phishing techniques are identified.
The training does not stop with classroom-style exercises. Employee email accounts are embedded with a plug-in they can use to report suspicious emails and have them investigated. This has the dual benefit of always reminding employees to be on the look-out for phishing emails, and gives them a way of reporting a suspicious email with the click of a mouse – rather than having to make a decision about whether to open or delete the email.
With this level of interaction and engagement, employees – who scammers regard as the weakest link in a business´s online security – become one of the business´s strongest defenses. Furthermore, if a genuine corporate email account has been taken over by a scammer, employees who have undergone effective phishing awareness training are often more likely to identify the compromised account than security software – potentially saving the business a loss of credibility among its contacts.
Further Benefits of Effective Phishing Awareness Training
Whereas effective phishing awareness training has clear benefits for business, it is good for employees too. Courses typically contain information about social engineering and how scammers obtain personal information about their intended victims. This teaches employees to be more discrete about their online presence and can prevent them inadvertently infecting their own devices with malware or becoming the victim of identity theft.
If your business operates a BYOD network, the fewer infected devices that connect to it, the better for your online security. Furthermore, if your employees can avoid becoming the victim of identity theft, the less likely your business is to be targeted for spear phishing attacks and Business Email Compromise (BEC) attacks. You wouldn´t get this level of benefits from a copied and pasted memo.