Phishing attacks are only successful if they go undetected. It therefore makes sense to strengthen employees' ability to recognize them, and phishing simulations are a tried and tested means of doing so. […]
The number of successful phishing attacks has risen sharply in recent years. According to Bitkom, 18 percent of all German companies suffered damage from such attacks in 2021 (source). A study by BeyondTrust (source) provides further worrying figures: the number of phishing attacks increased by 200 percent from 2020 to 2021. The attackers often used the coronavirus pandemic as a pretext to get users to disclose confidential information.
Purely technical protective measures are not sufficient to contain this worsening problem. Around a quarter of all phishing emails, for example, manage to bypass Microsoft's powerful filter. In such cases, the employees are the last line of defense, so strengthening their awareness must be a goal of the IT security strategy. Purely theoretical training has proven too ineffective here: as with any topic, knowledge is only really transferred when what has been learned can be consolidated in practice. This is where phishing simulations come into play.
Fake e-mails as a training component
Like real attacks, phishing simulations send e-mails to employees that try to elicit sensitive data. For this purpose, the fake messages contain links to fake websites or specially prepared attachments. Of course, the training emails pose no real danger. They serve purely to strengthen employees' security awareness and thus protect companies from the serious consequences of real phishing attacks.
How phishing simulations achieve maximum effect
To derive the greatest possible benefit from phishing simulations, the measure should be prepared in a structured manner and carried out professionally. The focus should always be on raising awareness among employees, not on exposing individual mistakes. In practice, the following procedure has proven itself:
Step 1: Technical preparation by means of whitelist
Whether the simulation is intended as a learning measure or as a test of employee know-how, it cannot work without the appropriate technical preparation. It is recommended to set up a whitelist for the simulation's sender so that the simulated phishing emails actually reach the employees' mailboxes instead of being blocked by the mail filter. Those responsible should ideally clarify further technical details with their provider.
Step 2: Preparation, but no warning
Once the technical setup has been completed, the content of the measure can be planned and scheduled. However, to achieve the maximum learning effect and long-term awareness, employees should not be warned in advance.
Step 3: Carry out the measure anonymously
As mentioned at the beginning, a phishing simulation primarily serves to improve internal IT security awareness. It should not be regarded as a tool for testing knowledge, let alone for exposing individual people. That is why it is important to carry out the measure with an anonymized approach, so that the workforce does not feel monitored or fear formal warnings.
Step 4: Optimally camouflage phishing emails
The days when phishing emails were immediately recognizable are largely over. Cyber criminals increasingly rely on sophisticated messages that have been carefully personalized before the attack; such messages are known as spear phishing emails. They appear particularly trustworthy and thus increase the success rate from the attacker's point of view. In phishing simulations, companies should take care to replicate this methodology as realistically as possible. This applies to the content of the e-mails as well as to the sender address and the design.
Step 5: Ensure knowledge transfer
Phishing simulations should help employees to remain vigilant at all times. It is therefore not enough to send fake e-mails and evaluate the results. Employees should also be given explanatory content so that they understand what to look for in phishing emails and where they can still improve.
Step 6: Create a regulation for the emergency
Every company should have a policy for phishing attacks. Ideally it is created before the simulation and communicated to the employees. It contains concrete instructions on how staff should react when phishing emails occur and describes the reporting chain for this scenario. Compliance with the policy is relevant both for the phishing simulation and for real attacks.
Step 7: Continuous improvement
To ensure that awareness training has a lasting effect, the fake e-mails should be sent to employees at random intervals and, above all, continuously. This keeps awareness of IT security risks high, and the learning content can be deepened over time.
Step 8: Provide feedback
After each phishing simulation, participants should receive detailed feedback so that they can improve. The results can also be discussed in a workshop, since this format allows questions to be clarified directly and participants to exchange their experiences.
Recommended open source technology available
From a technical point of view, there are several ways to implement phishing simulations. The open source framework GoPhish, for example, is recommended. It incurs no license costs and is ready for use very quickly thanks to a one-click installation. The solution has a REST API and an intuitive user interface and runs on Windows, macOS and Linux. The web platform provides the results of the simulations in real time.
Furthermore, GoPhish makes it possible to define your own target groups and to create individual templates, so the simulations can easily be adapted to specific needs. Campaigns can be created and launched in just a few steps. If required, the results can be exported as different reports.
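As an added example (not code from the article or from the GoPhish project), the following Python script shows how campaign results pulled from the GoPhish REST API can be reduced to anonymized per-department statistics before they are shared as feedback, in the spirit of Step 3 (anonymity) and Step 8 (feedback). The endpoint path, Bearer-token header and the result field names "status" and "position" are assumptions about the GoPhish API; the sample data is constructed so the script runs offline.

```python
import json
import urllib.request
from collections import Counter, defaultdict

# Constructed sample in the shape assumed for GET /api/campaigns/<id>/results.
SAMPLE_RESULTS = json.loads("""[
 {"email": "a@corp.example", "position": "Finance", "status": "Clicked Link"},
 {"email": "b@corp.example", "position": "Finance", "status": "Email Sent"},
 {"email": "c@corp.example", "position": "Sales",   "status": "Submitted Data"},
 {"email": "d@corp.example", "position": "Sales",   "status": "Email Reported"},
 {"email": "e@corp.example", "position": "IT",      "status": "Email Opened"}
]""")

# Outcome classes used for feedback; everything else counts as "sent" only.
RISKY = {"Clicked Link", "Submitted Data"}
REPORTED = {"Email Reported"}


def fetch_results(base_url, api_key, campaign_id):
    """Fetch raw results from a GoPhish server (assumed endpoint and header)."""
    req = urllib.request.Request(
        f"{base_url}/api/campaigns/{campaign_id}/results",
        headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["results"]


def anonymize(results, min_group=3):
    """Aggregate outcomes per department; no address or name is retained.

    Departments with fewer than `min_group` recipients are merged into
    "other" so that a single person's outcome cannot be inferred.
    """
    sizes = Counter(r["position"] for r in results)
    stats = defaultdict(lambda: {"sent": 0, "risky": 0, "reported": 0})
    for r in results:
        group = r["position"] if sizes[r["position"]] >= min_group else "other"
        stats[group]["sent"] += 1
        if r["status"] in RISKY:
            stats[group]["risky"] += 1
        elif r["status"] in REPORTED:
            stats[group]["reported"] += 1
    return dict(stats)


def risky_rate(stats):
    """Company-wide percentage of recipients who clicked or submitted data."""
    sent = sum(s["sent"] for s in stats.values())
    risky = sum(s["risky"] for s in stats.values())
    return round(100.0 * risky / sent, 1) if sent else 0.0


if __name__ == "__main__":
    print(json.dumps(anonymize(SAMPLE_RESULTS, min_group=2), indent=2))
```

Only the aggregated dictionary is handed to the workshop; the raw results with addresses stay with the simulation team.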
Conclusion: Simple measure with great effect
All in all, phishing simulations are clearly an important building block for continuous awareness building in the company. If the measure is well prepared in terms of content and organization, it achieves a great effect. Companies can either carry out the technical implementation themselves or use a service provider who runs the simulation as a service.
*The author Jan Kahmen is CEO of turingpoint.