Phishing attacks are quite possibly the most common form of commercial cyber-attack and one which can entirely bypass all the electronic defences you have set up. In 2016, it is estimated that nearly 100,000 phishing attacks targeting companies happened each month, and further, it's an attack type which can be launched at any company regardless of size or prominence.
Phishing is the preferred delivery method for Ransomware and CEO fraud (Business eMail Compromise) attacks and the importance of protecting against these are easily seen from the consequences of the very public WannaCry ransomware attack earlier this year.
The problem with phishing attacks is that they prey entirely on the potential gullibility of your human workforce. They involve no hidden files or programs; they are simply a form of social engineering designed to try to trick workers into giving up critical pieces of information. If an employee gave up the access numbers for your bank account, or the passwords for your central server, even the most expensive hardware firewall on Earth would be useless.
Fortunately, there is still a tool for defending against phishing attacks: Training. A phishing simulation campaign, either live or software-based, can be the best possible way to increase phishing awareness among your staff and reduce the chances of being harmed by such an attack.
Why Businesses of All Sizes Need a Phishing Simulation Solution
Phishing emails can come in a variety of types, each seeking to exploit different weaknesses in human psychology. As a few examples, they might:
- - Pose as a security consultant or other outsourced worker who needs access to password/passcodes to complete their business.
- - Claim that sending a small amount of money someplace will result in more money later. (i.e. the infamous "Nigerian Prince" email)
- - Specifically, target certain workers and attempt to build confidence by including information relevant to them. This is sometimes also called "spear phishing."
- - Compromise or otherwise imitate the CEO or other C-level executives, issuing fake orders to give up crucial information or issue payments. This is also called "Whaling," or "CEO Fraud."
Cyber criminals have effectively commercialised their operations making these phishing eMails more professional in appearance and the scams harder to spot. If the employee falls for it, your security is compromised. Worse, due to the nature of email, phishing attempts can be blasted in mass, potentially to your entire company at once. All it takes is one employee falling for the trick.
To prevent this, a phishing simulation campaign can be used for building awareness of phishing attack types. One can test your workforce's ability to recognize phishing attempts, while also verifying they know the proper procedure for reporting such emails. When coupled with assessments and reporting then companies can track and report on how they have reduced the level of human cyber risk in their business.
It is possible to hire outside security consultants to conduct such tests. However, such groups also tend to be extremely expensive - particularly for smaller organizations. Fortunately, SaaS based security awareness training platforms are now available and can deliver continuous improvements for a fraction of the cost.
These platforms include a security training capability as well as simulators and are used by IT and/or your own security department. They make it simple to customize fake emails that look like phishing and send them out to employees. Then you learn which workers know how to spot a fraud... and which workers need a new round of training.