The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Social engineering has long been a popular tactic among cybercriminals. Relying exclusively on information security tools does not guarantee the safety of an IT infrastructure these days. It is critically important to enhance the knowledge of employees regarding information security threats. Specifically, there is often a pressing need to educate employees about phishing. But how could phishing awareness training go wrong, and what can be done about it? Let's delve deeper and unravel the potential issues and solutions.
In recent years, we have seen an uptick in the delivery of malware via phishing attacks. Compounding the problem is the rising volume of email fatigue, which can lead to less vigilance and increased vulnerability. Regrettably, email protection software does not fully safeguard against phishing due to the inevitable human factor involved. Indeed, there is a reason why social engineering continues to be a preferred strategy for cybercriminals - its effectiveness is exceptional.
Many organizations are already conducting training sessions and rolling out specialized programs to enhance employee awareness about phishing. These programs are not just theoretical but also offer hands-on experience, allowing employees to interact with possible threats in real-world scenarios. For this, companies often use simulated phishing attacks, which are a vital part of their awareness programs. Some businesses manage these cyber exercises internally through their information security teams, while others enlist the help of service providers.
However, these training sessions and mock phishing exercises are not without their flaws. At times, technical issues can disrupt the process. In other instances, the problem lies with the employees who may exhibit apathy, failing to fully engage in the process. There are indeed numerous ways in which problems can arise during the implementation of these programs.
Email messages caught by technical means of protection
It is standard practice for most companies to operate various email security systems, like Secure Email Gateway, DMARC, SPF, DKIM tools, sandboxes, and various antivirus software. However, the goal of simulated phishing within security awareness training is to test people, not the effectiveness of technical protective tools. Consequently, when initiating any project, it is crucial to adjust the protection settings so your simulated phishing emails can get through. Do not forget to tweak all tools of email protection at all levels. It is important to establish appropriate rules across all areas.
By tweaking the settings, I am certainly not suggesting a total shutdown of the information security system - that would be unnecessary. When sending out simulated phishing emails, it is important to create exceptions for the IP addresses and domains that these messages come from, adding them to an allowlist.
After making these adjustments, conduct a test run to ensure the emails are not delayed in a sandbox, diverted to junk folders, or flagged as spam in the Inbox. For the training sessions to be effective and yield accurate statistics, there should be no issues with receiving these training emails, such as blocking, delays, or labeling them as spam.
Untrained employees often become victims of phishing, but those who are prepared, do more than just skip and delete suspicious messages; they report them to their company's information security service.
Tools like the "Report Phishing" plugin for Outlook can be extremely useful. This plugin lets employees quickly and easily notify the information security team about potential phishing attempts. If an attack is indeed taking place, vigilant employees can help detect it faster and prevent severe consequences by forwarding the phishing email to the information security team, who can then respond to the incident.
This plugin is also beneficial for simulated phishing campaigns for several reasons:
- It helps to evaluate the vigilance of users and the effectiveness of the company's awareness training program.
- It alleviates the burden on the information security service from having to process reports of simulated phishing. The fact is that all real phishing alerts are sent to a dedicated mailbox of the information security service. During a training campaign, this mailbox can quickly fill up. Simulated phishing messages will not end up in this mailbox if the plugin is used. Instead, the platform will simply count the employees who reported the attack, thus preventing cybersecurity specialists from being overwhelmed by unnecessary reports.
Apart from email client plugins, there are other ways to assist employees in taking the right actions when confronted with phishing attacks:
- Set up a short and easy-to-remember email address specifically for phishing reports and make sure all employees are aware of it.
- Regularly motivate employees to report any suspected attacks. For instance, you could circulate internal newsletters with statistics on reported incidents, discuss how such reporting aids in thwarting attacks, and give recognition to those who have successfully identified a cyber threat.
Sad test results
Companies can run special phishing tests using both clean emails and ones labeled "external sender" or "spam." These red flags are intended to caution employees to exercise more care when handling such emails, as they are more likely to contain malicious attachments or phishing links. Interestingly, research shows that presenting suspicious details in email headers does not improve phishing detection. Even when emails bear labels like "external sender" or "spam" in the subject line or body of the message, employees click on them nearly as frequently as they do on unlabeled ones.
Why does this happen, and what can be done about it? There could be a level of mistrust towards technology and software algorithms at play here. We often hear the advice, "If you did not receive an email from us, check your spam folder." And, of course, simple inattention on the part of employees is common.
Curiosity, interest, or fear triggered by the content of the email can lead employees to fall for the hackers' bait. Certain expertly designed templates, such as those warning of potential account breaches and prompting password changes, generate high click rates. Often the "sender" field in an email might show an address that perfectly matches the legitimate domain of the client. However, the "from" field only displays text, which can be altered by the sender's email server. To truly ascertain the domain from which the email originated, examining the headers in the email's properties is necessary. Therefore, again, relying entirely on software and hardware for email information security is unwise. The human factor is a crucial element to consider.
Even following training, phishing emails continue to be opened
Let's say right away that there are no magic pills against phishing for employees. Training courses are an important part of the process, but they will not work without regular practice. Upon contact with a new variant of phishing, an employee may become confused and eventually fall for the trick of scammers.
Cultivating robust phishing detection skills and enhancing awareness of threats should be continuous processes that involve direct exposure to these threats. Every training phishing email sent, irrespective of the unsafe action statistics, enhances an employee's awareness: they learn about a new threat, encounter it firsthand, experience the potential impact, and consequently, become less vulnerable. As the proverb says: "Fool me once, shame on you. Fool me twice, shame on me."
Practical experience affirms the need for ongoing engagement with employees. Mere theoretical training sessions will not protect you from phishing, and a single training session is not sufficient either. Interestingly, reports suggest that after one round of simulated phishing emails, there might be an increase in unsafe actions with mock phishing, even after employees have completed training courses.
Does this suggest that the training courses were entirely ineffective? Not necessarily. It simply indicates that the practical skills needed to recognize phishing are not yet fully developed, reinforcing the notion that understanding the information security theory without practical application is insufficient. It is through regular phishing training emails that employees become more adept at identifying phishing attempts and reporting them to the information security service.
Cycle-based phishing awareness program implementation
A phishing awareness program typically starts with an initial round of simulated phishing emails to evaluate employees' susceptibility to such attacks. Next, the employees undergo training to learn about phishing and how to spot it. Following the training, another round of simulated phishing is conducted to provide practical reinforcement of the training and to assess its impact on employees. This constitutes the initial cycle of the program. Depending on your resources and the size of your organization, this part may take anywhere from several weeks to a few months to complete.
The process does not stop there. You should conduct new rounds of simulated phishing emails approximately once a month, gradually making them more complex. Employees who consistently fall for phishing attempts should be given additional training.
Yes, this is a slow process. Building sustainable skills takes time, typically at least 12 months. And even after this period, regular phishing simulation exercises are still necessary to ensure employees maintain their alertness. By running regular phishing simulations, employees become more knowledgeable and vigilant, boosting the attack resilience of both the individual and the entire organization.
As you can see, relying solely on technological measures for protection against phishing is not enough. The human factor should not be underestimated. Engaging with employees and motivating them in matters of information security is essential. That is why simulated phishing exercises are so valuable. If you are in charge of cybersecurity for your organization and do not yet have a dedicated process for reporting phishing and other cyber threats, it is time to establish one. This is a straightforward and effective initial step to shield against cyber threats and kickstart a security awareness program. It is important to properly structure the learning process and run multiple cycles of theoretical and practical sessions on an ongoing basis.