Phishing: Today's most dangerous cybersecurity threat
Your UPS delivery was missed… The IRS says you owe them thousands of dollars… You’ve reached your computer disk storage limit… Your Apple account information has been updated… You've been phished!
Phishing messages are email scams initiated by criminals who want to:
obtain sensitive information
get unauthorized access to a company's computer systems.
There are hundreds of common scenarios used by attackers to get people to click on links and attachments in email messages.
These attacks are one of today's most dangerous threats to businesses because they target unsuspecting employees who have little knowledge of cybersecurity. These attackers also have many ways to trick people into helping them get what they want. They use topics that are sensitive and will cause people to react emotionally, without thinking. Whether it's greediness, laziness, fear, curiosity or a desire to be helpful, scammers will always find an emotional angle that works for someone.
Because phishing messages are dangerous and the attackers are creative and persistent, it's important for employers to make sure their teams are trained. They should also be tested on how to handle such deceptions. Cybersecurity trained employees are less likely to be tricked into clicking on dangerous links.
Workforce testing includes using "simulated phishing messages" or "phishing assessments". Employers can:
learn how vulnerable the organization is to phishing attacks;
help employees who have trouble spotting suspicious email messages; and
provide a "teachable moment" when someone clicks on something bad, giving tips on when to flag messages as suspicious.
How often should employers send phishing tests?
Many organizations create phishing campaigns once a year, but quarterly phishing campaigns are more common. Even quarterly may not be often enough, however. Think about how many dangerous email messages a person receives in a three-month period. Receiving only one employer test message may not provide adequate information or show how vulnerable the organization might be.
Cyber Security Training Tips
Design assessment messages to resemble dangerous phishing messages, but consider other risks. For example, using illicit or indecent content may cause embarrassment and a backlash among employees. (You never know what people will click on!)
Employees need to learn the difference between messages that are suspicious and those that are normal spam to avoid overloading the Service Desk. “If you aren't sure what you should do when you see a suspicious message, you should ask your Service Desk.”
Use scenarios based on past real life phishing incidents in your organization or at other organizations.
Learn how your organization would benefit from well-designed cybersecurity training (including Click Armor's next generation gamified phishing training). Click here to set up a call.