Employee Phishing Test Evalian

Why include an employee phishing test in your security awareness programme

June 18th, 2021 Posted in Information Security

Phishing campaigns are one of the most successful ways for cyber attackers to infiltrate company systems and get access to confidential data. These attacks typically take the form of a fraudulent email, sent to unwitting employees. The hope being that they will download malicious software in an attached file or click through to a fraudulent site. Once they do this, they enter their username, password, or other sensitive information.

Phishing attacks continue to become more sophisticated and harder to differentiate from authentic communications. With the amount of personal information available online, cyber criminals can create eerily realistic emails and text messages. These can impersonate employees’ co-workers, managers, C-level executives or third parties. At some level, we are all susceptible to a phishing attack – particularly if the attack is well-thought-out. The challenge is even harder when phishing emails are highly targeted, known as spear-phishing.

Even digital-native organisations like Google and Facebook have fallen foul to phishing campaigns, losing $100 million in the process. This underscores the fact that, no matter the size of a company or how excellent its cyber security posture is, just one click on a malicious email can lead, ultimately, to a breach. This, in turn, can result in embarrassment and unwanted costs. Therefore, cyber security awareness training is crucial for companies of all sizes. 

However, this training, in itself, does not provide an effective measurement of how well employees understand and take in the information presented to them. Employees may treat training as a tick-box exercise, rattling through it as quickly as possible so that they can get back to work. Plus, employees may forget what they have learnt if training is infrequent.  

Ultimately, the aim is employee security awareness, behaviour modification and an improved security culture. This is sometimes known as the ‘ABC’ of security improvement. It is best achieved through formal training, informal awareness sessions, updates, guidance and assurance exercises, such as employee phishing tests.

What is an employee phishing test?

An employee phishing test is an independent assessment that checks whether your employees are vulnerable to phishing emails. The tests improve awareness and educate staff on what to look out for and do when they receive a phishing email.   

Tests take the form of a simulation, sometimes prepared and managed in-house but often by external penetration testing specialists, during which ‘fake’ phishing emails are sent to employees to see if they recognise them as being potentially fraudulent or not.  

The campaign typically starts with the creation of a phishing email and a fraudulent landing page. This can include a form for collecting data from the employee, much like real credential harvesting sites.  

The email and landing pages are usually designed to look like internal tools, or tools from a reputable supplier such as Microsoft or Dropbox. But there will be small giveaways that indicate the page is, in fact, a phishing scam. Depending on how obvious the client wants the phishing email to be, these differences might, for example, include poor formatting, spelling errors, not using an SSL certificate on the landing page, or using a random web address for the page.  

Only the people who organised the test will know that the email is fraudulent. Sometimes, this includes the IT team but, in some instances, you may wish to check your IT team’s cyber security awareness too. For example, you may want to know whether your service desk team recognises the likelihood of a potential security incident if they receive reports of phishing emails from multiple users. 

The penetration tester will monitor how your employees respond to the email once sent: whether they click the link, enter their details, or – as the best outcome would be – flag it as fraudulent to IT personnel.  

Employee phishing tests usually take a couple of days to set up and roll out. After that, the monitoring period can last anywhere from a week to several. This depends on how quickly employees interact with the email. Once the test is complete, you will receive results that show how your employees reacted to the campaign.  

Armed with these results, you can take immediate steps to improve your cyber security awareness culture. It may be that the results show your training programme is not effective and needs updating. Alternatively, it may show that most of your employees are aware of phishing emails, but a few need extra education. If you wish, you can also share the results with your employees, so that they become more aware of phishing scams in the future. 

Other forms of social engineering testing

As well as being used in the digital sphere (offsite testing), tests can be used to assess physical security (on-site testing). For example, a penetration tester could impersonate a phony third-party contractor and attempt to enter your office building. The tester will monitor your employees’ response to their attempted entrance, to test awareness of physical security policies. 

The test is usually conducted over a one to two-day period, similar to an offsite test. Once you receive the results, you can then provide employees with additional physical security training as needed.  

Incorporating phishing tests into your strategy

Phishing awareness tests are a useful tool for assessing the effectiveness of your cyber security awareness training. They act as a benchmark of success, providing valuable metrics about how successful your training efforts are.  

To get the most from these tests, we advocate conducting them on a yearly basis. There may be cases where your company has undergone a merger or you have introduced a new training programme. In this case, we recommend conducting the simulation quickly after these instances. 

For further information on the different types of penetration testing, read our guide here 

Free download

Click on the image below to download our free pdf on how to identify phishing.

Identifying phishing free download Evalian

Need help?

If you would like to conduct an employee phishing test, or need help to improve security awareness and reduce the risks of phishing emails, please get in touch with our friendly team today.

AH Headshot 250x250

Written by Alex Harper

Alex is a senior security consultant, specialising in security testing of IT infrastructure, web applications and mobile applications. He started his career as a software developer before moving into ethical hacking and security consulting. His qualifications include Cyber Scheme Team Leader (CSTL), Offensive Security Certified Professional (OSCP) and Qualified Security Team Member (QTSM).