
Why include an employee phishing test in your security awareness programme
Phishing campaigns are one of the most successful ways for cyber attackers to infiltrate company systems and get access to confidential data. A phishing attack is a form of fraudulent attack that takes place over email but can also occur over text (known as SMS-ishing or Smishing) or phone (Vishing). In a phishing, smishing or vishing attack, a threat actor will impersonate a legitimate contact, such as a trusted brand, colleague or government body.
The email will either contain an attachment carrying malicious software or a link to a fraudulent website where the victim is encouraged to enter sensitive information such as their username and password.
In last year’s Cyber Security Breaches survey, phishing attacks were the most common form of attack mounted against UK organisations, identified by 83% of companies.
Not all phishing attacks are created equal. They can range from untargeted mass campaigns to highly-targeted attacks launched specifically at your company (known as spear-phishing). One such mass campaign that has been noted recently is the rise of phishing attacks that leverage LinkedIn.
The security research firm Check Point analysed thousands of phishing emails sent in the first three months of 2022 and found that over half of these scams used LinkedIn as the lure. In these emails, scammers impersonated LinkedIn email notifications. When the recipient clicked the link in the email, they were taken to a fake LinkedIn login page. If they entered their login details, the attacker harvested these, logged in to their LinkedIn account and used it to commit further fraud.
Phishing attacks continue to become more sophisticated and harder to tell apart from authentic communications. With the amount of personal information available online, cybercriminals can create eerily realistic emails and text messages. These can impersonate employees’ co-workers, managers, C-level executives or third parties. At some level, we are all susceptible to a phishing attack, particularly if the attack is well thought out. The challenge is, of course, even harder when the phishing emails are of the highly targeted kind known as spear-phishing.
In spear-phishing attacks, a threat actor will studiously research your company and their target victim in great detail before launching the attack. These scams are much harder to detect than mass campaigns, as they tend to be eerily realistic and persuasive. These attacks typically take the form of a fraudulent email, sent to unwitting employees. The hope is that they will download malicious software in an attached file or click through to a fraudulent site and enter their username, password, or other sensitive information.
Even digital-native organisations like Google and Facebook have fallen foul of phishing campaigns, losing $100 million in the process. This underscores the fact that, no matter the size of a company or how excellent its cyber security posture is, just one click on a malicious email can lead, ultimately, to a breach. This, in turn, can result in embarrassment and unwanted costs. Therefore, cyber security awareness training is crucial for companies of all sizes.
However, this training, in itself, does not provide an effective measurement of how well employees understand and take in the information presented to them. Employees may treat training as a tick-box exercise, rattling through it as quickly as possible so that they can get back to work. Plus, employees may forget what they have learnt if training is infrequent.
Ultimately, the aim is employee security awareness, behaviour modification and improved security culture. This is sometimes known as the ‘ABC’ of security improvement. It is best achieved through formal training, informal awareness sessions, updates, guidance and assurance exercises, such as employee phishing tests.
What is an employee phishing test?
An employee phishing test is an independent assessment that checks whether your employees are vulnerable to phishing emails. The tests improve awareness and educate staff on what to look out for and do when they receive a phishing email.
Tests take the form of a simulation, sometimes prepared and managed in-house but often by external penetration testing specialists, during which ‘fake’ phishing emails are sent to employees to see if they recognise them as being potentially fraudulent or not.
The campaign typically starts with the creation of a phishing email and a fraudulent landing page. This can include a form for collecting data from the employee, much like real credential harvesting sites.
The email and landing pages are usually designed to look like internal tools, or tools from a reputable supplier such as Microsoft or Dropbox. But there will be small giveaways that indicate the page is, in fact, a phishing scam. Depending on how obvious the client wants the phishing email to be, these differences might, for example, include poor formatting, spelling errors, not using an SSL certificate on the landing page, or using a random web address for the page.
Only the people who organised the test will know that the email is fraudulent. Sometimes, this includes the IT team but, in some instances, you may wish to check your IT team’s cyber security awareness too. For example, you may want to know whether your service desk team recognises the likelihood of a potential security incident if they receive reports of phishing emails from multiple users.
The penetration tester will monitor how your employees respond to the email once sent: whether they click the link, enter their details, or – as the best outcome would be – flag it as fraudulent to IT personnel.
Employee phishing tests usually take a couple of days to set up and roll out. After that, the monitoring period can last anywhere from a week to several weeks, depending on how quickly employees interact with the email. Once the test is complete, you will receive results that show how your employees reacted to the campaign.
Armed with these results, you can take immediate steps to improve your cyber security awareness culture. It may be that the results show your training programme is not effective and needs updating. Alternatively, it may show that most of your employees are aware of phishing emails, but a few need extra education. If you wish, you can also share the results with your employees, so that they become more aware of phishing scams in the future.
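The results described above only become useful once they are reduced to a few comparable numbers: how many recipients clicked, how many entered credentials, how many reported the email, and how quickly the first report reached IT. The script below is an added example, not code from the original article or from any phishing-simulation platform; it scores a constructed event log of the kind such a platform might export. The event names (sent, opened, clicked, submitted, reported), the field layout and the sample addresses are assumptions made for the example.

```python
"""Added example: summarising a simulated phishing campaign's results.

The event log and its schema are constructed for this example and are not
any vendor's export format.
"""
from collections import defaultdict
from datetime import datetime

# Interaction outcomes ordered from harmless to most serious (assumed names).
SEVERITY = {"sent": 0, "opened": 1, "clicked": 2, "submitted": 3}

# Constructed sample export: (ISO timestamp, recipient, event).
# "reported" means the employee flagged the email to IT, the best outcome.
SAMPLE_EVENTS = [
    ("2024-03-04T09:00:00", "alice@example.test", "sent"),
    ("2024-03-04T09:00:00", "bob@example.test", "sent"),
    ("2024-03-04T09:00:00", "carol@example.test", "sent"),
    ("2024-03-04T09:00:00", "dave@example.test", "sent"),
    ("2024-03-04T09:00:00", "erin@example.test", "sent"),
    ("2024-03-04T09:05:00", "bob@example.test", "opened"),
    ("2024-03-04T09:06:00", "bob@example.test", "clicked"),
    ("2024-03-04T09:07:00", "bob@example.test", "submitted"),
    ("2024-03-04T09:12:00", "alice@example.test", "reported"),
    ("2024-03-04T09:30:00", "carol@example.test", "opened"),
    ("2024-03-04T09:31:00", "carol@example.test", "clicked"),
    ("2024-03-04T09:35:00", "carol@example.test", "reported"),
    ("2024-03-04T11:00:00", "erin@example.test", "clicked"),
]


def parse_events(rows):
    """Turn raw rows into sorted (datetime, recipient, event) tuples."""
    parsed = []
    for ts, who, ev in rows:
        if ev != "reported" and ev not in SEVERITY:
            raise ValueError(f"unknown event type: {ev}")
        parsed.append((datetime.fromisoformat(ts), who, ev))
    if not parsed:
        raise ValueError("no events to summarise")
    return sorted(parsed)


def summarise_campaign(rows):
    """Compute the campaign-level metrics a results report would carry."""
    events = parse_events(rows)

    # Per recipient: the worst outcome reached, and whether they reported it.
    per_user = defaultdict(lambda: {"worst": "sent", "reported": False})
    for _, who, ev in events:
        rec = per_user[who]
        if ev == "reported":
            rec["reported"] = True
        elif SEVERITY[ev] > SEVERITY[rec["worst"]]:
            rec["worst"] = ev

    n = len(per_user)

    def count_at_least(level):
        # Recipients whose worst outcome is at least this serious.
        return sum(1 for r in per_user.values()
                   if SEVERITY[r["worst"]] >= SEVERITY[level])

    sent_at = min(ts for ts, _, ev in events if ev == "sent")
    report_times = [ts for ts, _, ev in events if ev == "reported"]
    minutes_to_first_report = (
        (min(report_times) - sent_at).total_seconds() / 60 if report_times else None
    )

    return {
        "recipients": n,
        "click_rate": count_at_least("clicked") / n,
        "submit_rate": count_at_least("submitted") / n,
        "report_rate": sum(1 for r in per_user.values() if r["reported"]) / n,
        "minutes_to_first_report": minutes_to_first_report,
        # Entered credentials on the landing page: the group needing extra education.
        "needs_refresher": sorted(u for u, r in per_user.items()
                                  if r["worst"] == "submitted"),
        # Clicked but still reported: a partial success worth acknowledging.
        "clicked_and_reported": sorted(
            u for u, r in per_user.items()
            if SEVERITY[r["worst"]] >= SEVERITY["clicked"] and r["reported"]),
    }


if __name__ == "__main__":
    for key, value in summarise_campaign(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Tracking the worst outcome per person rather than counting raw events stops one employee who clicked three times from inflating the click rate, and keeping "reported" separate from the severity ladder lets you credit someone who clicked and then raised the alarm, which is the behaviour the training is meant to produce.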
Other forms of social engineering testing
As well as being used in the digital sphere (offsite testing), tests can be used to assess physical security (on-site testing). For example, a penetration tester could pose as a third-party contractor and attempt to enter your office building. The tester will monitor your employees’ response to the attempted entry, to test awareness of physical security policies.
The test is usually conducted over a one to two-day period, similar to an offsite test. Once you receive the results, you can then provide employees with additional physical security training as needed.
Incorporating phishing tests into your strategy
Phishing awareness tests are a useful tool for assessing the effectiveness of your cyber security awareness training. They act as a benchmark of success, providing valuable metrics about how successful your training efforts are.
To get the most from these tests, we advocate conducting them on a yearly basis. There may be cases where your company has undergone a merger or you have introduced a new training programme; in these cases, we recommend running the simulation soon after the change.
For further information on the different types of penetration testing, read our guide here.
Free downloads
Click on the image below to download our free PDF on how to identify phishing. We also have a free download to share with employees on the different types of phishing to be aware of.
Phishing: The act of sending emails that aim to trick unsuspecting victims into disclosing personal information.
Smishing: Phishing that involves a text message (sms) to entice users to share their personal data, passwords or bank account details.
Vishing: A form of social engineering that tricks victims into giving up sensitive, personal information over the phone.
Spear Phishing: A more targeted form of phishing, aimed at specific individuals, organisations or businesses.
Whaling: A cybercriminal impersonates CEOs and directors to steal sensitive information from other employees within the company.
Pharming: The redirection of web traffic from legitimate sites to fake sites in order to steal financial data, and other personal information.
Need help?
If you would like to conduct an employee phishing test, or need help to improve security awareness and reduce the risks of phishing emails, please get in touch with our friendly team today.
