How Do Phishing Simulations Contribute to Enterprise Security?

How do phishing simulations contribute to enterprise security? They enable organizations to identify weak points and educate their teams, boosting the resilience of the primary target of a phishing attack – your people.

Having celebrated its 40th birthday last year, the internet has grown up. However, from its inception to the present day, there has always been something slightly dangerous about it. 

Back in the 1990s, we feared the dialer – a particularly nasty Trojan often disguised as an innocent MP3 file that added zeros to your monthly telephone bill if you didn’t catch it in time.

Around the same time, another sneaky type of attack emerged – phishing. But unlike the dialer, which eventually went the way of the dodo, phishing never went out of style. In fact, with the emergence of technologies like artificial intelligence, it became even more widespread and sophisticated.

Phishing targets individuals at large, but it can be particularly dangerous in corporate settings. In this case, a weak link can become a gateway to hurting an entire organization. 

How do phishing simulations contribute to enterprise security? They strengthen those weak links, making them more vigilant and less susceptible to attackers’ deceits.

Phishing 101

Phishing is a form of cyber attack in which malicious actors send fraudulent messages impersonating legitimate entities to deceive individuals into revealing sensitive information. 

The scam could have just been called fishing, but the early hacking communities seem to have had a penchant for idiosyncratic spelling (phreaking is another example).

Phishing took off in the early 2000s with the meteoric rise of email and social networks. It remains one of the most widespread social engineering tactics to this day.

The problem with phishing is that it cannot be prevented with a technical solution – it primarily relies on the human factor. 

Any person or company would like nothing more than to delegate their cybersecurity concerns to a newly installed tool so they can go on their merry way enjoying music streaming, cat videos, and instantaneous stock transactions. Unfortunately for both parties, but fortunately for cybercriminals, there is no ready-made patch. 

PEBCAK is another 90s acronym that tells the whole story – Problem Exists Between Computer and Keyboard. In other words, humans are the Achilles’ heel of cybersecurity, and perfect phishing material.

Why phishing works

Have you ever wondered why phishing emails are often full of typos and bad grammar? Because it is a cheap and effective method of finding the weakest links. Don’t worry; an average hacker knows how to use a spell checker, and to make matters worse, in 2024, the Nigerian prince can harness the power of generative AI to do his bidding.

It is no wonder that the European Council lists social engineering among the biggest threats in the digital landscape, noting that 82% of data breaches involve a human element.

Phishing relies on our emotional response. You download that attachment or fill in your credentials, trusting the sender is a benevolent actor instead of a criminal using your curiosity, greed, or obedience for monetary gain.

You could be an average Alice responding to your bank’s supposed request to update your data so that you don’t lose access to your account or an average Bob wanting to check out the photos from last week’s party. 

You might even be a sales manager on the receiving end of an enticing business proposal that is just one click away. Maybe you really wanted to please your deepfake bosses. No firewall in the world could stop that particular adrenaline rush.

Simulated attacks help combat enterprise-level phishing

The risk of phishing attacks is very real. The FBI’s Internet Crime Complaint Center (IC3) reported almost 300,000 instances of phishing attacks in 2023 alone, making it far and away the most used fraudulent tactic. Business Email Compromise (BEC), closely tied to phishing, translated into almost 3 billion dollars of business losses.

There are numerous other examples besides the ones mentioned above. One of the most famous ones is how Google and Meta (still Facebook at the time) were duped out of $100 million via fake invoices to their accounting department. Some well-meaning employees likely weren’t properly trained in recognizing these sorts of scams.

This is exactly the type of situation where a phishing simulation can be the perfect tool.

A simulated phishing attack is an undisclosed drill that tests your employees’ vigilance and susceptibility to malicious emails, messages, and other requests to measure your overall security posture.

An effective cybersecurity strategy should always strive to be proactive and one step ahead of the plentiful threats on the horizon. How do phishing simulations contribute to enterprise security? They aim to proactively catch vulnerabilities through real-world scenarios, bolstering the defenses before actual phishing attacks occur.

If you want to ensure any level of resilience to social engineering attacks that interweave technological and psychological trickery, educating your employees is crucial. But, as we all know, merely sitting in phishing training is the epitome of an ineffective snoozefest that satisfies only the passing auditor. 

To tease out those subconscious decisions into awareness and prevent your employees from falling victim to phishing attacks, you want them to learn from experience. Even one phishing simulation carried out within an organization will decrease the likelihood of compromises among employees. 

How do phishing simulations contribute to enterprise security? We decided to check in practice

They say to sweep before your own door first, so we decided to organize an internal simulated phishing campaign. As we grew and became a multinational company with hundreds of employees, our attack surface grew as well, yet we had no idea how susceptible we might be. 

Seeing as a large percentage of Infinum employees are well-versed in cybersecurity and technology in general, we were confident that the results would reflect this. In other words, we felt we were safe against potential risks and wanted to confirm this. 

This is what we did.

1. We defined the objective and timeline of our campaign. In this case, the goal was to determine our employees’ ability to identify phishing.
2. We kept very few people in the loop. Those kept out of it included most C-level executives, since they are the most probable targets for spear phishing and whaling, given their influence and access rights.
3. We whitelisted our attack email server.
4. We segmented our employees into random groups so that people sitting next to each other wouldn’t get suspicious emails or messages at the same time.
5. We prepared a whole variety of plausible attack scenarios consisting of various convincing phishing emails and landing pages. For example, we shared a folder supposedly containing photos from the company party and a typical warning email that someone was trying to break into the person’s account.
6. We let the campaign run slowly, for months on end, collecting data on our employees’ interactions.
7. We analyzed the data and prepared feedback. Among other metrics, the statistics consisted of open rates, click rates, and compromise rates.
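As an added example (not Infinum’s own campaign tooling), the Python below sketches steps 4 and 7: dealing staff into random waves and turning raw tracking events into open, click, compromise and report rates, where repeat clicks count once and a submitted password implies the open and click that a blocked tracking pixel may have missed. The event log, stage names and addresses are constructed assumptions.

```python
import random

# Funnel stages from least to most severe. A later stage implies the earlier
# ones: a submitted password means the lure was opened and clicked, even if
# image blocking hid the open from the tracking pixel.
STAGES = ["sent", "opened", "clicked", "compromised"]
RANK = {stage: i for i, stage in enumerate(STAGES)}

# Constructed sample data standing in for a simulation platform's tracking log.
EMPLOYEES = [f"user{n:02d}@example.test" for n in range(1, 13)]
SAMPLE_EVENTS = [
    ("user01@example.test", "sent"), ("user01@example.test", "opened"),
    ("user02@example.test", "sent"), ("user02@example.test", "opened"),
    ("user02@example.test", "clicked"), ("user02@example.test", "clicked"),
    ("user03@example.test", "sent"), ("user03@example.test", "compromised"),
    ("user04@example.test", "sent"),
    ("user05@example.test", "sent"), ("user05@example.test", "clicked"),
]
SAMPLE_REPORTS = {"user01@example.test", "user04@example.test"}  # forwarded to security

def segment_employees(employees, groups, seed=0):
    """Deal the staff into `groups` random, roughly equal waves so that
    neighbours do not receive the same suspicious email at the same time."""
    shuffled = list(employees)
    random.Random(seed).shuffle(shuffled)
    return [shuffled[i::groups] for i in range(groups)]

def campaign_metrics(events, reports=()):
    """Collapse (user, stage) events into each user's deepest stage (repeat clicks
    count once) and return open, click, compromise and report rates over everyone targeted."""
    deepest = {}
    for user, stage in events:
        if user not in deepest or RANK[stage] > RANK[deepest[user]]:
            deepest[user] = stage
    if not deepest:
        return {}
    rates = {
        f"{stage}_rate": round(sum(RANK[d] >= RANK[stage] for d in deepest.values()) / len(deepest), 3)
        for stage in STAGES[1:]
    }
    rates["report_rate"] = round(len(set(reports) & set(deepest)) / len(deepest), 3)
    return rates

def metrics_by_group(groups, events, reports=()):
    """Same metrics per wave, so scenarios sent to different groups compare."""
    out = {}
    for i, group in enumerate(groups):
        members = set(group)
        out[i] = campaign_metrics([e for e in events if e[0] in members], reports)
    return out
```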

After a couple of weeks, we started observing people running in circles on Slack warning each other of spoofing and suspicious emails. At one point, our IT operations specialist disclosed that an attack was underway. You would think that would severely decrease the number of compromises. It didn’t.

In a particularly ironic plot twist, I almost got hoisted on my own petard. Being the host of one of our company events, I was expecting my colleague to share a folder with various materials. To cut a long story short, I clicked on it but got to my senses before I entered my password. Haste almost got the better of me, and I’m betting the pace is similar at your company too.

It only takes one email, text, or phone call to put your business at risk. It’s not 1998 anymore – encryption, attachment scanning, spam filtering, DKIM, SPF, and DMARC are defaults. We know this, and the attackers know it, too.

Thousands of emails later, much to our chagrin, the results were in line with the benchmarks for IT companies. Not terrible, but not 0% either, in any of the relevant metrics.

In the end, we held an all-hands meeting, exchanged a few good laughs, and enrolled everyone into a new and improved security awareness training program. Yes, everyone. The phishing incident has now become a common discussion point, a “did they get you too” icebreaker, at least for the time being.

Of course, the careful reader will notice that we took some of our defenses down and exclaim that the setup was not realistic. Well, to that I say that it merely expedites the process.

Protecting your company from real phishing attacks

The fact that we are now entering the age of AI might prompt some nostalgia for the good old days when just one simulation or a course was more than enough to stay on top of the game.

New threats and exploits, remote work, and the barrage of data and communication channels are merely expanding the cybercrime playing field. As we wrote recently, we’re talking about a multi-trillion-dollar industry.

Offense might be the best defense, but in this case, to reinforce best practices in identifying and reporting suspicious activities, we have to consider both. Saying that security awareness training should not be an afterthought is an understatement, to say the least.

Nothing can prepare your employees for every scenario, and breaches are always a possibility. This is where a combined strategy of phishing simulations, cyber hygiene, up-to-date tools, security policies, and awareness training shows its ROI.

To improve and maintain your posture, the following topics should be visited and revisited continuously on a company level:

  • Identifying threats
  • Security protocols
  • Password management and password security
  • Device security
  • Data encryption
  • Multi-factor authentication
  • Software updates
  • Backups
  • Incident reporting

By regularly educating your employees on these, you’re already doing a lot to boost your collective’s resilience. To err is human, but humans who know better, err less.

Phishing simulations turn employees into security ambassadors

To protect your company from real phishing attempts and improve your security posture in general, it’s crucial to develop a culture of cybersecurity awareness within your organization. 

Proactive measures like phishing simulation campaigns and continuous security awareness training should be a key component of your broader security strategy. By incorporating these, you empower your employees to become active participants in safeguarding sensitive information instead of just passive recipients of policy and education. In reality, the threats are here to stay, and security is everyone’s responsibility.

If you need help getting there, check out our cybersecurity services. It’s a real link, trust us.