If you’ve ever researched web security for business, you’ve no doubt come across the term “phishing.” Phishing remains one of the largest security risks an organization faces: 65% of US organizations reported a successful phishing attack in 2019.
Despite increased awareness training, roughly one in three people targeted by a phishing email still interacts with it in some way, whether by opening an attachment, clicking a link, or entering credentials. Phishing is an issue that needs to be taken seriously by businesses of all sizes. If you’re connected to the internet, you’re a target.
The best way to protect your company against an inevitable phishing attack is to prepare ahead. Educate your employees and run drills so they can be trained to spot a suspicious email from a mile away.
In this guide, we’ll cover how to run a phishing test in the work environment so that your employees will be ready to hit delete on dangerous emails and save your business from serious damage.
What Is Phishing?
Phishing is a type of cyber attack in which the phisher attempts to obtain sensitive information by pretending to be a trusted party.
The best-known example is the “Nigerian prince” who asks for your bank details so he can move his inheritance to you for safekeeping. Strictly speaking that is an advance-fee scam, but it follows the same pattern as phishing: a pretext, a trusted-sounding sender, and a request for information. Not all phishing attempts are so obvious.
For example, let’s say you open your inbox and notice an email from Chase concerning an update to your bank account. The email seems important, and the template looks just like the emails you normally receive from Chase, so you follow the link and log into your account.
Then it hits you: the link went to chase.co, not chase.com, and you have just typed your username and password into a site controlled by an unknown third party. You’ve fallen victim to a phishing scheme.
In the workplace, a phishing email might appear to come from your boss, with one letter changed in the sender’s address, or from a coworker at a lookalike domain that differs by a character from the real one. Typically, the email asks you to provide sensitive information, approve a payment, or open an attachment, which the phisher then uses to steal from or damage your business.
Preparing Your Staff and the Company at Large
The first thing you’ll need to do is find a phishing tool that you can use to run the test. There are many available, including free open source ones like Gophish. Alternatively, you can look into commercial products like LUCY and Infosec IQ.
Once you’ve decided on a tool, it’s time to notify and train your employees — after all, the goal is to educate them on the dangers of phishing and then test their performance.
If you run your test before alerting your employees, you risk losing their trust and making them feel like they’re being looked down on by the IT department. However, if you alert and train your employees beforehand, you increase the odds that they’ll view it as a valuable learning experience as opposed to an embarrassing and surprising failure on their end.
Next, you’ll need to rally your managers and department leaders to set parameters for the test. Many phishers use social engineering tactics, such as pretending to be a coworker or manager, to increase their chances of tricking their targets. So, it’s generally a good idea to work with department leaders to figure out how to target specific employees just like a real phisher would.
Finally, it’s important to make it clear how employees should report phishing attempts. Should they forward the email to IT? Use a report button in the mail client? Tell their manager? Employees are far more likely to report emails when doing so doesn’t interrupt their work, so make the reporting process a single, obvious step and acknowledge every report, including false alarms.
Designing the Test
When all the groundwork is laid, you can move on to ironing out some of the specifics of your test, like how long it will last, what types of phishing schemes will be tested, the metrics you’ll be looking at, and who will be tested.
The most insightful phishing tests run over several months or quarters and get progressively more difficult. For example, you might send one simulated phishing email per month, starting with an obvious template and escalating to a socially engineered message that looks like it comes from a coworker. Ramping up gradually lets employees build confidence instead of becoming discouraged by failing early.
Before you begin, decide with your team which techniques you’ll simulate. Will you use spear phishing to target specific individuals with personalized lures? Whaling to go after the CEO and other executives? Clone phishing, where a legitimate email the recipient has already seen is copied with its link or attachment swapped for a malicious one? Typically, you’ll want to use several techniques so you can measure how well your team recognizes each of them.
To accurately measure and interpret what happens during the test, you’ll also need to select which metrics you’ll be monitoring. Generally, you’ll want to keep track of these three metrics:
- The number of employees who fall for the email and submit credentials or other data on the fake landing page
- The number of employees who successfully recognize and report a phishing attempt
- Link click rates
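The three metrics above are per-recipient counts, not raw event counts: a user who clicks the same link three times is still one click, and a user who clicks and then reports the email belongs in both columns. The script below is an added example, not the article’s or any vendor’s code; it uses the event names Gophish records for a campaign (“Email Sent”, “Clicked Link”, “Submitted Data”, “Email Reported”), but the event log itself is constructed sample data, and the function names are assumptions.

```python
"""Compute per-campaign phishing-test metrics from a recipient event log.

Added example. Event names follow the ones Gophish records for a campaign;
the events themselves are constructed sample data, not output of a real test.
"""
from collections import defaultdict

# Constructed sample events: (campaign, recipient, event). A recipient can
# produce several events; "Submitted Data" always follows a "Clicked Link".
EVENTS = [
    ("round-1", "alice@example.com", "Email Sent"),
    ("round-1", "alice@example.com", "Clicked Link"),
    ("round-1", "alice@example.com", "Submitted Data"),
    ("round-1", "bob@example.com", "Email Sent"),
    ("round-1", "bob@example.com", "Clicked Link"),
    ("round-1", "carol@example.com", "Email Sent"),
    ("round-1", "carol@example.com", "Email Reported"),
    ("round-1", "dave@example.com", "Email Sent"),
    ("round-2", "alice@example.com", "Email Sent"),
    ("round-2", "alice@example.com", "Email Reported"),
    ("round-2", "bob@example.com", "Email Sent"),
    ("round-2", "bob@example.com", "Clicked Link"),
    ("round-2", "bob@example.com", "Email Reported"),  # clicked, then reported: counts in both
    ("round-2", "carol@example.com", "Email Sent"),
    ("round-2", "carol@example.com", "Email Reported"),
    ("round-2", "dave@example.com", "Email Sent"),
]


def campaign_metrics(events):
    """Return {campaign: {sent, clicked, submitted, reported,
    click_rate, compromise_rate, report_rate}}.

    Counts are distinct recipients per event type, so repeated clicks by
    one person do not inflate the click rate. Rates are fractions of the
    recipients the email was sent to.
    """
    per_campaign = defaultdict(lambda: defaultdict(set))
    for campaign, recipient, event in events:
        per_campaign[campaign][event].add(recipient)

    result = {}
    for campaign, by_event in per_campaign.items():
        sent = len(by_event["Email Sent"])
        clicked = len(by_event["Clicked Link"])
        submitted = len(by_event["Submitted Data"])
        reported = len(by_event["Email Reported"])
        result[campaign] = {
            "sent": sent,
            "clicked": clicked,
            "submitted": submitted,
            "reported": reported,
            "click_rate": clicked / sent if sent else 0.0,
            "compromise_rate": submitted / sent if sent else 0.0,
            "report_rate": reported / sent if sent else 0.0,
        }
    return result


def trend(metrics, key):
    """One rate across campaigns in name order, so you can check it moved
    the right way between rounds (click and compromise rates should fall,
    report rate should rise)."""
    return [metrics[c][key] for c in sorted(metrics)]


if __name__ == "__main__":
    m = campaign_metrics(EVENTS)
    for campaign in sorted(m):
        print(campaign, m[campaign])
    print("click_rate trend:", trend(m, "click_rate"))
    print("report_rate trend:", trend(m, "report_rate"))
```

Track the compromise rate (data submitted) separately from the click rate: a click on a link that leads to a harmless landing page is a lesser failure than typing a password into it, and the two numbers often move differently between rounds.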
When you run your test, don’t forget to include senior managers, executives, and even board members. These high-level team members are often some of the biggest phishing targets, so they need to be prepared as well.
Deploying the Test
When all the details of your test’s design are settled, it’s time to launch it for real. The most important thing to keep in mind here is that the exact deployment schedule should stay under wraps. If employees know the schedule too well, they’ll be expecting phishing emails, which will throw off your results.
After the Test
Even though the test may be over, the work isn’t. After you’ve run the test, it’s time to pore through the data and see how your company performed.
To start, check whether you met the objectives you set: did fewer employees fall for the phishing emails over time? Did link click rates and data-submission rates decrease? Did the number of employees who reported suspicious emails increase, and did they report faster?
When you’ve looked through all the data, it’s time to make a decision regarding how to move forward. Generally, it’s a good idea to present the results to your company so that everyone can see where improvement is needed. However, it’s important not to single out specific departments or employees publicly.
It’s inevitable that some employees will turn out to be low-performers, so it’s important to approach them with tact and understanding. The test is meant to be a learning experience, so there’s no reason to be rude or condescending to low performers. That said, you will want to provide additional training to them so that they can improve — your company’s cybersecurity is only as strong as its weakest link.
Running a phishing test is only one piece of a larger cybersecurity puzzle. To keep your company secure over the long haul, it’s vital to keep cybersecurity in the front of everyone’s mind with periodic training and continual testing initiatives.
Additionally, it can be useful to strengthen other areas of your company’s security, such as requiring a VPN for remote access or requiring employees to use a password manager. Password managers let employees keep long, unique passwords for every site without effort, which blunts common password attacks. They also protect directly against phishing: a password manager stores each credential against the site’s real domain and only fills it when the browser is on exactly that domain, so it will not offer the chase.com password on chase.co. When the manager stays silent on a login page where it normally fills, that itself is a warning sign.
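The exact-domain rule is what separates the chase.co page in the earlier example from the real chase.com. The script below is an added example of that rule, not Keeper’s or any vendor’s matching code: it normalizes a URL to its origin (scheme, host, port) and fills only on an exact origin match. The helper names and the sample URLs are assumptions; the lookalike cases are constructed to show the common tricks a phishing link uses.

```python
"""Exact-origin matching, the way a password manager decides whether to
autofill a saved credential. Added example; not any vendor's code."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for a URL, normalized so that
    'https://Chase.com' and 'https://chase.com:443/login' compare equal.

    Raises ValueError for URLs with no host or a non-web scheme.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    # urlsplit lowercases the hostname and strips any 'user:pass@' prefix,
    # so 'https://chase.com@evil.example/' has hostname 'evil.example'.
    host = parts.hostname.rstrip(".")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, host, port)


def may_autofill(saved_url, page_url):
    """True only when the page is the exact origin the credential was saved
    for. Deliberately no substring or 'looks similar' logic: that is why
    chase.co, chase.com.evil.example and a plain-http chase.com all fail to
    match a credential saved for https://chase.com."""
    try:
        return origin(saved_url) == origin(page_url)
    except ValueError:
        return False


SAVED = "https://chase.com/login"  # the credential's stored origin

# Constructed cases: the first two are legitimate pages on the real site,
# the rest are lookalikes or downgrades a phishing link might use.
CASES = {
    "https://chase.com/account/update": True,
    "https://CHASE.com:443/": True,
    "https://chase.co/login": False,                # the article's example
    "https://chase.com.evil.example/login": False,  # real name as a subdomain
    "https://chase.com@evil.example/": False,       # userinfo trick
    "http://chase.com/login": False,                # scheme downgrade
}


def run_cases(saved=SAVED, cases=CASES):
    """Evaluate every case against the saved credential."""
    return {url: may_autofill(saved, url) for url in cases}


if __name__ == "__main__":
    for url, filled in run_cases().items():
        print(f"{'FILL ' if filled else 'BLOCK'} {url}")
```

Real password managers add a few deliberate relaxations (for example treating www.chase.com and chase.com as one site), but none of them loosen the rule far enough to fill on a different registrable domain, which is the property that matters against a lookalike.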