Email Phishing, Part 2: Tests and Readiness

Companies are prone to “whaling,” where one or several individuals within an organization are targeted in the hopes of accessing the entire system.


Written by: Tyler Adams

Read time: 2 mins

Phishing—the practice of collecting sensitive and private data with false emails—is all too common, even with advanced server protection and filter systems in place. Companies are prone to a practice known as “whaling,” where one or several individuals within an organization are targeted in the hopes of accessing the entire system.

If employees fall for these emails and hand over their credentials, a company’s server can be hacked, its accounts depleted, and its customers’ private information leaked in a matter of hours. What’s more, this breach can go undetected for weeks…or even months.

Too many companies, both large and small, feel they aren’t at significant risk for phishing attacks. CEOs and management might assume their employees—or themselves—can spot a phony email from miles away, but recent statistics and high-profile scams show this simply isn’t the case.

The Importance of Phishing Protection

Your company is more vulnerable the larger it gets and the more employees it acquires. Without proper precautions and security measures in place, you could lose massive amounts of money to hackers—as well as lawsuits from customers, whose personal information could be stolen with just a single successful attack.

Below, we’ll cover one element of phishing protection for offices and corporations: conducting readiness tests, to determine how knowledgeable your team is when it comes to identifying—and avoiding—fraudulent emails. For tips on recognizing and preventing phishing attacks, check out our email phishing overview from last week.

What is a Phishing Test?

A phishing test allows you to find out if your team is vulnerable to attacks before they happen, and take the proper measures to decrease that susceptibility.

Think your team isn’t at risk? One study found that 31% of the 11,542 employees tested (across 400 organizations) clicked the links in the test email, and 17% entered the requested information. It takes only one employee’s credentials to access sensitive parts of the system; even if no users enter their information, clicking the links alone can breach security in some cases and open the door to undetected spyware and malware downloads on your server.

There are countless other studies demonstrating this disturbing trend, as well. KnowBe4, a phishing awareness and security company, found that between 26% and 45% of employees at three companies in their case study were prone to phishing.

What’s even more shocking than these numbers? The fact that 94% of users believe they can recognize phishing attempts…yet nearly half of them still click on false links at some point.

This isn’t limited to tech companies, either: it can happen to an organization of any size in any field, from government to real estate—which saw a 100% increase in wire fraud between 2016 and this year.

Common Techniques that Anyone Can Fall For

So how are these scammers crafting such believable emails? It starts with appearances: legitimate-looking company logos, letterheads, and formatting. They often learn the proper chain of command within a company, so they can customize emails to certain employees and make them appear as though they’re coming from their boss or department head.

The biggest component, however, is something even more surreptitious…a technique known as social engineering: using fear or excitement to provoke a desired response, and in a very quick manner. This can include threats, such as requiring a username and password to prevent account suspension, or the promise of rewards, like praise from a superior. We’ll take an in-depth look at actual phishing attacks and why they were successful in a future article.

Scammers have differing motives behind their attacks, as well. While most are looking for information—credentials, files, credit card information, etc.—some hope to secretly install spyware, which might not be discovered for months. In either case, attackers ultimately aim to steal thousands or millions of dollars from your company. The end goal is always the same, but the means of getting it are varied and ever-changing. This is why vigilance and education are key, and why tests should be conducted regularly to assess your employees’ risk.

Phish Testing: What are My Options?

Fortunately, choices for assessment abound. It’s best to look for testing companies with reputable reviews and evidence of their tests’ validity. Below are two options to consider:

Both of the options above are free, with the latter being free up to 100 employees. Even if you have to pay to test your entire company, consider it an investment of protection: the cost of falling victim to even one attack is guaranteed to be exponentially more expensive. Not only could scammers steal enormous amounts of money, but you could also be faced with lawsuits from consumers and employees, as well as system repair fees in the event of hacking. And, of course, you’ll have to invest a great deal of time and money into rehabilitating your company’s image after a security breach.

When you receive the results of your employees’ phish tests, you can use their proneness percentages to advocate for training courses. KnowBe4 offers a training program with an average improvement rating of 75%. Some companies have seen 100% success against subsequent test emails as the 12-month training progressed.

Don’t Let Your Company Become a Statistic

No one is immune to phishing attacks, and assuming so is a dangerous practice for companies to follow. Hackers rely heavily on the fact that most people will fall for their scams not because the emails are flawless, but because the targets are overly confident and under-vigilant. Testing your employees’ readiness in the event of fraud is a crucial first step in protecting yourselves, your company, and your customers.

Tyler Adams

Co-founder & CEO

Tyler brings a decade of leadership experience developing and launching technology businesses. Before co-founding CertifID, Tyler led new product development at BCG Digital Ventures for Mercedes-Benz, First American Financial, Boston Scientific, and Aflac.
