According to the latest report from the Anti-Phishing Working Group, the number of phishing campaigns is declining. Good news, right? Wrong! Research from RSA indicates that losses from phishing totaled $1.5 billion (PDF report) in 2012, so this is clearly a big moneymaker for cyber-criminals. And while the volume of phishing activity may be declining, the sophistication of these attacks is on the rise. Instead of relying as heavily on mass phishing campaigns, attackers now favor spear phishing, which is far more effective because the message is tailored to its recipient, naming real colleagues, projects or vendors, so that it passes for legitimate mail.
Make Users Aware of the Threat
Don’t assume your users are aware of phishing threats, especially as attackers keep developing new techniques. Even if your team tends to stay up to date on security hazards, reinforce the risk of attack by periodically sharing real-world examples, especially any from your own industry. Clearly connect the dots between a single phishing email and the havoc it can wreak: a defaced website, a database breach that exposes customer information, or a service interruption that halts operations for an extended period. Your users should get the picture that getting phished can quickly lead to a business disruption, a public relations nightmare – or much worse.
Make sure your users know what to do if they have a concern about an email they’ve received. There should be an easy means of reporting it (a report button in the mail client or a dedicated mailbox) and a process by which every report is promptly investigated. If the message is determined to be a threat, search the other mailboxes for copies of it and for any other mail from the same sender or carrying the same links, quarantine what you find, and check whether anyone has already clicked.
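The quarantine step above is easy to get wrong by matching on the wrong field. As an added example (not code from the original article or from any mail product), the following Python script takes a user-reported message, pulls the indicators that are worth pivoting on, and searches a small constructed set of other mailboxes for related mail. It matches on the envelope sender (Return-Path) and on the hosts of embedded links rather than on the From header, because an attacker who spoofs your helpdesk's address would otherwise cause you to quarantine genuine helpdesk mail too. All addresses, domains and messages are constructed for the example.

```python
"""Triage a user-reported phishing email and find related mail to quarantine."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample of the message a user reported; all domains are fictitious.
REPORTED = """Return-Path: <bounce@mail-example.test>
From: "IT Helpdesk" <helpdesk@corp-example.test>
To: alice@corp-example.test
Subject: Password expires today
Content-Type: text/plain

Your password expires today. Renew it at http://login.corp-examp1e.test/reset
"""

# Constructed stand-in for the other mailboxes in the organisation: (owner, raw message).
MAILBOX = [
    ("bob", """Return-Path: <bounce@mail-example.test>
From: "IT Helpdesk" <helpdesk@corp-example.test>
To: bob@corp-example.test
Subject: Password expires today
Content-Type: text/plain

Renew it at http://login.corp-examp1e.test/reset
"""),
    # Different From and subject, but the same envelope sender and link host.
    ("carol", """Return-Path: <bounce@mail-example.test>
From: "Payroll" <payroll@corp-example.test>
To: carol@corp-example.test
Subject: Updated payslip
Content-Type: text/plain

Your payslip is ready: https://login.corp-examp1e.test/payslip
"""),
    # Genuine helpdesk mail: same From as the phish (the attacker spoofed it),
    # but its envelope sender and link host are the real ones.
    ("dave", """Return-Path: <helpdesk@corp-example.test>
From: "IT Helpdesk" <helpdesk@corp-example.test>
To: dave@corp-example.test
Subject: Ticket 12 closed
Content-Type: text/plain

Your ticket has been closed: https://helpdesk.corp-example.test/tickets/12
"""),
]


def _body_text(msg):
    """Concatenate the text/plain parts (the only parts we search for links)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def extract_indicators(raw_message):
    """Header From, envelope sender (Return-Path) and the host of every link."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    hosts = {urlparse(u).hostname for u in URL_RE.findall(_body_text(msg))}
    hosts.discard(None)
    return {"from": from_addr, "return_path": return_path, "hosts": hosts}


def spoofed_from(ioc):
    """True when the envelope sender's domain differs from the From domain."""
    from_domain = ioc["from"].rpartition("@")[2]
    rp_domain = ioc["return_path"].rpartition("@")[2]
    return bool(rp_domain) and rp_domain != from_domain


def find_related(reported_raw, mailbox):
    """Other messages to pull: same envelope sender, or links to the same hosts.

    The From header is deliberately not a criterion: matching on it would also
    pull genuine mail from the address the attacker spoofed."""
    ioc = extract_indicators(reported_raw)
    related = []
    for owner, raw in mailbox:
        other = extract_indicators(raw)
        reasons = []
        if other["return_path"] and other["return_path"] == ioc["return_path"]:
            reasons.append(f"envelope sender {ioc['return_path']}")
        shared = other["hosts"] & ioc["hosts"]
        if shared:
            reasons.append("links to " + ", ".join(sorted(shared)))
        if reasons:
            related.append((owner, reasons))
    return related


if __name__ == "__main__":
    print("spoofed From header:", spoofed_from(extract_indicators(REPORTED)))
    for owner, reasons in find_related(REPORTED, MAILBOX):
        print(f"quarantine {owner}: " + "; ".join(reasons))
```

Run against the constructed mailbox, it flags bob's copy and carol's differently worded message, and leaves dave's genuine ticket notification alone even though its From header is identical to the phish. Against a real mail store you would feed it exported messages from an archive search; the sender and link-host indicators are also the ones to hand to the mail gateway for blocking.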
Take a Hands-On Approach
Even better than just communicating the threat of a phishing attack, do what Tom Cochran, Atlantic Media’s CTO, did and confront your users with a hands-on phishing example: a simulated phishing email sent to your own staff. After all, learning by doing is more effective than reading a corporate memo.
With a suitable phishing-simulation tool, you can set up and customize campaigns at different levels of sophistication. For example, you might assume that particular groups are more security-conscious than others and adjust the sophistication accordingly. Alternatively, you could randomly select which users receive each type of campaign and start testing that way. Don’t spend too much time deliberating over which method to use, though; it’s more important to get started.
Your phishing tool should let administrators see the percentage of users who clicked the simulated malicious link, and pinpoint the individual users who need additional security awareness training. You can also include an attachment in a familiar format, such as PDF, and educate users about the dangers of opening unsolicited files.
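As an added example (not code from the original article or from any particular phishing-simulation product), the following Python script carries out the two steps just described: it randomly assigns each user one of three campaign variants of increasing sophistication, mints a per-user tracking token for the landing-page link, and then scores a constructed web-server click log to produce the click rate per variant and the list of users who need follow-up training. The tokens are HMACs keyed with a server-side secret so that a recipient cannot guess or forge another user's link; clicks are counted once per user, and requests carrying a token that was never issued are dropped rather than counted. The roster, variant names, secret and log lines are all assumptions.

```python
"""Assign users to simulated-phishing variants, mint per-user tracking tokens,
and score a click log by campaign variant and by individual user."""
import hashlib
import hmac
import random
from collections import Counter

# Constructed roster of (user, department); names and groups are assumptions.
USERS = [("alice", "finance"), ("bob", "finance"), ("carol", "engineering"),
         ("dave", "engineering"), ("erin", "hr"), ("frank", "hr")]

# Constructed campaign variants of increasing sophistication.
VARIANTS = {
    "basic": "generic 'your mailbox is full' lure",
    "spear": "lure naming the user's real manager and a current project",
    "attachment": "'invoice' PDF attachment instead of a link",
}

# Assumed secret held only by the simulation server; it never appears in mail.
SECRET = b"rotate-me-per-campaign"


def assign_variants(users, variants, seed):
    """Randomly assign each user one variant (seeded so a run is reproducible)."""
    rng = random.Random(seed)
    names = sorted(variants)
    return {user: rng.choice(names) for user, _ in users}


def make_tokens(assignments, secret=SECRET):
    """Map an unguessable per-user token to its user.

    An HMAC keyed with the server secret, rather than the username or a
    counter, so recipients cannot forge or enumerate other users' links."""
    tokens = {}
    for user, variant in assignments.items():
        msg = f"{variant}:{user}".encode()
        token = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:20]
        tokens[token] = user
    return tokens


def score_clicks(log_lines, tokens, assignments):
    """Resolve log lines to users, count each user once, drop unknown tokens."""
    clicked = set()
    unknown = 0
    for line in log_lines:
        path = line.split()[2]          # "<timestamp> GET /t/<token> <ip>"
        user = tokens.get(path.rsplit("/", 1)[-1])
        if user is None:
            unknown += 1                # scanner noise or a tampered token
            continue
        clicked.add(user)
    sent = Counter(assignments.values())
    hits = Counter(assignments[u] for u in clicked)
    by_variant = {v: {"sent": sent[v], "clicked": hits[v],
                      "rate": hits[v] / sent[v]}
                  for v in sorted(sent)}
    return {"clicked": clicked, "unknown": unknown, "by_variant": by_variant}


def report(result, assignments):
    """Lines for the awareness team: per-variant rates, then who needs training."""
    lines = [f"{v}: {s['clicked']}/{s['sent']} clicked ({s['rate']:.0%})"
             for v, s in result["by_variant"].items()]
    for user in sorted(result["clicked"]):
        lines.append(f"follow-up training: {user} ({assignments[user]})")
    if result["unknown"]:
        lines.append(f"ignored {result['unknown']} hit(s) with unknown tokens")
    return lines


ASSIGNMENTS = assign_variants(USERS, VARIANTS, seed=2024)
TOKENS = make_tokens(ASSIGNMENTS)
USER_TOKEN = {user: token for token, user in TOKENS.items()}

# Constructed landing-page log: alice clicked twice, carol once, and one
# request carried a token that was never issued.
CLICK_LOG = [
    f"2024-05-01T09:14:02Z GET /t/{USER_TOKEN['alice']} 198.51.100.7",
    f"2024-05-01T09:14:40Z GET /t/{USER_TOKEN['alice']} 198.51.100.7",
    f"2024-05-01T09:31:11Z GET /t/{USER_TOKEN['carol']} 198.51.100.23",
    "2024-05-01T09:35:58Z GET /t/0123456789abcdef0123 203.0.113.9",
]

if __name__ == "__main__":
    print("\n".join(report(score_clicks(CLICK_LOG, TOKENS, ASSIGNMENTS),
                          ASSIGNMENTS)))
```

Two practical points the script bakes in: the landing page must resolve the token server-side (the username never appears in the URL), and the per-user list, not just the percentage, is what drives targeted training. For an attachment variant the same token can be embedded in a tracking URL inside the document, so opening it is scored the same way as a click.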
No matter how you do it, phishing your own users can provide valuable lessons to all and save your organization from significant financial or reputational loss.