Phishing your own employees
We’ve written on these pages previously about how susceptible employees can be to social engineering attacks, such as the case in which 90% of office workers gave up their passwords in exchange for a cheap pen. And we’ve shared predictions for 2021 on the expected surge in spear-phishing campaigns powered by automation and better social data collection. But how should businesses respond to the continued increase in social engineering and phishing attacks?
One large company, GoDaddy, recently ran a phishing simulation email campaign on its own employees, promising a $650 holiday bonus in order to test employee responses across the organization. GoDaddy’s internal campaign was likely run in preparation for the expected increase in attacks and in response to a recent data breach affecting 28,000 of its customers. The email was sent from the GoDaddy domain and included the GoDaddy logo. Employees who were tricked into clicking the link and providing information in exchange for the bonus received additional Social Awareness and Social Engineering Training instead of the bonus. Roughly 500 GoDaddy employees failed the test and were re-enrolled in the training.
GoDaddy has received some flak for baiting employees with a bonus during questionable economic times, but protecting your clients and corporate data might be worth a little bad press. As phishing attacks are streamlined to target more people with more believable campaigns, building awareness through internal tests similar to the one GoDaddy completed can be an effective countermeasure. Technology can offer some protection against phishing campaigns, but technology plus employee awareness establishes a much stronger defense. Our human capital can be our greatest ally or our greatest weakness in defending against such attacks. As phishing attacks become more complex and more realistic through deepfakes and phone-call spear-phishing (known as vishing), cybersecurity systems are limited in the protection they can provide. Our final line of defense is often our own behavior. Along with educating employees on using strong, unique passwords and multi-factor authentication, running a spear-phishing simulation within your workplace can be a very effective educational tool that also maintains an elevated level of awareness.
How to run a phishing simulation
- First, provide your employees with some level of education on how to identify a potential phishing campaign and how to report it to your IT staff. You can run your first test before any education, but we’ve found it to be more effective to lay the groundwork first.
- Create a regular schedule of test campaigns. You can run company-wide tests, but it is often more effective to break your tests up to target different departments at different times. This allows for more targeted campaigns: an angry email about an unpaid invoice from a customer, sent to your accounts receivable team, will get clicked at a much higher rate than a similar email sent to marketing. The goal should be to create campaigns that are as believable as possible, since that is exactly what the attackers are doing.
- Follow up on campaigns. After sending a campaign, follow up with all users, explaining the campaign, the warning signs they should have noticed, the behavior that was expected of them, and the campaign’s overall success/failure results.
Remember that the goals of internal phishing simulations are to create awareness and collect data on weak links, but also to create a security force multiplier by opening up the discussion internally. You want to create a culture of awareness, so that all employees know their responsibilities and accountability for security in your organization. Establishing a program to run internal tests regularly and start the dialogue with employees might just be what keeps your company ahead of the herd and safe from attack.