As the number of cyber-attacks continue to grow, organizations are battling to keep their defenses up. Naturally, the technology is evolving to be stronger and harder to breach and as a result, people become the weakest vulnerability point.That moment when an innocent employee opens a personal email on their lunch break and clicks on a link to a phishing site or the moment when someone in HR opens an email labelled ‘contract’ only to find out the Word document is actually a hidden script that brings in ransomware – whatever individual circumstance led to the attack happening in the first place, for the most part, they have innocent beginnings.You don’t have to worry, it’s not just you. An article in Dark Reading suggests that around. That’s a lot!In the hopes of bringing that number down to 0%, I wanted to write this guide on phishing simulation tests based on the ones we do here at GlobalSign. Our IT Security Manager, Jeremy Swee has been keeping our teams vigilant and well-trained in the art of phishing tactics for over a year now. As we are a cybersecurity company, we take these things seriously, which is exactly why we make a great case study for you to emulate. Before Getting StartedBefore a phishing simulation test should begin in your organization, you need to start by planning an introductory training scheme.
The initial training will be given to all current employees and then given to all new employees on arrival (preferably before they get access to their email accounts).Make sure you set-up an email such as: report-phishing@yourorganization.com which can be used by employees when they suspect they have received a phishing email. Explain what steps they should take in order to report the email and arm them with the necessary equipment to report phishing email ScenariosThe first step to any good phishing simulation test is the planning. You don’t want to send a phishing test too frequently or people will come to expect them and you don’t want to have them to infrequently either because then you will have too few statistics to report on.You also don’t want to send phishing emails to the entire company at once as this might spark suspicion. That’s why we normally send around one phishing test a month to a test group of employees.The next step is to devise the scenarios in which you will send these phishing emails and plan them out over the course of 12 months. You don’t have to have them all planned perfectly, some will come out of topical news stories and therefore be more ad-hoc, others will be based on real phishing emails you have seen or been reported to.This is where you need to start thinking like a phishing attacker. What emails would really get your employees clicking? Can you dupe your employees into clicking?Here’s a few examples from the past year at GlobalSign.
The ‘We Won’t Pay This’ TestTry sending a phishing email to departments who deal with invoicing. Give the email an angry tone to spark a sense of emergency in your staff and get them to act with haste. Phishing emails will often use this technique to get people to click or download attachments.The lesson for staff is to look at the sent address, if they don’t recognize the name or company, they shouldn’t be forced to work at haste because of the tone. The ‘Get Something Free’ TestAnother psychological ploy used by phishing attackers is the ‘get something free’ approach.
Nothing beats the idea of getting something for free – who wouldn’t be tempted to click!Employees should learn that ‘free’ always comes with a catch and all emails like this should be seen as suspicious. Hovering over the links in the email should cause some suspicion but emails like this should never be clicked on as they are often expected to be malicious in nature. The ‘Topical News’ TestAn email about topical news is enough to stir conversation in every inch of a business. Not long ago, in the GlobalSign UK office there was not much else we could talk about but Brexit. So it made good sense to use the opportunity to make a simulated phishing email.Employees would be expected to see the from address was not recognizable and when they hovered over the link in the email they would see something suspicious there too.
Send Malware Mail Test Error
It is also not typical for us to communicate issues like this internally as an email so that might arouse suspicion in staff who have been with the organization long enough to have seen another event of this kind pass us. The ‘Popular Trend’ TestWhen Pokemon Go came out, everyone was playing it. I’m sure you can think of at least one person in your organization who would spend their lunch breaks out on the hunt. When a popular trend arrives in an organization, phishing attackers can use it as a way to get into your defence system.Employees will be expected to see the from address is not internal and that the link is suspicious. Reporting and TrainingIf you employ a good phishing simulation tool, reporting will be part of the package.
Important stats to track would be the individual email open rates, click through rates and how many people reported the incident using the steps you provided them before you began testing.The expectation is that the trend click through rate will decline while the trend report rate will increase. You should use these results to determine the weakest link in your organization. In particular look at which departments or global offices are clicking on links the most.You should also take a more granular look into which individuals are clicking on the links the most. If there is a specific person who seems to be clicking on phishing links regularly, perhaps this person should be taken in for a more personalised training session with someone in IT.The great thing about sending phishing simulation tests is that you can adjust and mould the training based on the results. This in turn provides a greater overall efficiency within your company as you are not providing training to employees who don’t need it. Follow Up With an EmailA few days to a week after a phishing simulation is sent, you should aim to send a follow up email.
Explain why this scenario was devised and what employees should have been expected to notice from it.Here’s an example follow up email from our ‘we won’t pay this’ test.Hi All,The recent simulated phishing email sent out on 20 December 2016 was based on an actual phishing email reported to us by one of our colleagues. It was an unusual phishing email that was crafted in a format we have not seen before.The phishing email appears as if you wrote the first email and this was just a reply, all to reduce the recipient’s suspicion.There are some Indicators-of-Phishing worth noting:.
Use of vulgarities to “shock” the recipient into a sense of urgency. Link appears suspiciousMany employees informed us they checked their email sent box and confirmed they had never communicated with this sender. GlobalSign Privacy Policy Version 3.1Updated June 5, 2018GlobalSign respects your right to privacy. This privacy policy has been developed to inform you about the privacy practices followed by GlobalSign in connection with its websites, products and services. This privacy policy does not apply to GlobalSign services offered by or through our partners, resellers or other third parties, or other third party services or websites, and we encourage you to read the privacy policies of those parties.This privacy policy will inform you about what data is collected, how we use such data, where data is processed, how you may opt out of your data being used, the security provisions around storing your data and how to correct, update or delete your data.1. Data ControllerThe data controller for personal data collected within the EU is GMO GlobalSign, Ltd., having its registered offices at Springfield House, Sandling Road, Maidstone, Kent, ME14 2LP, United Kingdom. All questions or requests regarding the processing of data may be addressed to:.2.
GlobalSign is the leading provider of trusted identity and security solutions enabling businesses, large enterprises, cloud service providers and IoT innovators around the world to secure online communications, manage millions of verified digital identities and automate authentication and encryption. Its high-scale Public Key Infrastructure (PKI) and identity solutions support the billions of services, devices, people and things comprising the Internet of Everything (IoE).© 2019 GlobalSign. All Rights Reserved.
Attackers can get past antivirus and other detection methods measures by hiding malware inside compressed files. Most network security solutions are regularly fooled because they can’t analyze a file compressed in any format other than ZIP.Are you protected?
Find out right now!This simple, safe test checks to see if your network security will catch malware hiding in a compressed file.