Maximizing the Benefits of Your Company’s Phishing Simulations
February 19, 2025
Last spring, Google’s Security Incident Manager, Matt Linton, published a blog post sharing his insights on phishing tests. He expressed concern that employees are growing weary of fake phishing emails, noting that poorly designed phishing simulations are making these employees resent the cybersecurity team without palpable benefits.
Linton cited an academic study involving 14,000 participants, which showed that traditional phishing tests on employees tend to be counterproductive. However, to be clear, Linton was not dismissing the value of phishing tests altogether. Instead, he was critical of simplistic phishing tests that are only conducted for the sake of compliance, rather than as part of a meaningful security strategy.
The article stressed the need for enhanced phishing tests akin to conducting a fire drill. It is not enough to simply send out phishing test emails – the simulation needs to be thoughtfully designed and implemented to be effective. Also, it is important to complement the simulation with relevant augmentative strategies, such as the following.
Strive for Simulation Authenticity and Variety
An effective phishing simulation must always reflect real-world scenarios to produce authentic and meaningful results. This entails the use of diverse attack vectors and realistic scenarios.
Some of the common types of attacks typically simulated are credential theft, business email compromise, and malware delivery. To imitate these attacks convincingly, it is important to use realistic sender addresses and content, closely mimicking the messages sent by colleagues, vendors, and executives – just as malicious actors do. It also helps to employ the different emotional manipulation tactics attackers use to solicit a response: urgency, curiosity, fear, and authority.
Phishing simulations should cover all common attacks and new phishing trends. Focusing on one or a few attacks and tactics makes the simulation less likely to properly test the detection proficiency of the people in an organization. It is also advisable to include subtle cues in the phishing messages, such as minor grammar errors, to challenge employees’ critical thinking.
Use Combinations of Different Messaging and Attack Types
Remember that email is not the only channel exploited for phishing. Cybercriminals also target SMS and social media. They can also launch “vishing” campaigns, which use voice to trick users, such as through spoofed phone calls and audio deepfakes.
Simulations that combine attack vectors help everyone become familiar with the creative ways in which phishing happens. For example, an initial phishing email may be followed up by a message on social media or a phone call.
Getting to know these attack variants in theory is significantly different from actually experiencing them. It is important to expose employees to possible attack combinations to build their resilience and hone their ability to recognize and properly respond to multi-channel threats.
Run Simulations at Varying Intervals and Frequencies
Phishing simulations should not be predictable. It is crucial to conduct simulations at irregular intervals to ensure that employees respond to the simulation in the same way they would on a daily basis.
Employees who anticipate the phishing simulation are likely to be more cautious than usual, which does not reflect their typical behavior or readiness in handling real-world threats.
Randomness, or the element of surprise, results in a better assessment of vulnerabilities. Also, simulations with unpredictable intervals and frequencies help train employees to be consistently vigilant. Ultimately, this bolsters an organization’s overall defense against phishing.
Implement Targeted Training
Cyber threats, especially social engineering attacks like phishing, demand a tailored approach – there is no one-size-fits-all training program. To effectively combat these risks, phishing simulations must be customized to align with the specific roles and responsibilities of employees.
The phishing content used for employees in finance, for example, has to be different from the content used for those in sales or other departments.
This is especially critical when addressing the threat of whaling, a highly targeted form of phishing aimed at high-level executives. Organizations need role-based simulations that specifically target employees in high-risk positions, especially in finance, IT, and HR.
Provide Personalized Feedback
In addition to providing personalized training, it is advisable to immediately present personalized feedback during or after a phishing simulation. Doing this enhances the learning process and memory retention. Employees who fail a phishing test become more motivated when they can quickly and easily understand what they, as individuals, need to do differently next time.
It also helps establish awareness against specific role-based vulnerabilities. This helps to encourage behavioral change, as employees feel valued and actively engaged in the process of defending their organization against phishing.
Personalized feedback supports the establishment of a positive learning culture. It helps transition organizations from a punishment-based learning system into something more empowering. It is an effective way to gain employees’ trust and engagement.
Promote a Culture of Transparency and Self-Reporting
Cases of phishing often go underreported. One study shows that only 7.4% of those who receive suspicious emails report the phishing incidents they encounter.
To maximize anti-phishing education efforts, it is vital to encourage employees to report the phishing attacks they come across. The details they report provide valuable data that helps in the identification of emerging threats and the improvement of training programs.
Organizations should avoid implementing punitive measures against employees who fall victim to phishing attacks, as it discourages the open reporting of phishing incidents. It hinders an organization’s ability to identify and address vulnerabilities swiftly with the help of employees.
Define Key Metrics to Measure Simulation Program Effectiveness
One key metric is click-through rate (CTR) or the percentage of recipients who clicked on a malicious link or downloaded the attachment in a phishing email. A high CTR suggests significant vulnerability. Organizations should also look at their Phishing Simulation Reporting Rate, which is the percentage of employees who report the suspicious emails or communications they receive. For this metric, higher is better.
Next, organizations should examine their Time to Report. This is the average time it takes for employees to report a phishing email after they have received it. Faster reporting is preferable, since it reduces the potential impact of an attack. Moreover, the false positive rate – the percentage of legitimate emails that have been mistakenly flagged as harmful – also merits close inspection.
Tracking all of these metrics over time, and segmenting by department, can help security teams to optimize simulations according to the areas that most urgently need to be addressed.
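As an added illustration (not code from the original article), the following Python computes the four metrics described above from constructed per-recipient simulation results, segments them by department, and ranks departments by click-through rate so the team knows where to focus. The record layout, department names and counts are assumptions made up for the example.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional

@dataclass
class Recipient:                          # one simulation recipient (constructed, not real telemetry)
    user: str
    dept: str
    clicked: bool                         # clicked the link / opened the attachment
    reported_after_min: Optional[float]   # minutes from delivery to report; None if never reported

# Constructed sample results from one simulation round.
SIM = [
    Recipient("a.finance", "Finance", True, None),
    Recipient("b.finance", "Finance", False, 12.0),
    Recipient("c.finance", "Finance", False, 45.0),
    Recipient("d.finance", "Finance", True, 90.0),   # clicked, then reported
    Recipient("e.it", "IT", False, 5.0),
    Recipient("f.it", "IT", False, None),
    Recipient("g.sales", "Sales", True, None),
    Recipient("h.sales", "Sales", True, None),
    Recipient("i.sales", "Sales", False, 30.0),
]

# Constructed per-department counts: (legitimate emails in the window, how many staff flagged as phishing).
LEGIT = {"Finance": (40, 2), "IT": (25, 0), "Sales": (30, 3)}

def metrics(rows, legit, dept=None):
    """Percent CTR, reporting rate, mean time to report (minutes) and false positive rate; one department or all."""
    sel = [r for r in rows if dept is None or r.dept == dept]
    if not sel:
        return None
    n = len(sel)
    reported = [r.reported_after_min for r in sel if r.reported_after_min is not None]
    pairs = legit.values() if dept is None else [legit.get(dept, (0, 0))]
    total, flagged = (sum(t for t, _ in pairs), sum(f for _, f in pairs))
    return {
        "ctr": round(100 * sum(r.clicked for r in sel) / n, 1),
        "reporting_rate": round(100 * len(reported) / n, 1),
        "time_to_report_min": round(mean(reported), 1) if reported else None,
        "false_positive_rate": round(100 * flagged / total, 1) if total else None,
    }

def by_department(rows, legit):
    return {d: metrics(rows, legit, d) for d in sorted({r.dept for r in rows})}

def priority_order(rows, legit):
    """Departments ordered by click-through rate, highest (most urgent) first."""
    per = by_department(rows, legit)
    return sorted(per, key=lambda d: per[d]["ctr"], reverse=True)
```

Storing one such result set per simulation round and plotting each metric over time gives the trend view the section describes; a department whose CTR falls while its reporting rate rises is the desired trajectory.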
Conclusion
While phishing simulations can be a valuable tool in enhancing cybersecurity awareness, their effectiveness hinges on thoughtful design and implementation. Organizations should move away from simplistic simulation and enhance their phishing testing methods by combining different attack vectors, ensuring realistic scenarios and variety, providing personalized training and feedback, promoting transparency and self-reporting, and measuring the success or failure of the phishing simulation program.