The number of phishing victims doubled between 2019 and 2020. And yet, when many end-users think of a phishing attack, they still picture the good old Nigerian prince scam email.
The truth is that attackers have become extremely sophisticated. Gone are the days of the easy-to-spot email: spear phishing is now the name of the game. So how should you train your teams to detect these attacks?
This article looks at 10 must-haves for running training that significantly and lastingly decreases a company's vulnerability to phishing emails. Overall, there are two main insights: A. train your users in real-life conditions by simulating what attackers actually do, and B. keep them engaged.
Users need to be trained in real-life conditions, by exposing them to simulations that mimic the attacks hackers will actually use. Since attackers can easily gather information on a company (C-suite, customers, software in use...) and integrate it into their attacks, simulations must reflect this threat environment.
Hackers spear-phish departments and roles with targeted attacks that are relevant to each specific user, so simulations should be tailored to each team. For example, sending a GitHub simulation to someone in the HR department would not make much sense, and sending someone in Marketing an app permission request for a code-verification tool will raise flags.
Hackers wouldn’t make that mistake, and simulations shouldn’t either.
Sending the same simulation email to every user in the company, at the same time, clearly does not reflect what real attacks look like. Also, people talk to one another: if they discuss the simulation, this reduces its effectiveness since many will expect it.
Real attacks will be personalized, relying on prior research and Open-Source Intelligence (OSINT), and tailored to each team. To simulate this, your users need to see simulations that are unique to them. This means:
“Fool me once, shame on you, fool me twice, shame on me”, so the saying goes. It is obvious - but worth highlighting nonetheless - that effective training needs to be varied: you want your teams to be able to recognize a multitude of threats, not just the email that Joe from IT sends every semester.
There are numerous ways to try and hook users in a phishing attack:
The list goes on and on. Your users should see as many of these as possible.
In addition, attackers have developed a number of payloads, some of which even bypass MFA protections. Your users should be exposed to as many of them as possible:
Hackers - or, at the very least, those who craft spear phishing attacks - are expert psychologists.
This is because their livelihood depends on convincing someone to take an action that is not in that person's interest, in an environment where cybersecurity risks are mentioned regularly. To achieve this, they rely on psychological manipulation.
Effectively training your teams requires the same approach, i.e. users should be exposed to attacks that simulate these tricks, such as:
Don’t train your users once a year! Too many companies run only a few simulations per year (notably because they have to set them up manually): the problem is that this does not change behaviors. People forget, results and reflexes take time to set in, and infrequent simulations mean users are not exposed to multiple scenarios and situations, and are not kept up to date with the latest techniques used by attackers.
This is why simulations should be run frequently, at least once a month, to keep users alert and engaged and to truly change habits.
The best way to set this up is to automate the entire process: from selecting templates from a broad range of options, to sending different attacks, at different times, every month, to each user in the company. Relying on manual processes will only lead to ineffective campaigns.
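The automated monthly assignment described above, as an added example in Python that is not Mantra's code: the template pool, department tags, lure types and users are constructed for illustration. It applies the rules from the previous sections in one pass: a template is only eligible if its pretext is plausible for the user's team, a user never receives the same template twice, a lure type the user has not yet faced is preferred for variety, no two people in the same department get the same template in the same month, and each send time is a random business-hours slot so colleagues cannot forewarn each other.

```python
"""Monthly per-user phishing-simulation planner.

Added example, not Mantra's code. Template names, lure types, department tags
and users below are constructed for illustration.
"""
import random
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Template:
    name: str
    lure: str                  # psychological trigger the pretext relies on
    departments: frozenset     # teams for which this pretext is plausible


@dataclass
class User:
    email: str
    department: str
    seen: set = field(default_factory=set)   # template names already sent to this user


# Constructed template pool; the names are hypothetical.
TEMPLATES = [
    Template("github-sso-reauth", "urgency", frozenset({"engineering"})),
    Template("ci-secret-rotation", "authority", frozenset({"engineering"})),
    Template("payroll-update", "urgency", frozenset({"hr", "finance"})),
    Template("candidate-cv-share", "curiosity", frozenset({"hr"})),
    Template("invoice-overdue", "urgency", frozenset({"finance"})),
    Template("ceo-wire-request", "authority", frozenset({"finance"})),
    Template("brand-asset-review", "curiosity", frozenset({"marketing"})),
    Template("webinar-signup-confirm", "reciprocity", frozenset({"marketing"})),
]


def eligible(user, templates):
    """Templates plausible for the user's team that the user has never received."""
    return [t for t in templates
            if user.department in t.departments and t.name not in user.seen]


def choose(candidates, lures_seen, rng):
    """Prefer a trigger the user has not yet faced; otherwise any unseen candidate."""
    if not candidates:
        return None
    fresh = [t for t in candidates if t.lure not in lures_seen]
    return rng.choice(fresh or candidates)


def staggered_time(month_start, rng):
    """Random business-hours slot in the month, so colleagues cannot forewarn each other."""
    return month_start + timedelta(days=rng.randrange(28),
                                   minutes=rng.randrange(9 * 60, 17 * 60))


def plan_month(users, templates, month_start, rng):
    """Assign each user one tailored, never-seen template and a send time.

    Returns {email: (template_name, send_datetime)} and records the choice in
    user.seen. Within a department each template is used at most once per month,
    so teammates never receive the same lure. A user whose eligible pool is
    exhausted is skipped: that is a signal to the admin to add templates, not a
    reason to repeat one.
    """
    plan = {}
    used_in_dept = {}   # department -> template names already assigned this month
    for user in sorted(users, key=lambda u: u.email):   # stable order: reproducible with a seeded rng
        used = used_in_dept.setdefault(user.department, set())
        lures_seen = {t.lure for t in templates if t.name in user.seen}
        candidates = [t for t in eligible(user, templates) if t.name not in used]
        pick = choose(candidates, lures_seen, rng)
        if pick is None:
            continue
        used.add(pick.name)
        user.seen.add(pick.name)
        plan[user.email] = (pick.name, staggered_time(month_start, rng))
    return plan


def demo_plan(seed=1):
    """Constructed company: four teams, one user with history, one with an exhausted pool."""
    users = [
        User("ann@example.com", "engineering", {"github-sso-reauth"}),
        User("bob@example.com", "engineering"),
        User("cy@example.com", "hr"),
        User("dee@example.com", "marketing"),
        User("eve@example.com", "marketing",
             {"brand-asset-review", "webinar-signup-confirm"}),
    ]
    return plan_month(users, TEMPLATES, datetime(2024, 3, 1), random.Random(seed))


if __name__ == "__main__":
    for email, (name, when) in sorted(demo_plan().items()):
        print(f"{when:%Y-%m-%d %H:%M}  {email:<18} {name}")
```

Running the file prints one line per user with the send time and the template chosen; the user whose pool is exhausted is absent from the plan, which is the check an admin would want before the month starts. In a real deployment the per-user history would live in persistent storage and the time slots would skip weekends and holidays; both are left out here as assumptions of the example.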
As your users report the simulations sent to them, they need visibility on their performance. Users and teams should be able to access a personalized dashboard where they can track their improvement. Too often, simulations provide only aggregated results that mean nothing to individuals and provide no motivation.
While admins need access to granular performance figures in order to tailor training programs, this is not sufficient from a user engagement perspective: you are training your users, and they need to know how they are doing as individuals.
Training should also be fun. After all, why shouldn’t it be? Studies have shown that training that relies on gamification to engage users is more successful than traditional options. Trying to change people’s deeply ingrained habits can be something of a chore, but the enjoyment of play has been rooted in us since childhood.
Changing the narrative and relying on friendly competition, performance rewards and personal progress yields significant benefits in terms of user engagement. It also signals that you are not trying to trick your users, and that the emails they receive really are for practice (this is also why sensitive topics such as Covid scares or raises, for example, should not be used in simulations).
At Mantra, we believe that cybersecurity training should be fun, and gamification is an integral part of our simulation module.
Training is all about changing deeply ingrained habits (i.e. clicking on links and trusting the emails we receive): simply asking users not to do so, or informing them via videos or presentations, just does not work. Successfully replacing this old habit with a new one - being alert, investigating the emails received and reporting any suspicious ones - requires that the simulation environment you set up provides your users with an easy-to-use tool to report any threats they detect.
Finally, don’t forget to inform users who have reported a threat about the status of that alert, even if it turns out not to be an attack: knowing that their efforts are appreciated is gratifying, which generates engagement and encourages them to keep reporting suspicious emails.
To recap, to be effective, training should simulate real-life conditions as closely as possible while generating engagement.
Simulations should be run frequently, be user-specific and varied (use the right software, impersonations, different payloads and psychological triggers...), and incorporate training best practices: training should be fun and build lasting habits.
Mantra helps companies achieve this by providing an automated simulation engine which allows them to free up time for IT teams while providing best-in-class phishing protection.