We have written before about how employees are one of the biggest threats to security at any organization. We often picture cybercriminals as hoodie-wearing masterminds sitting in front of a tricked-out computer setup, relentlessly breaking down our technology defenses to steal data. The truth, however, is that most often, cybercriminals rely on us to give them the information they need. By exploiting a general level of trust and a lack of awareness, attackers can obtain user credentials and confidential data and then demand enormous sums of money to give it back. Performing a phishing test can help you better understand your vulnerabilities and provide the necessary training to employees.
A simulated phishing test looks just like any other email, which is why it is effective. Scam emails have evolved over the years. They can convincingly mimic a service or software provider alert, a request for a partnership, or even an email from your direct manager or CEO. The best way to see how vulnerable your organization is to these types of emails is to send one yourself and track what happens with it.
There are many tools for sending simulated phishing tests. They usually offer a variety of templates, so you can select one that would be relevant to your team. Organizations often send fake alerts from their productivity suite or storage software, since these will eventually prompt recipients to provide credentials. These emails can contain a file attachment or a link to follow, and opening either is an action that is monitored for reporting purposes. In a real attack, opening a suspicious file could immediately launch malware on the user's device, whether they know it or not. Following a suspicious link could do the same thing, or it could simply lead to a fake landing page that prompts for user credentials, which can later be used to access accounts and data. Submitting credentials on the landing page is also tracked in the simulated test.
Generally, when employees "fail" the phishing test, they will be automatically directed to a page that informs them it was a simulation, provides feedback and training materials to avoid actual phishing scams, or both. You and your IT team will have access to the results once the test is complete and can use that information to create or modify your security training.
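Most simulation tools export the tracked events (sent, opened, clicked, submitted credentials, reported) per recipient. As an added example that is not part of the original article or any vendor's product, the script below turns such an export into per-stage counts and a list of users who need follow-up training; the CSV layout and the sample rows are constructed for the demo.

```python
"""Tally a simulated-phishing event export into per-stage counts and a retraining list."""
import csv
import io
from collections import defaultdict

STAGES = ("sent", "opened", "clicked", "submitted", "reported")

# Constructed sample export (timestamp,user,event); not any vendor's real format.
SAMPLE_EVENTS = """\
timestamp,user,event
2024-03-01T09:00:00,alice@example.com,sent
2024-03-01T09:00:00,bob@example.com,sent
2024-03-01T09:00:00,carol@example.com,sent
2024-03-01T09:00:00,dave@example.com,sent
2024-03-01T09:05:12,alice@example.com,opened
2024-03-01T09:06:40,alice@example.com,clicked
2024-03-01T09:07:03,alice@example.com,submitted
2024-03-01T09:10:00,bob@example.com,opened
2024-03-01T09:11:00,bob@example.com,reported
2024-03-01T09:20:00,carol@example.com,opened
2024-03-01T09:21:00,carol@example.com,clicked
"""

def events_by_user(csv_text):
    """Map each user to the set of event types recorded for them (unknown events ignored)."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event"] in STAGES:
            seen[row["user"]].add(row["event"])
    return dict(seen)

def outcome(events):
    """Classify one user; handing over credentials is a failure even if they also reported."""
    if "submitted" in events:
        return "submitted"
    if "reported" in events:
        return "reported"
    return "clicked" if "clicked" in events else "opened" if "opened" in events else "sent"

def campaign_summary(csv_text):
    """Return (per-stage user counts, sorted users who clicked or submitted and need training)."""
    per_user = events_by_user(csv_text)
    counts = {stage: sum(1 for ev in per_user.values() if stage in ev) for stage in STAGES}
    retrain = sorted(u for u, ev in per_user.items() if outcome(ev) in ("clicked", "submitted"))
    return counts, retrain
```

Counts are per user rather than per event, so a user who clicked the link three times still counts once in the "clicked" stage; the reported count is the figure worth tracking over time, since a rising report rate shows the training is working.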
It may feel strange to test your staff without their knowledge, but it is an essential part of your organization's security plan. Security testing is just as crucial as having spam filtering, antivirus, or a firewall. No organization is entirely secure, but your employee risk level is usually higher than you think. If employees are your last line of defense, it is important that you know where additional training measures might be necessary. If you are interested in setting up a phishing test for your staff, please contact us.