Have You Gone Phishing Today?
By David Fuge, Chief Information Officer, Johnson Lambert LLP

Phishing, the act of sending malicious emails disguised as innocuous ones, continues to be a simple and effective tool to compromise IT systems. Phishing preys on human vulnerability rather than vulnerabilities in technology systems. Although organizations continue to invest heavily in technology to keep phishing emails out of employee inboxes, malicious messages still get through. Additionally, employers often have no control over their employee’s personal email and social media accounts, and many employees visit their personal accounts on company computers thus exposing company property and systems. In addition to deploying technology to keep their IT systems secure many organizations are turning to simulated phishing campaigns to help educate and train their users on how to avoid phishing scams.

Continue Reading from eInterpreter...

Simulated phishing campaigns utilize phishing messages developed either in house or by third party managed phishing services. These phishing messages are crafted to look like phishing messages seen in the wild, but instead of deploying a malicious payload, users who click on the links or download the attachments are redirected to training pages and the activity is reported to internal IT. These training pages help the offenders understand what they did wrong and how to avoid the same mistake in the future. Executing a simulated phishing campaign can be a great employee learning exercise and provide actionable information to internal IT staff. By tracking opens, clicks, and downloads of the simulated phishing messages internal IT can see who needs additional training and can track improvement through historical analysis of simulated phishing messages.

Successful simulated phishing campaigns are built on the understanding that the goal is training and prevention, not to fool staff. This means when dealing with post simulation follow ups the dialog is educational not punitive. Many campaigns begin with a baseline simulated phishing email to gauge overall susceptibility in the organization. These baselines are not advertised to staff and generally do not contain training. By establishing a baseline, management and IT can understand the level of education required in their organization, and whom to emphasize that education with. Once a baseline is established, notifying employees of the upcoming campaign becomes important to make sure they understand that the training is legitimate. If they fall victim to the simulated phishing emails it is important that they review the training. The notification should also provide a refresher on how to report phishing emails. Many companies have discovered that incentivizing phishing reporting through either recognition or compensation results in a workforce that is much more vigilant towards phishing emails.

Simulated phishing campaigns are a great way to educate employees about the dangers of phishing email. Combined with technology pieces to prevent phishing emails and malicious attachments from getting to employees, education through simulated phishing campaigns can significantly contribute to bolstering an organization's security posture.

For more information contact David Fuge, at dfuge@johnsonlambert.com