Phishing is hardly new, but its effectiveness has kept it in a prime position in the hacker's toolbox. Attackers use it to deceive their victims into thinking they are someone else, such as a trusted business like the victim's bank, or even their boss.
Hackers then leverage this deception to trick their targets into handing over their credentials, credit card numbers and other valuable information, which they then either sell, or use to mount further criminal attacks.
Since phishing is still such a prevalent attack vector, companies need to take steps to defend themselves against it. While there are some technical measures like email filtering that can help to reduce the number of successful phishing attacks, the most important line of defence lies in employee training.
Your organisation's employees are the ones receiving these messages, and the ones deciding whether to click or enter their details. With proper training and awareness, you can help them to recognise scams and teach them how to handle phishing attempts appropriately, keeping your company safe. Here are our top three tips for effective training to defend against phishing.
1. Help Your Employees Understand Why Anti-Phishing Training Is Important
Let's face it: if you don't know much about cybersecurity, anti-phishing training seems like a boring waste of time. The person conducting it probably has a monotonous voice and reads unenthusiastically from a pamphlet, while most of the attendees fight not to fall asleep.
The training doesn’t have to be so bland. Instead of starting by covering the techniques and defensive measures, you can begin by talking about just how disastrous phishing attacks can be. Tell the tale of the cybercriminal who used phishing to scam $100 million from Facebook and Google, or explain how spearphishing was the most likely mode of entry in the 2014 Sony hack.
If your training starts by demonstrating just how consequential these attacks can be, it’s far more likely to grab the attention of your employees, make them understand the importance of the issue, and lead them to apply the skills that they learn.
2. Cover the Broad Range & Sophistication of Phishing Attacks
By now, most of your employees will have been using the internet for a long time, and will consequently have come across their share of basic phishing attacks. These are pretty easy to spot, and can make employees complacent. They may think that as long as they can spot these attacks, they aren't at risk of being deceived by phishers.
Because most internet users have become more savvy to these simple attacks, the phishers have upped their game. Spearphishing and whaling attacks can be highly targeted and seem realistic, while attacks that involve website forgery and link manipulation can easily fool someone who isn’t paying attention.
Your employees need to understand that even the most savvy of us can fall for these attacks. All it takes is a slight lapse of judgement, and the entire company can be breached. From high-ranking DNC members to a company’s newest intern, anyone can fall victim to these attacks.
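The "link manipulation" mentioned above is the classic trick of a link whose visible text shows one address while its actual target points somewhere else, sometimes with a lookalike (punycode) domain. As an added illustration that is not part of the original article or of Gridware's own tooling, the following Python script scans the anchors in a constructed sample HTML email and flags links whose displayed domain differs from their real target, or whose target host uses punycode. The hostnames in the sample are made-up placeholders, and the "registrable domain" check is a deliberate simplification (last two labels) rather than a full public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample email body (placeholder hosts, not real domains):
# link 1 shows the bank's URL as text but points to a different host,
# link 2 is an ordinary descriptive link, link 3 targets a punycode host.
SAMPLE_EMAIL_HTML = """
<p>Your account needs verification. Please sign in at
<a href="http://secure-login.example-bank.com.attacker-host.test/login">https://www.example-bank.com/login</a>
or visit <a href="https://www.example-bank.com/help">our help centre</a>.</p>
<p>Update your password: <a href="https://xn--exmple-bank-9fb.test/reset">example-bank.test</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Extract the hostname from a URL or a bare domain string."""
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname or ""


def registrable_domain(host):
    """Simplified registrable domain: the last two DNS labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Visible link text that itself looks like a URL or domain name.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def assess_link(href, text):
    """Return the reasons a link is suspicious; an empty list means nothing was flagged."""
    reasons = []
    href_host = host_of(href)
    if text and LOOKS_LIKE_URL.match(text):
        text_host = host_of(text)
        if registrable_domain(text_host) != registrable_domain(href_host):
            reasons.append(f"displayed domain {text_host} differs from real target {href_host}")
    if any(label.startswith("xn--") for label in href_host.split(".")):
        reasons.append(f"target host {href_host} is punycode (possible lookalike domain)")
    return reasons


def suspicious_links(html):
    """Scan an HTML body and return [(href, text, reasons)] for flagged links only."""
    collector = _LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        reasons = assess_link(href, text)
        if reasons:
            results.append((href, text, reasons))
    return results


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Run as-is, the script flags the first and third links and leaves the legitimate "our help centre" link alone. The same two checks (hover to see where a link really goes, and distrust addresses with odd characters) are exactly what employees should be taught to do by hand, which is why a checker like this makes a useful teaching prop for the training session.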
3. Anti-Phishing Training Is a Process
Many organisations may want to herd all of their employees into a class and give them a rundown on the phishing basics, then hustle them back to work, never to touch on phishing again. While this approach may seem cheaper, it’s less likely to be effective, which could lead to successful phishing attacks.
Even if the initial anti-phishing training is top notch, the problem is that people forget things over time. If your organisation really wants to protect against this attack vector, then it needs to make training and awareness a regular focus.
This can involve posting signs in the office that cover the key signs of phishing to look out for, as well as sending out memos about the latest phishing attacks, in order to reaffirm awareness of the issue. Of course, new employees also need to go through the training, and existing employees should undergo refresher training at regular intervals.
Most businesses are busy with their core operations, so it’s easy to neglect anti-phishing education. Thankfully, Gridware can help with our cybersecurity training. Our training and workshops are conducted by experienced ethical hackers who can teach your employees everything they need to know about phishing, as well as the other key aspects of cybersecurity that are important for defending your company against the latest attacks.