Phishing is a constant threat to data and endpoint security. Cybercriminals use phishing attacks to break into accounts, steal company funds, and compromise sensitive data. In this article I will introduce you to the dangers of phishing and guide you through the process of running your very own phishing simulation using BrowseReporter, CurrentWare’s employee computer monitoring software.
Phishing is a form of fraud where an attacker pretends to be a reputable person or company through some form of electronic communication (email, SMS, etc.). Phishing is used to trick victims into disclosing sensitive information or infecting their network with malware by clicking links or downloading malicious attachments.
The attackers – often called phishers – will typically use email to target their victims but they may also use other electronic communication tools such as social media and SMS.
Attackers use phishing to steal money and gain unauthorized access to sensitive data. They exploit the trust of employees to convince them to enter their account credentials on an illegitimate website or download malicious software such as ransomware.
Phishing campaigns are extremely effective at tricking employees. A report from Tessian found that a staggering 1 in 4 employees have admitted to clicking on a phishing email at work. The damages from these events are severe – the FBI’s Internet Crime Complaint Center found that phishing and related schemes caused $57 million in losses in 2019 alone.
These attacks can lead to:
Your first line of defense against phishing emails is to not provide your employees a chance to see them in the first place. Email filtering technology such as secure email gateways or email firewalls will help to reduce the number of suspicious and potentially high-risk emails that reach your employees’ inboxes.
Anti-spam/anti-phishing tools will typically include advanced features such as attachment sandboxing to analyze incoming attachments in a lower-risk container and URL rewriting to help catch zero-day exploits. Should your email content filtering allow a phishing email through, a web filter can provide an added layer of security by blocking known malicious domains.
Email security tips
Do not add the emails of individual employees to any public-facing platforms such as your website. If visitors to your website need to contact anyone you can use webforms instead. This helps to reduce the amount of spam and phishing emails by making it difficult for attackers to collect email addresses using a bot.
Even the best anti-spam email filters will miss a few malicious emails. Employee security awareness training is non-negotiable for protecting sensitive data against phishing. A report from PhishMe found that employees who open a phishing email are 67% more likely to respond to another phishing attempt.
In addition to teaching your employees how to recognize a phishing email you will need to perform regular phishing simulations that measure the impact of that training. These tests will provide you with the data you need to determine who needs further training and how well equipped your workforce is to respond to phishing emails.
In the next section we will outline the steps you can take to perform a phishing test with your employees.
Phishing awareness training is designed to reduce the number of phishing emails that your employees fall for. Because of this, a typical phishing simulation will focus on establishing a baseline of employees that fall for the simulated emails and work to reduce that number over a given span of time.
Key metrics for a phishing test include…
Anti-phishing measures need to encourage employees to recognize phishing attempts and report instances where they have fallen for an attack. You should avoid punishing employees that fail the simulation as this will disincentivize them from reporting legitimate threats. Instead, reward employees that successfully report the phishing emails and provide targeted security awareness training for employees that fall short of your company’s goals.
If an employee discovers a phishing email in their inbox they need a convenient method to report it to your anti-spam solution or the IT department. Ideally they will be provided with a report button directly within their email client, though a designated email address to forward suspected phishing attempts can be used.
Though IT departments will seldom have the resources to continually monitor individual phishing reports, an increased awareness of phishing risks is valuable data. This data can help inform security policies, improve the accuracy of anti-spam filters, and provide the organization with a record of advanced phishing emails that they can warn their users about.
There are a few methods of running this test with BrowseReporter. This section will show you how to set up Email Alerts that will send an email every time the designated URLs are visited. Later in this article you will also learn how to use BrowseReporter’s Sites Visited report to see an overview of each employee that visited the target URLs.
For this test we will be using BrowseReporter, CurrentWare’s employee computer monitoring software. If you do not already own a copy of BrowseReporter you can get a free 14-day trial here. After downloading BrowseReporter you can follow these instructions to install CurrentWare on your computers.
This test will use BrowseReporter’s internet monitoring features to send an alert to an email address once a given webpage is visited. For the simulation you will be sending out emails with a chosen URL and encouraging your employees to click on the link. To ensure the accuracy of your test you must make this a unique URL that your employees would never visit or be familiar with.
With CurrentWare and BrowseReporter installed, you will next need to set up email alerts. You can configure CurrentWare’s email alerts to use either an internal SMTP mail server or an email service such as Gmail, Outlook, and Yahoo. If you do not already have this configured, you can find the instructions for that here.
Now that you have CurrentWare configured to send emails, you can use BrowseReporter’s email alerts to send reports to a designated email address when your users fail the phishing test.
That’s it! The email address you designated for the alert will receive an email each time your users visit the designated URLs. To test your email alert simply add yourself as a user to the alert and visit the URLs you used in the alert. Depending on your specific mail server configuration the alert may take a moment to arrive in the inbox.
Now you’ll just need to write 3-5+ sample emails that you will use to test your users. When writing your simulated emails, consider this: The top reasons people are duped by phishing emails are curiosity, fear, and urgency. Attackers attempt to bypass our logical thought process by triggering these emotions. Be certain to play into these themes to best simulate a legitimate attack.
Try these themes to convince users to click the URL:
If you’d like some inspiration, Norton has an article with a few real-life examples that you can reference.
At this stage you will need to create or designate an email address that will be used to send the emails. An attacker could be using a compromised account in an advanced attack, but the more realistic scenario would have the attacker using an email address that attempts to mimic a trusted vendor or employee.
Use the account to send convincing phishing emails that prompt your users to click a link that leads to one of the target URLs. Ideally you will avoid sending the emails to all of your employees simultaneously as they may warn each other about the emails once they figure it out. While this is an excellent thing to see from a cyber security perspective it may artificially skew your results in a way that doesn’t represent what a real phishing attack could be.
Most phishing emails are opened the day they are received. After 1-2 days you are likely to have enough data to understand who is the most susceptible to the attacks so you can prepare supplementary anti-phishing training for those users.
In addition to the email alerts you received when your users visited the URLs, you can use BrowseReporter’s Sites Visited report to see an overview of each employee that visited the target URLs.
There you have it! You now have a repeatable process you can take to run your very own phishing simulations. You can use this data to identify learning opportunities for your employees and improve the security posture of your organization. You can use this first test as a baseline to measure improvement by tracking repeat offenders and decreases in susceptibility over time.
Now is the time to create a positive feedback loop. If you have a process for tracking who successfully reported the phish be certain to reward them in some way. The reporting process could include forwarding a phishing email to a designated email address, filling out a report, or logging a ticket.
It is best to avoid punishing employees that did not pass the test as your employees need to feel comfortable self-reporting when they fall for phishes in the future. Instead, provide these employees with further training and support so they can be better prepared to identify and report phishing attempts in the future.
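One way to turn the results of repeated simulations into the baseline, improvement and repeat-clicker figures described above. This is an added example, not part of the original article or of CurrentWare's software; the CSV layout, campaign names and user names are constructed assumptions, not a BrowseReporter export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample results: one row per recipient per simulation round.
# The column layout is an assumption for this example, not a BrowseReporter export.
SAMPLE = """campaign,user,clicked,reported
baseline,alice,1,0
baseline,bob,1,1
baseline,carol,0,1
baseline,dave,0,0
followup,alice,1,0
followup,bob,0,1
followup,carol,0,1
followup,dave,0,1
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def campaign_metrics(rows):
    """Per campaign: recipients, click rate, report rate, clickers who self-reported."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0, "self_reported": 0})
    for r in rows:
        clicked, reported = int(r["clicked"]), int(r["reported"])
        t = totals[r["campaign"]]
        t["sent"] += 1
        t["clicked"] += clicked
        t["reported"] += reported
        t["self_reported"] += clicked and reported
    return {c: {"sent": t["sent"],
                "click_rate": round(t["clicked"] / t["sent"], 3),
                "report_rate": round(t["reported"] / t["sent"], 3),
                "self_reported": t["self_reported"]}
            for c, t in totals.items()}

def repeat_clickers(rows, min_campaigns=2):
    """Users who clicked in at least min_campaigns rounds: candidates for extra training."""
    rounds = defaultdict(set)
    for r in rows:
        if int(r["clicked"]):
            rounds[r["user"]].add(r["campaign"])
    return sorted(u for u, c in rounds.items() if len(c) >= min_campaigns)

def click_rate_change(metrics, baseline, latest):
    """Negative result means fewer recipients clicked than in the baseline round."""
    return round(metrics[latest]["click_rate"] - metrics[baseline]["click_rate"], 3)

if __name__ == "__main__":
    print(campaign_metrics(load(SAMPLE)), repeat_clickers(load(SAMPLE)))
```

The `self_reported` count tracks recipients who clicked and then reported it, which is the behaviour the reward-not-punish approach is meant to encourage.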
Phishing awareness training is a critical component of improving the security of your business. If you are already using BrowseReporter to monitor employee internet and application use you can use this guide to simulate your very own phishing attacks in-house without any other tools. As your organization grows you can also consider purpose-built phishing simulators that will help automate the process for you such as KnowBe4 or Beauceron Security.