Phishing Awareness 101: How to Email Test Your Employees


Phishing is a constant threat to data security. Cybercriminals use phishing attacks to break into accounts, steal company funds, and compromise sensitive data. In this article I will introduce you to the dangers of phishing and guide you through the process of running your very own phishing simulation using BrowseReporter, CurrentWare’s employee computer monitoring software.

Phishing at a Glance

What is Phishing?


Phishing is a form of fraud in which an attacker impersonates a reputable person or organization over some form of electronic communication (email, SMS, etc.). The goal is to trick victims into disclosing sensitive information, or into clicking links or opening attachments that install malware on their device and, from there, the company network.

The attackers – often called phishers – will typically use email to target their victims but they may also use other electronic communication tools such as social media and SMS. 

What are the Different Types of Phishing Attacks?

  • Email Phishing. A standard phishing attack where the phisher attempts to convince the recipient of an email to perform an action. Standard email phishing attacks are not specific to the recipient and are sent in bulk.
  • Smishing & Vishing. These attacks use similar strategies as email-based phishing attacks. Rather than using email, a smishing campaign will use text messages and a vishing campaign will use a phone call.
  • Spear Phishing. This type of phishing attack is more sophisticated than a standard phish. A spear phishing attack targets a specific user or group with inside information that an average phishing campaign would not have. This includes names of trusted employees, specific information related to job roles, and other details that are pertinent to the company. This information is gathered from data sources that are public (news, social media, etc.) and non-public (leaked internal documents, insider information).
  • Whaling. A type of spear phishing aimed at high-value individuals in the organization such as senior executives. Attackers may impersonate other high-level employees in an attempt to obtain non-public information that they can use to improve the success of future attacks.

What Attack Methods do Phishers Use?

  • Malicious URLs: An email that urges the recipient to click on a link. The link may lead to a page that exploits a vulnerability in the browser or a plugin, so that simply visiting it is enough to compromise the device (a drive-by download).
  • Forms: A type of malicious URL attack that leads to a form requesting sensitive information. This may also be a fake login screen prompting the user to enter their username and password.
  • Malicious Attachments: The attacker sends emails with seemingly legitimate attachments. These can be Microsoft Office documents with macros that execute malicious scripts, or Trojans disguised as legitimate files, and they frequently deliver malware such as ransomware.
  • Account Spoofing: The attacker masquerades as a legitimate figure such as a senior executive. They may use non-public information gained from insider threats or former phishing attacks to make their impersonation more convincing.
  • W-2/T4 Form Request: This is a common scam during tax season. Attackers will pretend to be from the company’s internal HR department and request that employees send them their tax forms. The information from these forms is then used to file fraudulent tax returns.

Why is Phishing Dangerous?


Attackers use phishing to steal money and gain unauthorized access to sensitive data. They exploit the trust of employees to convince them to enter their account credentials on an illegitimate website or download malicious software such as ransomware.

Phishing campaigns are extremely effective at tricking employees. A report from Tessian found that a staggering 1 in 4 employees have admitted to clicking on a phishing email at work. The damages from these events are severe – the FBI’s Internet Crime Complaint Center found that phishing and related schemes caused $57 million in losses in 2019 alone. 

These attacks can lead to:

  • Theft or loss of sensitive data including the personally identifiable information (PII) of customers and employees
  • Non-compliance fines from leaking protected classes of data to unauthorized parties
  • An impact on business continuity as your organization struggles to prevent the spread of malware and recover from the losses caused by the phishing attack
  • Severe damages to company reputation from the perception that your company is not to be trusted with sensitive data.

Cyber Security Best Practices


Use Email & Web Filters

Your first line of defense against phishing emails is to not give your employees a chance to see them in the first place. Email filtering technology such as secure email gateways or email firewalls will help to reduce the number of suspicious and potentially high-risk emails that reach your employees’ inboxes.

Anti-spam/anti-phishing tools typically include advanced features such as attachment sandboxing, which detonates incoming attachments in an isolated environment before delivery, and URL rewriting, which routes links through a scanner at the time of the click so that a link that is weaponized only after the message was delivered is still caught. Should your email content filtering allow a phishing email through, a web filter can provide an added layer of security by blocking known malicious domains.

Email security tips

  • Use Domain-based Message Authentication, Reporting, and Conformance (DMARC). DMARC builds on SPF and DKIM: a DMARC record in your DNS tells receiving mail servers what to do (monitor, quarantine, or reject) with messages that put your domain in the From: header but fail SPF or DKIM alignment, and it sends you reports on who is sending mail as your domain. This helps catch phishing attacks that impersonate your company’s domain, provided you move the policy from p=none to p=quarantine or p=reject once your legitimate senders are authenticated.
  • Block high-risk attachments such as .exe, .js, .zip, and JAR files. Be wary of Microsoft Office files in the legacy binary formats (.doc, .xls) and the macro-enabled formats (.docm, .xlsm), as hidden macros in these files have been used to execute malicious code. You may also want to consider blocking attachments altogether and instead have employees use a secured file transfer service.
  • Provide employees with a way to flag phishing emails. Filtering will stop the majority of spam and phishing emails, but it can’t stop everything. Providing employees with a convenient way to report phishing will help you identify the malicious emails that are reaching your users. This can be accomplished with an in-client report button.
  • Treat links in emails as suspicious by default. Reduce the number of legitimate reasons an employee has to click links in email, so that an unexpected link stands out instead of looking like business as usual.
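DMARC in practice, as an added example that is not part of the original article or of CurrentWare’s products: the Python below does what a receiving mail server does with a DMARC record. DMARC does not authenticate a message itself; SPF and DKIM do that. It checks whether whichever of them passed is aligned with the domain in the visible From: header and, if neither is, returns the action (none, quarantine, reject) that the domain owner published. The DNS record, the domains and the verdict cases are constructed for the demo, and the two-label organizational-domain rule is a simplification of the Public Suffix List that real receivers use.

```python
"""Added example (not part of the article): how a receiving mail server
evaluates DMARC. The DNS answers and domains are constructed for the demo."""

from typing import Dict, Optional, Tuple

# Constructed stand-in for the TXT lookup of _dmarc.<domain>.
FAKE_DNS = {
    "_dmarc.example.com": (
        "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
        "rua=mailto:dmarc@example.com"
    ),
}


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment. Real receivers consult
    the Public Suffix List; the last-two-labels rule here is a simplification
    that is wrong for suffixes such as co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Split a DMARC record into tags; None if it is not a usable record."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")      # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")       # SPF alignment
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    return tags


def lookup_policy(from_domain: str) -> Tuple[Optional[Dict[str, str]], bool]:
    """Find the record for the From: domain, falling back to its organizational
    domain. Returns (record, True if the org-domain fallback was used)."""
    exact = FAKE_DNS.get("_dmarc." + from_domain.lower())
    if exact is not None:
        return parse_dmarc(exact), False
    fallback = FAKE_DNS.get("_dmarc." + org_domain(from_domain))
    return (parse_dmarc(fallback) if fallback else None), True


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Is the domain that passed SPF/DKIM aligned with the From: domain?"""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(from_domain: str, spf_result: str, spf_domain: Optional[str],
                  dkim_result: str, dkim_domain: Optional[str]) -> str:
    """Return 'pass' or the action the policy asks for: none/quarantine/reject.
    spf_domain is the envelope MAIL FROM domain that SPF evaluated;
    dkim_domain is the d= tag of a signature that verified."""
    policy, via_org = lookup_policy(from_domain)
    if policy is None:
        return "none"                  # no record: the receiver applies nothing
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["sp"] if via_org else policy["p"]


if __name__ == "__main__":
    cases = [
        # Real mail from the company's own server: SPF passes for a subdomain
        # and relaxed SPF alignment (aspf=r) accepts it.
        ("example.com", "pass", "mail.example.com", "none", None),
        # Phisher sends from attacker.example with valid SPF and DKIM for their
        # own domain but puts example.com in From: -> not aligned -> reject.
        ("example.com", "pass", "attacker.example", "pass", "attacker.example"),
        # DKIM signed with a subdomain key, but adkim=s demands an exact match.
        ("example.com", "fail", "attacker.example", "pass", "mail.example.com"),
        # A subdomain without its own record inherits sp= from example.com.
        ("news.example.com", "fail", "attacker.example", "none", None),
        # A domain that publishes no DMARC record at all.
        ("other.test", "fail", "attacker.example", "none", None),
    ]
    for case in cases:
        print(case[0], "->", dmarc_verdict(*case))
```

The second case is the one that matters for brand impersonation: the phisher’s mail is fully authenticated, just not for your domain, and only the alignment check plus a policy stricter than p=none turns that into a rejection.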

Avoid Sharing Company Emails Publicly

Do not add the emails of individual employees to any public-facing platforms such as your website. If visitors to your website need to contact anyone you can use webforms instead. This helps to reduce the amount of spam and phishing emails by making it difficult for attackers to collect email addresses using a bot. 

Teach Employees How to Spot a Phishing Email

Even the best anti-spam email filters will miss a few malicious emails. Employee security awareness training is non-negotiable for protecting sensitive data against phishing. A report from PhishMe found that employees who open a phishing email are 67% more likely to respond to another phishing attempt.

In addition to teaching your employees how to recognize a phishing email you will need to perform regular phishing simulations that measure the impact of that training. These tests will provide you with the data you need to determine who needs further training and how well equipped your workforce is to respond to phishing emails. 

In the next section we will outline the steps you can take to perform a phishing test with your employees.

Best Practices for Performing a Phishing Test

Determine Your Goals & Key Metrics

Phishing awareness training is designed to reduce the amount of phishing emails that your employees fall for. Because of this a typical phishing simulation will focus on establishing a baseline of employees that fall for the simulated emails and work to reduce that number over a given span of time.

Key metrics for a phishing test include…

  • Click rate: the percentage of recipients who clicked the link. Count each employee once, however many times they clicked, and track total clicks separately.
  • Submission rate: the number of employees that leaked sensitive data (e.g. submitting usernames/passwords to spoofed webforms, sharing sensitive information requested in the email)
  • Report rate: the percentage of employees that reported the phishing email, and how quickly the first report arrived

Create Positive Feedback Loops

Anti-phishing measures need to encourage employees to recognize phishing attempts and report instances where they have fallen for an attack. You should avoid punishing employees that fail the simulation as this will disincentivize them from reporting legitimate threats. Instead, reward employees that successfully report the phishing emails and provide targeted security awareness training for employees that fall short of your company’s goals. 

Provide Employees With a Way to Report Phishing Emails

If an employee discovers a phishing email in their inbox they need a convenient method to report it to your anti-spam solution or the IT department. Ideally they will be provided with a report button directly within their email client, though a designated email address to forward suspected phishing attempts can be used.

Though IT departments will seldom have the resources to continually monitor individual phishing reports, an increased awareness of phishing risks is valuable data. This data can help inform security policies, improve the accuracy of anti-spam filters, and provide the organization with a record of advanced phishing emails that they can warn their users about. 

How To Perform a Phishing Test For Employees With BrowseReporter

There are a few methods of running this test with BrowseReporter. This section will show you how to set up Email Alerts that will send an email every time the designated URLs are visited. Later in this article you will also learn how to use BrowseReporter’s Sites Visited report to see an overview of each employee that visited the target URLs.

1) Download & Install BrowseReporter


For this test we will be using BrowseReporter, CurrentWare’s employee computer monitoring software. If you do not already own a copy of BrowseReporter you can get a free 14-day trial here. After downloading BrowseReporter you can follow these instructions to install CurrentWare on your computers.

2) Determine the URLs That Will Be Used in the Test

This test will use BrowseReporter’s internet monitoring features to send an alert to an email address once a given webpage is visited. For the simulation you will be sending out emails with a chosen URL and encouraging your employees to click on the link. To ensure the accuracy of your test the URL must be one that your employees would never visit or be familiar with: ideally a domain you control that serves no other purpose, so that the only way to reach it is through your test email and an unrelated visit cannot register as a failure. A simple landing page that tells the employee this was a test, and how to report the real thing, is a good use of that domain.

3) Configure Your CurrentWare Email Settings


With CurrentWare and BrowseReporter installed, you will next need to set up email alerts. You can configure CurrentWare’s email alerts to use either an internal SMTP mail server or an email service such as Gmail, Outlook, and Yahoo. If you do not already have this configured, you can find the instructions for that here.

4) Setup Email Alerts to Be Notified When Employees Click the Link

Now that you have CurrentWare configured to send emails, you can use BrowseReporter’s email alerts to send reports to a designated email address when your users fail the phishing test.

  1. Launch the CurrentWare Console
  2. Click on BrowseReporter (under the Products menu on the right-hand side)
  3. Click on Email Alerts
  4. Click the Add button near the top of the window
  5. Fill out the Create a New Alert section
    • Alert Name: Give your alert any name you’d like
    • Email Alerts To: Put the email address of the account that will receive the failed phishing test alerts
    • Threshold: Set this to 1. This will trigger the alert after the designated URL is visited once.
    • Select PCs or Users: Set this to User. Click the PC/User button on the right-hand side to select the users you will be testing. Be certain to include yourself so you can test the alert. Click the OK button to apply your changes.
    • Alert Type: Set this to URL.
    • Domain Name: Type the URL that you will be using for your test, then press the Add button on the right-hand side. Repeat this step for each URL you’d like to test for. You can also import a list of URLs from a .txt file using the Import button.
  6. Press the Save Alert button to save the alert.

That’s it! The email address you designated for the alert will receive an email each time your users visit the designated URLs. To test your email alert simply add yourself as a user to the alert and visit the URLs you used in the alert. Depending on your specific mail server configuration the alert may take a moment to arrive in the inbox. 

5) Write the Emails You Will Be Using for the Test

Now you’ll just need to write 3-5+ sample emails that you will use to test your users. When writing your simulated emails, consider this: The top reasons people are duped by phishing emails are curiosity, fear, and urgency. Attackers attempt to bypass our logical thought process by triggering these emotions. Be certain to play into these themes to best simulate a legitimate attack.

Try these themes to convince users to click the URL:

  • Account Activity: Falsified alerts saying that their account on a given service has suspicious activity, a password change, or requires user intervention. Mimic the branding of these companies (logos, tone, footers, etc) to improve the believability of the email.  
  • Contest Winner: Congratulations, you’ve won a contest! Click here to claim your prize.
  • CEO Request: Attackers will impersonate high-level executives as they know most employees will be eager to comply. 
  • File From Scanner: 36% of respondents in the PhishMe report fell for this type of attack. If your company has scanners that can send files to email you can copy the formatting of one of these emails and replace the expected file with a text file requesting they visit the URL

If you’d like some inspiration, Norton has an article with a few real-life examples that you can reference.

6) Start the Simulation


At this stage you will need to create or designate an email address that will be used to send the emails. An attacker could be using a compromised account in an advanced attack, but the more realistic scenario would have the attacker using an email address that attempts to mimic a trusted vendor or employee. Before sending, make sure your email gateway and web filter will let the simulation through (the sending address or domain and the landing URL); if your filters quarantine the test mail, you have measured the filter rather than your employees.

Use the account to send convincing phishing emails that prompt your users to click a link that leads to one of the target URLs. Ideally you will avoid sending the emails to all of your employees simultaneously as they may warn each other about the emails once they figure it out. While this is an excellent thing to see from a cyber security perspective it may artificially skew your results in a way that doesn’t represent what a real phishing attack could be.

7) Review the Data Collected

Most phishing emails are opened the day they are received. After 1-2 days you are likely to have enough data to understand who is the most susceptible to the attacks so you can prepare supplementary anti-phishing training for those users.

In addition to the email alerts you received when your users visited the URLs, you can use BrowseReporter’s Sites Visited report to see an overview of each employee that visited the target URLs.

  1. Launch the CurrentWare Console
  2. Click on BrowseReporter (under the Products menu on the right-hand side)
  3. Click on Run Report
  4. Select the Sites Visited report from the Report Type drop-down menu
  5. Set the Criteria to Specific URLs and choose the URL History option under the Select URLs From section that appears
  6. Click the Select URLs button. In the next window, type the URL you will be testing in the Enter URL text field in the bottom-right corner. Press Add to add the URL. Repeat this step for each URL you would like to see in the report. Click Apply, then OK.
  7. Set the rest of the report criteria as follows:
    • Select the PCs or Users section: Tick Omit users with no data. Click the User radio button. Click the PC/User button on the right-hand side to select the users you will be testing, then press the OK button to apply your changes.
    • Reporting Period: Set this to the date range you would like to review.
  8. Press the Run Report button to generate a report of employees that visited the specific URLs. The report will show you each user, the endpoint they used to access the site, the amount of time they spent there, and the time/date the visit occurred.

There you have it! You now have a repeatable process you can take to run your very own phishing simulations. You can use this data to identify learning opportunities for your employees and improve the security posture of your organization. You can use this first test as a baseline to measure improvement by tracking repeat offenders and decreases in susceptibility over time.
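Steps 2 and 7 above in code, as an added example that is not BrowseReporter’s own code or part of the original article: it generates a distinct, unguessable test URL for each recipient (so that a click on a forwarded message is still attributed to the right people, and so the whole list can be imported into the URL alert from a .txt file as step 4 describes), and it scores a campaign from a Sites Visited export. The landing domain, the secret, the users, the export’s column names and the visit log are all constructed assumptions for the demo.

```python
"""Added example (not BrowseReporter's code): per-recipient test links and
campaign scoring. Domain, secret, users, the export's column layout and the
visit log are constructed for the demo."""

import csv
import hashlib
import hmac
import io
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

LANDING = "https://phish-test.example/r/"  # assumed: a domain you own with no other use
SECRET = b"rotate-me-every-campaign"       # assumed: stays with the admin, never in a mail


def user_token(secret: bytes, campaign: str, user: str) -> str:
    """Unguessable per-recipient path. An HMAC rather than a counter, so one
    recipient cannot enumerate a colleague's link or fake a click for them."""
    mac = hmac.new(secret, f"{campaign}:{user}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def build_links(secret: bytes, campaign: str, users: Iterable[str]) -> Dict[str, str]:
    """Map each test URL to the recipient it is sent to."""
    return {LANDING + user_token(secret, campaign, u): u for u in users}


def alert_import_list(links: Dict[str, str]) -> str:
    """One URL per line, the shape step 4 imports into the alert from a .txt file."""
    return "\n".join(sorted(links)) + "\n"


def score_campaign(links: Dict[str, str], visits_csv: str, sent_at: str,
                   reported_by: Iterable[str], window: timedelta = timedelta(days=2)) -> dict:
    """Score one campaign from a Sites Visited export (assumed columns:
    user,url,visited_at). Each employee counts once however often they clicked;
    visits outside the window, to other URLs, or by users who were not sent the
    test (scanners, helpdesk staff investigating) are ignored."""
    users = set(links.values())
    start = datetime.fromisoformat(sent_at)
    end = start + window
    clicked, forwarded, clicks = set(), set(), 0
    for row in csv.DictReader(io.StringIO(visits_csv)):
        owner = links.get(row["url"])
        if owner is None or row["user"] not in users:
            continue
        if not start <= datetime.fromisoformat(row["visited_at"]) <= end:
            continue
        clicks += 1
        clicked.add(row["user"])
        if owner != row["user"]:        # someone clicked a link sent to a colleague
            forwarded.add((owner, row["user"]))
    reported = set(reported_by) & users
    return {
        "sent": len(users),
        "clicks": clicks,
        "clicked": sorted(clicked),
        "click_rate": len(clicked) / len(users),
        "reported": sorted(reported),
        "report_rate": len(reported) / len(users),
        "forwarded": sorted(forwarded),  # (recipient, user who clicked their link)
    }


def repeat_offenders(results: List[dict]) -> List[str]:
    """Employees who clicked in two or more campaigns: the group to prioritise
    for the supplementary training in step 8."""
    hits = Counter(u for r in results for u in r["clicked"])
    return sorted(u for u, n in hits.items() if n >= 2)


def build_sample_visits(links: Dict[str, str]) -> str:
    """Constructed export for the demo, built from the generated links."""
    url_of = {u: url for url, u in links.items()}
    rows = [
        ("alice", url_of["alice"], "2024-03-04T09:12:00"),
        ("alice", url_of["alice"], "2024-03-04T09:13:30"),   # second click, still one failure
        ("bob", url_of["carol"], "2024-03-04T10:00:00"),     # carol forwarded her mail to bob
        ("dave", url_of["dave"], "2024-03-08T08:00:00"),     # after the window closed
        ("eve", url_of["alice"], "2024-03-04T11:00:00"),     # eve was not on the send list
        ("bob", "https://intranet.example/home", "2024-03-04T10:05:00"),  # unrelated browsing
    ]
    return "user,url,visited_at\n" + "\n".join(",".join(r) for r in rows) + "\n"


if __name__ == "__main__":
    links = build_links(SECRET, "2024-03", ["alice", "bob", "carol", "dave", "frank"])
    print(alert_import_list(links))
    result = score_campaign(links, build_sample_visits(links), "2024-03-04T09:00:00",
                            reported_by=["carol", "frank"])
    print(result)
```

The forwarded list is worth a look on its own: the endpoint tells you who clicked, the token tells you whose mail it was, and a mismatch means a colleague passed the message along instead of reporting it.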

8) Reward High-Performers & Provide Training to Employees

Now is the time to create a positive feedback loop. If you have a process for tracking who successfully reported the phish be certain to reward them in some way. The reporting process could include forwarding a phishing email to a designated email address, filling out a report, or logging a ticket.

It is best to avoid punishing employees that did not pass the test as your employees need to feel comfortable self-reporting when they fall for phishes in the future. Instead, provide these employees with further training and support so they can be better prepared to identify and report phishing attempts in the future. 

Conclusion

Phishing awareness training is a critical component of improving the security of your business. If you are already using BrowseReporter to monitor employee internet and application use you can use this guide to simulate your very own phishing attacks in-house without any other tools. As your organization grows you can also consider purpose-built phishing simulators that will help automate the process for you such as KnowBe4 or Beauceron Security.

Haven’t tried BrowseReporter yet? Click here to download the free 14-day trial. 

Dale Strickland
Dale Strickland is a Marketing Coordinator for CurrentWare, a global provider of endpoint security and employee monitoring software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.