Employee Simulated Phishing: Should Your Business Bother?
16 May 2018 00:00
Phishing scams - they’re about as old school as a scam could be. But what exactly are they? And how can you tell the difference between a legitimate email and a fraudulent one? Well, dig in, we’re about to tell you.
What is a phishing scam?
In short, phishing is an online scam where a cyber criminal (usually impersonating a trusted company) sends an email to someone, encouraging them to provide sensitive information. The objective often involves having the victim click a link within the email - which then directs the user to a fraudulent website waiting to harvest their information.
Although phishing emails are far from being the new kid on the block in terms of cyber scams, the latest phishing statistics show that the technique is not losing its effectiveness.
How does a phishing scam work?
Many of these scams are emailed in a “spray and pray” approach, with generic email templates sent out in their masses. This attempt to lure victims with bait is where the term “phishing” was coined, due to its similarity to fishing for, well… fish.
But don’t be fooled, not all of these scams are as generic as this. Social engineering and pretexting offer far more personalised forms of attack, with prior research on a victim being used to add extra layers of knowledge and trust in the eyes of an unsuspecting target.
You might still be wondering what real value phishing can bring to a cyber criminal. I mean, what sort of information could they really obtain to do any damage? The answer is - a hefty chunk. Credit card numbers, account numbers and account passwords are just a fraction of the data up for grabs in the old phishing pond.
Are there other forms of phishing?
If there’s one thing we’ve learned about cyber criminals, it’s that they never stop drawing up new ideas to get hold of our hard earned cash. More modern scams, such as smishing, vishing and whaling, have now forced their way into our lives.
These techniques focus on the same approach and the same end game as a phishing scam - the only difference being their preferred tool of choice.
Smishing relies on SMS messaging rather than emails, vishing focuses on telephone interaction, and pharming incorporates the more technical scam of redirecting a website’s traffic towards a fake one.
How can I spot the warning signs?
Phishing is becoming increasingly cunning, but there are still some clear signs of a con if you know where to look. For instance, if you get a legitimate email from, let’s say, Amazon, it’s highly likely that this email has been reviewed and crafted by numerous people. So if you notice that the message is littered with spelling mistakes or unusual language, then Amazon are most likely not the sender.
Other noticeable signs to look out for include URLs containing a misleading domain name, a message asking for personal information or money, and an included offer that just seems too good to be true.
There are many more ways to spot these fraudulent emails; we’ve put together some of the most popular types of phishing templates for you to take a look at.
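The two URL warning signs above (a misleading domain name, and link text that does not match where the link really goes) can be checked mechanically. The following is an added example, not code from the original post or from the blog’s authors: it extracts every link from a constructed HTML email, works out which domain actually owns each destination, and flags links where a trusted brand name appears but the registered domain belongs to someone else, or where the visible text shows one address and the `href` points at another. The small public-suffix set and the expected brand domains are assumptions made for the example; a real tool would use the full Public Suffix List.

```python
"""Spot misleading link domains and text/href mismatches in an email body.
Added example (not the original post's code); suffix and brand lists are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a tiny stand-in for the Public Suffix List so the example runs offline.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}

# Assumption: the domains the email claims to come from (an Amazon storefront here).
EXPECTED_DOMAINS = {"amazon.co.uk", "amazon.com"}


def registrable_domain(host: str) -> str:
    """Return the owner-controlled part of a hostname: 'amazon.co.uk.login.example.net'
    -> 'example.net'. The longest matching public suffix wins."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


class AnchorExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href: str, text: str, expected=EXPECTED_DOMAINS) -> list:
    """Return warnings for one link; an empty list means nothing looked suspicious."""
    warnings = []
    host = urlparse(href).hostname or ""
    real = registrable_domain(host)
    brand_words = {d.split(".")[0] for d in expected}  # e.g. {"amazon"}

    # Sign 1: the brand name appears in the URL, but the registered domain is someone else's.
    if real not in expected and any(w in href.lower() for w in brand_words):
        warnings.append(f"brand name in URL but registered domain is {real!r}")

    # Sign 2: the visible text looks like a web address that differs from the destination.
    shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
    if "." in shown and registrable_domain(shown) != real:
        warnings.append(f"text shows {shown!r} but link goes to {host!r}")
    return warnings


def scan_email(html: str, expected=EXPECTED_DOMAINS) -> dict:
    """Map each suspicious href in the email to the list of warnings raised for it."""
    parser = AnchorExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        warnings = check_link(href, text, expected)
        if warnings:
            findings[href] = warnings
    return findings


# Constructed sample: one genuine link, one lookalike subdomain, one text/href mismatch.
SAMPLE_EMAIL = """
<p>Your order has shipped. <a href="https://www.amazon.co.uk/orders">Manage your orders</a></p>
<p>We noticed unusual activity.
<a href="https://amazon.co.uk.account-check.example.net/login">Verify your account</a></p>
<p>Or visit <a href="http://secure-login.example.org/account">https://www.amazon.co.uk/</a></p>
"""

if __name__ == "__main__":
    for href, warnings in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for w in warnings:
            print("  -", w)
```

Running the block prints the two suspicious links with their reasons and stays silent on the genuine one. The key design choice is comparing registered domains rather than whole hostnames: `amazon.co.uk.account-check.example.net` starts with the brand’s name, which is exactly why the naive eye trusts it, but the part that decides who controls the page is `example.net`.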
Am I a target of phishing scams?
We hate to be the bearer of bad news, but yes - anybody with access to email is a potential target. This is partly because of the mentioned “spray and pray” approach, and also due to the fact that we’ve all got some level of valuable information that these cyber criminals can use.
Employee phishing scams, however, are where cyber criminals have a soft spot. The opportunity to steal information (and serious money) from companies is the foundation of the staggering rise of phishing attacks.
Why education is the key to prevention
Technology is vital for cyber security, but it can only keep us so safe. That’s why it is key to educate employees on the threat of phishing. After all, human error in the workplace is the root cause of over 90% of security breaches.
So, how can you effectively educate your employees on the phishing threats? Go phish ‘em.
Now, phishing your own employees might sound like an iffy subject to raise in front of the board, but the results it supplies cannot be ignored. From phishing real businesses ourselves (don’t worry, we had the IT department on board!), a first-time phish with a 25%+ compromise rate is a common result, although the rate is considerably reduced during the second phish. (Want to see what your end users’ phishing awareness level is? Try our phishing simulation service for a free trial.)
So there you have it, your introduction to a phishing scam. Feel free to register for our once-per-week blog notification (delivered straight to your inbox), packed with similar security tips and topics.
Want a similar read? Take a look at the real reason why phishing is so successful