16 Feb 2017
How to Run a Phishing Simulation Test: An Example from GlobalSign
As the number of cyber-attacks continue to grow, organizations are battling to keep their defenses up. Naturally, the technology is evolving to be stronger and harder to breach and as a result, people become the weakest vulnerability point.
That moment when an innocent employee opens a personal email on their lunch break and clicks on a link to a phishing site or the moment when someone in HR opens an email labelled ‘contract’ only to find out the Word document is actually a hidden script that brings in ransomware – whatever individual circumstance led to the attack happening in the first place, for the most part, they have innocent beginnings.
You don’t have to worry, it’s not just you. An article in Dark Reading suggests that around 20-30% of your workforce will click on a link in a phishing email. That’s a lot!
In the hopes of bringing that number down to 0%, I wanted to write this guide on phishing simulation tests based on the ones we do here at GlobalSign. Our IT Security Manager, Jeremy Swee has been keeping our teams vigilant and well-trained in the art of phishing tactics for over a year now. As we are a cybersecurity company, we take these things seriously, which is exactly why we make a great case study for you to emulate.
Before Getting Started
Before a phishing simulation test should begin in your organization, you need to start by planning an introductory training scheme. The initial training will be given to all current employees and then given to all new employees on arrival (preferably before they get access to their email accounts).
Make sure you set-up an email such as: firstname.lastname@example.org which can be used by employees when they suspect they have received a phishing email. Explain what steps they should take in order to report the email and arm them with the necessary equipment to report phishing email
The first step to any good phishing simulation test is the planning. You don’t want to send a phishing test too frequently or people will come to expect them and you don’t want to have them to infrequently either because then you will have too few statistics to report on.
You also don’t want to send phishing emails to the entire company at once as this might spark suspicion. That’s why we normally send around one phishing test a month to a test group of employees.
The next step is to devise the scenarios in which you will send these phishing emails and plan them out over the course of 12 months. You don’t have to have them all planned perfectly, some will come out of topical news stories and therefore be more ad-hoc, others will be based on real phishing emails you have seen or been reported to.
This is where you need to start thinking like a phishing attacker. What emails would really get your employees clicking? Can you dupe your employees into clicking?
Here’s a few examples from the past year at GlobalSign.
The ‘We Won’t Pay This’ Test
Try sending a phishing email to departments who deal with invoicing. Give the email an angry tone to spark a sense of emergency in your staff and get them to act with haste. Phishing emails will often use this technique to get people to click or download attachments.
The lesson for staff is to look at the sent address, if they don’t recognize the name or company, they shouldn’t be forced to work at haste because of the tone.
The ‘Get Something Free’ Test
Another psychological ploy used by phishing attackers is the ‘get something free’ approach. Nothing beats the idea of getting something for free – who wouldn’t be tempted to click!
Employees should learn that ‘free’ always comes with a catch and all emails like this should be seen as suspicious. Hovering over the links in the email should cause some suspicion but emails like this should never be clicked on as they are often expected to be malicious in nature.
The ‘Topical News’ Test
An email about topical news is enough to stir conversation in every inch of a business. Not long ago, in the GlobalSign UK office there was not much else we could talk about but Brexit. So it made good sense to use the opportunity to make a simulated phishing email.
Employees would be expected to see the from address was not recognizable and when they hovered over the link in the email they would see something suspicious there too. It is also not typical for us to communicate issues like this internally as an email so that might arouse suspicion in staff who have been with the organization long enough to have seen another event of this kind pass us by.
The ‘Popular Trend’ Test
When Pokemon Go came out, everyone was playing it. I’m sure you can think of at least one person in your organization who would spend their lunch breaks out on the hunt. When a popular trend arrives in an organization, phishing attackers can use it as a way to get into your defence system.
Employees will be expected to see the from address is not internal and that the link is suspicious.
Reporting and Training
If you employ a good phishing simulation tool, reporting will be part of the package. Important stats to track would be the individual email open rates, click through rates and how many people reported the incident using the steps you provided them before you began testing.
The expectation is that the trend click through rate will decline while the trend report rate will increase. You should use these results to determine the weakest link in your organization. In particular look at which departments or global offices are clicking on links the most.
You should also take a more granular look into which individuals are clicking on the links the most. If there is a specific person who seems to be clicking on phishing links regularly, perhaps this person should be taken in for a more personalised training session with someone in IT.
The great thing about sending phishing simulation tests is that you can adjust and mould the training based on the results. This in turn provides a greater overall efficiency within your company as you are not providing training to employees who don’t need it.
Follow Up With an Email
A few days to a week after a phishing simulation is sent, you should aim to send a follow up email. Explain why this scenario was devised and what employees should have been expected to notice from it.
Here’s an example follow up email from our ‘we won’t pay this’ test.
The recent simulated phishing email sent out on 20 December 2016 was based on an actual phishing email reported to us by one of our colleagues. It was an unusual phishing email that was crafted in a format we have not seen before.
The phishing email appears as if you wrote the first email and this was just a reply, all to reduce the recipient’s suspicion.
There are some Indicators-of-Phishing worth noting:
- Use of vulgarities to “shock” the recipient into a sense of urgency
- Link appears suspicious
Many employees informed us they checked their email sent box and confirmed they had never communicated with this sender. Some took the additional step to verify that the sender’s email address was not within our Salesforce customer database.
We set out with the expectation that this scenario based on a well-crafted phishing email would result in a high victimization rate but we are happy to report that most of our employees are one step ahead and proactively checked before clicking.
Continue to inform us of any suspicious emails you encountered, even if you have already clicked it, by letting us know at email@example.com.
These kind of emails will help in continued development of your employees.
The Right Tools
A phishing simulation tool is essential for any organization’s IT department. Sending test phishing emails to employees keeps them alert and simulates different environments at which an attack could happen.
Another tool in your toolkit should be Digital Certificates. You should work on implementing Digital Certificates to identify and authenticate the users within your organization. Emails that have been digitally signed validate the email sender, helping to distinguish legitimate emails from spoofs. Coupled with training, this will help reduce the risk of opening phishing emails that seem to come from work colleagues.
If you would like to know more about implementing Digital Certificates for intra-company email communication, contact us today.
Share this Post