When we speak with companies about performing phishing tests, one of the most common responses is “We know a lot of people will click, so why bother?” There are two issues with that mindset. First, yes, many employees might click a link in an email depending on the pretext used. However, counting link clicks is not the most important thing in a campaign. What we like to see is how many people will report a
phishing email.
Second, how can the employees and the company get better without training and testing? Most businesses are aware that they need to periodically test their servers for weaknesses (often referred to as a penetration test, or pentest) and know there is a likelihood that issues will be found. When you know the issues that exist and their severity, you can weigh and address the risk. These same considerations should be taken when thinking of social engineering against employees.
A Multi-Layered Approach
For proper protection we recommend phishing awareness training among employees, but it should not be the only line of defense. A defense-in-depth approach is always recommended. In addition to employee education, the mail servers should have proper spam filters in place. Those filters should be able to catch emails with insecure links and malicious attachments. The mail server should quarantine those files appropriately. Workstations should have up-to-date anti-virus in place, in case a malicious file does make it to the email inbox and is executed. Accounts should have multi-factor authentication in case credentials are leaked. The network should also have proper monitoring and alerting in place for when accounts are performing abnormal activities. Networks should be properly segmented so accounts in one segment cannot easily cross boundaries into other unnecessary segments. Accounts should follow the principle of “least privilege,” meaning only give accounts the minimum necessary permissions.
If all these steps are properly followed, one employee clicking on a malicious email link should not do widespread harm to the company. But let’s talk a little more about a phishing education program.
What We Are Really Testing
Too many phishing education campaigns focus on clicked links, the number of times a link gets clicked in a malicious message. Our focus is on the reporting of malicious emails.
When we perform a phishing campaign, our system measures:
- How many emails were sent
- How many emails were opened
- How many emails had the links clicked
-
- How many of these were reported as malicious
- How many emails were reported without a link being clicked
We like to see a very high percentage of the opened emails reported. In one recent phishing campaign for a financial institution, we saw 6,826 of our phishing emails opened. Out of those, 6,465 (94.7%) were reported as malicious. This is an outstanding number!
Why Reporting Matters More Than Click Rates
Most companies have a team that focuses on protecting their networks and responding to incidents. This staff is very good at their job, if they know there is an intrusion or if employees are under attack. When these teams are notified, they can spring into action by looking for indications of compromise. Your IT staff can immediately delete the malicious email from all other inboxes and find any rogue processes running. System administrators can force a password reset and look for any unexpected attempts to access the network. When these incidents go unreported, it gives the malicious actors more time locate sensitive data, increase their network access and build upon their attacks.
What We Do Differently
At
Social-Engineer, our focus is on report rates and on education. When an employee clicks a link in a phishing test, we show them a web page that tells them this was a test. Additionally, we use that moment to educate them on the various hints that were intentionally included in the phishing email. Some tips that we point out may include, the URL the email came from does not match the company’s domain or the request is stressing urgency with a tight deadline. Instead of this being a “gotcha!” moment, we want this to be a learning moment. People want to do the right things and the best way to help them is to use education and empathy, not shame or fear.
Lastly, we are flexible in the types of phishing campaigns that we offer. Our
Managed Phishing Service campaigns are customized and built by our team of certified and trained social engineers, not an automated email plucked from a library of templates. If there are specific attacks or campaigns that are unique to your industry, we will work with you and build a campaign that best fits your needs.
