
Create an email phishing test to minimize attack vectors

With email phishing testing, IT can improve its end-user security. Phishing attacks prey on user ignorance, so IT can use a test to teach users how to avoid this attack vector.

Email phishing is one of the most common attack vectors that organizations have to worry about, and the attacks are getting smarter.

Email phishing attacks involve an attacker pretending to be someone else to get personal information from a user through an email. Modern attackers use public information from social media sites such as LinkedIn to tailor attacks directly to users. As a result, users must understand how to recognize and avoid phishing now more than ever.

IT can limit risk with an email phishing test, where it sends its own phishing emails to users to determine who understands how to handle phishing and who doesn't. IT's phishing emails are, of course, harmless and only supply IT with data on how users interact with email.

The stakes are much higher with actual phishing. Organizational and personal user data are at risk from phishing attacks every day, so IT's main defense is to educate users with an email phishing test.

Who should IT test?

Email phishing testing should target everyone in an organization. This means more than just the users IT professionals believe they need to test. HR professionals and legal staff should also be subject to testing. IT pros should include themselves in the test as well to make sure the department understands all the signs and dangers of phishing.

Executives may not relish being tested, but they are a common target for phishing attacks, so it is essential for them to participate. Executives have access to their organization's most sensitive data, so they could be the subject of a whaling attack, in which attackers target high-level employees.

It may sound simple, but IT must explain the plan to executives as well so they buy in. An email phishing test could come off like a trick or a way for IT to embarrass users who fail. With the support of management and executives, IT can be sure that users take the testing seriously and hear out any feedback.

What methods should IT use?

IT should design an email phishing test using any method users might encounter in their work. One of the most common email phishing approaches is the social engineering attack, in which attackers customize an email based on information from social media sites, job profiles on the company site and more. The attacker can then generate an email designed to look like it's from a reputable source -- a family member, friend or co-worker. Often, these emails are urgent, so the user acts quickly and without thinking.

IT should prompt users for network credentials in an email phishing test because such information would be detrimental in the hands of a hacker. IT should also mimic techniques such as minor misspellings of reputable email accounts and prompts for common workplace external links, including employee handbooks and company events.

IT pros should go further than one click to determine if a user passed or failed the test. They can try to have users download potentially malicious software from an external site and then prompt them for personal or company information. Some users may know not to download suspicious files, but might freely give away information, while other users might do the opposite. A phishing email test with multiple attempts at a breach can provide IT with more data on user performance and offer users more to learn from.

What should IT do after the test?

Once the email phishing test is complete, IT should bring the results to management. If an organization's security is at risk, management should make decisions right away to protect the company against vulnerabilities. Users may not want to hear about their shortcomings, but it is essential to make them aware of how and why they failed the test.

IT should highlight how and where users failed specifically rather than explaining every facet of phishing defense. For example, an IT pro could explain the dangers of downloads from unknown sources to all the users who downloaded a potentially malicious file.

Users who performed perfectly on the test might have done so simply by luck or by ignoring the email. A test shines a light on areas where users can improve, but it does not guarantee perfect performance moving forward. An email phishing test is not a cure-all for phishing security, but IT should use it as part of a plan to minimize user vulnerability to phishing attacks.
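The multi-stage scoring and targeted feedback described above, as an added example that is not from the original article: it groups users by the stage they failed and marks users with no recorded interaction as inconclusive rather than passed. The log format, event labels, user names and follow-up topic wording are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export from a simulated campaign, one row per recorded action.
# Column names and event labels are assumptions, not any tool's real format.
SAMPLE_LOG = """user,event
alice,clicked_link
alice,downloaded_file
bob,clicked_link
bob,submitted_information
carol,clicked_link
dave,downloaded_file
"""

# Everyone who was sent the test, including people with no logged events.
RECIPIENTS = ["alice", "bob", "carol", "dave", "erin"]

# Test stage -> follow-up topic for users who failed at that stage (assumed wording).
STAGE_TOPICS = {
    "clicked_link": "links in unexpected email",
    "downloaded_file": "downloads from unknown sources",
    "submitted_information": "requests for personal or company information",
}


def score_campaign(log_text, recipients):
    """Return (user -> outcome string, topic -> users needing that follow-up)."""
    events = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        events[row["user"].strip()].add(row["event"].strip())

    outcomes, follow_up = {}, defaultdict(list)
    for user in recipients:
        failed = [s for s in STAGE_TOPICS if s in events.get(user, set())]
        if failed:
            outcomes[user] = "failed: " + ", ".join(failed)
            for stage in failed:
                follow_up[STAGE_TOPICS[stage]].append(user)
        else:
            # No interaction may be luck or an ignored email, not proof of skill.
            outcomes[user] = "no interaction (inconclusive)"
    return outcomes, dict(follow_up)


if __name__ == "__main__":
    results, groups = score_campaign(SAMPLE_LOG, RECIPIENTS)
    print(results)
    print(groups)
```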
