Even with the best two-factor authentication, next-generation firewalls, and latest antimalware or web content...
filtering systems in place, if users don't know how to avoid phishing emails, an organization's security can be compromised.
Email phishing is a form of cyberattack that disguises spam as emails from a reputable source to bait users into clicking unsafe links. It is an extremely dangerous attack vector in the enterprise. Phishing can target any user in an organization, so phishing security relies on users understanding what to look for to stop the threats.
The best way to get the attention of users and management is by demonstrating just how easy email phishing is to pull off. To do this, IT must put together an email phishing test, which involves IT creating its own phishing emails and executing the plan over time.
What makes a good email phishing test?
Management buy-in. The organization's higher-ups must understand the importance of an email phishing test, and they must be willing to be tested themselves.
Test all users. A phishing test conducted solely in the IT department can't possibly be successful. Executives must be involved. The same is true for departments such as human resources and legal. There are no exceptions. Everyone is fair game for attack, so IT's phishing test should be no different.
Go beyond the click. Old-school email phishing attacks, which consisted of getting users to click on an online banking or e-commerce link, are relatively easy to mimic. For today's phishing, however, testing through clicks is not enough. To prepare users for more sophisticated phishing attacks, the test should dig deeper to lead users on and ask for sensitive information, such as network login credentials.
Add clues. Include common indicators of a phishing email, such as different domain names and misspellings to give users hints that something is up. The more advanced the user, the fewer clues IT should provide.
Don't underestimate users. It is amazing what information users will give up when phishing emails are properly constructed. For example, IT could send an email from the executive committee encouraging users to click a link and acknowledge the latest employee handbook updates.
Be clear. Make sure the subjects and methods of the test are clear. Bring security policies, procedures and standards into the fray and test to see how they are enforced or ignored. Make sure that the phishing emails get through spam filters and are not merely a test of network security controls.
Don't rest on your laurels. If IT is already email phishing testing, it may not be enough. IT must step back and look at where the gaps are so it can fill them in. Just because IT executed email phishing tests in the past and users did well doesn't mean they haven't let their guard down.
What to do with the results
Most importantly, IT needs to share the results of the email phishing test with management and the people who failed the tests.
IT should approach it in a positive way -- outline the facts and discuss the lessons that users must learn.
In the end, email phishing tests are just another security exercise that should help an organization's systems and people get better over time. Small, incremental progress should be the goal.