What’s a Phishing Simulation Test and Why Would I Want One?
Posted on: September 19, 2019 By: Carolyn Kuczynski
90% of the time, hackers deliver their malware through email. If you’ve followed any cybersecurity statistics, you’ve probably already heard this one from the 2019 Verizon Data Breach Investigations Report. So why do cybercriminals use email? Because they don’t have to search around for a vulnerability in a website or in software. Phishing is a simple, direct approach that doesn’t take much time. Hackers don’t even have to be tech savvy to send phishing emails: they can buy tools online for as little as $2 and send emails to an unlimited number of potentially unsuspecting people.
Cybercrime is all about finding vulnerabilities, and cybercriminals have an easy time finding the vulnerability in humans: people who are moving fast through their email, trying to get their jobs done, and who are generally pretty trusting. As Nick Espinosa says in his Five Laws of Cybersecurity TEDx talk, “Humans can trust when they shouldn’t.” His audience saw this first hand when Espinosa asked everyone to look under their chairs for something that had been placed there. Everyone bent over and felt under their seats until Espinosa let them off the hook, saying that there was actually nothing under their chairs, but hey, you all believed me, right? Point taken.
But most of us know how to identify a phishing email at this point, right? This stuff is all over the news. We get it! Well, the data says we don’t get it, because if we did, 90% of breaches wouldn’t be coming from email.
Phishing emails and websites can look real. Really real. It can be very difficult to tell that the email you just received isn’t actually Amazon asking you to verify your purchase; you did buy some tube socks on Amazon last week! Outlook needs you to click here for a software update? Makes sense. Software has to be updated! Isn’t it actually unsafe not to update software? Krebs on Security reported a while back that half of all phishing scams are now hosted on websites whose Internet address includes the padlock and begins with “https://”, like the scam PayPal site image below. So not only do the emails and websites look legitimate, some of the clues we were taught to look for don’t work anymore.
“If it’s so difficult to tell real from fake, then what do I do to protect my company?” you may be asking yourself. This is where employee education comes in. But before starting that, it’s a good idea to get a baseline of how well your company’s employees recognize a phishing email and website.
A baseline phishing simulation is where safe but effective test emails are sent to your employees over a set period, say two weeks. You pick the templates that are used, based on which apps, software, websites and services your company uses or you know are common among your employees: LinkedIn, Airbnb, Microsoft, DocuSign and FedEx, to name a few options. During the two weeks, the number of clicks on the test emails and the number of attempts to enter sensitive information are captured. You then receive a risk report.
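A campaign like the one described above produces an event log, and the risk report is built from it. The following Python script is an added example (not code from the original post or from any simulation vendor's tool): it takes constructed campaign events and computes per-template click, data-entry and report rates, the share of employees who fell for at least one phish, and the repeat clickers who should be first in line for training. The event names and CSV layout are assumptions.

```python
from collections import defaultdict

# Constructed sample events from a two-week baseline campaign (not real data). Fields:
# timestamp, employee id, template, event (delivered/opened/clicked/submitted/reported).
SAMPLE_EVENTS = """\
2019-09-02T08:12:00,u001,docusign,delivered
2019-09-02T08:16:02,u001,docusign,clicked
2019-09-02T08:16:40,u001,docusign,submitted
2019-09-02T08:12:00,u002,docusign,delivered
2019-09-02T09:01:10,u002,docusign,reported
2019-09-09T10:00:00,u001,fedex,delivered
2019-09-09T10:05:00,u001,fedex,clicked
2019-09-09T10:00:00,u002,fedex,delivered
2019-09-09T10:00:00,u003,fedex,delivered
2019-09-09T11:20:00,u003,fedex,opened
"""

def parse_events(text):
    """CSV-style lines -> dicts; malformed lines are skipped rather than crashing the report."""
    rows = (line.split(",") for line in text.strip().splitlines())
    return [dict(zip(("ts", "user", "template", "event"), r)) for r in rows if len(r) == 4]

def _rate(numerator, denominator):
    return numerator / denominator if denominator else 0.0

def risk_report(events):
    """Per-template rates over unique employees (two clicks by one person count once)."""
    per_template = defaultdict(lambda: defaultdict(set))
    for e in events:
        per_template[e["template"]][e["event"]].add(e["user"])
    templates, clicked_tpls = {}, defaultdict(set)
    for tpl, b in per_template.items():
        delivered = len(b["delivered"])
        templates[tpl] = {
            "delivered": delivered,
            "click_rate": _rate(len(b["clicked"]), delivered),
            "submit_rate": _rate(len(b["submitted"]), delivered),
            "report_rate": _rate(len(b["reported"]), delivered),
        }
        for user in b["clicked"]:  # remember which templates each person fell for
            clicked_tpls[user].add(tpl)
    targeted = {e["user"] for e in events if e["event"] == "delivered"}
    # "Phish-prone": anyone who clicked or submitted at least once during the window
    prone = {e["user"] for e in events if e["event"] in ("clicked", "submitted")}
    return {
        "templates": templates,
        "phish_prone_pct": round(_rate(len(prone), len(targeted)) * 100, 1),
        # Repeat clickers fell for more than one template: first in line for training
        "repeat_clickers": sorted(u for u, t in clicked_tpls.items() if len(t) > 1),
    }
```

Run `risk_report(parse_events(SAMPLE_EVENTS))` to see the per-template breakdown; the report rate is worth tracking alongside the click rate, since a rising share of employees reporting the test emails is the clearest sign training is working.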
With the critical information you receive from a phishing simulation test, steps can be taken to reduce your company’s cybersecurity risk, which will likely include cybersecurity awareness training. Security awareness training takes only minutes per month and will reduce end users’ risk of falling for phishing by 70 to 90%!
The simplest way to reduce the risk of a breach is to strengthen your end users’ ability to recognize and defuse a phish. You’ve got to test and train the humans.
So if you could reduce your company’s cyberattack risk by up to 90%, would you do it?