“Here phishy phishy!” Train your employees to avoid the hook
SUMMARY
- Phishing is evolving
- New methods can take your employees by surprise and lead to compromise
- Phishing training methods have evolved too – it’s possible to train your team on resisting new attacks
You’ve probably been sent 100+ phishing emails in the last week. Depending on the software protecting your mail channel, some may even have made it all the way to your inbox, threatening your organisation’s security.
Multiply that number by all the people around you, and there are hundreds of opportunities for compromise, every week.
Phishing success rates are low. Some only achieve one compromise per million sends. That’s because most employees are capable of detecting and deleting suspicious-sounding emails.
But there is a success rate, and the more sophisticated the attack, the higher that success rate climbs… and the bigger the payoff.
Phishing is evolving. Attacks don’t just arrive by email anymore. They can be delivered by SMS, voice messages or, in the most brazen attempts, by locally dropped storage media (USBs and storage cards). The most organised and well-drilled attackers have learnt that the greatest payoffs come from highly targeted attacks against just one or two individuals in the organisation.
Train Your Employees to avoid the Phish hook
Attackers don’t have it all their own way, of course. It’s possible to simulate each of the new attack variants with a training tool called PhishLine.
PhishLine is a zero-harm platform, meaning that when an employee does take an unsafe action, all they get is an education, not a compromised device.
Using PhishLine, Computer One can simulate a real-world attack scenario using household name brands that your business interacts with. We think that by using correct English and everyday brand references from the Australian context, we’re educating your employees using the attacks that will come their way in the next 12-24 months.
We can even take it to the next level (as an attacker might) and create a campaign using a near-match domain. For example, if your domain was Qwerty.com.au, we might buy Qwerrty.com.au and stage the campaign from there. It’s a close match that can fly under the radar of an employee not inspecting their emails properly before taking a potentially dangerous action.
There’s a layer of management reporting from our Phishing Education as well. We can tell who your most likely targets for compromise are, and what kind of content is most likely to produce a compromise. That knowledge means you can target your general safety awareness education around those topics.
The last word…
Our experience suggests that the minimum click-compromise rate for a low-end phishing campaign is 1.38%. From an attacker’s perspective, that’s a pretty attractive rate. Although the opportunities are fewer and farther between, the success rate for a more targeted attack is even higher.
Our view is that every team needs training in how to recognise and resist attacks that are evolving in sophistication. PhishLine is an excellent training platform with a comprehensive reporting mechanism. Combined with our experience, it’s everything you need to harden your workforce.
Phishing Training costs just a tiny fraction of the amount you will lose in a real-world compromise. Talk to us about how we can structure a training campaign to suit your team.