Phishing, that scourge of the internet for several decades now, remains the most popular attack vector for bad actors trying to get their hands on confidential information. The targets range from commercial enterprises to government agencies (the Police Service of Northern Ireland's recent data breach is a reminder of how devastating a single disclosure can be).
New generative AI-powered tools like FraudGPT are accelerating the problem by letting cybercriminals produce well-crafted, targeted phishing emails at scale. The typo-riddled messages of old, which used to wave a cautionary flag the moment they landed in an inbox, are becoming rarer. More concerning still, generative AI can be instructed to mimic the tone or style of a particular person or persona (for example, "Draft an email that sounds like it's coming from the general counsel at company X"), producing uncannily persuasive and convincing messages.
Given the unrelenting nature of this onslaught, should organizations embrace phishing simulations as part of their security programs?
It might sound counterintuitive, but given how many organizations still struggle with phishing, casting a few phishing lines into their own pond can prepare users without the cost of a real attack.
A “heat map” of risk
The logic behind fighting phishing with more phishing is fairly straightforward: it is a way to identify where within the organization the areas of risk lie.
If you send out a simulated phishing email, which individuals or groups are most likely to click the links? Those working from home rather than those based in the office? Junior staff or senior leaders? Perhaps the clicks concentrate in one department, whether accounts payable, corporate legal, or HR.
Knowledge is power – and once you identify where areas of potential risk lie, you’ll have a “heat map” of the organization and its more vulnerable areas. From there, you can take steps towards understanding why those particular groups or individuals are more susceptible to phishing and raising their awareness about the very real threat that phishing poses.
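Turning campaign results into that heat map is mostly an aggregation exercise, but one detail matters for the "no naming and shaming" point made later in this piece: report by cohort only, and fold any cohort too small to hide an individual into an "other" bucket. The Python below is an added example, not code from the original article; the campaign export is constructed, and the field names (department, location, seniority, clicked, reported) and the five-person minimum are assumptions about what a simulation platform might export.

```python
"""Aggregate simulated-phishing results into a per-cohort "heat map".

Added example, not the article's own tooling. RESULTS is a constructed
campaign export; field names and MIN_COHORT are assumptions.
"""
from collections import defaultdict

FIELDS = ("user", "department", "location", "seniority", "clicked", "reported")

# Constructed export: one row per recipient of the simulated email.
_ROWS = [
    ("u01", "accounts_payable", "remote", "junior", True,  False),
    ("u02", "accounts_payable", "remote", "junior", True,  False),
    ("u03", "accounts_payable", "office", "junior", True,  False),
    ("u04", "accounts_payable", "office", "senior", False, True),
    ("u05", "accounts_payable", "remote", "junior", True,  False),
    ("u06", "accounts_payable", "office", "junior", False, False),
    ("u07", "legal",            "office", "senior", False, True),
    ("u08", "legal",            "office", "senior", False, True),
    ("u09", "legal",            "remote", "junior", True,  False),
    ("u10", "legal",            "office", "senior", False, False),
    ("u11", "legal",            "office", "junior", False, True),
    ("u12", "legal",            "remote", "senior", False, False),
    ("u13", "hr",               "remote", "junior", True,  False),
    ("u14", "hr",               "office", "junior", False, True),
    ("u15", "hr",               "remote", "junior", True,  False),
    ("u16", "hr",               "office", "senior", False, False),
    ("u17", "hr",               "remote", "senior", False, True),
    ("u18", "exec",             "office", "senior", True,  False),
    ("u19", "exec",             "remote", "senior", False, False),
    ("u20", "exec",             "office", "senior", False, True),
]
RESULTS = [dict(zip(FIELDS, row)) for row in _ROWS]

# Assumed minimum cohort size: anything smaller would let a reader work out
# who clicked, which is exactly the naming-and-shaming the text warns against.
MIN_COHORT = 5


def cohort_rates(results, field, min_cohort=MIN_COHORT):
    """Return {cohort: (n, click_rate, report_rate)} grouped by `field`.

    Cohorts with fewer than `min_cohort` recipients are merged into "other"
    so that no published number maps back to a single person.
    """
    counts = defaultdict(lambda: [0, 0, 0])  # recipients, clicked, reported
    for r in results:
        c = counts[r[field]]
        c[0] += 1
        c[1] += int(r["clicked"])
        c[2] += int(r["reported"])

    out = {}
    other = [0, 0, 0]
    for cohort, (n, clicked, reported) in counts.items():
        if n < min_cohort:
            other[0] += n
            other[1] += clicked
            other[2] += reported
            continue
        out[cohort] = (n, clicked / n, reported / n)
    if other[0]:
        n, clicked, reported = other
        out["other"] = (n, clicked / n, reported / n)
    return out


def heat_map(results, fields=("department", "location", "seniority")):
    """One cohort table per dimension: the organization's phishing heat map."""
    return {f: cohort_rates(results, f) for f in fields}


def hottest(results, field):
    """Cohort with the highest click rate for `field` (ties broken by size)."""
    rates = cohort_rates(results, field)
    return max(rates.items(), key=lambda kv: (kv[1][1], kv[1][0]))[0]


if __name__ == "__main__":
    for field, table in heat_map(RESULTS).items():
        print(field)
        for cohort, (n, click, report) in sorted(table.items(), key=lambda kv: -kv[1][1]):
            print(f"  {cohort:18s} n={n:3d}  clicked={click:5.1%}  reported={report:5.1%}")
```

Tracking who reported the email alongside who clicked gives a second, more encouraging axis: a cohort with a high click rate but a high report rate is a different problem from one where nobody reports at all, and the follow-up training should differ accordingly.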
Sounds straightforward enough – but putting phishing simulations into practice within your own organization requires a little bit of finesse.
There might be some camps within the organization who are opposed to phishing simulations, feeling that it sends the wrong message to employees – simultaneously saying “We don’t trust you” and “You people don’t know what you’re doing.”
That’s not what this is about. No one is trying to create an environment of mistrust or to call anyone’s competence into question. This is about strengthening the overall security posture of the organization, and user awareness training – including phishing simulations – is a valuable piece of the puzzle. That’s precisely how the simulations should be positioned.
Keep some compassion
That being said, the phishing simulations need to be conducted in the proper way, with some compassion for the end users. The idea here is not to “name and shame” individuals and announce that “John from accounting clicked the link in the phishing email we sent out” or to publish the name of the department with the worst track record of clicking on links in your weekly newsletter.
Instead, work to identify the individuals you need to educate, but also try to understand why they clicked. It might not be a lack of tech savviness or even a lack of training; maybe they were having a stressful day and their attention momentarily faltered. Maybe one department is chronically understaffed, so its people are perpetually distracted, which makes them more susceptible to cleverly written, convincing phishing emails.
Again, naming and shaming is not the goal here. Phishing simulations are a way for people to safely make mistakes, with an end goal of making the organization’s defenses stronger.
As a final point, phishing simulations should not be run on a standalone basis: They need to be accompanied by ongoing organization-wide user education and awareness about phishing. Tests and training should go hand in hand.
Also, as crucial as simulations are, having the right technology in place that can monitor where sensitive content is stored and integrate with the enterprise security stack is also critical for today’s organizations and can help blunt some of the impact of phishing. Real-time threat monitoring and analytics, for example, can detect the anomalous activity of a bad actor downloading hundreds of classified documents using stolen login credentials, allowing the organization to quickly take steps towards remediation.
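The bulk-download scenario in the previous paragraph is a straightforward detection to write. Below is an added Python example, not the article's own or any vendor's tooling: it slides a 30-minute window over constructed access-log lines and alerts when a user's downloads of sensitive documents exceed either a fixed ceiling or a multiple of that user's usual volume. The log format, the classification labels, the per-user baselines and both thresholds are assumptions made for the example.

```python
"""Flag a burst of sensitive-document downloads, as a credential thief might produce.

Added example, not the article's tooling. The log format, classifications,
baselines and thresholds below are all constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

SENSITIVE = {"confidential", "restricted"}   # assumed classification labels
WINDOW_SECONDS = 30 * 60                       # assumed 30-minute sliding window
ABSOLUTE_THRESHOLD = 100                       # never let anyone exceed this per window
BASELINE_MULTIPLIER = 10                       # ... or 10x their own normal volume
DEFAULT_BASELINE = 5.0                         # assumed volume for users with no history

# Constructed baseline: typical sensitive downloads per window, per user.
BASELINE = {"jdoe": 2.0, "asmith": 5.0}

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse '<iso-ts> user=.. action=.. doc=.. class=.. ip=..' into a dict."""
    ts_str, _, rest = line.partition(" ")
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return ev


def detect_bulk_download(lines, window=WINDOW_SECONDS, absolute=ABSOLUTE_THRESHOLD,
                         multiplier=BASELINE_MULTIPLIER, baseline=None):
    """Return one alert per burst: a user whose sensitive downloads in `window`
    seconds exceed min(absolute, multiplier * that user's baseline)."""
    baseline = BASELINE if baseline is None else baseline
    recent = defaultdict(deque)   # user -> (ts, ip) events still inside the window
    alerted = set()               # users already alerted for the current burst
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("action") != "download" or ev.get("class") not in SENSITIVE:
            continue
        user = ev["user"]
        q = recent[user]
        q.append((ev["ts"], ev["ip"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()                              # drop events older than the window
        count = len(q)
        limit = min(absolute, multiplier * baseline.get(user, DEFAULT_BASELINE))
        if count > limit:
            if user not in alerted:                  # alert once per burst, not per event
                alerted.add(user)
                alerts.append({
                    "user": user,
                    "at": ev["ts"].strftime(TS_FMT),
                    "count": count,
                    "window_minutes": window // 60,
                    "ips": sorted({ip for _, ip in q}),  # context: where the burst came from
                })
        else:
            alerted.discard(user)
    return alerts


def constructed_log():
    """Constructed sample: asmith's normal trickle, then jdoe's burst from a new IP."""
    base = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(8):   # asmith: 8 confidential downloads over two hours, office IP
        t = base + timedelta(minutes=15 * i)
        lines.append(f"{t.strftime(TS_FMT)} user=asmith action=download "
                     f"doc=Q1-forecast-{i}.xlsx class=confidential ip=10.0.1.15")
    for i in range(25):  # jdoe: 25 restricted downloads in 12 minutes, unfamiliar IP
        t = base + timedelta(minutes=30, seconds=30 * i)
        lines.append(f"{t.strftime(TS_FMT)} user=jdoe action=download "
                     f"doc=board-minutes-{i}.pdf class=restricted ip=203.0.113.7")
    t = base + timedelta(minutes=35)   # noise the detector must ignore
    lines.append(f"{t.strftime(TS_FMT)} user=jdoe action=view doc=handbook.pdf class=public ip=203.0.113.7")
    t = base + timedelta(minutes=20)
    lines.append(f"{t.strftime(TS_FMT)} user=asmith action=download doc=lunch-menu.pdf class=public ip=10.0.1.15")
    return sorted(lines)   # fixed-width ISO timestamps sort chronologically


if __name__ == "__main__":
    for alert in detect_bulk_download(constructed_log()):
        print(alert)
```

The per-user baseline is what keeps the rule honest: a researcher who legitimately pulls dozens of restricted files a day needs a higher ceiling than a receptionist, and a fixed threshold alone would either miss the thief or drown the analyst in noise. Pairing the count with the source address in the alert gives the responder the first thing they will ask for anyway.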
Ultimately, phishing simulations are a tool at organizations’ disposal – but like any tool, it needs to be used properly. Incorporating phishing simulations in a careful and considered manner, as part of a larger user education and awareness campaign around cybersecurity, will only help an organization to strengthen its defenses and better safeguard its sensitive information. Organizations should have little hesitation when it comes to phishing in their own ponds.