January 20, 2024 by Steven Tobolar

Employee Phishing Test – Check Your Phishing Attack Resilience

Even with state-of-the-art cybersecurity, nobody can fully control the human factor, making your employees the ideal entry point into your organization.

In this article, we are exploring:

  • What are phishing attacks.
  • The different types of phishing.
  • Subtle phishing email signs.
  • How to perform a phishing test.
  • Tips for avoiding phishing attacks.

What Is a Phishing Attack?

Phishing is one of the most prominent forms of cybercrime, designed to take advantage of a person’s trust and steal their personal information.

The attacker presents themselves as a trustworthy, legitimate entity or institution and tries to obtain confidential or sensitive information from their target.

Phishing attacks are among the most common types of cyber attacks in that 22% of all data breaches are caused by phishing and 54% of ransomware infections.

Phishing scams can have negative consequences for your business:

  • Loss of critical data.
  • Damaged reputation.
  • Monetary loss.
  • Failure to comply with data protection laws.
  • Loss of customers.
  • Intellectual property theft.

In most cases, phishing attacks are designed to get an employee to click on a fake link that can give the attacker access to their information or install malicious software on an employee’s computer.

Different Types of Phishing Attacks

Phishing by email is, without a doubt, still the most common type. But cybercriminals get more creative every day, so phishing takes numerous different forms.

Here are the most common types of phishing attacks to be aware of:

  • Standard email phishing — The attackers attempt to steal PII via email which appears to be sent by a legitimate organization or sender. Email phishing attacks are generally not targeted, but happen through mass messaging.
  • Spear phishing — Phishing attacks directed at specific individuals, businesses, or political organizations. The targets are usually high executives and public personas. Attackers tailor the attempts with background knowledge about the victim, making them seem trustworthy.
  • Smishing (SMS phishing) — Attacks that use text messages via carriers as bait, with the usual phishing goal of retracting personal details and sensitive information. They’re often disguised as prizes or account notifications.
  • Vishing — A blend made out of “voice” and “phishing,” and refers to phishing attacks using VoIP (voice over internet protocol) technology. The attacks forge caller ID to make it seem trustworthy and persuade the target to disclose personal or banking details. Most commonly reported vishing attempts are made to sound like someone from the target’s bank, technical support, or a government official is on the phone.
  • Clone phishing — These rely on previously sent or received emails with links or attachments. Being a “clone”, they’re almost a perfect copy of the original email, except that they eplace links and attachments with a virus or malware.
  • Angler phishing — Attackers pose as customer support from a trusted company on social media. The attacker attempts to convince the target to share personal information, most commonly including login details or a direct link to a fake customer support page
  • Pharming (DNS poisoning) — Redirecting traffic from a trusted, legitimate website to a fake website. Pharming involves DNS server software corruption or local network router targeting.
  • Whaling — Targets high-profile business accounts. Whaling performs scams often using the story of a complaint, legal issue, subpoena, or some other C-level problem.
  • Filter evasion — Uses DNS corrupting cache entries and rogue access points to evade common anti-phishing filters.
  • Content spoofing (content injection phishing) — Changing of elements or the entire content of a reliable website page. The revised part or page redirects the target to another site, where the attacker obtains the target’s personal information.
  • Search engine phishing — Attackers build their websites to offer amazing deals on products and index the website to appear in the search engine.
  • Tabjacking (tabnabbing) — Using the opportunity of the victim having multiple tabs open to load and redirect the user to a fraudulent website to obtain PII.
  • Man-in-the-middle phishing (MITM) — Utilizes three participants: the target, the entity that the target communicates with, and the “man in the middle”. The tactic relies on intercepting the victim’s communication with the entity by creating phony Wi-Fi hotspots. This attack consists of two phases: finding a vulnerability in the target’s internet connection and deploying tools for data interception and decryption.
  • Business Email Compromise (BEC) — Involves a non-legitimate email that seems to be from someone working in the target’s company and requesting urgent action, most commonly involving money or gift cards.

With so many phishing attack types it becomes very hard to recognize them, especially with the fact that they are constantly evolving with new technologies and ways to access your data.

How to Spot a Phishing Email

Phishing scams are becoming more and more sophisticated.

The attackers can successfully mimic any kind of trustworthy entity, from family and friends to banking institutions or government organizations.

Still, there are some phishing scam indicators to be on alert for:

  • Non-personalized salutations — Attackers usually send thousands of emails or messages, making it impossible for them to be personalized. It’s easy to recognize emails that start with “Hello”, “Hey”, or ”Hi there”… instead of your name in the greeting.
  • Suspicious address — Phishing scammers usually use non-official business email addresses as they don’t have access to them. Their domains usually look unusual and you can check their legitimacy by searching for the domain from the email address.
  • Poor grammar and spelling — Phishing is usually performed by attackers from a different country than yours, and you’re likely to spot mistakes in spelling or grammar. Be careful not to click on any links provided in a message like that, even if they seem to come from a legitimate source.
  • Urgency – Although a popular marketing conviction method, emails with a subject that advertises a limited-time offer, threatens account suspension, has an urgent mark, etc., are probably phishing attempts. It’s best to avoid replying, but if you believe you’re wrongfully ignoring a legitimate message, try contacting the source directly instead of opening the email.
  • Asking for donations — These often occur in the immediate aftermath of a natural disaster or another event of significant impact. The attackers count on their targets’ compassion and ask for donations. Check the legitimacy of the charity and follow the official donation path on their website instead of following the link sent to you via SMS, or email.
  • Suspiciously generous offers — Stay clear of “amazing sale deals”, offers to make easy money or anything that sounds too good to be true.
  • Unexpected attachments — Pay extra attention to suspicious attachments, as they typically contain either ransomware or a virus. Unless you were expecting an attachment, you shouldn’t open it, especially if it’s from an unknown address.
  • Hyperlinks — Hyperlinks within email messages can compromise your safety. Most commonly, they will install malware upon your clicking on them. The hyperlink displayed text may appear from a legitimate source, but a simple hover over the link will display the complete source URL. If you want to open it but aren’t sure if it’s safe, you can utilize URL scanners.
  • Unusual time of the day – As one of the staple signs of a phishing attempt, receiving an email during odd hours rather than the typical 9 to 5, is a red flag. Your bank or local court would never send you an email at 2 am.

Taking into account all of these tips, your employees should learn about phishing and the most common signs of phishing attacks.

One of the best ways to protect your organization from phishing is to perform regular phishing tests and get insights into what needs improvement.

How To Conduct A Phishing Test For Employees

The best defense against phishing attacks, on top of anti-phishing tools and spam filters, is employees themselves.

The importance of preparation is the fact that 32.4% of employees fail phishing tests when not provided regular training.

A phishing test or phishing simulation is a cybersecurity exercise meant to improve your organization’s resilience to phishing attacks through simulations of a real phishing attack.

They are usually performed by performing simulated phishing attacks on your own employees to gather insights into how you can improve security.

Phishing tests are conducted in five steps:

  1. Planning — Define the objectives and set the scope of your test. Decide on the phishing methods and frequency of phishing attacks simulated as well as the targets in your organization (individuals, departments, executives…).
  2. Drafting — Create realistic phishing email messages that resemble the newest phishing threats. Pay attention to details like subject lines, addresses, and the content of the email. Make a variety of templates to have a better understanding of what works for your employees.
  3. Execution — Utilize your IT team or outside vendors to send simulated phishing emails to your targets through secure means.
  4. Monitoring — Track and record how your employees interact with phishing emails by monitoring what they open, if they click on links, download attachments, or provide sensitive information.
  5. Analyze — Utilize the gathered data from the phishing test to determine the trend and vulnerabilities in your security. Use these insights to create new protection methods and educate your employees on how they can improve their security.

Phishing tests give you great insight into what needs improvement, but they need to be both secretive to get the best results and conducted regularly to be on top of your security.

While phishing tests take time and effort on your part and can’t be performed too frequently, your managers can still test employee phishing attack resilience through smaller free phishing tests.

Here are some free online phishing tests to try:

How To Avoid Phishing Attacks

One of the key best practices to determine cyber resilience is to take an organization-wide phishing test every six months.

Another one is educating employees through phishing training sessions.

Here are some best practices to include in your training:

  • Never share passwords with others. No legitimate entity will ever ask you to do it.
  • Never share personal details via email, SMS, social media messages, or through the links in any of them.
  • Do not click hyperlinks if you aren’t expecting them. Even if you are, use URL checkers to see what’s in the link.
  • Change your passwords regularly to prevent any unwanted login as your access might have been compromised without you knowing.
  • Never open attachments from unknown senders if you don’t expect to receive them. If you receive an email containing attachments without a heads-up, it’s better to consult the source whether they were intended.
  • Never click on pop-ups, even if they annoy you. It’s better to go off of a website than risk clicking on a hidden link.
  • Install anti-phishing add-ons on your computer that can spot malicious websites or emails and warn you about opening them.
  • Use sandboxing for inbound emails to check and filter out suspicious emails and files. Sandboxing is a practice that can help prevent your host systems and devices from being exposed to threats and is one of the most efficient threat detection practices.
  • Report any phishing attempts to the appropriate authorities or a member of the IT department at your organization.
  • As an organization, implement spam filtering, regularly updated firewalls, and anti-phishing software.
  • Trust your gut. If an email or another received message seems odd, do not open it or click on any links and attachments.
  • Keep your cyber-security tools and software up to date and stay alert to the latest phishing techniques. Always look for the best cybersecurity practices.

Conclusion

Cybersecurity is now more important than ever and phishing attacks are still a problem even with the latest technology.

It only takes one email to crumble an organization.

This is why protecting your organization and educating your employees is so important when it comes to electronic communications.

Having an email archive is one of the best ways to make sure your data isn’t lost due to a potential attack and make sure it is protected for prolonged periods.

Stay compliant with all data retention regulations with Jatheon’s archiving solution allowing you to archive all communication, perform ediscovery, and protect your data.

 

Read Next:

How To Recognize and Prevent Social Engineering Attacks

Social Media Attacks and How to Prevent Them

Email Retention Policy Best Practices for 2024

 

FAQ

What is a spear phishing attack?

A spear-phishing attack is a targeted phishing attack where a cybercriminal creates a message for a specific individual in an organization trying to get them to click on a malicious link. It differs from traditional phishing which is sent to thousands of individuals without a clear target.

What to do after a phishing attack?

After a phishing attack, change all of your passwords, report the attack to your IT/security team, monitor your accounts for unusual activity, and run a malware search on your machines. It’s best to inform the whole organization of the attack to prevent further disaster.

Is phishing punishable?

Yes, phishing is punishable by law as it is an illegal activity. Attackers can face criminal charges, fines, and in serious cases imprisonment depending on the severity of the attack.
How effective is a phishing test?
Phishing tests are a must-have cybersecurity strategy as they improve an organization’s resilience to these attacks. Research shows that after five or more phishing tests, the percentage of susceptibility dramatically dropped to a single digit.

About the Author
Steven Tobolar
Steven Tobolar is Jatheon’s Head of Tech Support and an experienced engineer specializing in large-scale migration projects, AWS, Exchange Servers, and Microsoft Azure. Outside work, he enjoys reading, movies, off-road driving, and mountain biking.

See how data archiving can simplify compliance and ediscovery for your organization

Book a short demo to see all the key features in action and get more information.

Get a Demo

Jatheon is a “Trail Blazer” in The Radicati Group’s 2024 Information Archiving MQ

Share via
Copy link
Powered by Social Snap