To Phish or Not to Phish?

  • Published: Wednesday, July 15, 2020

That is the question. There are plenty of arguments on both sides when it comes to phishing simulations in the workplace. Many people feel that it is not fair to “trick” their staff, that it shames them for falling for the phish, or that the pushback from conducting the exercises is not worth it. Supporters feel that these simulations condition users to recognize real-world phishing schemes and therefore heighten their awareness.

Whichever way you feel, it is important to know the statistics on criminal phishing tactics. Here are a few from the 2019 Verizon Data Breach Investigations Report (DBIR).

  • 33% of breaches included social attacks
  • 29% of breaches involved use of stolen credentials
  • 94% of malware was delivered via email
  • 32% of breaches involve phishing

More interesting stats:

  • 37.9% of untrained users fail phishing tests
  • Nearly half of data breaches are due to human error and glitches
  • 88% of organizations reported experiencing spear phishing attacks
  • 94% of malware is delivered via email

Your phishing campaigns do not have to be covert. You can send out a phish, tell users up front that it is a phish, and have them select all the indicators and submit them. You can then award the winner a prize or, in case of a tie, hold a drawing. Or run a phishing derby: users opt in, you send multiple phishes within a set time period, and those who correctly identify the most phish win.

Education. Is. Key.

Conducting phishing campaigns should involve more than counting the number of clicks and reports of the phish. There should be ongoing education, and you should listen to the conversations and questions that follow each exercise. Phishing exercises are an important part of a security awareness program. Your program should be ongoing and varied in content, covering all aspects of cybersecurity: mobile, Internet, social media and phishing/smishing campaigns. Use varied methods of delivery such as computer-based training, gamification, posters, blogs and newsletters. There is only so much that technical defenses such as anti-virus, anti-spam filtering and firewalls can do. Hardening the ‘human firewall’ can help keep your organization, as well as your staff, safe.