According to the most recent Verizon data breach report, a phishing email is often the first phase of an attack. That's because it works: 30 percent of phishing messages are opened, but only 3 percent are reported to management.
But when employees are trained on how to spot phishing emails, and then get tested with mock phishing emails, the percent who fall victim decreases with each round.
Of course, it's impossible to get the response rate to zero; the criminals are becoming extremely clever with their messages. Fortunately, zero isn't necessary. If enough employees forward phishing emails to security, the company becomes aware that it is the target of a campaign and can prepare to deal with the messages that do slip through.
The Anti-Phishing Working Group offers a variety of resources, including a phishing education landing page that companies can use in conjunction with their anti-phishing campaigns. Some of the vendors below, including PhishMe and KnowBe4, also offer free resources.
BetterCloud, which offers security and monitoring services for cloud-based office applications, started worrying about phishing when another company in their office building lost $2 million to a phishing scam, and their cybersecurity insurance would not cover the cost.
"Their business took a really big hit," said Austin Whipple, the company's senior security engineer. "It was hard to recover from that."
In response, BetterCloud ran a company-wide training, then created its own phishing email campaign that seemed to be a note from the HR system, but actually came from an external email address. This was followed up with more education.
"Compared to other organizations, or to the Verizon report, we did fairly well," he said. "But there are still some areas we can improve on."
Once some time has passed, there will be another phishing test, he added. Employees forward suspicious emails to him personally, and it's clear that the company has already been specifically targeted, because some of the real phishing emails include inside information that would have required some research.
According to Whipple, setting up an anti-phishing training program is not too difficult.
"Any one tech person can do this whole thing," he said. "It doesn't take a massive amount of setup. Educate your people, do the test, then educate the people again, and do a follow-up test."
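The HR-system lure BetterCloud used for its test, and the practice of having employees forward suspicious mail to security, both come down to one check that a mail filter or a triage script for forwarded reports can make: does the sender claim to be an internal system while the address is external? The script below is an added example, not BetterCloud's or any vendor's code; the internal domain, the role words and the two sample messages are all constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the company's own sending domains (placeholder value).
INTERNAL_DOMAINS = {"example.com"}
# Display-name words that claim an internal system or department.
INTERNAL_ROLE = re.compile(r"\b(hr|human resources|payroll|benefits|it support)\b")

def sender_domain(addr):
    """Lowercase domain of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def check_message(raw):
    """Return the reasons a message looks like an external sender posing as an internal one."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = sender_domain(addr)
    reasons = []
    # The lure pattern: a display name that claims HR, but an address outside the company.
    if from_dom not in INTERNAL_DOMAINS and INTERNAL_ROLE.search(name.lower()):
        reasons.append(f"display name '{name}' claims an internal role but sender domain is {from_dom}")
    # Replies routed to yet another domain are a second common sign.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and sender_domain(reply_addr) != from_dom:
        reasons.append(f"Reply-To goes to {sender_domain(reply_addr)}, not the From domain")
    return reasons

# Constructed sample messages, not real mail.
LURE = """\
From: HR Department <hr-notice@example-benefits.net>
Reply-To: payroll@mail-updates.example-benefits.net
Subject: Action required: confirm your direct deposit details

Please review the attached form by end of day.
"""
LEGIT = """\
From: HR Department <hr@example.com>
Subject: Holiday schedule for next quarter

The office will be closed on the following dates.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        print(label, check_message(raw) or ["no indicators"])
```

Run over a mailbox of employee-forwarded reports, the count of flagged messages per sender domain is the quickest way to tell a one-off from the kind of campaign Whipple describes.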
PhishMe’s phishing simulation, training and reporting platform is used by more than 800 customers world-wide, including nearly half of the Fortune 100, to proactively engage thousands of employees in simulations that condition them to detect and report phishing threats.