Preventing Cybersecurity Threats with Email Phishing Simulations
Social engineering schemes continue to grow in their sophistication, and phishing campaigns, in particular, are causing concern as they make their way to employee inboxes. These fraudulent email campaigns (and phone calls too!) appear legitimate and take advantage of employees who are often too busy or simply unprepared to identify a scam. In either case, if the employee clicks a link, downloads an attachment or provides credentials or financial information to a hacker behind the scenes, it is a gateway to potentially very serious scenarios.
And these scams are working. A 2016 study by Verizon found that 30 percent of phishing emails are opened by the recipient. According to the FBI, spear-phishing campaigns between 2013 and 2015 cost companies more than $2 billion.
And while there are next-generation firewall protections and email security features and tools to act as security barriers to targeted attack emails, unfortunately, some of these emails are still going to get through and pose a threat to your firm’s security posture. (Side note: to learn more about each of these cybersecurity defense layers, watch our webinar replay below).
Employee awareness, education and training are going to act as your firm’s best line of defense against these types of cybersecurity scams. Generally, phishing emails share a set of common characteristics employees should beware of:
Sense of urgency! Beware of any email saying something must be done NOW ‘or else’
Poor grammar or misspelled words or typos
Generic sender information, such as from ‘payment processor’
Domain is not legitimate; for example, a subdomain may be used or the spelling is incorrect (contains an extra letter that could be overlooked)
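As an added illustration of the checklist above (example code, not from the article or from Eze Castle Integration), the following Python flags three of the four characteristics in a message: urgency wording, a generic sender name, and a sender domain that is a lookalike or subdomain spoof of a trusted domain (grammar checking is left out). The trusted-domain list, sender names and message text are constructed assumptions.

```python
import re

# Constructed set of domains the (hypothetical) firm treats as legitimate senders.
TRUSTED_DOMAINS = {"examplefund.com", "vendorpay.com"}
URGENCY_RE = re.compile(r"\b(immediately|urgent|now|or else|within 24 hours)\b")
GENERIC_NAMES = {"payment processor", "it support", "help desk", "administrator"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; the 'extra letter' trick is a distance of 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_verdict(sender: str) -> str:
    """Classify a sender address as trusted, lookalike, subdomain-spoof or unknown."""
    domain = sender.rsplit("@", 1)[-1].lower().strip(">")
    labels = domain.split(".")
    registrable = ".".join(labels[-2:])  # e.g. evil.net in examplefund.com.evil.net
    if registrable in TRUSTED_DOMAINS:
        return "trusted"  # covers real subdomains such as login.examplefund.com
    for good in TRUSTED_DOMAINS:
        # Trusted name reused as a subdomain label of an unrelated domain.
        if good.split(".")[0] in labels[:-2] or domain.startswith(good + "."):
            return "subdomain-spoof"
        # One inserted, dropped or swapped letter in the registrable domain.
        if edit_distance(registrable, good) <= 1:
            return "lookalike"
    return "unknown"


def phishing_indicators(sender: str, display_name: str, subject: str, body: str) -> list:
    """Return the checklist red flags found in a message, in a fixed order."""
    flags = []
    if URGENCY_RE.search(f"{subject} {body}".lower()):
        flags.append("urgency")
    if display_name.strip().lower() in GENERIC_NAMES:
        flags.append("generic-sender")
    verdict = domain_verdict(sender)
    if verdict != "trusted":
        flags.append(f"domain:{verdict}")
    return flags
```

A real deployment would feed these flags into mail-gateway scoring alongside the other controls the article mentions rather than using them alone.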
There are a number of ways to educate and train your firm’s employees on the dangers of phishing scams and how best to sniff out fraudulent emails. Annual information security awareness trainings typically cover phishing scams and can provide high-level information and tips for users to keep in mind. Many firms also hire cybersecurity consultants or experts to provide in-person trainings that help legitimize the seriousness of these issues.
The most effective way to train employees on phishing dangers, however, is through the act of actually phishing them. Managed phishing services are rising in popularity, as they effectively use phishing email simulations to test existing knowledge and also provide in-the-moment education to ensure users are best equipped to thwart cyber attacks.
To give you a better picture of how managed phishing tools work, let’s use Eze Managed Phishing & Training Service as an example. On a regular basis (typically quarterly), Eze Castle Integration, acting as the managed service provider, delivers controlled, mock phishing campaigns against a firm’s employees. When a user clicks on a mock phishing email in a campaign, he or she is taken to in-the-moment training that reinforces key concepts and provides tips on avoiding real phishing threats. Regardless of the type of phishing simulation delivered (attachment-download and login-credential techniques are also used), all results are captured and provided to the firm in a full report. Click rates, locations and endpoint analysis are some of the summary-level metrics provided. Employee training completion is also reported to ensure employee accountability.
Using phishing simulation exercises is both an effective and cost-effective method for training users on the dangers of social engineering schemes and demonstrating the importance of safe cyber and email practices. To learn more about Eze Phishing and Training, as well as two other cybersecurity defense layers to safeguard your firm’s information, watch our webinar replay below or contact us.