Phishing Simulation Training

We’ve all received phishing emails in the past. Messages from princes in other countries or lawyers representing the estate of long-lost relatives. These are easy enough to spot, but the phishing emails used by hackers are a bit more complex. They may be accurate mock-ups of emails from genuine businesses, or they might include the names of other employees in your business. It’s important that your team knows what to be on the lookout for and feels confident in their ability to spot one.

Phishing emails are emails which are sent by cybercriminals, but which purport to be from genuine contacts. They often attempt to convince the recipient to either open a malicious link, download malware/ransomware, or hand over sensitive data like passwords or bank account details.

Phishing emails are often generic and sent to thousands of email addresses at once, but there are also hyper-targeted phishing emails aimed at specific targets such as a company’s CEO or IT admin. These targeted phishing emails are known as “spearphishing”.

Falling for phishing email scams could result in grave consequences.

• You could be tricked into downloading ransomware that encrypts your data and renders it inaccessible until you have paid the hacker a ransom.
• You could be sent to a dummy site which resembles a service you use (Office 365, Amazon, Facebook, etc) and tricked into handing over your login details, meaning the hacker now has access to that service (having multi factor authentication active is a great defence against this!).
• You could be tricked into handing over other sensitive data such as your bank account details or sensitive data on your customers.

Here are some of the tell-tale signs that an email may not be genuine.

• Poor Spelling/Grammar
  The majority of phishing scams originate outside of the English-speaking world. As such, they often have spelling and grammar errors.
• Time Pressure
  Many phishing emails will try to instil a sense of urgency. Emails asking you to “act now”, “reply in the next 24 hours”, etc are normally fake. If something were really that urgent, the person would have called you rather than sending you an email that you may not see for days.
• Slightly Altered Email Addresses
  This one can be harder to spot, but often the spammer will have used an email domain which is almost identical to a genuine, trusted domain. For example, they might use nnicrosoft.com (with two Ns instead of an M). At a glance, your eye will read the domain you were expecting to see and not notice the swapped characters. If you are suspicious about an email, you should always double check the domain.

Carden IT Services can supply a dummy phishing email programme. Periodic, randomised phishing email simulations are sent to your team members. These mimic real phishing emails without the risk to your network.

If your team members are successfully convinced by the simulated phishing email to click on its link, or to divulge sensitive data, they are directed to an online refresher course reminding them of how to spot phishing emails and demonstrating the signs they could have recognised in the phishing simulation they were just sent.

This puts your employees on high alert for phishing emails, as not only do they not want to click on a phishing email, but they also REALLY don’t want to click on the fake one because it demonstrates to everyone observing the test that they are not being careful enough about the links they click.

Without informing your team about the risks of phishing emails and regularly testing your team on phishing emails, an employee who clicked on a genuine phishing email could say that they had no idea they existed. With phishing email simulations in place, they have regular tests and reminders, meaning there’s no excuse for them not to be engaged in your company’s email security.