What an MSP and their clients need to know about Phishing Simulations

Why Phishing Simulations are Important

Phishing, in all its forms, is the most widely used social engineering tactic among cybercriminals. Attackers manipulate people, including employees, to get around technical security controls: a staggering 96% of data breaches start with a phishing email.

The success of phishing can be seen in increased ransomware attacks and Business Email Compromise (BEC) scams: Recently, the FBI announced that BEC attacks cost global businesses more than $43 billion between 2016 and 2021, with a 65% increase in losses between July 2019 and December 2021.

The sheer volume of phishing-based attacks leaves companies exposed. How does an organization protect its staff, and itself, from phishing?

The answer is a mix of technical controls, such as email protection and DNS filtering, alongside phishing simulation tools. The latter are becoming increasingly important as a complement to technical controls, because cybercriminals use ever more sophisticated methods to evade detection. Here is why phishing simulations are a must-have defense for every business.

Sign up for a FREE Demo of SafeTitan to see how the phishing simulation can benefit your MSP business and clients.


What are Phishing Simulations?

Cybercriminals create email messages that use psychological tricks to push the recipient into acting in a certain way. These tricks are clever, often mimicking well-known brands such as Microsoft Office. For example, a phishing campaign caused a data breach that affected the LA County Department of Mental Health; according to one report, the attacker stole the login credentials of employees' Microsoft Office accounts.

Credential theft is the goal of most phishing: 74% of phishing emails are designed to steal login credentials.

Phishing simulators focus on phishing campaign tactics and are used to educate employees about the subtle and sophisticated methods used by cybercriminals when attempting to hack into a company.

For example, a phishing email generated by a phishing simulation platform looks like a real phishing email but carries no malicious payload: its links and attachments lead only to the platform's own training pages. Phishing simulations are therefore a safe way to train employees about the dangers of phishing.

Phishing simulations are typically carried out by IT departments or through a managed service provider (MSP).

Phishing simulator tools are typically cloud-based. A series of phishing simulation exercises are designed to reflect phishing campaigns that target a specific industry or role within an organization.

TitanHQ SafeTitan delivers fully automated simulated phishing attacks. The simulated phishing attacks use a library of thousands of phishing email templates, each configurable to reflect a typical and current phishing campaign. This library is regularly updated to ensure that phishing campaigns are current.

What Happens in a Simulated Phishing Campaign?

When the IT team or MSP designs a phishing campaign, they will typically base it on a current or projected real-world phishing attack. A library of templates allows the spoof campaign to be configured and made ready for delivery across the company. Campaigns can be targeted at whole departments or at individual employee roles.

Some employees, such as those with privileged access to sensitive information, staff in accounts payable and HR, and C-level executives, are at high risk of spear-phishing. Advanced simulated phishing platforms, such as SafeTitan, allow simulated phishing campaigns to be designed around these users.

The simulated phishing emails are delivered to an organization's user population via the platform. These emails carry all the outward attributes of a real-world phishing email, including links that appear malicious but actually take the recipient to a spoof website controlled by the platform.

For example, if the employee clicks on such a link, downloads an attachment, or enters credentials into the spoof web page, they are presented with a learning exercise explaining why this was a dangerous action, with tips on avoiding the behavior in future.
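The mechanics described above, as an added illustration that is not SafeTitan's code or any vendor's implementation: a minimal simulated-phishing landing page written against Python's standard-library WSGI interface. Each recipient gets an unguessable per-recipient token in their link, the page records a 'clicked' event on the GET and a 'submitted' event on the POST, and the submitted password is drained and discarded rather than parsed or stored. The host name, the in-memory stores and the training text are assumptions for this example.

```python
"""Added example (not SafeTitan code): a minimal simulated-phishing landing
page using only the Python standard library. It records who clicked and who
typed into the spoof login form while never retaining the password itself."""
import io
import secrets
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

# In-memory stores (assumption for this example; a real platform persists these).
TOKENS = {}   # per-recipient token -> recipient e-mail address
EVENTS = []   # recorded events; deliberately contains no credential fields

SPOOF_FORM = (b"<form method='post'><input name='user'>"
              b"<input name='pass' type='password'><button>Sign in</button></form>")
TRAINING_PAGE = (b"<h1>This was a phishing simulation</h1>"
                 b"<p>The address bar did not match the brand in the e-mail. "
                 b"Hover over links before clicking and report suspicious mail.</p>")


def issue_link(recipient, base_url="https://sim.example.test/login"):
    """Build the tracking link for one recipient. The token is random and
    unguessable, so one user cannot open a colleague's link and pollute
    their results (a plain user id in the URL would allow exactly that)."""
    token = secrets.token_urlsafe(16)
    TOKENS[token] = recipient
    return f"{base_url}?t={token}"


def record(token, action):
    """Attach an event to the recipient behind a token; unknown tokens are dropped."""
    recipient = TOKENS.get(token)
    if recipient is None:
        return False
    EVENTS.append({"recipient": recipient, "action": action})
    return True


def app(environ, start_response):
    """WSGI app. GET = the spoof login page (records 'clicked');
    POST = a credential submission (records 'submitted', shows the training page)."""
    token = parse_qs(environ.get("QUERY_STRING", "")).get("t", [""])[0]
    if environ["REQUEST_METHOD"] == "POST":
        # Drain the body so the request completes, then discard it unparsed:
        # the typed password must never be logged, stored or echoed back.
        length = int(environ.get("CONTENT_LENGTH") or 0)
        environ["wsgi.input"].read(length)
        record(token, "submitted")
        start_response("200 OK", [("Content-Type", "text/html")])
        return [TRAINING_PAGE]
    record(token, "clicked")
    start_response("200 OK", [("Content-Type", "text/html")])
    return [SPOOF_FORM]


def simulate_request(method, query, body=b""):
    """Drive the app without a network socket; returns (status, body bytes)."""
    environ = {"REQUEST_METHOD": method, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    status = []
    out = app(environ, lambda s, headers: status.append(s))
    return status[0], b"".join(out)


def event_summary():
    """Count recorded events by action, for the campaign report."""
    counts = {}
    for event in EVENTS:
        counts[event["action"]] = counts.get(event["action"], 0) + 1
    return counts


if __name__ == "__main__":
    print("send this link to the recipient:", issue_link("alice@example.test"))
    make_server("127.0.0.1", 8080, app).serve_forever()
```

The two points a practitioner should check in any simulation platform are visible here: the per-recipient token is random rather than a predictable user id, and the POST handler never reads the password field, so a simulation cannot turn into an accidental credential store.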

Giving feedback in an educational setting is a successful tactic for positive learning. By understanding where a learner has made a poor security choice, that learner can change their behavior.

Sign up for a FREE Demo of SafeTitan to see how the phishing simulation works to train employees.


Is it Important to carry out Phishing Simulations?

Phishing simulations are becoming increasingly crucial as phishing emails become more sophisticated and harder to detect. Spear-phishing emails are often so well composed that they are hard to spot as illegitimate, and they target specific individuals in an organization. An example of this type of focused cyber-attack was carried out against the U.S. firm Scoular Co.

The company was the victim of a Business Email Compromise (BEC) scam in which it lost $17.2 million to fraudsters. The cybercriminals stole the money by tricking the company into sending wire transfers; the entry point was a spear-phishing email that impersonated the CEO and targeted the firm's controller.

Tailored phishing simulations reflect the type of spoof emails used against specific employees. This type of training helps employees change their attitude towards security and stop the 'knee-jerk clicks' and other behavior that cybercriminals manipulate. Through phishing simulation exercises, employees become wise to the tricks of phishers.

How are Phishing Simulation Success Rates Measured?

Phishing simulation exercises are part of a tightly controlled program, and part of that program is collecting data during each exercise. The data consists of captured events: did the trainee open the email, click the link, submit credentials on the spoof page, or report the message? These events generate metrics on a per-trainee basis. The MSP or IT team running the phishing simulation tool can track how everyone is performing and adjust the training material based on the metrics.

Metrics from phishing simulators are useful for:

  • Feedback for trainees, showing them how well they spot phishing emails and spoof websites.
  • Graphs and other reporting for C-level and board members, demonstrating that security awareness training works.
  • Measuring the effectiveness of the training, so that regular phishing simulation exercises can be tailored accordingly.

Five Phishing Simulation Best Practices

To create an effective simulated phishing exercise, you should follow certain best practices:

  1. Role-based phishing: alongside simulated phishing exercises that cover the general tactics used by fraudsters, use role-based simulated phishing. Fraudsters are finding success by targeting specific roles in an organization, typically individuals who have access to privileged corporate network resources or who have management influence over finances. Replicate that tactic and develop role-based simulated phishing exercises that focus on those individuals in your organization.
  2. Phishing templates that reflect reality: using regularly updated, ready-made templates that capture new and emerging phishing campaigns ensures that your simulated phishing exercises reflect the real world of phishing.
  3. Test it out: perform trial runs of your simulated phishing exercise before rolling it out across your user group. A test run lets you fix any issues before the exercise goes to production.
  4. Perform regular simulations: one-off simulated phishing exercises are not enough to keep your employees up to date with the latest phishing tactics. Fraudsters regularly change their methods to evade detection; this is one of the reasons social engineering, such as phishing, is so successful. Follow the fraudsters' lead by simulating phishing across your employee base on a regular schedule.
  5. Use the data: use a phishing simulator with extensive metrics built into the system. Capture event data during exercises and use it both to inform employees of their progress and to fine-tune future phishing exercises.

Phishing simulations are part of a more comprehensive security awareness program. Working with technological controls such as DNS filters and simulated phishing delivers a holistic method of controlling social engineering.

To see how simulated phishing can prevent cyber-attacks, sign up for a FREE demo of SafeTitan and see its advanced phishing simulations in action.

TitanHQ
