Phishing simulations are an invaluable training tool and have been proven to help reduce the susceptibility of the workforce to phishing attacks. Phishing simulations are more than just a tool for testing whether employees have understood their training. Quizzes at the end of training sessions are good for that, but phishing simulations test whether the training is being applied when employees are working and not focused on cybersecurity.
If a cybercriminal were to send an employee a phishing email at the moment an employee had finished a training course, chances are the employee would recognize the email for what it is. The longer the time between the training ending and the threat being encountered, the greater the chance that the employee will be fooled.
Phishing simulations test whether employees are likely to be fooled by a real phishing email. The simulations are expected, but employees do not know when the simulations will take place. Phishing simulations mimic real world phishing attacks and tell an organization how an individual is likely to react if a real threat lands in their inbox.
If an employee fails one of these simulations and clicks a link, opens an attachment, or responds in another risky manner, an alert is immediately generated, and the employee is told what went wrong and how it was possible to tell that it was a phishing attempt. The employee can then be provided with a brief training session – generated by the phishing simulator – on how to respond when similar emails are received.
When ongoing security awareness training is provided and phishing simulations are conducted, security awareness improves. Over time, the combination of training and simulations greatly reduces susceptibility to phishing emails – much more than providing training alone. There are, however, some common mistakes that are made by employers that reduce the effectiveness of these phishing tests.
Mistakes to Avoid When Conducting Phishing Simulations
If you want to get the best return on your investment in training and phishing simulations, it is important to set up your program correctly and to avoid making these common mistakes.
Not Telling Employees You Will Be Conducting Phishing Simulations
Don’t broadside employees. Tell them during their training that you will be conducting phishing simulations as part of the training process. If employees are unaware you will be using simulations, they may feel that you are trying to catch them out. Make sure employees are aware that you are conducting these tests to identify training needs and to test how effective your training program has been. Don’t tell employees when you will be sending the emails, and make sure the HR department and other stakeholders are aware that you are conducting phishing simulations.
Making the Simulations Too Difficult
You want to test how employees will respond to a real phishing email; however, building up security awareness is a process. Your simulation program should include emails of varying degrees of difficulty and it is best to start with phishing emails that are relatively easy to identify. That will help build confidence.
Not Conducting Phishing Simulations on the Board
Members of the board are targeted in whaling attacks. They have the highest level of privileges, and the credentials for their accounts are the ultimate goal in many phishing campaigns. You want to improve the security awareness of the board, so ensure they are included in your phishing tests. Also, don’t skip infrequent email users in your phishing simulations. Any credentials can be valuable: attackers can use them to conduct internal phishing campaigns and move laterally.
Conducting Phishing Simulations on Everyone at the Same Time
If you use the SafeTitan phishing simulator you can create your simulation program and schedule emails to be sent at set times. Don’t send the same emails to everyone at the same time, as employees will likely tip each other off. You will then not get valid results. Vary the times you send the emails and target different individuals in a department at different times.
Not Providing Retraining in Real Time
You should not be conducting these campaigns and then sitting on the results until you can arrange a training course for everyone that failed the test. The simulator should be configured to automatically tell a user when a test was failed and assign immediate training. The training modules should be brief, and concisely explain how the threat could have been avoided. It should only take a couple of minutes, but that training is likely to be much more effective when delivered instantly.
Punishing Employees for Failing Phishing Simulations
It may be tempting to punish employees who repeatedly fail phishing simulations, but this approach is best avoided. The goal of training and phishing simulations is to change employee behavior. You are likely to have far greater success achieving that goal by encouraging employees to take security seriously rather than punishing them for failures. Focus on positives – departments that performed well, individual successes – rather than any failures.
SafeTitan Security Awareness Training and Phishing Simulations
SafeTitan is a comprehensive security awareness training platform that makes it easy for businesses to develop training courses for their employees. The content consists of short training modules on all aspects of security, allowing businesses to create tailored and relevant training courses for the entire workforce, and the phishing simulator has hundreds of customizable templates for conducting realistic phishing tests. The training content is gamified, engaging, and fun, and when combined with simulations, has been proven to be highly effective at changing employee behavior and reducing susceptibility to phishing and other cyberattacks.
Email is the most common way that cybercriminals reach employees, but there has been a major increase in vishing attacks on businesses in 2022, with Agari reporting a 625% increase from Q1 to Q2, 2022. Ransomware gangs are mostly gaining access to business networks through email phishing, but groups that have broken away from the Conti ransomware operation have readopted the hybrid phishing attacks that were used by the group’s predecessor, Ryuk. Contact is made with targeted individuals via email, and vishing is then used to get those individuals to provide the attackers with account and network access.
You may already be familiar with vishing, or voice phishing as it is otherwise known. It is the use of social engineering techniques over the telephone to manipulate people into revealing sensitive information such as login credentials or tricking them into opening a remote-control session on their computer or installing malware that gives the attacker remote access to a device.
Many vishing attacks are speculative: an attacker obtains phone numbers and impersonates a broadband provider or other trusted entity in a tech support scam, where the target is tricked into thinking they have a malware infection or other issue that needs to be dealt with urgently. The ransomware gangs are conducting callback phishing attacks, where initial contact is made via email and the user is told to call the provided number to avoid a charge to their account – a subscription that is about to renew or a free trial that will end.
As with email phishing, many reasons are given by scammers as to why action needs to be taken. Steps are also taken to make these scams more realistic, such as spoofing caller IDs to make it appear that a local area number is being used or even that the call is made from a trusted number. The latter occurred in a vishing campaign on the Michigan healthcare provider, Spectrum Health, where the calls appeared to have been made using a Spectrum Health phone number.
These types of scams can be highly effective against businesses. Most businesses have implemented email security solutions that can detect and block phishing emails, but email security solutions will not block vishing attacks. The voice network is largely unprotected.
Voice traffic filters can be used to filter out calls from numbers that are known to be used for scams. In the United Kingdom, the phone carrier EE says it uses AI-based technology to block scam phone calls and has blocked 11 million such calls since implementing the technology, but scammers can simply change the numbers they use. The main defense against these scams is security awareness training.
Employees may be aware that phishing threats will land in their inboxes, but they may not be aware that phishing can take place over the phone. Awareness of these scams should be improved through security awareness training and employees should be taught about the signs of a vishing attack to allow them to identify and avoid these scams.
TitanHQ can help in this regard. TitanHQ offers a comprehensive security awareness training platform – SafeTitan – for educating the workforce on the full range of cyber threats, including email phishing, vishing, and smishing attacks. The training content is gamified and engaging and has been proven to reduce the susceptibility of employees to scams such as phishing and vishing.
For more information on improving your human cybersecurity defenses, give the TitanHQ team a call.
A large-scale phishing campaign targeting Microsoft 365 credentials has been detected that takes advantage of vulnerabilities in websites that allow open redirects. Open redirects are a tried and tested phishing method and are used to redirect website visitors to an untrusted website, where malicious content is hosted. That could be malware that is downloaded onto a user’s device or, in this case, a phishing form that is used to steal Microsoft 365 credentials.
These attacks are made possible by a website misconfiguration: the web application accepts a user-controlled input that specifies a link to an external site and redirects visitors to that URL without validating it. This technique is very effective. It can allow email security solutions to be bypassed: if an email security solution performs a reputation check on the URL, and the URL included in the phishing email points to a reputable site, chances are the email will be delivered. This technique is also effective at tricking victims, since they will initially be directed to a trusted site.
In this campaign, at least two trusted domains are used – Snapchat and American Express – which both have open redirects that send victims to malicious websites. Like many Microsoft 365 phishing attacks, the emails impersonate a variety of brands, including Microsoft Office 365, FedEx, and DocuSign. The lures used in the campaign are relative to the brand being impersonated, such as alerts from Microsoft 365 that the user has unread messages that could not be delivered, or a collaboration request on a document hosted on DocuSign.
American Express has addressed the open redirect issue; Snapchat has yet to confirm that the issue has been resolved. Other websites could similarly be attacked and have their open redirects abused. The campaign has involved thousands of emails sent from hijacked Google Workspace and Microsoft 365 accounts.
Website owners can improve their defenses against attacks such as these by displaying a prompt when a visitor is about to be redirected to a third-party website, requiring a click to proceed. Businesses can improve their defenses against Microsoft 365 credential phishing campaigns such as this by implementing an advanced spam filtering solution that rewrites URLs and follows all redirects (SpamTitan Plus, for example), using a web filter that blocks access to malicious web content, and providing security awareness training to their employees. The latter is especially important, as these open redirect tactics can often see email security solutions bypassed.
Open redirects should be specifically covered in security awareness training, without getting too technical. Employees should be told that legitimate-looking URLs in emails can redirect them to malicious sites, and to always check the actual domain they are being directed to, not just the link text. These redirects can be identified because the URL will contain terms such as “url=,” “redirect=,” “external-link,” or “proxy,” and often multiple occurrences of “http”. They should also carefully check the URL they land on and make sure it is the official domain used by the company being spoofed.
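The following Python example is added here and is not code from the original post or from TitanHQ. It shows both sides of the open redirect problem described above: the misconfigured redirect handler that follows any “url=” value verbatim beside a hardened version that only allows same-site paths, plus a defender-side link inspector that applies the indicators listed above (a trusted host carrying a “url=”, “redirect=”, “proxy”, etc. parameter whose value is another absolute URL). The host name, parameter list and sample links are constructed placeholders.

```python
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed placeholder for the reputable site whose redirect endpoint is abused.
TRUSTED_HOST = "www.example-trusted.com"
# Parameter names the post lists as typical of redirect endpoints (assumed list).
REDIRECT_PARAMS = {"url", "redirect", "next", "return", "external-link", "proxy"}


def vulnerable_redirect_target(request_url: str) -> Optional[str]:
    """The misconfiguration: whatever 'url=' says is where the visitor is sent."""
    query = parse_qs(urlparse(request_url).query)
    return query.get("url", [None])[0]


def hardened_redirect_target(request_url: str) -> str:
    """Only a relative path on the same site is honoured; anything else goes to '/'."""
    target = vulnerable_redirect_target(request_url) or "/"
    parsed = urlparse(target)
    # Absolute URLs (scheme or host present), protocol-relative '//host' and the
    # '/\\host' trick some browsers normalise are all rejected.
    if parsed.scheme or parsed.netloc or not target.startswith("/"):
        return "/"
    if target.startswith(("//", "/\\")):
        return "/"
    return target


def inspect_email_link(link: str) -> dict:
    """Flag a link whose visible host is trusted but which carries a redirect
    parameter pointing at a different absolute URL (the phishing pattern above)."""
    parsed = urlparse(link)
    external = []
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            value = unquote(value)  # parse_qs decoded once; handle double-encoded values
            if value.lower().startswith(("http://", "https://", "//")):
                external.append((name, urlparse(value).hostname))
    return {
        "display_host": parsed.hostname,
        "external_targets": external,
        "suspicious": bool(external),
    }
```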