Could your staff spot a phishing email in their inbox?

Phishing campaigns have been a security concern for years, plaguing our email systems and clogging up resources. Yes, spam filters are getting better, but these pesky emails are still getting through to staff and are still claiming victims. Is this a lack of training, or are we going down the wrong track in how we try to educate staff on what to look for?

I have been running user awareness-training sessions for clients over the last few months as part of my daily work (I work for Davichi, an MSSP/MSP in Brisbane), and it is glaringly obvious that most people do not know even the basic identifying factors of a scam or phishing email.

In Australia so far this year there have been 10,862 reports of phishing attacks/scams made to the ACCC. (The real number is likely to be much higher, as this counts only reported incidents and most people would not report this type of incident.) The gender split of those reporting is close to 50/50 between men and women. The ACCC also indicates that $293,900 was lost through these scams, yet only 1.4% of the people who reported an incident said they had suffered a financial loss as a result.

Does this mean that many of the victims' systems were instead infected with malicious applications, such as ransomware, or had their resources used for crypto mining? I would argue that this can be worse than a direct financial loss once you take into account lost productivity, repair and clean-up costs, and the plain annoyance that this type of incident produces.

For years I have heard people talking about user awareness training and making sure we all do it with our staff, but it seems to me that most organisations conduct security awareness training solely for compliance purposes: purchase an online training package or run a one-off training session with staff, then tick the compliance box to say it has been done, without giving it another thought. If that is how organisations value user awareness training, then it makes sense that most users don't find much value in the process either.

It is my belief that we in the cybersecurity industry need to do everything we can to change this opinion among both business executives and their staff, so that every business gets the full potential out of a security user awareness training program. If we explain in plain English what we are trying to do and how it helps not only them but all of us as a whole, we will be on the right path.

Provide training programs that are educational and, if possible, slightly humorous, so that attendees remember what we have tried to teach them. Don't overcomplicate it or try to teach them too much in one go. Make sure we teach them the basics so they can better protect themselves online and during their normal business activities.

This is not a new concept, and it is something many of us are trying to achieve, but what surprises me is that most people don't do anything more than this. Do you simulate a phishing attack prior to the training session to gauge your staff's current level of understanding? Do you publicly announce a leader or loser board of the results? Do you follow up the training with another round of tests/simulations, or do you just complete the training with no further follow-up?

User awareness training should use multiple methods and should include a simulated phishing attack carried out against staff. Users, in my opinion, should not be told of the initial phishing simulation, so that we get a true picture of how they respond to different types of email phishing campaigns.

These results should not be made public, and staff who fall victim should not be publicly shamed, as this only hinders the staff member's learning. The information should be used by the team running the awareness program to establish what level staff are currently at and to gauge how effective the training is at improving security awareness on follow-up simulated phishing attacks.

If the results of the follow-up tests show no improvement, or are worse, then our training program is not effective and we need to adjust our methods to get a better result. This is one of the biggest problems I see with these initiatives: they are run once by the organisation with no follow-up testing to gauge whether staff actually improved, and the program is forgotten until the next compliance audit is coming up.
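The measurement loop described above (unannounced baseline simulation, private results, follow-up simulation, then a comparison to decide whether the training worked) is easy to get wrong if the raw results end up in a shared spreadsheet with names in it. The following is an added example written for this page, not code from the post or from any phishing-simulation product. It assumes a hypothetical CSV export with `campaign,user,action` columns (the constructed sample rows are embedded inline), stores every user under an HMAC pseudonym keyed with a secret held only by the awareness team so repeat clickers can be tracked between rounds without a name ever appearing in a report, and returns click and report rates for both rounds together with a simple verdict on whether the follow-up improved on the baseline.

```python
"""Score a before/after phishing simulation without exposing individual staff."""
import csv
import hashlib
import hmac
import io
from collections import defaultdict

# Constructed sample export. The column layout is an assumption for this example,
# not any vendor's format. One row per user per campaign: "clicked" means the lure
# link was followed, "reported" means the email was forwarded to the security team,
# "ignored" means neither happened.
SAMPLE_EXPORT = """campaign,user,action
baseline,alice@example.com,clicked
baseline,bob@example.com,ignored
baseline,carol@example.com,clicked
baseline,dave@example.com,reported
baseline,erin@example.com,clicked
followup,alice@example.com,reported
followup,bob@example.com,ignored
followup,carol@example.com,clicked
followup,dave@example.com,reported
followup,erin@example.com,ignored
"""

# Hypothetical secret held only by the team running the program. Results are keyed
# by HMAC pseudonyms, so a shared report never needs to contain names.
PSEUDONYM_KEY = b"replace-with-a-random-secret-kept-off-the-shared-drive"


def pseudonym(user: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym: stable across rounds, not reversible without the key."""
    return hmac.new(key, user.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def parse_results(export_text: str) -> dict:
    """Return {campaign: {pseudonym: action}} from the CSV export text."""
    results = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(export_text)):
        results[row["campaign"].strip()][pseudonym(row["user"])] = row["action"].strip().lower()
    return dict(results)


def campaign_rates(outcomes: dict) -> dict:
    """Click and report rates for one campaign, as fractions of recipients."""
    n = len(outcomes)
    clicked = sum(1 for a in outcomes.values() if a == "clicked")
    reported = sum(1 for a in outcomes.values() if a == "reported")
    return {"recipients": n, "click_rate": clicked / n, "report_rate": reported / n}


def evaluate(export_text: str, before: str = "baseline", after: str = "followup") -> dict:
    """Compare the follow-up round against the baseline round.

    The verdict requires the click rate to drop AND the report rate not to fall:
    a campaign where nobody clicks but nobody reports either has not taught staff
    what to do with a suspicious email.
    """
    results = parse_results(export_text)
    b, a = campaign_rates(results[before]), campaign_rates(results[after])
    # Repeat clickers are counted, never listed; the pseudonyms stay with the team.
    repeat_clickers = sum(
        1 for p, act in results[after].items()
        if act == "clicked" and results[before].get(p) == "clicked"
    )
    effective = a["click_rate"] < b["click_rate"] and a["report_rate"] >= b["report_rate"]
    return {
        "before": b,
        "after": a,
        "click_rate_change": a["click_rate"] - b["click_rate"],
        "repeat_clickers": repeat_clickers,
        "training_effective": effective,
    }


if __name__ == "__main__":
    verdict = evaluate(SAMPLE_EXPORT)
    print(f"baseline click rate:  {verdict['before']['click_rate']:.0%}")
    print(f"follow-up click rate: {verdict['after']['click_rate']:.0%}")
    print(f"repeat clickers:      {verdict['repeat_clickers']}")
    print("training effective" if verdict["training_effective"] else "adjust the program")
```

The aggregate numbers and the repeat-clicker count are what the program owner needs to decide whether to change the training; the pseudonyms let the team confirm the same people are improving from round to round without anyone outside the team being able to map a result back to a person. If the follow-up click rate is not lower than the baseline, the verdict is the signal to change the material, not to publish the names.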

Do your organisation a favour: run a regular awareness program and test your staff before and after each round of training, so that you know whether you are actually getting anywhere. If it isn't working, change things up and reach out to your peers in the industry to find out what works for them. You may be surprised how happy people are to discuss what they are trying to achieve and how they approach it.

We are all in this together and everything is a work in progress. Keep trying to improve what your staff know and they will come to see that you are just trying to help them. In the end, the better you can educate them, the easier your job will be.