
Avoiding phishing scams | Digital insurance

While phishing attacks seem like a product of the 21st century, the first reported phishing attack actually took place in the mid-1990s. Posing as AOL employees, a group of hackers used instant messaging and email to steal passwords and hijack the accounts of those who took the bait.

Nearly three decades later, phishers are still at it, using increasingly clever means to tempt unsuspecting users, your employees, into opening emails and clicking links that immediately put their accounts, systems and data at risk.

To counter these threats and minimize potential risks, many companies have implemented phishing simulations. These simulations involve conducting regular exercises to assess employees’ skills in recognizing and reporting phishing attacks without falling for them or compromising personal information and system access.

But not all phishing simulations are equally effective. We see common mistakes made by some organizations that dilute the value of their mitigation efforts. Here are some of those mistakes and how to avoid them.

1. Making simulations too difficult
Make sure your phishing simulations are instructive and have the desired effect of educating and raising awareness. If simulations are seen as too difficult, employees can quickly become frustrated and disillusioned, with a sense of helplessness that can cause them to lose interest in the security messages you are trying to reinforce. Find the right balance between keeping employees interested and setting the bar too high.

2. Running one-size-fits-all simulations
Employees in different roles or different types of jobs are exposed to different lures: a finance team sees fake invoices and payment-change requests, an engineering team sees fake repository or credential-reset notices. A one-size-fits-all approach will not be precise enough to ensure that your simulations are relevant and have the desired impact. Customize training content to fit your audience. Make it relevant, and make it address the specific weaknesses that concern you most.

3. Not requiring everyone, including senior leaders, to participate
Rank-and-file employees are not the only members of the organization who are prone to fall prey to phishing attempts. So is senior management, including the C-suite and the board, who are often targeted precisely because their accounts carry more authority. Excluding them sends the wrong message: that the company is not fully committed to establishing a strong security culture. Phishing mock exercises should be required of everyone, and leaders can set a good example by openly sharing when they failed a mock phishing test.

4. Using the same methods in each simulation
If every simulation is identical, employees will quickly learn to spot that one template and become complacent. Real attacker techniques are varied and constantly evolving, so your simulations should be too. Mix it up. Keep participants engaged and on their toes by varying the social engineering pretexts, delivery channels and types of phishing lure.

5. Failure to provide adequate communication and follow-up
Just as when organizations conduct surveys but never report the results to employees, running phishing simulations without follow-up undermines the value of the exercise. After a simulation has been run, go back to employees as soon as possible, share the results and the best practices that would have caught the lure, and be candid about what did not work well.

6. Treating it as a one-off exercise
Employees come and go or move into different roles. Attackers keep redesigning their tactics to manipulate users, infiltrate systems and exfiltrate proprietary data. A single phishing simulation conducted annually will most likely not meet cybersecurity expectations or compliance standards. Ongoing training, conducted monthly or quarterly and built on lessons learned from previous exercises and employee input, gives the simulations a lasting positive effect.

7. Being punitive
Phishing simulations are designed to educate and inform. You and your employees will learn from what works – and what doesn’t. Some individuals will fail these simulations, providing an opportunity to gain experience and provide a teaching moment. Taking an overly punitive approach will result in employees being reluctant to participate or unwilling to inform and share experiences. Create an environment where users feel motivated and empowered, not admonished.

8. Lack of measurement
Understanding security awareness requires continuous measurement to track successes and trends. Track metrics such as the click-through rate on simulated phishing emails, the percentage of users who go on to submit credentials, the reporting rate and how quickly the first report arrives, and the frequency of real phishing attempts that reach the organization, and follow their trend from campaign to campaign to drive continuous improvement.
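As an added example, not code from the original article, the script below computes these metrics from per-user campaign records: click rate, credential-submission rate, reporting rate, the share of users who reported before (or without) clicking, time to first report, a per-role breakdown, and the campaign-over-campaign trend. The two campaigns, user names, roles and timings are constructed for illustration; the "report before click" metric and role-based segmentation are assumptions about what a program would track, not something the article specifies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Outcome:
    """One user's outcome in one simulated phishing campaign."""
    user: str
    role: str                            # segmentation key (assumed: could be team, site, etc.)
    campaign: str
    sent: datetime
    clicked: Optional[datetime] = None   # when the lure link was first clicked, if ever
    reported: Optional[datetime] = None  # when the user reported the message, if ever
    submitted_creds: bool = False        # reached the fake login page and submitted credentials


def _at(base: datetime, minutes: Optional[int]) -> Optional[datetime]:
    """Offset from the send time in minutes, or None if the event never happened."""
    return None if minutes is None else base + timedelta(minutes=minutes)


def build_sample_outcomes() -> List[Outcome]:
    """Constructed sample data for two campaigns (illustrative, not real results)."""
    q1 = datetime(2024, 1, 15, 9, 0)
    q2 = datetime(2024, 4, 15, 9, 0)
    rows = [
        # (send time, campaign, user, role, click minute, report minute, submitted creds)
        (q1, "Q1", "alice", "finance", 5, None, True),
        (q1, "Q1", "bob", "finance", 12, 13, False),      # clicked first, then reported
        (q1, "Q1", "carol", "finance", None, 30, False),
        (q1, "Q1", "dave", "finance", None, None, False),
        (q1, "Q1", "erin", "engineering", 3, None, False),
        (q1, "Q1", "frank", "engineering", None, 2, False),
        (q1, "Q1", "grace", "engineering", None, None, False),
        (q1, "Q1", "heidi", "engineering", None, 45, False),
        (q2, "Q2", "alice", "finance", 8, None, False),
        (q2, "Q2", "bob", "finance", None, 10, False),
        (q2, "Q2", "carol", "finance", None, 20, False),
        (q2, "Q2", "dave", "finance", None, None, False),
        (q2, "Q2", "erin", "engineering", None, None, False),
        (q2, "Q2", "frank", "engineering", None, 1, False),
        (q2, "Q2", "grace", "engineering", 6, 7, False),
        (q2, "Q2", "heidi", "engineering", None, 15, False),
    ]
    return [Outcome(u, r, c, base, _at(base, cl), _at(base, rp), cr)
            for base, c, u, r, cl, rp, cr in rows]


def campaign_metrics(outcomes: List[Outcome], campaign: str,
                     role: Optional[str] = None) -> Dict[str, Optional[float]]:
    """Rates for one campaign, optionally restricted to one role."""
    rows = [o for o in outcomes
            if o.campaign == campaign and (role is None or o.role == role)]
    n = len(rows)
    if n == 0:
        raise ValueError(f"no outcomes for campaign {campaign!r} role {role!r}")
    clicked = sum(1 for o in rows if o.clicked is not None)
    reported = sum(1 for o in rows if o.reported is not None)
    creds = sum(1 for o in rows if o.submitted_creds)
    # Reporting before (or instead of) clicking is the behaviour the program wants to grow;
    # a report filed only after clicking still matters for response, but is a weaker signal.
    report_first = sum(1 for o in rows if o.reported is not None
                       and (o.clicked is None or o.reported < o.clicked))
    delays = [(o.reported - o.sent).total_seconds() / 60
              for o in rows if o.reported is not None]
    return {
        "population": n,
        "click_rate": clicked / n,
        "report_rate": reported / n,
        "credential_rate": creds / n,
        "report_before_click_rate": report_first / n,
        "minutes_to_first_report": min(delays) if delays else None,
    }


def by_role(outcomes: List[Outcome], campaign: str) -> Dict[str, Dict[str, Optional[float]]]:
    """Per-role breakdown, to see which audiences need tailored content."""
    roles = sorted({o.role for o in outcomes if o.campaign == campaign})
    return {r: campaign_metrics(outcomes, campaign, r) for r in roles}


def trend(outcomes: List[Outcome], campaigns: List[str], metric: str) -> List[float]:
    """Campaign-over-campaign change in a metric (negative click-rate deltas are improvement)."""
    values = [campaign_metrics(outcomes, c)[metric] for c in campaigns]
    return [round(b - a, 4) for a, b in zip(values, values[1:])]


if __name__ == "__main__":
    data = build_sample_outcomes()
    for c in ("Q1", "Q2"):
        print(c, campaign_metrics(data, c))
        print(c, "by role", by_role(data, c))
    print("click_rate trend Q1->Q2", trend(data, ["Q1", "Q2"], "click_rate"))
    print("report_rate trend Q1->Q2", trend(data, ["Q1", "Q2"], "report_rate"))
```

In practice the records would come from the simulation platform's export rather than a hard-coded list; the point is to report the rates together, since a falling click rate paired with a flat report rate means people are ignoring lures, not recognizing them.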

Done well, phishing simulations can raise awareness and minimize risk. Done poorly, they can erode confidence in your cybersecurity and education efforts and create stress and frustration. Make sure your phishing efforts are designed to engage rather than infuriate.
