The Importance of Phishing Awareness Training
Team Calance | 28 Feb 2023
Phishing is a major security threat that can cause significant damage to both individuals and organizations. It is a type of cyberattack that uses social engineering techniques to trick people into providing sensitive information, such as passwords or credit card numbers, to cybercriminals. Hackers have discovered that phishing can be done at a very low cost, so the return on investment (ROI) to the attacker is attractive.
As a result, this threat is growing rapidly. In fact, phishing attacks increased by 61% in 2022 over the previous year, and dealing with one phishing email can cost an IT organization up to 28 minutes, or about $31, even if the phishing attempt is unsuccessful. However, a single successful phishing scam can cost your business even more.
To confront this threat, many organizations are turning to automated email scanning tools to detect and block phishing scams, but they can only offer partial coverage. Phishing scammers have started using "polymorphic" approaches in which each email is varied to escape automatic pattern detection. The bottom line is that phishing attacks exploit human ignorance rather than technology vulnerabilities, so the solution to phishing attacks is also human: education.
The Changing Threat Landscape
One of the reasons hackers have been successful in using phishing techniques is that they are constantly changing and improving their approach and types of phishing attacks. That means someone who was educated to resist phishing attacks a few years ago can fall victim to some of the newer phishing tactics today. Regular education must evolve to keep up as hackers evolve their phishing attacks.
Spear Phishing
For example, hackers frequently use targeted "spear phishing" attacks by collecting personal information from social media sites and then including it in a phishing email to a particular employee. This approach helps the email to sound more personal.
BEC
Another common tactic is to use Business Email Compromise (BEC) style phishing attacks. These phishing emails spoof internal company email addresses and exploit legitimate business processes to get employees to pay fake invoices or ship additional products. A common technique is an email that appears to come from a legitimate supplier, saying that the banking details for payment have changed. The attacker may even time the phishing email for the end of the month, when orders are being rushed out to meet deadlines.
Fake Website Login
Another common phishing tactic is to try to get the employee to log into a fake website and enter their credentials. After collecting the credentials, the malicious website displays an error message and sends the victim to the actual website, where they log in normally.
The victim assumes they mistyped the password the first time and has no idea the scammer just collected their user ID and password. Once the scammer has the credentials, they can log into the real website. If it's a financial institution or partner portal, the attacker can cause significant damage.
Your employees can easily fall victim to these types of phishing scams if they aren't paying attention and following strict processes. They need to know how scammers can use personal information for spear phishing, emulate business emails, and compromise credentials using fake websites — and if they aren’t aware of these and other phishing techniques, they and your business are at risk.
Phishing Scams Evolving, Harder to Detect
Over time, new styles of phishing attack are emerging as well. First, attackers have been detected using artificial intelligence (AI) engines like ChatGPT to compose personalized spear phishing emails. These emails can easily pass automated filters and are very convincing.
Also, the scenarios created by attackers have become much more plausible. For example, many phishing emails are now claiming to be security warnings about account breaches, ironically exploiting the trust users have in security itself.
And phishing attacks are no longer confined to emails. Many social media platforms, such as Facebook, LinkedIn, Instagram, and others, have direct messaging capabilities. Meanwhile, cellphone numbers are often discoverable, allowing scammers to send SMS phishing messages (often called "Smishing").
Scammers are exploiting these new channels to send phishing messages, bypassing traditional email entirely. Your employees may be cautious with email, but they can still be at risk if they aren't vigilant across all media channels.
Benefits of Phishing Awareness Training
If employees are trained to detect phishing emails, they can do a better job of protecting your organization from risk. Starting by determining the annual loss expectancy (ALE), cybersecurity experts use the modified ROI calculation below to justify such an expense.
Cost = (number of attacks during one year) × (percentage of successful attacks) × (expected losses from a successful attack)
The factor most easily influenced in the calculation is the percentage of successful attacks. If that number can be reduced by half or more (a common goal of phishing awareness training), then the return on investment for phishing awareness training is positive.
However, there are other benefits and savings which also come into play. For example, referring to the statistics mentioned earlier, if employees are trained to deal with phishing emails, they reduce the cost burden on IT staff to deal with them.
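As an added example (not code from the post or from Calance), the cost formula above and the $31-per-email IT handling figure cited earlier are combined into a small ROI model. The attack counts, loss per incident and training budget used in the usage section are constructed assumptions, not figures from the article.

```python
# Added example: the post's ALE-style cost model worked through in code.
# Figures other than the $31/email triage cost are constructed assumptions.

def annual_phishing_cost(attacks_per_year, success_rate, loss_per_success,
                         triage_cost_per_email=31.0):
    """Expected yearly phishing cost: the post's formula
    (attacks x success rate x loss per success) plus the IT triage cost
    the post cites (about $31 per phishing email, paid even when it fails)."""
    ale = attacks_per_year * success_rate * loss_per_success
    triage = attacks_per_year * triage_cost_per_email
    return ale + triage


def annual_savings(attacks_per_year, success_rate, loss_per_success,
                   reduction=0.5, triage_cost_per_email=31.0,
                   triage_reduction=0.0):
    """Yearly saving from training. `reduction` is the fraction by which the
    success rate drops (the post's 'half or more' goal); `triage_reduction`
    optionally models trained staff handling phishing mail with less IT effort."""
    before = annual_phishing_cost(attacks_per_year, success_rate,
                                  loss_per_success, triage_cost_per_email)
    after = annual_phishing_cost(attacks_per_year,
                                 success_rate * (1 - reduction),
                                 loss_per_success,
                                 triage_cost_per_email * (1 - triage_reduction))
    return before - after


def training_roi(attacks_per_year, success_rate, loss_per_success,
                 training_cost, **kwargs):
    """ROI of awareness training as (savings - cost) / cost; positive means
    the training pays for itself within the year."""
    saved = annual_savings(attacks_per_year, success_rate,
                           loss_per_success, **kwargs)
    return (saved - training_cost) / training_cost


if __name__ == "__main__":
    # Constructed scenario: 1,000 phishing emails/year, 3% succeed,
    # $50,000 expected loss per success, $100,000/year training budget.
    roi = training_roi(1000, 0.03, 50_000, 100_000)
    print(f"ROI with success rate halved: {roi:.2f}")
    print(f"Break-even training budget: ${annual_savings(1000, 0.03, 50_000):,.0f}")
```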
In addition, regular phishing awareness training, whether quarterly or annual, lays the groundwork for additional employee security training and sensitivity in other parts of the business. For example, such training makes employees more sensitive to physical intrusion detection, insider threats, and business fraud.
Phishing awareness training also benefits your employees directly because the lessons learned to protect your business from phishing can apply to their personal lives and families. By providing phishing awareness training, you are providing a valuable benefit to your employees. More about its pros and cons here.
Partner With Calance for Expert Phishing Simulation and Training
The evolution of phishing scams has made ongoing phishing awareness training more critical than ever. The ROI is easily justified as part of your regular employee training regimen, and it's easy to get started.
You can protect your business and employees with phishing simulation and phishing awareness training from Calance. In addition, a vCISO can help manage the rollout of this training throughout your organization. Contact Calance today at www.calanceus.com to see how to get started.