Phishing email scams put individuals, and especially companies, at risk. In one survey, nearly 81% of organizations worldwide reported an increase in phishing attempts between 2020 and 2021. The FBI's Internet Crime Report shows that Business Email Compromise (BEC) causes more victim losses than any other category of cybercrime, with over $2B in reported losses in 2021.
Businesses are beginning to fight back. Email scanning tools now catch and block many scams, but they are not perfect, and some messages always reach the inbox. The last line of defense is your employees. But how good are they at catching phishing attempts, and how can they get better? This article discusses phishing simulations and how, combined with basic phishing awareness training, they make your business more resistant to such attacks.
Cybersecurity experts classify phishing as one of several "social engineering" attacks, in which an attacker poses as someone the victim trusts in order to gain their confidence and persuade them to take an action the attacker wants. Today's technologies give criminals ways to reach more victims more cheaply, with less chance of being caught. Broadly speaking, phishing refers to the use of email to lure victims into opening a malicious attachment, installing malware, or visiting a malicious website (often a fake login page that harvests credentials). Cybersecurity researchers generally divide the technique into several more specific categories.
No single technical control can block such a broad range of attacks, so phishing awareness training is critical to keep employees up to speed on what to look for and what not to do. However, while basic phishing training is essential, experience has shown that employees begin to relax their guard only a few weeks after a training session. Click rates on phishing emails start to climb again, increasing risk to the business.
One way to reinforce phishing training without repeating the whole course is to run regular phishing simulations: scam emails are sent under controlled conditions and the results are measured. The results give employees (and management) feedback on how diligent the team is at identifying phishing attacks.
Companies, especially small businesses without IT departments, can partner with a professional cybersecurity organization to run regular phishing simulations, also called phish testing. The technique is virtually identical to how real phishing attacks are run, except that the links and attachments lead to infrastructure the testers control rather than an attacker's. The contracted "white hat" engineers compose a series of emails and send them to many employees across the organization. Typically, only senior management (and the IT team) know about the simulation.
When an employee receives one of the simulated phishing emails, the proper response is to report it to the IT team for verification. Those reports are one half of the measurement. The other half comes from the emails themselves: each link is tracked, so if an employee clicks it, the security researchers are notified and can attribute the click to that recipient.
At the end of the trial period (usually a couple of weeks), the results are tabulated and reported to managers. Typically, phishing simulations are run before and after employee phishing awareness training to measure the training's effectiveness. A simulation can also be run on its own to gauge whether training is needed at all. In one recent study, an email purportedly from human resources convinced more than 20% of recipients to click, many within an hour of receiving the fraudulent message.
When done correctly, phishing simulations are an extremely cost-effective way to refresh and reinforce employee phishing awareness, and they bring a range of further benefits.
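As an added example (not code from this article or from Calance), here is one way the click and report events from such a run can be tabulated and a pre-training run compared with a post-training run. It assumes a constructed event log of the form `timestamp event token`, where the token is an HMAC of a campaign ID and the recipient's address, so each click can be attributed to one mailbox and tracking links cannot be guessed. The recipients, the secret and every log line below are made up for illustration.

```python
"""Tabulate phishing-simulation results: who clicked, who reported, how fast.

Constructed example: the secret, recipients and log lines are all invented.
"""
import hashlib
import hmac
import statistics
from datetime import datetime

# Assumed secret held only by the simulation team. A per-recipient HMAC makes
# each tracking link unguessable and ties every click to exactly one mailbox.
CAMPAIGN_SECRET = b"constructed-secret-do-not-reuse"


def tracking_token(campaign_id, recipient):
    """Stable, unguessable token for one recipient in one campaign."""
    msg = f"{campaign_id}|{recipient.lower()}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def parse_events(lines):
    """Parse 'ISO-timestamp event token' lines into (datetime, event, token)."""
    events = []
    for line in lines:
        if line.strip():
            ts, event, token = line.split()
            events.append((datetime.fromisoformat(ts), event, token))
    return events


def summarize(campaign_id, recipients, lines):
    """Per-campaign metrics: click rate, report rate and time to first click."""
    token_to_user = {tracking_token(campaign_id, r): r for r in recipients}
    sent_at, first_click, first_report = {}, {}, {}
    for ts, event, token in parse_events(lines):
        user = token_to_user.get(token)
        if user is None:
            continue  # unknown token: a link scanner or a forged URL, not a recipient
        if event == "sent":
            sent_at[user] = ts
        elif event == "clicked" and (user not in first_click or ts < first_click[user]):
            first_click[user] = ts
        elif event == "reported" and (user not in first_report or ts < first_report[user]):
            first_report[user] = ts
    minutes = [(first_click[u] - sent_at[u]).total_seconds() / 60
               for u in first_click if u in sent_at]
    # Reporting before clicking is the desired outcome; a report after a click
    # still matters for incident response but does not undo the click.
    reported_first = sum(1 for u in first_report
                         if u not in first_click or first_report[u] < first_click[u])
    n = len(recipients)
    return {
        "campaign": campaign_id,
        "recipients": n,
        "click_rate": round(len(first_click) / n, 3),
        "report_rate": round(len(first_report) / n, 3),
        "reported_before_click": reported_first,
        "median_minutes_to_click": round(statistics.median(minutes), 1) if minutes else None,
        "clicked_within_hour": sum(1 for m in minutes if m <= 60),
    }


def training_effect(pre, post):
    """Change in click and report rates between two summarize() results."""
    return {
        "click_rate_change": round(post["click_rate"] - pre["click_rate"], 3),
        "report_rate_change": round(post["report_rate"] - pre["report_rate"], 3),
    }


def build_log(campaign_id, rows):
    """Turn constructed (timestamp, event, recipient) rows into log lines."""
    return [f"{ts} {event} {tracking_token(campaign_id, user)}" for ts, event, user in rows]


# Constructed data: five recipients, one run before training and one after.
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com",
              "dave@example.com", "erin@example.com"]
SEND_PRE = [("2024-03-04T09:00:00", "sent", r) for r in RECIPIENTS]
PRE_LOG = build_log("pre", SEND_PRE + [
    ("2024-03-04T09:12:00", "clicked", "alice@example.com"),
    ("2024-03-04T09:25:00", "reported", "dave@example.com"),
    ("2024-03-04T09:40:00", "clicked", "bob@example.com"),
    ("2024-03-04T11:05:00", "clicked", "carol@example.com"),
    ("2024-03-04T11:30:00", "reported", "carol@example.com"),  # reported after clicking
])
SEND_POST = [("2024-04-15T09:00:00", "sent", r) for r in RECIPIENTS]
POST_LOG = build_log("post", SEND_POST + [
    ("2024-04-15T09:03:00", "reported", "alice@example.com"),
    ("2024-04-15T09:08:00", "reported", "bob@example.com"),
    ("2024-04-15T09:50:00", "clicked", "dave@example.com"),
    ("2024-04-15T10:02:00", "reported", "erin@example.com"),
]) + ["2024-04-15T10:30:00 clicked deadbeefdeadbeef"]  # token not issued: ignored

if __name__ == "__main__":
    pre = summarize("pre", RECIPIENTS, PRE_LOG)
    post = summarize("post", RECIPIENTS, POST_LOG)
    print(pre)
    print(post)
    print(training_effect(pre, post))
```

Two details matter in practice. Counting a recipient who reported after clicking under both metrics keeps the click rate honest while still crediting the report, which is what incident response needs to hear about first. Ignoring tokens that were never issued removes forged or mistyped URLs, but it does not remove clicks made by automated link scanners in mail-security gateways, which fetch the real tracking URL; those need to be filtered by user agent or source address before the click rate is trusted.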
There is no better time than the present to get started with phishing simulations. That is especially true if your company has not yet conducted employee security awareness training that includes phishing. A good phishing simulation provides baseline data you can use to plan the employee training and follow-up simulations you will need.
You can begin the process by partnering with the experts at Calance for phishing simulation and phishing awareness training. In addition, a vCISO can help manage the rollout of this training throughout your organization. Contact experts at Calance today by visiting www.calanceus.com for more information.