It’s time for The Talk. You know which one – it’s when your kids innocently ask that oh-so-delicate question: “Where do data breaches come from?”
All too often, successful data breaches can be traced back to employees who fell victim to a phishing scam. The pandemic has dealt a dual blow to the fight against phishing, providing an easily exploitable subject for scammers to manipulate, and leading to a swift rise in remote working.
Google’s Transparency Report shows an alarmingly steady rise in the number of phishing sites being created. And it’s been happening for the last few years. With thousands of new malware and phishing websites popping up weekly, this is a threat that organizations must take seriously.
People need support to help them recognize phishing scams, but organizations also need people to help them spot phishing attacks and react accordingly. Communication is key.
Teach People to Report Suspected Phishing Attacks
If employees simply ignore or delete suspected phishing scams, then it’s difficult for security teams to track trends and combat attackers. They need data to distinguish between one-off attacks and coordinated phishing campaigns with a common goal.
If one person is suspicious about an incoming email, but simply decides to delete it, then that phishing scam is not on the radar of the security team. It could still be successful when it’s sent to someone else, or it may have already persuaded another employee to hand over credentials or download malware. By contrast, when it’s reported, security professionals can investigate and act to nullify the threat.
This issue is even trickier when someone suspects that they’ve fallen victim to a phishing scam. Fear of reprisal and embarrassment can both play a role in discouraging people from reporting their actions. But a culture of silence only serves the scammers. Make it clear that potentially risky behavior should always be reported; encourage victims to report their actions without fear of repercussions.
Make Reporting as Easy as Possible
The easier it is for people to report a suspected phishing scam, the more likely it is they will do so. Provide an alert button right there in the email client, so that anyone who is suspicious of an email can simply click it. The alert button should forward the email to a central mailbox so that IT can investigate, analyze, confirm and chart trends.
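What “analyze, confirm and chart trends” looks like once reports land in that central mailbox, and how the data lets a security team separate one-off attacks from a coordinated campaign (the point made under “Teach People to Report”), is shown by the following added example. It is illustrative code written for this page, not a tool from the original post or any vendor; the sample messages, the domains in them and the threshold of two reports are all constructed for the illustration. It uses only the Python standard library: each reported message is parsed, the sender domain, any URL hosts in the body and a Reply-To mismatch are extracted, and reports that share the same lure host (or sender domain when there is no link) are grouped into campaigns.

```python
import email
import re
from collections import defaultdict
from email import policy
from urllib.parse import urlparse

# Matches http(s) URLs in a plain-text body; stops at whitespace, quotes or angle brackets.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Pulls the domain part out of a header such as 'HR Payroll <payroll@example-payroll.test>'.
DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")

# Constructed sample reports, as they might arrive at the central reporting mailbox.
# Every address and domain below is invented for this illustration.
REPORTED_EMAILS = [
    b"""From: HR Payroll <payroll@example-payroll.test>
Reply-To: collect@mailbox-drop.test
To: alice@example.com
Subject: Action required: verify your payroll details (ref 48213)
Content-Type: text/plain; charset="utf-8"

Please confirm your details at http://payroll-login.example.net/verify?u=alice before Friday.
""",
    b"""From: HR Payroll <payroll@example-payroll.test>
Reply-To: collect@mailbox-drop.test
To: bob@example.com
Subject: Action required: verify your payroll details (ref 48302)
Content-Type: text/plain; charset="utf-8"

Please confirm your details at http://payroll-login.example.net/verify?u=bob before Friday.
""",
    b"""From: HR Payroll <payroll@example-payroll.test>
Reply-To: collect@mailbox-drop.test
To: carol@example.com
Subject: Action required: verify your payroll details (ref 48377)
Content-Type: text/plain; charset="utf-8"

Please confirm your details at http://payroll-login.example.net/verify?u=carol before Friday.
""",
    b"""From: IT Support <support@example.com>
To: dave@example.com
Subject: Password expiry notice
Content-Type: text/plain; charset="utf-8"

Your password expires soon. Renew at https://sso-reset.example.org/reset today
""",
    b"""From: deals@newsletter.example
To: erin@example.com
Subject: 50% off this week only
Content-Type: text/plain

Reply to this message to claim your discount.
""",
]


def _domain_of(header_value) -> str:
    match = DOMAIN_RE.search(str(header_value))
    return match.group(1).lower() if match else ""


def _normalize_subject(subject: str) -> str:
    # Lower-case and replace digit runs so per-recipient reference numbers do not split a campaign.
    return re.sub(r"\s+", " ", re.sub(r"\d+", "#", subject.lower())).strip()


def extract_indicators(raw: bytes) -> dict:
    """Pull the fields a triage analyst looks at first out of one reported message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = _domain_of(msg.get("From", ""))
    reply_domain = _domain_of(msg.get("Reply-To", ""))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    url_hosts = sorted({urlparse(u).hostname or "" for u in URL_RE.findall(body)})
    subject = str(msg.get("Subject", ""))
    return {
        "sender_domain": from_domain,
        "recipient": str(msg.get("To", "")),
        "subject": subject,
        "normalized_subject": _normalize_subject(subject),
        "url_hosts": url_hosts,
        # A Reply-To pointing somewhere other than the sender's domain is a classic
        # sign of a mailbox set up to collect replies to a lure.
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
    }


def cluster_reports(raw_reports, min_reports: int = 2):
    """Group reports by lure host (or sender domain when there is no link).

    Returns (campaigns, one_offs): dicts mapping the shared indicator to the
    indexes of the reports that carry it. A report with several lure hosts
    counts toward each of them.
    """
    groups = defaultdict(list)
    for idx, raw in enumerate(raw_reports):
        ind = extract_indicators(raw)
        keys = ind["url_hosts"] or [ind["sender_domain"]]
        for key in keys:
            groups[key].append(idx)
    campaigns = {k: v for k, v in groups.items() if len(v) >= min_reports}
    one_offs = {k: v for k, v in groups.items() if len(v) < min_reports}
    return campaigns, one_offs


def campaign_summary(raw_reports, min_reports: int = 2):
    """One row per campaign: the numbers a team would chart over time."""
    campaigns, _ = cluster_reports(raw_reports, min_reports)
    rows = []
    for key, idxs in campaigns.items():
        inds = [extract_indicators(raw_reports[i]) for i in idxs]
        rows.append({
            "indicator": key,
            "reports": len(idxs),
            "distinct_recipients": len({i["recipient"] for i in inds}),
            "subject_pattern": inds[0]["normalized_subject"],
            "reply_to_mismatch": any(i["reply_to_mismatch"] for i in inds),
        })
    return sorted(rows, key=lambda r: -r["reports"])


if __name__ == "__main__":
    for row in campaign_summary(REPORTED_EMAILS):
        print(row)
```

Run as a script it prints one line for the payroll lure, reported by three different people, while the SSO message and the discount mail stay single reports. The grouping key is the host the lure points to rather than the sender address, because sending addresses are cheap to rotate while the credential-harvesting site usually stays put for the life of a campaign; a real mailbox handler would also store the raw messages and timestamps so the counts can be charted week by week.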
Build in a feedback loop. It’s important to notify people whether they identified a phishing scam, a test, or just plain old spam email. Providing some form of confirmation will encourage people to report in the future. It can be beneficial for everyone to take this a step further and introduce positive reinforcement to reward employees who successfully spot and report phishing tests or real-world phishing attacks.
For situations where phishing scams come via social media, text message (smishing), or even phone call (vishing), it’s vital to have a clear point of contact for employees. It should be easy for them to report suspicious messages they received or risky behavior they observed.
Be Open About Security Awareness Training
It may be tempting to run simulated phishing tests without the knowledge of employees to see how they cope, but it’s better to clearly communicate the importance of security awareness training and explain how it’s accomplished. Making people aware of a simulated phishing test doesn’t diminish its value. In fact, telling employees that they will be tested heightens their awareness and makes them more likely to behave responsibly all the time, which is precisely the behavior you want.
Consider the Consequences and Use Positive Reinforcement
Perhaps the most difficult aspect of fighting against phishing is deciding what to do when an employee fails a phishing test or falls victim to a real phishing scam. Given the right set of circumstances, anyone can fall victim, but there are situations when appropriate consequences can have value. There’s a range of possibilities depending on the level and frequency of any transgression, from additional education and training, through locked-down devices and forced password changes, to HR involvement, bonus reduction and even termination.
Keep this simple rule as a guide as you develop your policy: consequences should not come as a surprise, and they must be applied equally across the organization regardless of the position of the transgressor. In other words, don’t create a “three strikes and you’re fired” rule unless you’d be willing and able to enforce it on your CEO. Use positive reinforcement as a counterweight, rewarding desirable behavior with public recognition, small gifts or even cash bonuses. With the right combination of consequence and reward built on a foundation of clear communication, you can effectively tackle the phishing threat.