Phishing victims doubled between 2019 and 2020. And yet, when many end-users think of a phishing attack, they still picture the good old Nigerian prince scam email.

The truth is, hackers have become extremely sophisticated with their phishing attacks. Gone are the days of the easy-to-spot emails: spear phishing is now the name of the game. So how should you train your teams to detect these attacks?

This article will look at 10 must-haves for running training that significantly and lastingly decreases a company’s vulnerability to phishing emails. Overall, there are two main insights: A. you should train your users in real-life conditions by simulating what hackers would do, and B. you need to keep them engaged.

Phishing: what people think of vs what it really looks like

1. Understand it’s all about context

Users need to be trained in real-life conditions by exposing them to simulations that mimic the attacks hackers will use. Since hackers can easily gather information (C-suite, customers, software...) and integrate these elements into their attacks, simulations must reflect this threat environment.

  • Software: Which email suite you use, and which antispam or other key software, can easily be found out: attacks spoofing these will have a much greater chance of success.
  • Impersonations: Simulate C-level impersonation (or CEO fraud), which is used to legitimize phishing emails and trick the user into taking action.
  • Key customers and suppliers: Impersonate key customers or suppliers. People are used to interacting with these third parties and generally let their guard down.

2. Use targeted attacks 

Hackers will spear-phish departments and roles within a company with targeted attacks that are relevant to each specific user. Simulations should therefore be tailored to be relevant for each team. For example, sending a GitHub simulation to someone in the HR department wouldn’t make much sense, and sending someone in Marketing an app permission request for a code-verification tool will raise flags.

Hackers wouldn’t make that mistake, and simulations shouldn’t either.

3. Make simulations unique to each user

Sending the same simulation email to every user in the company, at the same time, clearly does not reflect what real attacks will look like. Also, people talk to one another: if they discuss the simulation, this will reduce its effectiveness, since many will come to expect it.

Real attacks will be personalized, relying upon prior research and Open-Source Intelligence (OSINT), and tailored to each team. In order to simulate this, your users need to see simulations that are unique to them. This means:

  • Sending simulations at different times and dates, even within a team
  • Sending simulations of different attacks to different team members within each campaign

4. Train for every scenario

“Fool me once, shame on you, fool me twice, shame on me”, so the saying goes. It is obvious - but worth highlighting nonetheless - that effective training needs to be varied: you want your teams to be able to recognize a multitude of threats, not just the email that Joe from IT sends every semester.

There are numerous ways to try and hook users in a phishing attack:

  • Calendar requests
  • New app permissions
  • Credentials expiry
  • Software updates
  • Resumes from candidates
  • Social media notifications…

The list goes on and on. Your users should see as many of these as possible.  

5. Expose users to different payloads

In addition, hackers have developed a number of payloads, even allowing them to bypass MFA protections. Your users should be exposed to as many of them as possible:

  • Click: The classic version of the simulation email, used to test whether users click on links in email (in real life, this could lead them to malicious websites)
  • Attachment: Hackers have become extremely crafty in hiding malware in attached documents such as Excel spreadsheets, and the click/open rate is still very high when combined with spear phishing, psychological triggers and OSINT
  • Credentials: The goal here is to lead the user to a login form, and either harvest their credentials or steal their session token
  • Drive-By-Download: Another payload used to deploy malware, this attack relies on convincing the user to download a document. Users who have decided to trust a link or site are actually invested, from a psychological standpoint, in maintaining this trust.
  • Consent: A sophisticated form of attack, this tricks the user into granting access and permissions to a third-party app controlled by the hackers

6. Use the same psychological tricks as hackers

Hackers - or, at the very least, those who craft spear phishing attacks - are expert psychologists. 

This is because their livelihood depends on convincing someone to take an action that is not in their interest, in an environment where cybersecurity risks are mentioned regularly. In order to achieve this, hackers leverage psychological levers to manipulate their victims.

Effectively training your teams requires the same approach, i.e. users should be exposed to attacks that simulate these tricks, such as:

  • Urgency
  • Enticement with the lure of benefits
  • Fear
  • Authority/social proof… 

7. Keep it frequent

Don’t train your users once a year! Too many companies conduct only a few simulations every year (notably because they have to set them up manually): the problem with this is that it doesn’t change behaviors. People forget, results and reflexes take time to set in, and infrequent simulations mean users aren’t exposed to multiple scenarios and situations, and aren’t kept up to date with the latest techniques used by hackers.

This is why simulations should be run frequently, at least once a month, in order to keep users alert and engaged and to truly change habits. 

The best way to set this up in a functional way is to automate the entire process: from selecting templates from a broad range of options to sending different attacks, at different times, every month, to each user of the company. Relying on manual options will only lead to ineffective campaigns.

8. Provide your users with visibility on their results

As your users report the simulations that are sent to them, they need to have visibility on their performance. Users and teams need to be able to access a personalized dashboard where they can track their improvement. Too often, simulations provide only aggregated results that mean little to users and give them no motivation.

While it is important for admins to have access to granular performance figures, in order to tailor training programs, this is not sufficient from a user engagement perspective: you are training your users, and they need to know how they’re doing, as individuals.
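As an added example (not Mantra’s code, nor part of the original post), the Python scheduler below puts points 3, 7 and 8 into practice: every user gets a scenario category relevant to their department, never the one they received in the previous campaign, at a send time no colleague shares, spread across one month’s business days, plus a per-user report-rate summary of the kind an individual dashboard would show. The template catalogue, user directory and outcome records are constructed sample data; the category names are the scenario types listed in this article, with no lure content.

```python
"""Monthly per-user phishing-simulation scheduler (added illustration)."""
import calendar
import random
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed catalogue: scenario categories from this article, keyed by the
# departments for which they are plausible. Category names only, no content.
TEMPLATES = {
    "engineering": ["calendar_request", "new_app_permission",
                    "credentials_expiry", "software_update"],
    "hr": ["resume_from_candidate", "calendar_request", "credentials_expiry"],
    "marketing": ["social_media_notification", "calendar_request",
                  "credentials_expiry"],
}

# Constructed user directory (hypothetical addresses).
USERS = [
    ("alice@example.test", "engineering"),
    ("bob@example.test", "engineering"),
    ("carol@example.test", "engineering"),
    ("dan@example.test", "hr"),
    ("erin@example.test", "hr"),
    ("frank@example.test", "marketing"),
    ("grace@example.test", "marketing"),
]

BUSINESS_HOURS = range(9, 18)  # send between 09:00 and 17:59 local time


@dataclass(frozen=True)
class Simulation:
    user: str
    department: str
    template: str
    send_at: datetime


def business_days(year, month):
    """Monday-to-Friday dates of the given month."""
    last = calendar.monthrange(year, month)[1]
    return [datetime(year, month, d) for d in range(1, last + 1)
            if datetime(year, month, d).weekday() < 5]


def schedule_month(users, year, month, seed, history=None):
    """Plan one monthly campaign.

    Each user gets a template relevant to their department, never the one
    recorded for them in `history` (user -> last template), at a minute-level
    slot no other user shares, spread over the month's business days.
    A fixed seed keeps the plan reproducible for audit.
    """
    history = history or {}
    rng = random.Random(seed)
    slots = [day + timedelta(hours=h, minutes=m)
             for day in business_days(year, month)
             for h in BUSINESS_HOURS for m in range(60)]
    rng.shuffle(slots)  # popping from a shuffled pool guarantees distinct times
    # A per-department cursor rotates through templates, so teammates in the
    # same campaign see different scenarios instead of one shared email.
    cursor = {dept: rng.randrange(len(t)) for dept, t in TEMPLATES.items()}
    plan = []
    for user, dept in users:
        options = TEMPLATES[dept]
        template = options[cursor[dept] % len(options)]
        cursor[dept] += 1
        if template == history.get(user) and len(options) > 1:
            template = options[cursor[dept] % len(options)]  # skip the repeat
            cursor[dept] += 1
        plan.append(Simulation(user, dept, template, slots.pop()))
    return plan


def per_user_report_rate(outcomes):
    """Share of simulations each user reported, for individual dashboards.

    outcomes: iterable of (user, outcome) with outcome in
    {"reported", "clicked", "ignored"}.
    """
    seen, reported = {}, {}
    for user, outcome in outcomes:
        seen[user] = seen.get(user, 0) + 1
        reported[user] = reported.get(user, 0) + (outcome == "reported")
    return {u: round(reported[u] / n, 2) for u, n in seen.items()}


if __name__ == "__main__":
    march = schedule_month(USERS, 2024, 3, seed=7)
    for sim in sorted(march, key=lambda s: s.send_at):
        print(sim.send_at.strftime("%Y-%m-%d %H:%M"), sim.user, sim.template)
    last = {s.user: s.template for s in march}
    april = schedule_month(USERS, 2024, 4, seed=8, history=last)
    assert all(s.template != last[s.user] for s in april)
```

Running the module prints one month’s plan sorted by send time; feeding the resulting user-to-template map back in as `history` for the next month is what keeps consecutive campaigns from repeating a scenario for the same person. The seed is the only thing a reviewer needs to regenerate a past campaign exactly.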

9. Make it fun 

After all, why shouldn’t it be? Studies have shown that training that relies upon gamification to engage users is more successful than traditional options. Trying to change people’s deeply ingrained habits can be something of a chore, but the enjoyment of play has been rooted in us since childhood.

Changing the narrative and relying on friendly competition, performance rewards and personal progress yields significant benefits in terms of user engagement. It also sends the signal that you are not trying to trick your users, and that the emails they receive really are for practice (this is also why sensitive issues such as COVID scares or raises, for example, should not be included in the simulations).

At Mantra, we believe that cybersecurity training should be fun, and gamification is an integral part of our simulation module. 

10. Change habits

Training is all about changing deeply ingrained habits (i.e. clicking on links and trusting the emails we receive): simply asking users, or informing them via videos or presentations, not to do so just doesn’t work. Successfully replacing this old habit with a new one - being alert and investigating emails received, and reporting any suspicious ones - requires that the simulation environment you set up provides your users with an easy-to-use tool for them to report any threats they detect.

Finally, don’t forget to inform the users who have reported a threat about the status of that alert, even if it’s not an attack: it will be gratifying for them to know their efforts are appreciated, which will generate engagement and encourage them to continue reporting suspicious emails.

Make your teams smarter than hackers! 

To recap, in order to be effective, training should simulate real-life conditions as much as possible, while generating engagement.

Simulations should be run frequently, be user-specific and varied (use the right software, impersonations, different payloads and psychological triggers…), and incorporate training best practices: they should be fun and build lasting habits.

Mantra helps companies achieve this by providing an automated simulation engine which allows them to free up time for IT teams while providing best-in-class phishing protection.