Phishing is the most common type of cybercrime today. According to the FBI, attacks have nearly doubled in frequency from 2019 to 241,324 incidents in 2020 and continue to spread like wildfire.
Since the Nigerian Prince scam in the 1980s, phishing attacks have come a long way and become much more sophisticated. Modern phishing attacks are targeted and use advanced techniques and pretexts to maximize their probability of success. They go so far as to mask themselves behind top brand names, their logos, and other identifying aspects, to trick individuals into engaging with malicious links and attachments.
No industry, organization, or individual is immune to phishing threats, but they can take measures to prevent an attack. That prevention starts with effective phishing protection as part of your overall cyber security awareness program.
This guide is for security and cyber security executives and professionals who need data-driven, behavior-changing phishing protection for their employees. By reading this guide, you’ll learn everything you need to know about phishing protection, including:
- A quick overview of phishing and phishing protection
- Why your employees need phishing protection
- The most common types of phishing attacks to watch for
- Phishing-related terms to keep in mind
- Why phishing simulations fail
- How to stop phishing attacks in their tracks
- Tips to boost the effectiveness of your phishing protection program
- Must-have phishing resources
- How to kick-start your phishing protection plan
Read on to learn how to safeguard your organization from a phishing attack by providing effective phishing protection for your employees.
What is phishing
Phishing is a form of cybercrime in which email, telephone, or text messages are disguised as coming from a popular brand, such as PayPal or Netflix. The message uses trickery to lure individuals into clicking a link to a well-crafted counterfeit website or domain. At the site, victims enter personal information or credit card numbers, which attackers then use to compromise devices and steal information.
These messages often use:
- Attention-grabbing subject lines: The subject lines in phishing campaigns are catchy and have compelling calls to action to create a sense of fear of missing out (FOMO).
- Authentic-looking hyperlinks: Hackers use operating system tools to disguise malicious links so they look harmless, for example by showing a trusted domain as the link text while the link itself leads elsewhere.
- Too-good-to-be-true content: Hackers create phishing campaigns based on free giveaways or unrealistic discounts, especially before holidays or major events.
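The "authentic-looking hyperlink" and "link shortener" tricks in the list above can be caught on the receiving side by comparing what a link displays with where it actually points. The following script is an added example and is not code from the original guide or from any product it describes; the sample email body, the shortener list and the "domain mismatch" heuristics are constructed assumptions, and the two-label domain comparison is a simplification (a production filter would use the public suffix list).

```python
"""Flag deceptive hyperlinks in an HTML email body (added example).

Heuristics implemented:
  * the link text looks like a URL or domain, but the href points at a different site
  * the href host is a raw IP address
  * the href carries a userinfo part ("brand.com@...") that misleads a casual reader
  * the href host is on a (constructed) list of link shorteners
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Constructed list for the example; a real filter would use a maintained feed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Matches link text that reads like a URL or bare domain, capturing the domain part.
_DOMAIN_RE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)

# Constructed sample email: one userinfo/IP trick, one shortener, one honest link.
SAMPLE_EMAIL = """
<p>Your account has been limited. Verify your details to restore access.</p>
<a href="http://paypal.com@198.51.100.7/login">www.paypal.com/account</a>
<a href="https://bit.ly/3xyz">Claim your reward</a>
<a href="https://www.example.com/unsubscribe">https://www.example.com/unsubscribe</a>
"""


def _split(url):
    # urlsplit only recognises a netloc when a scheme is present.
    return urlsplit(url if "://" in url else "http://" + url)


def _registrable(host):
    # Crude "last two labels" approximation of the registrable domain (assumption).
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(html):
    """Return a list of {'href', 'text', 'reasons'} for every suspicious link."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = _split(href)
        host = (parts.hostname or "").lower()
        reasons = []
        if parts.username is not None:
            reasons.append("userinfo in URL")
        try:
            ipaddress.ip_address(host)
            reasons.append("IP literal host")
        except ValueError:
            pass
        if _registrable(host) in SHORTENERS:
            reasons.append("link shortener")
        match = _DOMAIN_RE.match(text)
        if match and _registrable(match.group(1).lower()) != _registrable(host):
            reasons.append(f"text domain {match.group(1)} != link host {host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in link_findings(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the constructed sample, the first link is flagged three times (userinfo, IP literal host, and a link text that names paypal.com while the href resolves to 198.51.100.7), the shortened link once, and the honest unsubscribe link not at all. The same check is a useful part of a reporting workflow: showing an employee the mismatch is concrete, immediate feedback of the kind the guide recommends.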
All phishing scams tend to follow the same flow:
- A hacker sends a malicious message to an unsuspecting user.
- The potential victim opens the message and clicks the hyperlink.
- The victim is diverted to a phishing website, where they enter their personal or professional data.
- The hacker steals the data and then sells it on the dark web or uses it for other malicious purposes.
To prevent these types of attacks, organizations need phishing protection.
What is phishing protection
Phishing protection is part of an organization’s overall cyber security strategy to prevent cyber attackers from gaining access to and stealing data and sensitive information. Phishing protection consists of the following components.
Awareness training teaches employees about the different types of phishing, how they work, what to look for or listen for, and how to react if they suspect an attack. For example, employees learn how to identify malicious URLs and handle an email that contains a suspicious attachment.
Phishing simulations teach employees how to deal with phishing attacks through real-world, hands-on practice. To be effective, the simulations must occur regularly and frequently and focus on the threats employees are most likely to face based on their job role, department, or location.
Anti-phishing software inspects the content of emails, websites, and other internet-facing channels through which data is accessed, and then warns a user of a threat. It also prevents phishing emails from reaching an employee’s inbox.
Why phishing protection is important
Phishing protection is critical for several reasons: frequency of attacks, the cost of an attack, and a lack of phishing awareness by employees.
The rate of phishing attacks is increasing
As technology and digitalization have added automation and efficiencies to organizational operations worldwide, they’ve also created avenues for the bad guys to come up with new ways to commit crimes. In fact, during the COVID-19 pandemic, hackers kept right on working, crafting new fraudulent sites, resulting in 7 million total sites between 2019 and 2020.
Hackers also discovered new targets and created new types of attacks. Corporate users of Microsoft 365 (formerly Office 365) email, in particular, have become a top target of phishing attacks, accounting for 51 percent of credential theft attacks in the second quarter of 2021. Apple users have also fallen victim to phishing—specifically smishing—resulting in a 700 percent increase in early 2021 compared to the second half of 2020. The rate of phishing attacks will continue to increase, as cybercriminals now have automated tools to scan for and steal data on social media platforms, company websites, and networks.
The fallout of phishing attacks is costly
The fallout of a phishing attack—any cyberattack or data breach, for that matter—can be detrimental to your organization. Phishing attacks create business disruption, reputational damage, financial loss, stolen intellectual property, and potential fines for serious data protection violations. The fines alone can cost over a million dollars, but the other financial impacts run much higher.
Over the past six years, phishing attacks have quadrupled their financial impact. The average cost of an attack has risen to $14.8 million per year for US companies in 2021, up to $11 million since 2015. In 2020 alone, the FBI found that business email compromise (BEC) cost Americans over $4 billion.
Employees lack cyber security awareness training
A study by IBM cited human error and system glitches as the cause of half of all data breaches. Phishing attacks, however, rely almost entirely on human error to succeed. Employees can’t stop clicking links, and they won’t unless they have effective cyber security awareness training and phishing protection.
But not all phishing protection programs are created equal. Some only generate click rates as a measure of success or failure to determine whether employees or an organization can recognize a potential attack. They don’t provide immediate feedback and fail to engage employees in the moment, when they are best placed to learn and retain the lesson behind their mistakes. Effective phishing protection gives employees the knowledge, skills, and confidence they need to detect phishing threats and stop attacks before they damage your organization, brand, assets, and customers.
Types of phishing attacks
Even as phishing attacks evolve, be alert to the following common types of phishing attacks:
- Clone phishing: A duplicate of a legitimate-looking business email in which the original link has been replaced with a malicious one, tricking targets into clicking it.
- Deep fake: Use of artificial intelligence to spread false information or propaganda by manipulating a person’s spoken words, mannerisms, and expressions originally recorded as audio or video.
- Email phishing: A seemingly legitimate email message that tricks an individual into clicking a link where they unknowingly disclose personal information or credentials.
- Pharming: A strategy to make the links in phishing emails look legitimate by tampering with Domain Name System (DNS) records so that requests for a legitimate site are redirected to a malicious one.
- SMS phishing or smishing: A phishing scam via text communication that uses link shorteners to conceal malicious links within a text message.
- Spear phishing: A phishing scam in which hackers research an individual or small group and then target them by developing a personalized pretext with the goal of greater success than a general attack.
- Voice phishing or vishing: A phishing scam over the phone in which a “visher” pretends to be a customer service or government agency representative with the goal of tricking their target into revealing sensitive information or sending money to the attacker.
- Whaling: A type of phishing attack that tricks C-suite employees into falling for a “fake” emergency where they click a link or attachment that installs malware or steals sensitive information.
Phishing terminology you must know
As you explore phishing protection programs as part of your cyber security awareness strategy for your organization, keep in mind the following key terms:
- Automated clicks: The number of clicks recorded in the background from phishing simulations.
- Breach: Unauthorized entry to gain access to computer data, applications, networks, or devices. Also referred to as a security breach or data breach.
- Click rates: The percentage of employees who click a link in a phishing simulation.
- Compliance: The act of applying effective technical and practical security measures to meet the regulatory or contractual requirements of a third party. Examples include SOC 2, HIPAA, and GDPR.
- Cyberattack: Unauthorized access and damage to a computer, system, or network with a goal to destroy or control technology systems and change, delete, lock, or steal the data within them.
- Cybercrime: Malicious use of technology or technological devices to steal information or cause damage. Examples include phishing, identity theft, hacking, and other social engineering attacks.
- Cyber security: Protection against unauthorized access to the ecosystem of technical devices, networks, hardware, software, systems, and the information inside them.
- Phishing awareness: Part of an organization’s security policy that refers to engaging employees in training and simulations to educate them on how to help protect against phishing attacks.
- Denial of Service (DoS) attack: An attack intended to make a machine or network inaccessible to its authorized users.
- Hacker: A person who uses technical skill to gain unauthorized access to systems, networks, or data in order to commit crimes.
- Malicious actor: An entity that has the potential to break through an organization’s IT security. Also referred to as a threat actor.
- Malware: Malicious code—such as viruses, worms, and trojans—hackers use to gain access to sensitive information and create destruction.
- Man-in-the-middle attack: A way for an attacker to secretly eavesdrop or modify traffic between two parties to steal credentials or personal information or to destroy or corrupt data.
- Ransomware: Malware that blocks access to an organization’s computer system or data and encrypts files so the attackers can steal data or demand a ransom to unlock it.
- Risk: The probability of exposure or loss that can result from a cyberattack or data breach.
- Security: The people, policies, and tools that protect an organization’s assets and property.
- Security posture: The cyber security readiness of an organization’s employees and technology to protect its IT infrastructure, network, information, and equipment from an attack.
- Segmentation: A data-based approach in which employees are divided into groups based on threat risk to the organization.
- Simulation training: An approach to phishing protection that mimics real-life attacks as they occur in an employee’s workflow.
- Threat: The possibility of an internal or external attack to gain unauthorized access to, damage, or steal information, intellectual property, or data. Also referred to as a cyber threat.
- Trojan horse: Malware or virus disguised to look legitimate but takes control of a computer to damage, harm, or steal data or information on a network.
- Virus: Malware that spreads through devices to damage them or steal the data within them.
- Vulnerability: A flaw in software code, system misconfiguration, or security practices that hackers use to gain unauthorized access to a system, network, or data.
- Worm: A self-replicating program that spreads across a network—scanning for security holes to steal sensitive information, corrupt files, or gain remote access to the system.
- Zero Trust: The concept that all internal and external users must have security authentication, authorization, and validation before gaining access to applications or data.
Why phishing simulations fail
When organizations run phishing simulation campaigns but still find themselves the victim of an attack, it often boils down to several common errors. Keep reading to learn the five reasons phishing simulations fail.
They’re too difficult
Security leaders incorrectly assume all employees have the same or similar knowledge about phishing. However, each employee’s knowledge of and familiarity with phishing is shaped by their individual experience: some have partial knowledge, others have little to none, and a few have a solid grasp of it.
Baseline understanding aside, security teams often feel the need to create specific, over-challenging simulations. These simulations fail because employees quickly fall for them and wonder whether the real purpose was to trick them into clicking. Instead, security teams must ease employees into phishing simulations so that, over time, they can demonstrate their progress in understanding the content.
They target only some groups or departments
Some phishing simulations are set up to target only parts of an organization. This approach leaves the other employees in the organization without the protection they need against a potential attack. Phishers cast a wide net to see where they can take advantage of an unsuspecting victim. It takes just one case of human error to gain access.
When running phishing simulations, security teams can’t afford to select who they think are their higher-risk groups. It increases the threat risk for the rest of the organization and fosters distrust among employees who might feel targeted as high-risk. Instead, phishing simulations must target every employee in the organization, across divisions, departments, leadership levels, and locations.
They don’t engage employees
Comprehensive and long lectures, videos, or reading material don’t engage employees in important lessons about phishing. When phishing content is too deep or too general, employees find it difficult to consume, learn, and retain the information. This one-size-fits-all approach to phishing protection might be fast and easier to deliver, but it’s ineffective.
Phishing protection requires dynamic content that’s based on expertise in organizational learning and development. It requires resources to create custom versions that relate closely to each employee’s department and position in the organization, enabling them to learn from their mistakes.
They’re poorly timed
One-and-done phishing approaches might seem like an efficient way to deliver training to employees, but the idea is deceptive. When security teams send phishing simulations to all employees on the same day and at the same time, the process backfires. Employees who identify the simulation email, or who click the links in it, often alert other employees, who then report it to the help desk. Those employees miss out on the valuable training aspect of the simulation, and the campaign ends up generating inaccurate click rates.
An effective phishing simulation requires:
- Customizing emails by job role, department, or location
- Carefully coordinating when to send them out
- Monitoring the process and results
- Making sure the help desk agrees with the timing of the plan, so they’re not overloaded with calls
By following this approach, your organization will see more accurate and effective results based on precise metrics that indicate both progress and issues that require additional training.
They emphasize failure over results
Click rates might seem like a good measure of phishing simulations, but they’re misleading. They show only where employees failed a simulation. Besides, if employees know about a simulation in advance, they’re more likely to be on the lookout and avoid clicking. In this sense, click rates are skewed toward the low side.
Measuring the success of phishing simulation must go beyond click rates. It requires examining:
- The number of times an employee clicked a link after multiple challenges
- Employee engagement in learning the security training
- The overall progress the organization demonstrates in embracing a security culture
Instead of looking at failure, phishing simulation metrics must measure each employee’s progress over time as it contributes toward creating overall organizational behavioral change.
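The measures listed above (repeat clicks across multiple challenges, progress over time rather than a single failure rate) can be computed from ordinary simulation records, and the same per-employee trajectory is what the later tip on adjusting campaign frequency relies on. The following script is an added example, not code from the original guide or from any product it describes. The records are constructed; the five-second window used to discount automated clicks (link-scanning mail gateways that "click" every link on delivery) and the training-interval table are assumptions chosen for illustration.

```python
"""Progress-oriented phishing simulation metrics (added example).

Each record is (campaign_id, sent_at, employee, clicked_at, reported_at)
with ISO-8601 timestamps or None. The script:
  1. discounts automated clicks (a click within AUTOMATED_WINDOW of delivery,
     typical of link-scanning security gateways rather than a person);
  2. computes per-campaign click and report rates on the remaining records;
  3. builds each employee's trajectory across campaigns, so repeat clickers
     and employees who improved are visible instead of one failure number;
  4. maps each trajectory class to a suggested simulation interval.
"""
from collections import defaultdict
from datetime import datetime, timedelta

AUTOMATED_WINDOW = timedelta(seconds=5)  # assumption: people rarely click within 5 s

# Assumed interval table, in days, for the "adjust campaign frequencies" tip.
INTERVAL_DAYS = {"serial_clicker": 14, "needs_attention": 21,
                 "improving": 30, "consistent": 60}

# Constructed sample: three campaigns sent to four employees.
RECORDS = [
    ("c1", "2021-03-01T09:00:00", "alice", "2021-03-01T09:00:01", None),  # gateway click
    ("c1", "2021-03-01T09:00:00", "bob",   "2021-03-01T09:12:00", None),
    ("c1", "2021-03-01T09:00:00", "carol", "2021-03-01T09:30:00", None),
    ("c1", "2021-03-01T09:00:00", "dave",  None, "2021-03-01T09:05:00"),
    ("c2", "2021-04-05T14:00:00", "alice", None, "2021-04-05T14:20:00"),
    ("c2", "2021-04-05T14:00:00", "bob",   "2021-04-05T14:40:00", None),
    ("c2", "2021-04-05T14:00:00", "carol", None, None),
    ("c2", "2021-04-05T14:00:00", "dave",  None, "2021-04-05T14:03:00"),
    ("c3", "2021-05-10T10:00:00", "alice", None, None),
    ("c3", "2021-05-10T10:00:00", "bob",   "2021-05-10T10:15:00", None),
    ("c3", "2021-05-10T10:00:00", "carol", None, "2021-05-10T10:50:00"),
    ("c3", "2021-05-10T10:00:00", "dave",  None, "2021-05-10T10:01:00"),
]


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def is_automated_click(sent_at, clicked_at):
    """True when the click came so soon after delivery that a scanner is the likely cause."""
    return clicked_at is not None and clicked_at - sent_at <= AUTOMATED_WINDOW


def _outcome(sent, clicked, reported):
    # A real click counts as a click even if the employee reported afterwards.
    if clicked and not is_automated_click(sent, clicked):
        return "clicked"
    return "reported" if reported else "ignored"


def campaign_rates(records):
    """{campaign: {'click_rate', 'report_rate'}} with automated clicks excluded."""
    totals = defaultdict(lambda: {"n": 0, "clicks": 0, "reports": 0})
    for camp, sent, _emp, clicked, reported in records:
        outcome = _outcome(_ts(sent), _ts(clicked), _ts(reported))
        t = totals[camp]
        t["n"] += 1
        t["clicks"] += outcome == "clicked"
        t["reports"] += outcome == "reported"
    return {c: {"click_rate": t["clicks"] / t["n"], "report_rate": t["reports"] / t["n"]}
            for c, t in totals.items()}


def employee_trajectories(records):
    """{employee: [(campaign, outcome), ...]} ordered by send time."""
    paths = defaultdict(list)
    for camp, sent, emp, clicked, reported in sorted(records, key=lambda r: r[1]):
        paths[emp].append((camp, _outcome(_ts(sent), _ts(clicked), _ts(reported))))
    return dict(paths)


def classify(records, serial_threshold=2):
    """Label each employee by trajectory rather than by a single click."""
    labels = {}
    for emp, path in employee_trajectories(records).items():
        outcomes = [o for _, o in path]
        clicks = outcomes.count("clicked")
        if clicks >= serial_threshold:
            labels[emp] = "serial_clicker"
        elif clicks == 0:
            labels[emp] = "consistent"
        elif outcomes[-1] != "clicked":
            labels[emp] = "improving"      # clicked before, but not in the latest campaign
        else:
            labels[emp] = "needs_attention"
    return labels


def recommended_interval_days(records):
    """Suggested days until the next simulation for each employee (assumed table)."""
    return {emp: INTERVAL_DAYS[label] for emp, label in classify(records).items()}


if __name__ == "__main__":
    print(campaign_rates(RECORDS))
    print(classify(RECORDS))
    print(recommended_interval_days(RECORDS))
```

On the constructed records, the raw click rate for the first campaign would be 75 percent; discounting the one-second gateway click brings it to 50 percent, and the trajectories show that bob is a repeat clicker, carol clicked once and now reports, while alice and dave never really clicked. That is the difference between reporting a failure count and reporting progress.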
How to stop cyberattacks with phishing protection
Protecting your entire organization against phishing attacks requires engaging and effective phishing awareness training—something traditional phishing protection programs can’t provide. Follow these steps to prepare your employees as your first line of defense to stop phishing threats.
1. Identify your ‘phish’
To start your phishing protection plan on the right track, know which type of phishing attack to target. For example, you might begin by providing in-depth training on email phishing. As employees demonstrate an understanding of the content, you can shift to the next type of attack to target, such as vishing.
2. Focus on your employees’ unique needs
Personalize the training content to each employee’s role, cultural experience, or language. Employees will learn and retain the material better so they can apply it when faced with a real phishing attack. As a result, you’ll see greater success in keeping your organization and employees safe from an attack than a generalized phishing protection solution can.
3. Engage employees in simulation
Actions speak louder than words. The same is true for phishing protection programs that engage employees in real-life phishing simulations, a key criterion that one-time, long training sessions can’t deliver. Make recurring phishing simulations part of your employees’ workflow so it becomes natural for them to question whether an email is real or a scam.
4. Deliver content in small bites
For greater retention of the phishing protection content, give employees shorter, concise lessons in small bites. Keep the lessons to about one-minute long so employees can quickly skim through the information and engage with it. By giving employees small bites of content right in their workflow, they retain it better so they learn the lesson and can apply it when faced with a real phishing threat.
5. Maintain continuous training
Continuously train employees with phishing simulations and concise content to drive awareness of potential threats. Even as you complete training on one type of attack, you can then progress training to address another type of attack. By keeping the training in their workflow, it becomes part of their daily routine.
6. Measure effectiveness with data
To determine the effectiveness of your phishing protection program, look beyond click rates. By continuously training employees, you see how they progress over time, giving you insights into behavioral changes across your organization. This data also helps you identify and manage your high-risk employees and demonstrate your return on investment to upper management.
Tips for effective phishing protection
Now that you understand the basic steps to carry out a phishing awareness program, follow these tips to create organization-wide, effective phishing protection. When you pair these tips with the steps to stop a phishing attack, your organization transforms its behavior to better understand and respond effectively to a cyberattack.
Train all of your employees
Training only some employees, teams, or departments leaves the rest of your employees at risk of a phishing attack. Just one vulnerable employee is all phishers need to gain a foothold in your organization. As the first line of defense, train all employees so they know how to recognize and respond to a potential phishing threat.
Deliver just-in-time learning in the workflow
Phishing protection training that takes employees away from their daily workflow has little impact on their learning and retaining the information. Keep the learning right in your employees’ workflow so they can see and engage with it at that golden moment when they’re going through their email where most phishing lures start. Providing timely, engaging, and effective content creates a lasting impression.
Conduct regular, hands-on training
Phishing awareness training that’s scheduled is predictable and ineffective, takes employees away from where attacks happen and doesn’t create a lasting impact. Just as phishing attacks are unpredictable, your phishing protection training should be too, but at regular intervals. Conduct regular, hands-on, experiential training that teaches employees how to recognize and respond to a potential threat.
Customize your training
Giving the same content to all employees creates knowledge gaps between those who understand and relate to the information and those who don’t. Customize training that corresponds to each employee’s job role, department focus, or location. Customization also enables you to target the learning needs of high-risk employees who tend to be “serial clickers.” As employees master one level of learning, you can advance their training to the next level.
Adjust campaign frequencies
Some employees consistently fall for phishing scams. For these serial clickers, schedule more frequent training intervals so they get the repetition they need to drive behavioral change. For employees who learn quickly from their mistakes, however, reduce training frequency. Over-training fast learners only annoys them and reduces productivity with no added value.
Give immediate feedback
Annual, one-time training events don’t allow for real-time feedback to employees so they can learn from their mistakes. Make sure your phishing simulation program provides real-time feedback immediately after they fall for a phishing email. This additional learning gives them the training they need to avoid falling for an attack in the future.
Look at the data
Phishing protection solutions that only give click rates don’t reveal the full view of whether and which employees are learning the information. By gaining insights from a data-driven phishing protection solution, you identify which employees, teams, or departments need more focused training while maintaining employees’ privacy. You also gain a greater vision into where behavioral changes occur within the organization on your path to creating a security culture.
Resources for phishing protection
As you plan for phishing protection, keep in mind the following resources. Each one highlights unique challenges that you can overcome by choosing an effective phishing protection program as described in this guide.
Top 13 best phishing protection solutions
Phishers rely heavily on the art of disguise, often hiding behind trusted name brands, such as Facebook, Microsoft, Amazon, and PayPal. From behind the mask, they lure individuals into engaging with seemingly authentic, although maliciously intended links and attachments. Their success is often due to missing or ineffective phishing protection and cybersecurity awareness training programs for employees. It’s also due to the many ways in which attackers carry out phishing attacks.
To protect your organization from phishing attacks, cybersecurity strategies must include awareness training, phishing simulation, and anti-phishing software. Plus, employees must understand what phishing is and why they need phishing protection. Learn about these concepts and explore the 13 best phishing protection solutions to help your organization prevent an attack before it’s too late.
How to protect Microsoft 365 users from phishing attacks
With the rate of phishing attacks increasing over the last couple of years, no one is safe, not even users of Microsoft 365, formerly Office 365. In August 2021 alone, Microsoft issued not just one, but two alerts about new types of phishing attacks they discovered. As phishers continue to come up with new types of attacks, the risks for employees will be even greater.
Stop phishing attacks in Microsoft 365 by following these critical steps:
- Use Microsoft’s built-in phishing protection.
- Apply advanced third-party phishing protection.
- Create phishing simulations.
- Continuously train and test employees on phishing awareness.
Explore each of these steps to learn how to protect your Microsoft 365 users from phishing attacks.
Train your employees to spot voice phishing
Voice phishing is a rapidly growing form of attack, with 83 percent of organizations reporting it as a threat. However, almost 75 percent of people don’t even recognize or understand the meaning of the term. Although the risk of such attacks is minor compared to phishing attacks, just one attack can set your whole company off course.
Training employees on vishing attacks is not as easy as it might seem. These attacks don’t occur as frequently as phishing attacks. Also, vishing simulations aren’t automated or scalable and, therefore, require specific training. Discover how you can enforce a positive security culture that encourages employees to be more aware of email and phone scams in Train Your Employees to Spot Voice Phishing.
Understand the impact of automated clicks
Many phishing simulation solutions gauge success based on automated clicks or click rates. Security managers use the data to prove their technology or awareness program is working well. In reality, it’s quite the opposite.
One problem is they don’t give insights into actual real-time risks, but rather only a point-in-time view. Another problem is they don’t provide immediate, just-in-time feedback. Improving the integrity of phishing simulation training requires the right mix of people, processes, and technology:
- Foster a no-blame culture around security awareness training.
- In a phishing simulation test, measure only what you can manage.
- Trust your internal data to help you isolate a simulated phishing attack.
Learn why automated clicks don’t work and how to deliver phishing simulation training that does in Understanding the Impact of Automated Clicks on Phishing Simulation Training.
Measure real progress in phishing simulation
How do you know if your phishing simulation training is working? Security leaders who rely on click rates to measure success often ask this question. High click rates mean employees are just clicking and not actually learning about the attack. However, low click rates can mean simulations are so easy or repetitive that employees don’t bother clicking.
A true measure of success is based on the context of the phishing simulation. It’s also based on the progress of employees as measured over time. Learn what click-rate measuring is, how to add context to your phishing simulation program, and how to measure its success. Read Go Beyond Click Rate: Start Measuring Real Progress in Security Awareness Training. Then, watch the video about how click rates are detached from learning curves.
Know the truth about spear phishing employees
A common mistake of phishing simulations is when security teams create complex and sophisticated phishing simulations. They try to mimic spear-phishing attacks or emulate other compromising threats against management or executive-level employees. Even hackers don’t put this much effort into an attack.
The challenge of this approach is that only some employees receive phishing training. As hackers cast their net, they have a better chance of successful attack by reaching the employees who didn’t receive any training. The key is to protect your entire organization from a phishing attack.
An ideal approach is to adopt a solution based on machine learning that engages and trains employees to recognize the types of scams that they’re most likely to fall for. These solutions deliver phishing simulations that are proven to be effective within specific employee groups, whether by location, team, department, or another differentiator.
Gain insights into the challenges of complicated spear phishing in the post Is Spear Phishing Employees an Effective Training Technique? Then, watch the video about how simulated attacks can be successful even if they look simple.
Launch your phishing protection plan
In this guide, you learned about the importance of and best practices for phishing protection. As you search for an effective phishing protection plan, keep in mind the following considerations:
- Conduct ongoing employee phishing awareness training: Train employees regularly on the impact of phishing and risks and how to react to a potential attack.
- Take a hands-on learning approach: Provide phishing simulations at timely intervals in the workflow to ensure employees correctly apply the knowledge from their awareness training.
- Focus on targeted persona groups by risk: Develop and implement highly targeted interventions that aim to change the behaviors of employees based on their role, department, or location.
- Use predictive analytics: Identify and actively monitor high-risk employees by using a machine-learning-based solution to generate predictive analytics.
- Give real-time feedback: Provide immediate feedback to show employees security gaps as evidence of their need for more phishing training.
- Create cultural change: Train all employees at a deeper level, engaging them on a specific threat, to drive a cultural change that tackles employee attitudes and beliefs head-on.
- Adopt a scientific training method: Combine learning expertise, data science, and automation to optimize each employee’s learning experience.
These considerations are critical to ensuring your employees and your organization have what they need to become phishing-aware and to reduce phishing attacks.
Get started with BLAST
Choose a phishing protection solution that works. Choose BLAST from CybeReady. This automated phishing protection program features:
- An award-winning machine-learning engine that smartly assigns custom simulations by employee segment.
- Powerful advanced analytics to generate insights into employee training achievements and identify risk groups.
- Location-based training for global employees thanks to a localization engine that can run simulations in 35 languages.
See how BLAST can protect your organization, assets, and employees from potential phishing attacks. Request a demo.