Phishing Testing

Not long ago, it was a snap to recognize a phishing email.
It usually started out with an absurd claim—“you’ve won the lottery,” or “I’m a Nigerian prince who wants to send you a million dollars.” Then it asked for something you would never share with someone you didn’t know personally—your bank account, social security, or credit card number.
Times have changed. Today, about half of all internet email is unsolicited, and much of that unsolicited email is malicious. Worse, it’s increasingly difficult to tell the difference between a phishing email and a real note from a colleague or client.
Software and security protocols can help, but there will always be sophisticated phishing attacks that make their way to your employees. That means employees are bombarded with mail that may require an immediate response—or may lead to a major security breach.
That’s a lot of pressure to cope with; fortunately, training and support can make all the difference.
- Create a security policy your employees can follow. Make it easy to change passwords regularly and report questionable email. Make sure your security personnel have the resources they need to follow up on reports quickly and effectively.
- Train employees to ask before clicking. Many phishing emails contain clickable links or attachments that launch malware or viruses. Train employees to recognize questionable emails and to ask the apparent sender directly whether they actually sent the note.
- Provide training that includes phishing simulations. Today’s phishing emails often come from spoofed addresses that look legitimate. The subject lines may refer to “prior emails,” “upcoming meetings,” or “projects.” It’s not always easy to tell a phishing email from the real deal. That’s why your employees need risk-free opportunities to learn about and interact with phishing mail. Simulations are a great way to make this happen in a fun, supportive environment.
While all these techniques can help limit phishing incidents, they can’t eliminate them. The bottom line: employees should know that all email is suspect; there are no silver bullets to end all security threats!