Phishing awareness and phishing training explained

There is no more effective initial attack vector than phishing. With its ability to reach well within your organization’s logical perimeter, all the way down to an individual user’s inbox, with some form of malicious content, phishing has proven to be a challenge for organizations working to maintain a proper security stance.

On top of this, phishing attacks have some pretty impressive accolades:

The exponential growth seen this year in phishing attacks and their success is extremely dangerous when combined with operational shifts to users working from home, using personal devices, and lowering their sense of corporate vigilance as part of trying to find a work/life balance. The use of social engineering techniques such as domain, brand, or user impersonation augments the credibility of phishing scams at a time when the user’s sense of defenses is at an all-time low.

The current state of both cyberattacks and lack of cyber-readiness dictates that your organization look to elevate its security stance by making its users more aware of phishing attacks, the methods used, and the repercussions of attack success.

What is phishing awareness? 

First off, it’s important to differentiate phishing awareness from security awareness. Security awareness programs and training seek to create a security culture within an organization, in which being aware of phishing attacks plays a role. Phishing awareness is more laser-focused on the what, why, and when of phishing attacks and how to avoid becoming a victim.

Common types of phishing attacks 

Phishing attacks utilize a number of mediums, leveraging common tactics to get potential victims to respond in the desired fashion. Some of the mediums include:

  • Phishing (email) – Most people familiar with phishing instantly think of email as the medium. It’s the easiest method for attackers to get the undivided attention of their intended victims en masse, using automated tools to hit literally hundreds of thousands to millions of individuals with a single click.
  • Spear Phishing (email) – Attackers intent on targeting certain companies, industries, or even individuals will send out phishing attacks created specifically for that victim.
  • Whaling (email) – Whaling attacks are spear phishing campaigns targeting executives, generally using only social engineering techniques to trick the C-level exec into becoming a victim.
  • Vishing (phone) – Phone calls can be a viable medium to trick individuals into resetting passwords, giving up credit card details, and more.  Attackers have gone as far as to use deepfake audio – a technology that allows them to sound like anyone they want, including your CEO – to trick users over the phone.
  • SMiShing (text message) – Similar to email as a means of getting directly to the victim in question, SMiShing uses text messages to direct victims to websites intent on infecting mobile devices, stealing online credentials, or obtaining personal details.

Do different company sizes and verticals have differing phishing vulnerabilities?

It may seem logical that larger organizations or those companies subject to data regulation laws will have more security solutions in place, helping to minimize the possibility for phishing attacks to reach their intended victim. And on the other end of the spectrum, smaller organizations are assumed to have less budget and expertise to implement as strong a defense as their larger counterparts. 

But in actuality, organizations of every size and vertical are targets of phishing attacks daily.  Like any legitimate product or service, there are many businesses that focus on specific geographies, org sizes, industry verticals, etc.  It’s the same for cybercriminal organizations engaged in phishing attacks; they each have a target demographic they’re really good at attacking.

And every organization has the same problem when it comes to stopping phishing attacks: their users.  Users that aren’t aware of phishing attacks are doomed to fall for them. In a recent poll of 1,000 users in the U.K., 95% of them failed to identify 10 pretty-obvious (in my opinion) email-based phishing scams. In essence, your users need to be trained.

What’s involved in phishing awareness training offerings?

There are two really important parts to phishing awareness training – awareness education and phishing testing. Solutions designed to help improve a user’s phishing awareness begin by educating them on what phishing is, what communications mediums are used, what phishing attacks look like, what social engineering tactics are used, and how to spot a scam a mile away. This is generally most effective when done online, but some organizations do classroom-based training, and even breakroom-based training.

Once users are trained, it’s time to see if they were paying attention. Creating simulated phishing campaigns – ones that are benign in their impact but use the same techniques and tactics as their malicious counterparts – is an impactful way to see where the user layer, as it were, of your security is weakest. Solutions providing phishing awareness training usually have some form of phishing testing functionality as well. The phishing testing creates a feedback loop to determine the effectiveness of the training.

It’s important to note that phishing isn’t going anywhere; the bad actors know it’s an extremely effective way to attack your organization. And recent data shows they’re getting better at their craft with more sophistication and frequency in their attacks.  So, it’s critical that you improve your security posture as well. Phishing awareness and training is a key component to that end.
