How to Train Employees Not to Fall for Phishing Attacks
Companies have lost more than $12 billion to spear phishing and account takeover, according to Barracuda Networks.
“And those numbers obviously don’t include anything that doesn’t get recorded,” said Dennis Dillman, VP product management of security awareness at Barracuda Networks. “So chances are you could be looking at a much larger number than that. The scariest part is how rapidly the trend is growing in terms of the volume and sophistication of the attacks that we’re seeing.”
Five years ago, attackers rarely targeted business email accounts for financial gain, Dillman said. “And now it’s an extremely common way to get money out of an organization without using ransomware or that kind of attack.” More than 75% of targeted cyberattacks start with an email, according to Barracuda.
Attackers Cashing In on COVID-19
More recently, attackers have been cashing in on COVID-19, and on the business disruption and societal uncertainty that came with it, using phishing attacks to steal company and employee data.
“My biggest caution to any organization at any time is that when there is a disruption to the usual way of doing business you are at your most vulnerable,” Dillman said. This can be something as trivial as moving floors in an office building, or it can be the colossal unplanned increase in remote workers, from around 10% to more than 95%, in just a matter of weeks.
“There’s a compromise in the standards that you might have had when things were running normally,” Dillman said.
In addition to working on a home WiFi network and accessing corporate data from personal devices — both of which put employees and companies at greater security risk — this newly distributed workforce relies more heavily on email and other forms of electronic communication. “So their diligence isn’t going to be as high as it should be when they are dealing with potentially suspicious email,” he added. “These are times when you want to increase your security awareness training focusing specifically on the idea that because things are different now, our organization is going to be more vulnerable.”
Barracuda sells email security products, such as its new Sentinel, which uses artificial intelligence (AI) to protect companies against phishing attacks and account takeover. But it also has training videos and a platform called PhishLine that provides security awareness training for employees. And whether we’re talking about pre- or post-pandemic security, “my philosophy really doesn’t change,” Dillman said. “An emergency should trigger an extra level of diligence on the part of people responsible for doing security awareness training in your organization. But the approach from my playbook remains the same.”
Barracuda’s Anti-Phishing Playbook ‘Remains the Same’
In discussing what companies should do to train employees, Dillman starts with what they shouldn’t do.
“What you should not do is keep sending out the same old training and emails that you’ve always been sending out,” he said. Reusing the same security training tools may look like it is improving a company’s security posture: employees get used to seeing the same simulated emails, so they are less likely to click on them, and security educators can then say “look, our tool has allowed you to decrease your click rate,” Dillman said. “That creates a very nice chart, but it creates the illusion of security rather than providing actual security.”
Instead, he suggests sending out emails that look like those currently being used by attackers. Right now, they are COVID-19-themed emails. This includes fake infection maps, scam links to donate protective equipment to first responders, and emails that appear to come from the Centers for Disease Control and Prevention or World Health Organization but contain malicious links. Barracuda has more than a dozen different COVID-19-themed email templates that look like real phishing attacks, Dillman said.
“Send out examples of threats that are relevant and current, and let employees know that they are out there,” he said. “Not in an attempt to play gotcha with your employees, but rather use the tool as a way to communicate, like a newsletter. Let them know to watch out for these emotional triggers in an email and take a moment to evaluate whether or not they think it’s legitimate. And if you do think something is legitimate, then access the information independently of any URL that’s presented to you in an email from somebody purporting to be from the Red Cross. Go to the Red Cross site on your own.”
Gamification Works, But Don’t Create Losers
Positive incentives are more effective when it comes to email security training, he added. “I know it’s an extremely overused term in security awareness, but gamification is extremely important.”
Gamification works because it invokes employees’ competitive nature, but don’t make it juvenile, Dillman said; turning a quiz into a go-kart race, for example, will backfire. And, again, keep it positive. “I don’t recommend any gamification that is engineered to create losers,” he said. “It should be engineered to create varying degrees of winners. PhishLine, for example, has the ability to assign points to certain activities. You might lose points if you click on something, you might gain points if you complete training or if you use the phish reporting button.”
Employees can then use points to buy company swag or host a (virtual) pizza party.
“But that requires sponsorship,” Dillman added. “That requires an executive commitment to the idea that we want to reward people, and focus on the reward not the punishment, for accomplishing certain tasks related to security awareness. There’s no application in the world that can be a substitute for executive sponsorship.”