Phishing Awareness 101: How to Email Test Your Employees
Phishing is a constant threat to data and endpoint security. Cybercriminals use phishing attacks to break into accounts, steal company funds, and compromise sensitive data.
In this article I will introduce you to the dangers of phishing and guide you through the process of running your very own simulated phishing tests using BrowseReporter, CurrentWare’s employee computer monitoring software.
What is Phishing?
Phishing is a form of fraud where an attacker pretends to be a reputable person or company through some form of electronic communication (email, SMS, etc). Phishing is used to trick victims into disclosing sensitive information or infecting their network with malware by clicking links or downloading malicious attachments.
Around 67% of data breaches occurred due to phishing before COVID-19. In 2020, Verizon’s annual Data Breach Investigations Report found that users are three times more likely to click on a phishing link than before the pandemic.
The attackers – often called phishers – will typically use email to target their victims but they may also use other electronic communication tools such as social media and SMS.
What are the Different Types of Phishing Attacks?
- Email Phishing. A standard phishing attack where the phisher attempts to convince the recipient of an email to perform an action. Standard email phishing attacks are not specific to the recipient and are sent in mass quantities. These mass email ‘campaigns’ tend to be referred to as spam, and, while the techniques are always changing to keep up with tightening safeguards, it is possible to work to stop spam emails.
- Smishing & Vishing. These attacks use similar strategies as email-based phishing attacks. Rather than using email a smishing campaign will use SMS-based phishing messages and a vishing campaign will use a phone call.
- Spear Phishing. This type of phishing attack is more sophisticated than a standard phish. A spear phishing attack targets a specific user or group with inside information that an average phishing campaign would not have. This includes names of trusted employees, specific information related to job roles, and other details that are pertinent to the company. This information is gathered from data sources that are public (news, social media, etc) and non-public (leaked internal documents, insider information).
- Whaling. This phishing attack is a type of spear phishing where the attacker targets high-value targets in the organization such as senior executives. Attackers may imitate other high-level employees in the organization in an attempt to gain access to other forms of non-public information that they can use to improve the success of future attacks.
What Attack Methods Do Phishers Use?
Examples of email phishing attacks include:
- Malicious URLs: An email that urges the recipient to click on a link. These links may exploit a vulnerability that is triggered simply by visiting the link, with no further action from the user.
- Forms: A type of malicious URL attack that leads to a form requesting sensitive information. This may also be a fake login screen prompting the user to enter their username and password.
- Malicious Attachments: The attacker sends emails with seemingly legitimate attachments. These can be Microsoft Office documents with macros that execute malicious scripts or Trojans that disguise themselves as legitimate files. These files are likely to contain malware such as ransomware.
- Account Spoofing: In this sophisticated phishing attack, the attacker masquerades as a legitimate figure such as a senior executive. They may use non-public information gained from insider threats or previous phishing attacks to make their impersonation more convincing. They’ll also attempt to make the sender’s email address look like a trusted email address.
- W-2/T4 Form Request: This is a common scam during tax season. Attackers will pretend to be from the company’s internal HR department and request that employees send them their tax forms. The information from these forms is then used to file fraudulent tax returns.
Example Phishing Attack: Hiding Malicious Links in QR Codes
A sophisticated attack documented by email security company Inky details how threat actors are using QR codes to bypass email security solutions. Since many email security tools rely on scanning text and URLs to detect malicious or suspicious emails, a threat actor can simply replace all of the text content with an image that includes a malicious URL within a QR code.
What Are QR Codes?
A QR code (short for “Quick Response” code) is a type of two-dimensional barcode that can be read by an imaging device such as a camera.
QR codes are used to quickly provide access to a given URL without the end-user needing to type the URL in manually. While this can be convenient, threat actors can use QR codes to send their victims to a malicious URL. Legitimate QR codes can also be covered by a sticker with a QR code that links to a malicious URL.
Making a QR code is as simple as placing the desired destination URL into a QR code generator, then placing the generated QR code anywhere an end-user can scan it with their phone.
Need to make a QR code for your own project? You can generate one for free with Adobe Express or another generator. You can also see this list of secure QR code generators.
Why is Phishing Dangerous?
Attackers use phishing to steal money and gain unauthorized access to sensitive data. They exploit the trust of employees to convince them to enter their account credentials on malicious websites or download malicious software such as ransomware.
Phishing campaigns are extremely effective at tricking employees. A report from Tessian found that a staggering 1 in 4 employees have admitted to clicking on a phishing email at work. The damages from these events are severe – the FBI’s Internet Crime Complaint Center found that phishing and related schemes caused $57 million in losses in 2019 alone.
These attacks can lead to:
- Theft or loss of sensitive data including the personally identifiable information (PII) of customers and employees
- Non-compliance fines from leaking protected classes of data to unauthorized sources
- An impact on business continuity as your organization struggles to prevent the spread of malware and recover from the losses caused by the phishing attack
- Severe damages to company reputation from the perception that your company is not to be trusted with sensitive data.
What Happens After Clicking on a Phishing Link
Clicking on a malicious link in an email can have severe consequences, including financial loss, data theft and potential account compromise.
All it takes is one wrong click of the mouse to cause a company reputational damage, possible downtime and even closure, depending on the severity of the attack. Once someone clicks on a phishing link, there’s a high risk that the device will become infected with malware, including viruses, spyware or ransomware.
Malware may collect device statistics, location information or other voluntary data the user has provided. The infection may deliver more phishing emails to people on the user’s contact list or give a threat actor access to other devices belonging to the user. Malware can also go undetected if it is installed behind the scenes.
How Phishing Causes Damages:
- Users are prompted to download malicious files, such as Microsoft Office files with malicious Macros
- Sensitive information such as usernames and passwords are collected with a fake landing page
Phishing Prevention Best Practices
This next section will overview practical advice for avoiding phishing emails.
Use Email & Web Filters
Your first line of defense against phishing emails is to not give your employees a chance to see them in the first place. Email filtering technology such as secure email gateways or email firewalls will help to reduce the number of suspicious and fraudulent emails that reach your employees’ inboxes.
Anti-spam/anti-phishing tools will typically include advanced features such as attachment sandboxing to analyze incoming attachments in a lower-risk container and URL rewriting to help catch zero-day exploits. Should your email content filtering allow a phishing email through, a web filter can provide an added layer of security by blocking known malicious domains.
Email security tips
- Use Domain-based Message Authentication, Reporting, and Conformance (DMARC). A DMARC record policy verifies that the email’s sender uses authentication such as SPF or DKIM. This will help catch phishing attacks attempting to impersonate your company’s domain. To make setting up SPF records easier, you can use an SPF generator.
- Block high-risk attachments such as .exe, .js, .zip, and JAR files. You should also be wary of Microsoft Office files from older product versions as hidden macros have been used to execute malicious code from these files. You may also want to consider blocking attachments altogether and instead have employees use secured file transferring services.
- Provide employees with a way to flag phishing emails. Filtering will stop the majority of spam and phishing emails, but it can’t stop everything. Providing employees with a convenient way to report phishing will help you identify the malicious emails that are making it to your users. This can be accomplished with an in-client report button.
- Links in emails should be treated as suspicious by default. The organization must do everything they can to reduce the reasons that an employee would have to click the links sent in phishing emails.
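The DMARC tip above rests on two things: the policy tag (p=none only monitors, quarantine or reject enforces) and identifier alignment between the From domain and the domain SPF or DKIM actually authenticated. The following is an added example, not CurrentWare’s or any mail server’s code; every domain and record in it is a constructed sample value, and org_domain is a deliberate simplification that uses the last two labels instead of the Public Suffix List.

```python
"""Evaluate a DMARC policy against a message's authentication results.

Added example for this article, not CurrentWare's or BrowseReporter's code.
All domain names and records below are constructed sample values.
"""
from typing import Dict, Optional


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into tag/value pairs."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain: str) -> str:
    """Reduce a domain to its organizational domain using the last two labels.
    Simplification: real verifiers consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: strict ("s") needs an exact match,
    relaxed ("r", the default) needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: str, from_domain: str,
             spf_domain: Optional[str] = None, spf_pass: bool = False,
             dkim_domain: Optional[str] = None, dkim_pass: bool = False) -> Dict[str, object]:
    """Return the DMARC verdict for one message.

    from_domain: domain of the From header the recipient sees.
    spf_domain:  domain SPF authenticated (the envelope sender / Return-Path).
    dkim_domain: the d= tag of a DKIM signature that verified.
    """
    tags = parse_dmarc(record)
    policy = tags.get("p", "none")
    spf_ok = bool(spf_pass and spf_domain
                  and aligned(from_domain, spf_domain, tags.get("aspf", "r")))
    dkim_ok = bool(dkim_pass and dkim_domain
                   and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    passed = spf_ok or dkim_ok
    return {
        "policy": policy,
        "enforcing": policy in ("quarantine", "reject"),
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "pass": passed,
        # What the receiver is asked to do; "none" means deliver normally.
        "disposition": "none" if passed else policy,
    }


# Weak setting: monitor-only, so a message that fails DMARC is still delivered.
RECORD_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
# Corrected setting: reject failures and require strict alignment.
RECORD_ENFORCE = "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc-reports@example.com"


def spoof_scenario(record: str) -> Dict[str, object]:
    """A message whose From claims example.com, whose SPF passes only for an
    unrelated sending domain, and which carries no DKIM signature."""
    return evaluate(record, "example.com",
                    spf_domain="bulk-sender.example.net", spf_pass=True)


def legitimate_scenario(record: str) -> Dict[str, object]:
    """Mail genuinely sent by example.com with an aligned DKIM signature."""
    return evaluate(record, "example.com",
                    spf_domain="mail.example.com", spf_pass=True,
                    dkim_domain="example.com", dkim_pass=True)


if __name__ == "__main__":
    for name, rec in (("monitor", RECORD_MONITOR), ("enforce", RECORD_ENFORCE)):
        print(name, "spoof ->", spoof_scenario(rec)["disposition"],
              "| legit ->", legitimate_scenario(rec)["disposition"])
```

With the monitor-only record the spoofed message is delivered even though it fails both checks; the same message is rejected under the enforcing record, while genuine mail still passes via its aligned DKIM signature.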
Deploy 2FA
Two-factor authentication is another layer of protection against account compromises caused by phishing scams. Should employees inadvertently leak their credentials, the second factor can help prevent an unauthorized login.
Avoid Sharing Company Emails Publicly
Do not add the emails of individual employees to any public-facing platforms such as your website. If visitors to your website need to contact anyone you can use webforms instead. This helps to reduce the amount of spam and phishing emails by making it difficult for attackers to collect email addresses using a bot.
Teach Employees How to Spot a Phishing Email
Even with a robust security system, it takes only one negligent employee fooled by a phishing attack to compromise your network or sensitive accounts, or to leak the data you’ve worked so hard to protect.
Even the best anti-spam email filters will miss a few malicious emails. Employee security awareness training is non-negotiable for protecting sensitive data against phishing. A report from PhishMe found that employees who open a phishing email are 67% more likely to respond to another phishing attempt.
For the best phishing education for employees you need to teach them how to recognize a phishing email and you will need to perform regular phishing simulations that measure the impact of that training. A phishing awareness exercise will provide you with the data you need to determine if further phishing training for employees is required.
Some common indications of a phishing email include:
- An unfamiliar tone or greeting
- Threats or a sense of urgency
- Inconsistencies in email addresses, links and domain names
- Unexpected file attachments
- Unusual requests
- Grammatical errors
- Generic greetings
While it’s true that legitimate companies can send emails with grammatical errors and spear-phishing campaigns can use high quality and highly targeted messaging, being aware of the signs of common phishing schemes goes a long way to avoiding the average phishing email.
Consider Email Validation Tools
One effective strategy for detecting phishing attempts is utilizing email validation tools. These tools use Email Validation APIs to assess the legitimacy of an email sender before it reaches your inbox. Phishing emails often come from spoofed or malicious addresses, which can be identified through real-time validation checks.
Here’s how Email Validation APIs help in phishing detection:
- Syntax Validation: The API checks if the email address conforms to standard formatting rules (e.g., missing domain extensions or illegal characters). Phishing emails often use slightly altered versions of legitimate email addresses (e.g., company@examp1e.com instead of company@example.com) to deceive recipients.
- Domain Validation: These APIs analyze whether the domain in the email address is valid and active. If the domain doesn’t exist or is associated with suspicious or low-reputation sources, it’s a red flag for phishing. Some advanced tools can even check if the domain is commonly used for phishing activities.
- MX Record Validation: Email Validation APIs check for valid MX (Mail Exchange) records for the domain, ensuring the domain is set up to receive emails. Phishing emails often come from domains without proper MX records, indicating the email is more likely fraudulent.
- Disposable & Temporary Email Detection: Phishing campaigns frequently use disposable email services to hide the sender’s true identity. Email validation tools can flag these addresses, as they’re often used in malicious campaigns.
- Blacklist Check: Advanced Email Validation APIs cross-reference sender domains and IP addresses against known blacklists of malicious or phishing-related sources. If the email is sent from a blacklisted domain or IP, it can be flagged as suspicious.
- Risk Scoring: Some email validation tools assign a risk score based on several factors, such as past behavior of the sender, IP reputation, and domain age. This score helps determine whether an email is likely to be phishing.
Incorporating the best free email validation APIs into your cybersecurity strategy enables early detection of phishing emails, providing an automated layer of defense. You can prevent exposure to phishing links and malware attachments by identifying suspicious senders before their messages are opened.
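The syntax and lookalike checks described above can be run locally, without a third-party API, against a list of the domains your organization trusts. The following is an added example for this article, not any vendor’s validation code; the trusted domain list and From headers are constructed samples, and the confusable-character table is intentionally small. MX and blacklist lookups are left out because they need network access.

```python
"""Sender-address checks: syntax validation and lookalike-domain detection.

Added example for this article, not a particular validation API's code.
The trusted domains and sample From headers are constructed values.
"""
import re
from email.utils import parseaddr
from typing import Dict, List

ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

# Characters and digraphs commonly swapped for visually similar letters.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
               "rn": "m", "vv": "w", "cl": "d"}


def skeleton(domain: str) -> str:
    """Normalize a domain so visually confusable spellings compare equal."""
    d = domain.lower()
    for lookalike, letter in CONFUSABLES.items():
        d = d.replace(lookalike, letter)
    return d


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions,
    so a swapped pair of letters (exmaple / example) counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def assess_sender(from_header: str, trusted: List[str]) -> Dict[str, str]:
    """Classify the address in a From header as trusted, lookalike, unknown or invalid."""
    display, addr = parseaddr(from_header)
    if not addr or not ADDRESS_RE.match(addr):
        return {"address": addr, "verdict": "invalid_syntax", "reason": "malformed address"}
    domain = addr.rsplit("@", 1)[1].lower()
    trusted = [t.lower() for t in trusted]
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return {"address": addr, "verdict": "trusted", "reason": f"domain of {t}"}
    for t in trusted:
        if skeleton(domain) == skeleton(t):
            return {"address": addr, "verdict": "lookalike",
                    "reason": f"confusable spelling of {t}"}
        # e.g. example.com.login-portal.net: trusted name used as a subdomain elsewhere
        if domain.startswith(t + "."):
            return {"address": addr, "verdict": "lookalike",
                    "reason": f"{t} embedded in another domain"}
        if len(t) >= 6 and osa_distance(domain, t) == 1:
            return {"address": addr, "verdict": "lookalike", "reason": f"one edit from {t}"}
    # Display name borrows a trusted brand while the address domain does not match it.
    brands = [t.split(".")[0] for t in trusted if len(t.split(".")[0]) >= 4]
    if any(b in display.lower() for b in brands):
        return {"address": addr, "verdict": "lookalike",
                "reason": "display name imitates a trusted brand"}
    return {"address": addr, "verdict": "unknown", "reason": "not a trusted domain"}


if __name__ == "__main__":
    # Constructed sample headers; example.com stands in for your own domain.
    for header in ("IT Helpdesk <helpdesk@example.com>",
                   "Example Support <support@examp1e.com>",
                   "billing@exmaple.com",
                   "login@example.com.login-portal.net",
                   "News Desk <news@unrelated-vendor.org>"):
        print(assess_sender(header, ["example.com"]))
```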
What Employees Should Do If They Clicked on a Phishing Link
Phishing scams may not be obvious to the average employee, so someone could accidentally click on malicious links. There’s a high probability that someone will accidentally download a dangerous email attachment.
Thankfully, there are specific actions people can take to safeguard any sensitive information and quickly recover from the attack. Here are the steps someone can take after clicking on a phishing link or accidentally downloading a malicious attachment.
Disconnect the Device
The first step is disconnecting the device from the internet immediately. Unplug the internet cable if it uses a wired connection, or navigate to the Wi-Fi settings and turn Wi-Fi off. Any compromised devices connected to Wi-Fi should be disconnected. If you’re having trouble disconnecting the device, consider bringing the device to the IT team.
The main reason for disconnecting the device is to prevent malware from spreading to other machines on the network. It also prevents malware from taking sensitive data and sending it from the device. Nothing can be shared with the public if there’s no internet connection. Additionally, it prevents someone from gaining remote access.
Contact Your Company’s IT/Security Team
Phishing attacks are so common among cybercriminals because they’re easy to execute and usually have a high success rate. If you’ve fallen victim to a phishing attack, don’t be too hard on yourself. You’re not the first victim of a phishing scam, and you certainly won’t be the last. Once you’ve disconnected the compromised device, you should alert the IT or security team in your organization as soon as possible.
Your IT team must be aware of the incident so they can respond appropriately. Many modern teams have incident response plans designed for these attacks. They will identify the source of the attack, contain the infection, repair any damage, assess why the attack was successful and create a plan to move forward. The team may improve phishing awareness training for all employees to reduce the chances of a future attack.
Back Up Critical Files
Now is the time to back up any critical files from the device. Some users will back up files to an external hard drive, a cloud storage account or a thumb drive. Employees should focus on backing up the most critical files or any documents that contain sensitive information, trade secrets, financial records or confidential data.
Using an external hard drive or a USB drive is a simple way to effectively back up files. The cost to purchase one of these storage devices has dropped considerably. If your company has a dedicated IT team, they can guide you through the backup process and may provide you with a hard drive or USB drive for file storage.
Scan the Device for Malware
The next step is to check the device for malware. It’s common for people to use antivirus or malware software for this purpose. IT teams can get the scanning process started for you if you’ve never completed a scan on your own. Do not reconnect the device to the internet without the approval of your IT team.
Once the scan is complete, the software will show any suspicious files discovered and recommend options to fix the problem. This may mean deleting or quarantining the files. An experienced IT professional should make this decision to ensure the problem is rectified.
Change Passwords
The ultimate goal of a phishing attack is to gain access to login credentials or accounts, so it’s wise to change any passwords. Employees within an organization likely rely on various accounts or software that require a username and password. Changing them can make it more difficult for a hacker to access data.
Avoid using the same password for all accounts. Everything will be at risk of being compromised if someone gains the password to one. Use unique passwords with special characters, set up two-factor authentication (2FA) and consider using a password manager to keep everything organized. Your IT team can suggest new passwords for you to use and recommend a password manager to keep your account information safe. It’s also smart to set up reminders every few months to change passwords and update your password manager accordingly.
Consider Setting Up Fraud Alerts
Suppose an employee believes their information could be compromised. In that case, they can set up fraud alerts on their credit reports as a safeguard. It will prevent anyone from opening up new accounts in their name and notify the worker of any suspicious activity.
Following each of these steps will ensure employees minimize the damage to their organization. They must know what steps to take if they accidentally click on a phishing link.
Best Practices for Performing a Phishing Exercise
Determine Your Goals & Key Metrics
Phishing awareness training is designed to reduce the number of phishing emails that your employees fall for. Because of this, a typical phishing simulation will focus on establishing a baseline of employees that fall for the simulated emails and work to reduce that number over a given span of time.
Key metrics for a phishing test include…
- Click rates (how many times the links have been clicked)
- The number of employees that leaked sensitive data (e.g. submitting usernames/passwords to spoofed webforms, sharing sensitive information requested in the email)
- The percentage of employees that reported the phishing emails
- In the case of a phishing reply test, how many employees replied to the phishing email
Create Positive Feedback Loops
Anti-phishing measures need to encourage employees to recognize phishing attempts and report instances where they have fallen for an attack. You should avoid punishing employees that fail the simulation as this will disincentivize them from reporting legitimate threats. Instead, reward employees that successfully report the phishing emails and provide targeted security awareness training for employees that fall short of your company’s goals.
Provide Employees With a Way to Report Phishing Emails
If an employee discovers a phishing email in their inbox they need a convenient method to report it to your anti-spam solution or the IT department. Ideally they will be provided with a report button directly within their email client, though a designated email address to forward suspected phishing attempts can be used.
Though IT departments will seldom have the resources to continually monitor individual phishing reports, an increased awareness of phishing risks is valuable data. This data can help inform security policies, improve the accuracy of anti-spam filters, and provide the organization with a record of advanced phishing emails that they can warn their users about.
How To Perform a Phishing Test For Employees With BrowseReporter
There are a few methods of running this test with BrowseReporter. This section will show you how to set up Email Alerts that will send an email every time the designated URLs are visited. Later in this article you will also learn how to use BrowseReporter’s Sites Visited report to see an overview of each employee that visited the target URLs.
1) Download & Install BrowseReporter
For this test we will be using BrowseReporter, CurrentWare’s employee computer monitoring software. If you do not already own a copy of BrowseReporter you can get a free 14-day trial here. After downloading BrowseReporter you can follow these instructions to install CurrentWare on your computers.
2) Determine the URLs That Will Be Used in the Test
This test will use BrowseReporter’s internet monitoring features to send an alert to an email address once a given webpage is visited. For the simulation, you will send emails with a chosen URL and encourage your employees to click on the link. To ensure the accuracy of your test you must make this a unique URL that your employees would never visit or be familiar with.
3) Setup Email Alerts to Be Notified When Employees Click the Link
Now that you have CurrentWare configured to send emails, you can use BrowseReporter’s email alerts to send reports to a designated email address when your users fail the phishing test.
- Launch the CurrentWare Console
- Click on BrowseReporter (in the menu on the left-hand side)
- Click on the Email Alerts icon
- Click the New Alert button near the top of the window
- Fill out the Create a New Alert section
- Alert Name: Give your alert any name you’d like
- Email Address: Put the email address(es) of the account(s) that will receive the failed phishing test alerts
- Computers/Users: Select the users you will be testing. Be certain to include yourself so you can test the alert.
- Alert Type: Set this to URL.
- Threshold: Set this to 1. This will trigger the alert after the designated URL is visited once.
- Add Domains: Click this button to open a new window where you can add the domains for the phishing test. Type the URL that you will be using for your test, then press the Add button on the right-hand side. Repeat this step for each URL you’d like to test for. You can also import a list of URLs using the Import button. Then, click “Select all” to select the URLs you entered, then press the Select button to save the selected URLs.
- Click the Save Alert button to apply your changes.
That’s it! The email address you designated for the alert will receive an email each time your users visit the designated URLs. To test your email alert simply add yourself as a user to the alert and visit the URLs you used in the alert. Depending on your specific mail server configuration the alert may take a moment to arrive in the inbox.
4) Write the Phishing Messages You Will Be Using for the Test
Now you’ll just need to write 3-5+ sample emails that you will use to test your users. When writing your simulated emails, consider this: Phishing emails typically use a phishing message that invokes curiosity, fear, and urgency to persuade their victims. Attackers attempt to bypass our logical thought process by triggering these emotions. Be certain to play into these themes to best simulate a legitimate attack.
Want free phishing templates? Check out these 10 examples.
Try these themes to convince users to click the URL:
- Account Activity: Falsified alerts saying that their account on a given service has suspicious activity, a password change, or requires user intervention. Mimic the branding of these companies (logos, tone, footers, etc) to improve the believability of the email.
- Contest Winner: Congratulations, you’ve won a contest! Click here to claim your prize.
- CEO Request: Attackers will impersonate high-level executives as they know most employees will be eager to comply.
- File From Scanner: 36% of respondents in the PhishMe report fell for this type of attack. If your company has scanners that can send files to email, you can copy the formatting of one of these emails and replace the expected file with a text file requesting that they visit the URL.
If you’d like some inspiration, Norton has an article with a few real-life examples that you can reference.
5) Start the Simulation
At this stage you will need to create or designate an email address that will be used to send the emails. An attacker could be using a compromised account in an advanced attack, but the more realistic scenario would have the attacker using an email address that attempts to mimic a trusted vendor or employee.
Use the account to send convincing phishing emails that prompt your users to click a link that leads to one of the target URLs. Ideally you will avoid sending the emails to all of your employees simultaneously as they may warn each other about the emails once they figure it out. While this is an excellent thing to see from a cyber security perspective it may artificially skew your results in a way that doesn’t represent what a real phishing attack could be.
6) Review the Data Collected
Most phishing emails are opened the day they are received. After 1-2 days you are likely to have enough data to understand who is the most susceptible to the attacks so you can prepare supplementary anti-phishing training for those users.
In addition to the email alerts you received when your users visited the URLs, you can use BrowseReporter’s Sites Visited report to see an overview of each employee that visited the target URLs.
- Launch the CurrentWare Console
- Click on BrowseReporter (in the menu on the left-hand side)
- Click on the Run Report icon
- Select the Sites Visited report from the Report Type drop-down menu. Set the Criteria to Specific URLs and choose the URL History option under the Select URLs From section that appears. Select the computers/users you would like included in the report as well as the reporting period. Scroll down to Additional Settings, expand it, then click Omit users with no data.
- Click the Select URLs button. In the next window, type in the URL you will be testing in the Enter URL text field. Press Add to add the URL. Repeat this step for each URL you would like to see in the report. Click Apply then OK.
- Press the Run Report button to generate a report of employees that visited the specific URLs. The report will show you each user, the endpoint they used to access the site, the amount of time they spent there, and the time/date the visit occurred.
There you have it! You now have a repeatable process you can take to run your very own phishing simulations. You can use this data to identify learning opportunities for your employees and improve the security posture of your organization. You can use this first test as a baseline to measure improvement by tracking repeat offenders and decreases in susceptibility over time.
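The key metrics listed earlier (click rate, leaked data, report rate) and the baseline-versus-follow-up comparison described here can be computed from the per-user results once you have exported them. The following is an added example for this article, not BrowseReporter’s own reporting code; the user names and campaign results are constructed sample data, and the sets are assumed to have been filled in by hand from the email alerts, the Sites Visited report and the phishing report mailbox.

```python
"""Phishing-simulation metrics and baseline vs. follow-up comparison.

Added example for this article; it does not read BrowseReporter data directly.
The user names and campaign results are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Campaign:
    name: str
    recipients: Set[str]
    clicked: Set[str] = field(default_factory=set)   # visited a test URL (alert / Sites Visited)
    leaked: Set[str] = field(default_factory=set)    # submitted data on the landing page
    reported: Set[str] = field(default_factory=set)  # used the report button or mailbox

    def rate(self, subset: Set[str]) -> float:
        """Share of recipients in the subset, as a percentage with one decimal."""
        return round(100.0 * len(subset & self.recipients) / len(self.recipients), 1)

    def metrics(self) -> Dict[str, float]:
        return {
            "click_rate": self.rate(self.clicked),
            "leak_rate": self.rate(self.leaked),
            "report_rate": self.rate(self.reported),
            # Clicked and then reported: still a click, but the reporting channel works.
            "reported_after_click": float(len(self.clicked & self.reported)),
            # Neither clicked nor reported: ignored the email entirely.
            "silent_rate": self.rate(self.recipients - self.clicked - self.reported),
        }


def compare(baseline: Campaign, follow_up: Campaign) -> Dict[str, object]:
    """Track improvement between two runs sent to the same population."""
    before, after = baseline.metrics(), follow_up.metrics()
    return {
        "repeat_offenders": sorted(baseline.clicked & follow_up.clicked),
        "improved": sorted(baseline.clicked - follow_up.clicked),
        "new_clickers": sorted(follow_up.clicked - baseline.clicked),
        "click_rate_change": round(after["click_rate"] - before["click_rate"], 1),
        "report_rate_change": round(after["report_rate"] - before["report_rate"], 1),
    }


# Constructed sample population and results for two simulated campaigns.
STAFF = {"alice", "bob", "carol", "dave", "erin",
         "frank", "grace", "heidi", "ivan", "jane"}

BASELINE = Campaign("baseline", STAFF,
                    clicked={"alice", "bob", "carol", "dave"},
                    leaked={"bob"},
                    reported={"alice", "erin", "frank"})

FOLLOW_UP = Campaign("follow-up", STAFF,
                     clicked={"bob", "carol"},
                     leaked=set(),
                     reported={"alice", "dave", "erin", "frank", "grace"})


def summary() -> Dict[str, object]:
    """Metrics for both runs plus the comparison, ready to report."""
    return {"baseline": BASELINE.metrics(),
            "follow_up": FOLLOW_UP.metrics(),
            "comparison": compare(BASELINE, FOLLOW_UP)}


if __name__ == "__main__":
    for section, values in summary().items():
        print(section, values)
```

Users in repeat_offenders are the candidates for the supplementary training described in the next step, while a falling click rate and rising report rate over successive runs is the improvement the baseline is meant to measure.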
7) Reward High-Performers & Provide Training to Employees
Now is the time to create a positive feedback loop. If you have a process for tracking who successfully reported the phish be certain to reward them in some way. The reporting process could include forwarding a phishing email to a designated email address, filling out a report, or logging a ticket.
It is best to avoid punishing employees that did not pass the test as your employees need to feel comfortable self-reporting when they fall for phishes in the future. Instead, provide these employees with further training and support so they can be better prepared to identify and report phishing attempts in the future.
Conclusion & More Resources
Phishing awareness training is a critical component of improving the security of your business. If you are already using BrowseReporter to monitor employee internet and application use, you can use this guide to simulate phishing attacks in-house without any other tools.
As your organization grows you can also consider a phishing assessment with purpose-built phishing campaign tools such as KnowBe4 or Beauceron Security. You can also try a free online phishing test through a free phishing simulator such as PhishingBox.
- Haven’t tried BrowseReporter yet? Click here to download the free 14-day trial.
- Need to test the security of your email filters? Try a spoof email tester.
- Free phishing email templates – https://blog.usecure.io/10-best-phishing-simulation-examples
- These phishing email examples for training provide inspiration for writing your very own phishing awareness email template for use in an internal phishing awareness exercise
- DoD Cyber Exchange Phishing Awareness v6 – https://public.cyber.mil/training/phishing-awareness/
- This interactive training explains various types of social engineering, including phishing, spear phishing, whaling, smishing, and vishing. Users learn to recognize indicators of social engineering and the steps to take when targeted by social engineers.
Portions of this article were contributed by Zachary Amos of ReHack.com