19 Things to Do and Not to Do to Counter Phishing
How to Get Started?
1. Notify your employees in advance that a test will take place
During the first internal phishing campaign, many people are guaranteed to fall into the trap. On average, we see that up to 50% of employees get caught, even when they know something is coming.
2. Repeat the simulation after some time and make this new campaign more challenging
Do everything you can. For example, choose an email that involves typosquatting, which means an email where the sender's name or the used link closely resembles that of a trusted organization, except for a typo.
3. Alert a colleague when sending a phishing email that is supposed to come from their email address.
This technique is certainly worth testing, but make sure the person in question is not taken by surprise. We see that people generally like to be part of the conspiracy. However, you should choose someone who can keep a secret.
NOT TO DO
4. Do not make your first phishing simulation too difficult.
Choose a simple email that supposedly comes from a colleague. LinkedIn is a fantastic source for this. Do not immediately start with emails containing references to internal company knowledge or the well-known company structure.
5. Do not try to persuade people to click by promising a reward or bonus.
You could promise extra money in your phishing email, which would effectively entice people to click faster. However, when it turns out that your email was just a phishing test and the bonus doesn't exist, you will turn people against you. Criminals are not afraid of technology, but you want to keep your employees on your side. Keep it clean or be prepared for negative consequences.
How to emphasize the right objective?
6. Set a realistic goal. Nobody is infallible, so don't expect your entire organization to be at zero percent.
It's not necessary: with good and vigorous training, you can avoid the worst disasters. If someone falls for an inappropriate click, with a comprehensive training program, the entire organization knows exactly how to respond.
7. Communicate transparently about the results of your simulated phishing campaigns.
Let everyone know how many employees fell for it, but be aware that anyone can be caught. Ensure that everyone knows what the goal is, so you can work towards it as an organization.
NOT TO DO
8. Never punish individuals who click on a simulation email.
Awareness takes time, and not everyone learns at the same pace. Choose a positive approach with support and give people the time they need to improve.
Repeat, repeat, and repeat again.
9. Plan simulations on a regular basis.
It's not enough to work with an ad hoc approach and send simulations only when you think about it. You need to perform tests regularly because frequency and results go hand in hand. Creating and sending your own emails is a time-consuming process, so it's best to choose a tool that automates this work.
NOT TO DO
10. Don't limit yourself to only one test per year.
We find that an annual simulation has little to no long-term effect. Figures show that even thorough cybersecurity training is forgotten within six months. Therefore, repetition is the key to success.
Adding a personal touch.
11. Test people in different ways.
Approach the simulations with a personalized approach and surprise departments with emails tailored to their needs.
NOT TO DO
12. Don't stick to general simulations throughout the organization.
Colleagues will quickly inform each other when they find out what's going on, and it will ruin the simulation. Occasional testing where you test everyone in the same way will provide relevant information, as long as you alternate these tests with more personalized campaigns.
No testing without training.
13. Choose fun and interactive training.
For example, use a quiz, captivating video, or attractive infographic. Don't use these tools only for prevention purposes, but teach employees what to do when things go really wrong.
14. Choose locally relevant content.
Training courses on the dangers of end-of-year shopping around the Christmas period are relevant, but modules on holidays like Cinco De Mayo or July 4th in the United States won't work here.
NOT TO DO
15. Don't make high-knowledge employees take simple tests and quizzes.
They have their place with people who can learn more slowly, but don't put all your staff in the same category. Everyone follows their own learning path.
United against AI.
16. Give your employees the ability to report simulations.
This allows them to play an active role in the process. They also make the AI smarter, so that subsequent simulations become more challenging. Another benefit is that colleagues will automatically report spam and phishing messages, strengthening the company's security. We call this engagement activation.
NOT TO DO
17. Ensure that the training campaign is not too unengaging.
Simulations and training work best when everyone feels involved and understands the company's philosophy. Everyone means truly everyone, from the CEO to the worker.
Reporting and learning.
18. Clearly communicate the phishing rate to management.
This report is very useful for illustrating the return on investment of Phished. You can show the employees' learning curve using concrete figures and results.
19. Openly communicate the phishing rate to the entire organization.
We emphasize this practice again because it is crucial. Through API integration, for example, you can quickly share figures - anonymized if necessary - internally via the intranet or on internal screens. This visibility once again contributes to raising awareness across the organization.
Acknowledging that you are vulnerable is the first step to detecting and mitigating risks.
The main argument people use to avoid engaging in phishing - "it will never happen to me" - doesn't hold up: everyone is susceptible to a well-executed campaign.
Everyone can be less vigilant at times, which is exactly why continuous testing is important. Cybercriminals don't wait for your first cup of coffee or for you to complete your annual awareness training. All the training courses you take will be outdated the next day because hackers constantly use new techniques and methodologies to make their traps more realistic and up to date.