Anti-phishing training vs. software: Does security awareness training work?

Mahwish Khan
August 10, 2018 by
Mahwish Khan

Due to the increasing advances in today's technology, endpoint protection, and security software solutions are becoming even better at protecting your data. However, while this software is becoming more efficient, so are cyber attacker's methods and abilities to phish for your data.

Phishing occurs when a fraudulent email or other mediums such as social media and phone calls that mimic that of a reputable company is distributed to individuals to unveil personal information such as credit card credentials and passwords. It is amongst the most prevalent security threats that companies must contain to keep their data secure.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

It has been reported that hackers send over 156 million phishing emails every day, and that doesn't consider other methods that are growing more popular with the widespread use of social media and smartphones further develop. Over the last eight years, 90% of hackers that were successful in data breaches were the result of spearphishing campaigns that targeted an unaware employee. 30% of phishing emails that contain malicious links are opened, and only 3% are reported to management.

How do you know if your company is a target of a phishing attack? Industries that are primarily in the crosshairs are the Financial, Government, Healthcare and Retail domains. More generally, it's the employees within the business that decide who falls victim to these deceitful practices. They almost always come into play when a person discloses their identity or login credentials. Anyone from the CEO to an entry-level worker could have the information required to complete an attack successfully. Phishing for information through people within a company is often much easier for the cyber attacker than attempting to hack into a system to acquire desired information.

An IT professional should be informed of the top data loss prevention tools to protect their place of work and career. Data loss prevention is strategies that businesses use to ensure that protected data doesn't end up in the wrong hands. There are many different variants of software that can be used to control who can access certain data, and better manage your network of employees.

Most large companies have some sort of protocol to prevent email spoofing (editing email domain to pose to be from a trusted email) and other tactics that phishers use as a tool to extract your data and make themselves be portrayed more convincingly. Most businesses have also adapted to two-factor authentication. However, this alone is not enough of a defense, as cyber-attacks can mimic legitimate emails very accurately nonetheless, which is enough to fool many people. IT security personnel need to up their game to make sure their company is protected.

IT professionals can use software from companies such as Symantec, Trustwave, McAfee, CyberInt, and Digital Guardian that give you a greater look into how data is stored within your business and analyze how that data is used. In addition to looking at spoofed email addresses, you're also able to detect specific content in the emails that are recognized to be malicious or untrustworthy, although the email does not need to contain malware for it to be considered phishing. You can also scan your devices for existing vulnerabilities to ensure that any data hasn't already been compromised with features included in the software above, or if you are a Windows user, try a more dedicated tool such as the Windows Malicious Software Removal Tool. These tools use in-depth analysis to identify untrustworthy emails, even if spoofing did not take place and the email was legitimately compromised altogether.

Cloud security gateways (CSGs) is a form of security software popular by many IT professionals that behaves as a policy enforcement point between cloud applications that employees have access to, and the enterprise. This software allows IT security to gain visibility into the cloud and monitor its usage, granting more control to the administrator and can protect further against data loss prevention, strengthen encryption, and present data on user's browsing history.

Installing strong firewalls on each network connected to your business as well as utilizing software capable of detecting and alerting IT personnel of possible breaches taking place is only the first step of the battle against phishing and scams seeping through the cracks of your workplace. Implementing solely software solutions are an incomplete fix, and simply not enough to maintain the peace of mind that your company is not in danger of phishing schemes.

Why technical solutions are an incomplete fix

As advanced as some security software has become, even the most up-to-date software can prevent you from your company becoming victim to a cyber-attack. This software is only able to respond to viruses and malware when they can identify a strain of the virus. When cybercriminals create new strains, they seek new opportunities to breach anti-phishing and virus software by at first going undetected.

When a well-executed phishing attempt does not contain malware or signs of malicious intent that an anti-phishing software may miss, it is solely in the hands of your employees whether they will take the bait.

MSA Safety, a Pennsylvania-based safety product manufacturer, experienced a 25% failure rate in phishing attacks, despite the software they had implemented to prevent it. After implementing a phishing training program, their numbers are down to only a 5 to 8 percent fail rate after only a few years.

Even the strongest security protocols are rendered ineffective if your employees can not distinguish fraudulent offers and links, as they are often the weakest link in the security protocol chain. Hackers use "social engineering" to fool unaware employees to grant them access to the information they are seeking.

Social engineering is a deceptive scheme used to manipulate individuals into complying with a cyber attacker's requests to obtain confidential information. These tactics go together with phishing, and ensuring your employees are aware of these malicious buzzwords is important in protecting your data systems' integrity.

Malware, a damaging component of software intended to disable computers' security systems or aid in breaching secure information, comes into play when a hacker codes a virus that a user opens in the form of an attachment, link, or pop-up that has been infected. While not necessary for execution, malware is commonly linked with phishing attacks.

A common strategy social engineers use for profit is a form of malware, named ransomware. On average, 9 out of 10 phishing e-mails carry ransomware and is amongst the most difficult version of malware to remove with anti-phishing software in place. This version of malware is rightly named, as it is when data is captured and encrypted by the hacker who launched the attack and is then held until the target has paid a fee they've demanded.

The only way to restore your files is to either restore your device to a previous backup, using decryption tools available online to identify which type of ransomware you are dealing with and search for further solutions if the database can produce results, or if you've already turned every corner, try negotiating with the cybercriminal.

A good example of a ransomware attack on a large company due to phishing is the attack on HBO in August 2017. The hackers were alleged to have stolen 1.5 terabytes of data from the company, including script summaries from unreleased seasons of hit TV shows such as Game of Thrones, Vice Principals, and more in addition to other sensitive information. The hackers requested $7.5 million from HBO to retrieve their stolen information. This is hardly an unusual case.

In fact, in the first quarter of 2017, there were 100,000 million more incidents of phishing attacks compared to the first quarter of 2016. Today, that number is only increasing, and methods of distributing acquiring secure data through phishing are becoming more evasive as well as intuitive. Don't think that if you run a small business that you're out of the crosshairs either; 20% of small business suffered a data breach, which is far from reassuring that it won't happen to you.

These examples and statistics are hard evidence that strong technical solutions should be coupled with employee education to ensure your company doesn't wind up in a similar situation as HBO, or the millions of other businesses that have fallen victim to these schemes.

Protecting your company is no longer as easy of a task as implementing such security software. This should only be the first step in maintaining network and device security, as 84% of all spearfishing attacks penetrate an organization's security. There should be more of an emphasis on educating each employee within your business to enable them to be informed on common phishing and spam methodologies, so they are prepared to recognize fraudulent emails, downloadable content, and networks. Your company's vulnerability lies within your employees.

Training tips for conducting an anti-phishing simulation

An anti-phishing simulation assesses your employees on their competence in avoiding malicious links delivered through their company emails. Errors will result in correctional and educational content such as quizzes, videos, and more customizable protocols. They send automated attack simulations and security awareness training to your employees and report back to you with actionable reporting metrics.

Once deciding to proceed with a variant of an anti-phishing simulation within your company, it is important that it is handled carefully.

Give your employees a heads up. Be sure not to create a negative connotation about the program by giving no rhyme or reason for the simulation. Be sure to notify them in due time that the training will be beginning and inform them of its goals to make the work environment safer and more protected by making sure all employees are on the same page. By informing them of the upcoming tests in advance, you will be able to keep the element of surprise in tact as the simulated phishing emails will be distributed sparingly amongst their day-to-day messages, rather than suddenly receiving many suspicious emails altogether within a short span of time.

Make your initial email as professional as possible. Be sure to use a familiar email format, complete with company letterhead and signature, as well as the trusted domain name used in the rest of your company emails. It may also be a good idea to hold an in-person meeting to launch the training to free up any confusion or uncertainty.

Analyze your user's performance. Why should another bother testing something if you don't track performance and make actionable changes as a result? Analyzing data allows you to identify strengths and weaknesses and adjust resources accordingly. Metrics to pay attention to include who clicked fraudulent links, what system they have access to, when the incident occurred, and how or why the email they believed was authentic enticed them to be led to believe so.

An anti-phishing simulation is primarily for assessment, not education. Rolling out an anti-phishing project using a simulation will not adequately educate your employees if this is the only test performed. They are great tools for establishing a threshold of awareness amongst those in your organization. This is the project's primary function. While most anti-phishing simulations incorporate educational videos and quizzes upon clicking the malicious email within the test, those who don't click remain unaware of the helpful practices described on these landing pages. These outlets also may not grab the reader's attention enough to make an impact, or the reader may not be susceptible to learn after making a mistake that they could feel ashamed about. Then, in the future, they may be less likely to click on any email they think may be a phishing email, but they still aren't exactly sure why it might be a phishing email.

A non-click alone is not considered a success. Just because an employee didn't click the phishing email does not mean that they made a conscious decision to do so. There is a multitude of reasons that the link may not have been clicked other than recognizing the threat. They may not be interested in its contents or too busy to investigate the links, be out of the office, or someone had warned them about the bait.

Make your training repeatable and continuous. Like a virus, cyber attackers are always adapting and coming up with new ways to penetrate your security protocols and fooling users to help them along the way. Make your training an ongoing exercise to raise awareness of new tactics and remind employees of the repercussions of clicking suspicious links.

A good simulated phishing campaign should be well planned, and a regular exercise for your company. Consider the behavior of your employees and think what would be best in capturing their attention and engaging in the exercise.

High-performance tools for infosec professionals

Infosec Institute offers many different outlets to assist IT professionals in protecting their systems against phishing emails. Computer-based training enables your co-workers to be able to receive quality education remotely from the office, home, or anywhere with an internet connection. This is generally favorable, as it is more adaptable to their schedules.

As previously described, anti-phishing simulators are an effective way of training individuals in your workplace to be competent in spotting malicious sources within emails or elsewhere. Infosec Institute's SecurityIQ platform offers a multitude of software and resources to help protect your company and educate your employees about the dangers of phishing, and how to spot malicious messages.

Amongst the resources built-in to Infosec's SecurityIQ platform, their approved phishing simulator, PhishSim, provides realistic tests against phishing attacks and social engineering practices. They offer phishing messages that similar real-world conditions much like what an individual would encounter in their own inbox. You are also able to customize the tests to your own liking or choose one of many templates and proceed from there. These simulators are seldom free, but PhishSim is available to users at no charge. This allows you to test out the platform and see if the simulations are an effective tool for your business risk-free. You can get started right away and should have no problem integrating the platform into your cybersecurity protocols.

The Infosec blog is also filled with hundreds of quality articles within the IT domain including how to recognize phishing emails and techniques to avoid phishing scams. If you're wondering how vulnerable your company is to phishing, Infosec has you covered with a free diagnostic test that evaluates how susceptible you are to different kinds of phishing schemes.

Security is more important today than ever today within a business. Even if your company must sacrifice some other efforts within your brand, it will be worth nothing if cyber-attacks can infiltrate your databases and erode the foundation of your business from the inside out.

No one is safe from these scams, and they will prove to be a consistent problem for the future of business. It is important to stay educated on the strategies that hackers use to attempt to infiltrate systems and security awareness, on top of the defenses you have at your disposal to counteract their efforts.

It can be concluded that the strongest defense against cyber-attacks including phishing, ransomware, and other malicious practices is a healthy combination of both software that protects against phishing and malware, as well as assessing and training each one of your employees to ensure everyone is making smart choices when browsing through their email, social media, or making calls.

Get six free posters

Get six free posters

Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.


Mahwish Khan
Mahwish Khan

Mahwish Khan is a Pharm-D graduate from The University of Faisalabad. She is experienced in technical writing. She currently works for a university as a technical trainer and documentation specialist. In the past, she has taught university writing courses and worked in two university writing centers, both as a consultant and administrator.