Anti phishing training best practices
Phishing is one of the oldest, yet still one of the most effective, attack vectors, and it puts companies at risk every day. According to published statistics, 3.4 billion phishing emails are sent every day, and a successful attack costs the affected company $4 million on average. To make matters worse, nearly 22% of successful phishing attacks lead to a data breach, causing financial and reputational damage.
FBI report 2022: Increasing rate of phishing attacks and associated costs
While most companies conduct anti-phishing training for employees, it often becomes a tick-the-box annual exercise or test that does not change behavior. A high-quality training program is essential if employees are to avoid falling into the phishing trap. This article discusses seven best practices that make anti-phishing training more effective. We also look at some common training mistakes and how to avoid them.
Anti-phishing training best practices
The seven best practices to remember when organizing anti-phishing training are summarized here:
- Conduct the training periodically: people forget, new employees join, and phishing trends change.
- Use real-life examples: current phishing schemes help employees recognize attacks in context.
- Include third-party entities: contractors and service providers with access to your systems are part of your attack surface.
- Organize interactive training: active participation improves attention and recall.
- Include tailored examples: cover attacks specific to your industry and to individual departments.
- Emphasize compliance and accountability: attendance is mandatory, and incidents must be reported.
- Gather feedback and improve: ask participants what worked and adjust the next iteration.
In the following sections, we cover each best practice and why it matters for the success of anti-phishing training, and thus for reducing the risk of a successful phishing attack.
Conduct the training periodically
Humans are forgetful by nature, and only by frequently repeating something can we increase the chance that it stays in memory. It is also important to consider new employees who join the company after a training session. If anti-phishing training happens only once every few years, new employees risk becoming victims of phishing attacks in the meantime. Finally, phishing trends change, making re-training with updated content essential.
Organizing frequent phishing tests and training can be resource-intensive and demanding for your company. Consider service providers that specialize in such training to reduce the workload on your internal IT staff.
Use real-life examples
While the concept of phishing has stayed the same over time, attackers keep innovating and coming up with new phishing schemes. For instance, they may leverage current global events, abuse new email features or software vulnerabilities, and make use of compromised accounts in ever-evolving ways. Real-life examples and current trends improve employees' ability to identify attacks in context. It is crucial that anti-phishing training covers a wide range of phishing schemes and how to recognize them.
IronScales anti-phishing training examples covering the latest COVID-19 phishing emails
Include third-party entities
Although often forgotten, third-party entities such as contractors or service providers are an essential part of the anti-phishing strategy. Since such entities often have access to your company's data or manage your systems, a successful phishing attack against them can be devastating for your company.
For example, consider an IT service provider that manages your IT infrastructure. Its employees have administrative access to that infrastructure, including critical servers, as part of their job. If one of these employees falls victim to credential phishing, the attacker gains administrative privileges in your infrastructure, effectively the keys to the kingdom. That is why including third-party entities in your anti-phishing training (and demanding their participation) is vital for the success of your anti-phishing defense.
Organize interactive training
Interactivity means training modules that ask users to participate actively: clicking through content, answering quizzes, dragging and dropping answers, asking questions, and so on. While it might sound unnecessary, making anti-phishing training more interactive has several benefits:
- Participants must stay attentive and actively interact with the content instead of passively listening.
- It increases the chance that employees read and understand the content rather than attending only because it is mandatory.
- It makes the training session more enjoyable.
Studies show that higher interactivity increases recognition and recall of the interactive content, helping participants remember it long after the training session.
Include tailored examples
Aside from general phishing examples, anti-phishing training should include phishing examples that relate to the industry in which your company operates. Such attacks are less common but more dangerous: they are tailored to your company, and attackers spend more time and effort crafting them, which increases the likelihood of success. For example, if your company operates in the pharmaceutical industry, attackers might craft phishing emails aimed at research and development plans, secret formulas, and customer data rather than at standard PayPal credentials.
Example of a phishing email tailored to the pharmaceutical industry
Additionally, include phishing examples for the different departments that attend the anti-phishing training. For example, the phishing emails that employees in the finance department receive often differ from those that Human Resources (HR) receives: attackers try to trick the finance team into making large money transfers, while they impersonate job applicants to target the HR team.
While it is impossible to cover every scenario, try to cover and test examples tailored to your company's line of business and its most important departments.
Emphasize compliance and accountability
While most employees understand the necessity of security training and tests and comply with them, there will always be employees who are negligent and do not attend such training regularly, if at all. Your company should make clear that failing to participate in anti-phishing training has consequences.
Additionally, employees should be encouraged to report phishing emails or incidents, even if they have fallen victim to the attack. Mistakes happen, and recognizing and reporting them promptly helps the IT security team respond to the attack faster and contain the damage in time. At the same time, it should be made clear that not complying with security best practices or repeatedly failing to report phishing incidents will hold employees accountable for their negligence.
Gather feedback and improve
At the end of each anti-phishing training, ask the participants for feedback on the session. Even when we make sure to use real-life examples and explain phishing in detail, the audience must also be taken into account.
For example, explaining phishing at a technical level to employees in the finance department is more challenging than explaining it to a cybersecurity analyst. Different groups of employees should be considered, and the training material should be understandable to everyone. You can ask participants about elements such as:
- Clarity: was the material too complex?
- Length: was the session too long?
- Quality of the material: was the material helpful?
- Understanding: do you feel more knowledgeable about phishing after the training?
This feedback helps improve future iterations of the phishing training.
Common anti-phishing training mistakes
While the seven best practices above might sound straightforward, experience has shown that mistakes still happen and reduce the success rate of an anti-phishing training strategy. Three common mistakes that companies make when organizing anti-phishing training are:
Outdated content and examples
Although phishing attacks have existed for a long time, they come in different forms (e.g., email, SMS, phone calls) and flavors. Moreover, attackers always abuse major political or social crises, such as the COVID-19 pandemic, to devise new ways to deceive victims. That is why it is crucial for anti-phishing training content and phishing tests to evolve alongside new phishing schemes, so that employees remain up to date and less prone to falling victim to them.
Making anti-phishing training optional
Your company should emphasize that anti-phishing training is important for the company's success and that everyone must attend. Managers and C-level staff often have little time for such training, and companies often overlook their absence from it. This is dangerous, because it takes a single employee who is not security-aware to put the entire company at risk, regardless of their position in the company.
Not testing after anti-phishing training
Even if anti-phishing training is mandatory, employees may scroll through the content or stay on their phones without paying attention. By requiring a final test at the end of each training, there is a better chance that employees study and learn the material in depth. Additionally, you can run phishing simulations to test the results of the anti-phishing training against realistic attack scenarios. You then have a clear overview of which employees fell victim to the test and require follow-up anti-phishing training.
One-click phishing campaign setup with IronScales
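The follow-up step described above (combining simulation results with training records to decide who needs re-training) is usually handled inside a vendor platform, but the logic is simple enough to show in a small script. The example below is added here and is not code from the article or from IronScales. The 180-day re-training interval, the employee records, and the simulation results are all constructed assumptions for illustration; it also covers the periodic re-training and new-hire cases from the "Conduct the training periodically" section.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy value (not from the article): everyone is re-trained
# at least every 180 days.
RETRAIN_INTERVAL = timedelta(days=180)


@dataclass
class Employee:
    name: str
    department: str
    hired: date
    last_training: Optional[date]  # None means never trained
    is_contractor: bool = False    # third parties are tracked like staff


@dataclass
class SimulationResult:
    """Outcome of one simulated phishing email for one recipient."""
    name: str
    opened: bool
    clicked: bool
    submitted_credentials: bool
    reported: bool


def training_reasons(emp: Employee, result: Optional[SimulationResult],
                     today: date) -> List[str]:
    """Return the reasons this person needs (follow-up) training; empty if none."""
    reasons = []
    if emp.last_training is None:
        reasons.append("never trained (joined after the last session)")
    elif today - emp.last_training > RETRAIN_INTERVAL:
        days = (today - emp.last_training).days
        reasons.append(f"last training {days} days ago")
    if result is not None:
        # Submitting credentials is worse than merely clicking, so report
        # only the most severe outcome.
        if result.submitted_credentials:
            reasons.append("submitted credentials in simulation")
        elif result.clicked:
            reasons.append("clicked simulated phishing link")
    return reasons


def follow_up_report(employees: List[Employee], results: List[SimulationResult],
                     today: date) -> Dict[str, List[str]]:
    """Map each person who needs follow-up training to the reasons why."""
    by_name = {r.name: r for r in results}
    report = {}
    for emp in employees:
        reasons = training_reasons(emp, by_name.get(emp.name), today)
        if reasons:
            report[emp.name] = reasons
    return report


def simulation_metrics(results: List[SimulationResult]) -> Dict[str, float]:
    """Campaign-level rates used to compare one training iteration with the next."""
    n = len(results)
    return {
        "click_rate": round(sum(r.clicked for r in results) / n, 2),
        "credential_rate": round(sum(r.submitted_credentials for r in results) / n, 2),
        "report_rate": round(sum(r.reported for r in results) / n, 2),
    }


# Constructed sample data (not real people or results).
EMPLOYEES = [
    Employee("alice", "finance", date(2022, 1, 10), date(2023, 2, 1)),
    Employee("bob", "hr", date(2023, 8, 15), None),
    Employee("carol", "it", date(2020, 5, 1), date(2023, 9, 1)),
    Employee("dave", "it-provider", date(2021, 3, 1), date(2023, 8, 20), is_contractor=True),
    Employee("erin", "finance", date(2019, 6, 3), date(2023, 9, 10)),
]

RESULTS = [
    SimulationResult("alice", opened=True, clicked=True, submitted_credentials=False, reported=False),
    SimulationResult("bob", opened=True, clicked=True, submitted_credentials=True, reported=False),
    SimulationResult("carol", opened=True, clicked=False, submitted_credentials=False, reported=True),
    SimulationResult("dave", opened=True, clicked=True, submitted_credentials=True, reported=False),
    SimulationResult("erin", opened=False, clicked=False, submitted_credentials=False, reported=True),
]

TODAY = date(2023, 10, 1)

if __name__ == "__main__":
    for name, reasons in follow_up_report(EMPLOYEES, RESULTS, TODAY).items():
        print(f"{name}: {'; '.join(reasons)}")
    print(simulation_metrics(RESULTS))
```

The report rate is worth tracking alongside the click rate: the section on accountability asks employees to report phishing even after falling for it, and a rising report rate between campaigns is the clearest sign that the training is changing behavior rather than just being attended.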
With phishing attacks rising in popularity, preparing your employees for them through anti-phishing training is becoming increasingly important. In this article, we covered best practices for anti-phishing training, such as repeating the tests periodically, using real-life examples, and making the sessions interactive. We also looked at common mistakes made when conducting such training and how to avoid them. Although there is no perfect solution to the phishing problem, preparing your employees raises the bar and makes it much more difficult for attackers to succeed.