Best Ways to Conduct Effective Phishing Training with Employees

Cybersecurity threats such as phishing cost businesses billions of dollars a year. That number only grows as cybercriminals become wiser and new, advanced threats are crafted to target organizations. To protect your organization, cybersecurity training must be carried out at every level, from the highest executive to the most junior employee.

Why Cybersecurity Training is Important

Most cyber-attacks arrive through email, and phishing attacks generally fall into two types: broad attacks sprayed across the entire organization, and highly targeted attacks aimed at specific individuals such as C-level executives or finance directors. Targeted attacks draw on LinkedIn profiles and other public sources to craft a convincing message. Just as there are different levels of intelligence on the business side, cybercriminals also have different levels of sophistication. Some are amateurs who rely on unsophisticated methods, such as quick phishing blasts aimed at many users. The best cybercriminals, by contrast, spend time learning how to grab the reader's attention and convince them the message is legitimate.

Unfortunately, it takes only one clicked link or downloaded attachment to put your company at significant risk. In fact, GreatHorn's To Catch a Phish Report showed that email users are still not very good at catching phishing emails.

Whether your employees are working from the office or home, knowing how they can spot and avoid these phishing threats is the first and best line of defense you have.

Types of Phishing

Phishing is the most widely used way cybercriminals attack organizations. The following are some of the most common email phishing tactics used.

  • Domain Spoofing
    Domain spoofing is when cybercriminals make emails and websites appear to come from a legitimate company. The URL is often made to look close enough to the real domain that the difference is hard to spot, and the site itself may copy the company's design. It also takes the form of emails that appear to come from the company's own email address.
  • Spear Phishing
    Spear phishing is a very targeted attack in which the emails are personalized for specific victims. Through social engineering, the attacker figures out subject lines that the intended victim will find interesting.
  • CEO Fraud
    Some cybercriminals pretend to be the CEO of a company. They craft an email that appears to come from that CEO and send it to a lower-level employee. The message typically asks for some form of personal information.
  • Whaling
    Whaling is the opposite of CEO fraud. Instead of targeting lower-level employees, whaling targets executives with highly personalized emails that look legitimate. They might include false information, such as an “employee’s” name and job title.

How to Train Employees

Providing practical employee phishing training is key to keeping your company safe. The following are activities and tips to help you train employees to stay vigilant.

  • Create Awareness
    The first step in successful cybersecurity training is creating awareness. Without knowing what potential threats are present, your employees do not know what to be vigilant about. Your employees need to know the following:
    1. What exactly phishing is, how it happens, and what risks it poses on a personal and company level.
    2. The different methods of phishing attacks, including but not limited to those listed above.
    3. How cybercriminals find and use personalized information to reach their goals.

    Creating this awareness should be the first step in any phishing training program you organize.

  • Expert Speakers
    Having expert speakers educate your employees is a wonderful way to ensure the message gets across. These experts are deeply knowledgeable in their field and skilled in effectively sharing this knowledge.
  • Phishing Email Training
    Phishing email training is another critical step in phishing awareness training. Its primary purpose is to teach employees how to recognize the signs of a phishing attack, such as emails with improper spelling and grammar, incorrect sender addresses, and fraudulent URLs.

    It should also cover how to recognize phishing links, phishing attachments, and spoofed emails. Additionally, the employee should be aware of what steps to take when they identify a threat.

  • Phishing Simulation Training
    Experience is often the best teacher, so facing phishing attacks is a wonderful way to learn. However, you do not want that experience to pose any risks to security.

    This is where phishing simulation training comes in. It allows you to create "real" phishing attacks to send out to your employees. Through these managed attacks, you gain a better sense of where your business is at risk and which risks are most significant, allowing you to customize training. For the employee, seeing the results can be an eye-opening experience that makes them pay closer attention in the future.

  • Interactive Video
    Video content can be a great teaching tool, but it can also become tedious. You do not want your employees nodding off or their minds wandering when you are trying to keep your data secure. Use learning modules with interactive video so that your employees engage with the material and their minds stay on the lessons.
  • PowerPoint Presentations
    PowerPoint presentations are commonly used as teaching tools for a good reason. They can be instrumental when used strategically. Follow these four tips for the best results:
    1. Choose a theme that is lively and easy to view.
    2. Keep bullet points short and concise.
    3. Be sure to add visual elements.
    4. Break your points up with exciting and relatable facts, humor, and fun images.

    After the presentation, be sure to make it available so employees can review it on their own time.

  • Quizzes
    Listening to training sessions on anything is not as effective if we feel like we have nothing to learn. Supplying short quizzes on phishing before and throughout any training can help employees recognize that they are not as informed as they thought. This typically makes them much more receptive to training and educational activities.
  • Chunk Lessons
    Avoid supplying long, drawn-out learning sessions. Break lessons down into short, manageable chunks that are spread consistently throughout the year so your employees can fit them into their busy schedules more efficiently.
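The domain spoofing and phishing email training sections above list the signs employees are taught to look for: a sender domain that only resembles the real one, and a link whose visible text does not match where it actually points. The following script, an added example rather than GreatHorn's code or the page's own, turns those same signs into a small rule-based check that a security team could run over a reported message. The trusted domain list (`example-corp.com`), the homoglyph table, the one-edit threshold and the sample message are all constructed for illustration; a production version would use the public suffix list instead of the crude `registrable()` helper.

```python
"""Rule-based phishing triage for a raw email message (added example, not
GreatHorn code). Flags look-alike sender domains, a Reply-To that differs
from the From domain, and links whose visible text names a different domain
than their href. Trusted domains and the sample message are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-corp.com"}  # constructed allow-list
# Single characters commonly swapped into spoofed domains (0 for o, 1 for l, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


def registrable(domain: str) -> str:
    """Last two labels; production code should use the public suffix list."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def normalize(domain: str) -> str:
    """Fold look-alikes so 'examp1e-c0rp.com' and 'exarnple-corp.com' read as the real name."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a host or email domain."""
    d = domain.lower().strip(".")
    if d in TRUSTED_DOMAINS or registrable(d) in TRUSTED_DOMAINS:
        return "trusted"
    if any(d.startswith(t + ".") for t in TRUSTED_DOMAINS):  # trusted name used as a subdomain
        return "lookalike"
    if any(edit_distance(normalize(registrable(d)), t) <= 1 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_message: str) -> list:
    """Return human-readable findings; an empty list means no rule fired."""
    msg = message_from_string(raw_message)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    verdict = classify_domain(sender_domain)
    if verdict != "trusted":
        findings.append(f"sender domain {sender_domain!r} is {verdict}")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain")
    parser = LinkExtractor()
    for part in msg.walk():  # walk() yields the message itself when it is not multipart
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            parser.feed(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(f"link text shows {shown.group(1)!r} but points to {host!r}")
    return findings


# Constructed sample resembling a payroll-themed lure.
SAMPLE = """\
From: "Payroll Team" <payroll@examp1e-corp.com>
Reply-To: collect@mail-drop.example.net
Content-Type: text/html; charset=utf-8

<html><body><p>Confirm your details at
<a href="http://example-corp.com.login-portal.example.net/verify">https://payroll.example-corp.com/verify</a>
</p></body></html>
"""
```

Calling `triage(SAMPLE)` returns three findings: the sender domain `examp1e-corp.com` is a look-alike (the digit 1 folds to the letter l), the Reply-To points at a different domain than the From address, and the link's visible text names `payroll.example-corp.com` while the href lands on a host under `example.net`. These are exactly the cues the training above asks employees to notice; encoding them as rules lets the security team triage reported messages consistently and feed the results back into the awareness program.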

How Frequently Should You Train Employees?

Employee security awareness training is not a one-and-done task, as our Phishing Attack Landscape Report this year shows. Phishing and the cybercriminals behind it are constantly evolving, meaning that your training must be ongoing.

At a minimum, in-depth employee security awareness training should take place every quarter. However, simulations and awareness of any new threats should be on the agenda in between.

How GreatHorn Can Help

Cybersecurity training is essential, but even the most vigilant of employees can make mistakes. By providing the best tools for your employees to use, like GreatHorn’s Advanced Threat Detection, you exponentially increase their chances of success.

Learn how GreatHorn's Advanced Threat Detection can equip your employees to better combat phishing attacks, and how your organization can identify threats in the moment of risk and prevent them from getting through defenses. Your employees are your best line of defense against successful attacks. With GreatHorn's User Education tool, you can be sure your company's email users will be equipped to make better and faster decisions.
