What is a Phishing Test?

Phishing testing is perhaps one of the most effective measures a company can take to protect its business. A phishing test is an exercise in which a simulated phishing email is created and sent to a defined group of users. When users receive the email, they can interact with it just as they would with a normal email. When they click through and engage with it, they are brought to a landing page. Depending on the goals of the test, this page can be a plain “404 error” style page (if you don’t want users to know they are being tested) or an educational page that explains the nature of phishing and other security threats, building greater awareness over the long term. Data on the emails sent, such as who received them and who clicked through, is logged for analysis. Typically, management then reviews the results with their IT advisor and discusses how to improve awareness and, if needed, develop a more robust security posture.

To get the most value from phishing testing, I recommend performing multiple tests per year, sending different types of emails to users on a regular basis. The content of these emails should be varied and tailored to the audience. For example, an organization that works in the healthcare space should get at least one phishing test that appears to relate to healthcare industry concerns. In general, you want to make these tests tricky in order to build a hardened level of awareness: if users can learn to identify the less easily recognized simulated phishing emails, they are more likely to avoid the real attacks. I would also recommend sorting users who have a difficult time recognizing phishing emails into their own group to receive additional, custom training.
Some users who get these phishing tests are quick learners, and we see a major drop-off in their click rates after the initial tests, but other users will inevitably have a harder time. This kind of managed approach to users who are having difficulty results in lower risk and better awareness in the future.
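As an added example (not code from the original post), here is the analysis step described above: given a constructed log of who clicked in each simulated campaign, it computes the per-campaign click rate for the management review, flags repeat clickers for the custom training group, and identifies the quick learners who clicked once and never again. Campaign names and user names are made up.

```python
"""Analyse simulated-phishing campaign results to drive follow-up training."""
from collections import defaultdict

# Constructed sample log: one row per (campaign, user, clicked?). Campaign labels
# sort chronologically, which the quick-learner check relies on.
RESULTS = [
    ("2024-Q1 payroll", "alice", True),
    ("2024-Q1 payroll", "bob", True),
    ("2024-Q1 payroll", "carol", False),
    ("2024-Q1 payroll", "dave", True),
    ("2024-Q2 patient-portal", "alice", False),
    ("2024-Q2 patient-portal", "bob", True),
    ("2024-Q2 patient-portal", "carol", False),
    ("2024-Q2 patient-portal", "dave", True),
    ("2024-Q3 shipping", "alice", False),
    ("2024-Q3 shipping", "bob", True),
    ("2024-Q3 shipping", "carol", False),
    ("2024-Q3 shipping", "dave", False),
]


def campaign_click_rates(results):
    """Return {campaign: clicked/sent} so the trend across tests is visible."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for campaign, _user, did_click in results:
        sent[campaign] += 1
        clicked[campaign] += int(did_click)
    return {c: clicked[c] / sent[c] for c in sent}


def users_needing_training(results, min_clicks=2):
    """Users who clicked in at least `min_clicks` campaigns: the custom-training group."""
    clicks = defaultdict(int)
    for _campaign, user, did_click in results:
        clicks[user] += int(did_click)
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


def quick_learners(results):
    """Users who clicked in the first campaign and in none of the later ones."""
    campaigns = sorted({c for c, _, _ in results})
    history = defaultdict(dict)
    for campaign, user, did_click in results:
        history[user][campaign] = did_click
    first, later = campaigns[0], campaigns[1:]
    return sorted(u for u, h in history.items()
                  if h.get(first) and not any(h.get(c) for c in later))


if __name__ == "__main__":
    for campaign, rate in sorted(campaign_click_rates(RESULTS).items()):
        print(f"{campaign}: {rate:.0%} clicked")
    print("needs custom training:", users_needing_training(RESULTS))
    print("quick learners:", quick_learners(RESULTS))
```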
Do I need to do a phishing test?

Most likely, yes – your organization needs to do this. Not only do certain compliance standards require security awareness training and sometimes even specifically prescribe a phishing test, but it is immediately obvious that this is an external threat that most employees are not prepared to recognize and deal with. Phishing scams target the end user’s lack of awareness, and given the volume of attacks, it is really just a numbers game until someone with little awareness falls for a trap, resulting in a major impact. If you expect your staff to use email regularly for business, you can see how this growing threat represents a significant challenge to managing risk for your organization. One significant cybersecurity incident, such as a ransomware attack, will cost the organization far more than a managed phishing testing and cybersecurity awareness program.