The Best Way to Stop Employees from Clicking on Phishing Scams [Case Study]
In a world where cyber crime is a daily threat, but concerns for it are often set aside for things like convenience or cost – how do you stay safe?
Luckily your IT professional has established security features like firewalls, antivirus, and other protections that keep you safe. However, a simple click can unravel that safety in a split-second.
Scams of this kind, known as "phishing," work by getting a person to do something the technical controls allow: click a link, type a password into a look-alike login page, open an attachment, or approve a prompt. Once that happens the attacker is acting with that user's own permissions, and no amount of firewalls or antivirus can undo it.
As cyber crime ups the ante, what is your game plan?
We suggest becoming a scam-artist yourself.
Bait & Phish Your Employees Through Real-Time Training
With industry surveys reporting that as many as 85% of organizations have suffered a phishing attack, you can NEVER be too careful.
Education is undoubtedly your best bet against a phishing scam infecting your system, and unorthodox teaching methods might be the wake-up call your employees need. People are fallible, and awareness training is always helpful, but it might be time to test your training.
One of the best real-world exercises is deploying a controlled phishing scam to all your employees – to see who clicks.
Steps to Setting Up Your Controlled Phishing Scam
First and foremost, make sure everyone who needs to sign off is involved with the process. This usually means the C-levels, but also HR, since the results are tied to named employees, and your internal or outsourced IT department, who would otherwise treat the simulated email as a real incident.
Once everyone is on board, the real planning begins.
1. Choose Your Scam
Pick a pretext that matches how your business actually sends and receives communications: a supplier invoice, a shared-document notification, a password-reset notice from a system you really use. The closer it looks to legitimate mail, the more the test tells you.
2. Identify What You Want to Track
Decide up front what counts as a failure: opening the email, clicking the link, entering credentials on the landing page, or (on the positive side) reporting the message. Give each recipient a unique link so that every click can be attributed to a person, and make sure automated link scanners in your mail gateway are excluded so they do not show up as employee clicks.
3. Send Your Scam
Send out your email and, if possible, point the link at a fake login page so employees see how easily their credentials could be stolen. The page should record only that something was submitted, never the password itself, and should send the user straight to the training material.
4. Bring Everyone in on the Scam
Tell your employees that the email was a simulation, what the tell-tale signs were, and how to report suspicious mail in future.
5. Educate Everyone
Those who passed get a pat on the back and those who failed will need some extra training, but everyone should still be part of the company-wide training course.
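A minimal tracker covering steps 2 and 3, as an added example that is not part of the original article and not any particular simulator product: each recipient gets a unique HMAC-derived link, landing-page hits from a combined-format web-server log are attributed back to the recipient, hits from link-scanning mail gateways and hits carrying a guessed or tampered token are dropped, and the fake login page records only that the form was submitted. The domain training.example.com, the /verify path, the campaign key, the scanner User-Agent string and the log lines are all constructed for illustration.

```python
"""Phishing-simulation click tracker (added example, not from the article)."""
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Per-campaign secret. Constructed for the example; generate a fresh one per
# campaign (e.g. secrets.token_bytes(32)) and never ship it in the mail template.
CAMPAIGN_KEY = b"constructed-example-key-not-for-real-use"

# Hypothetical landing page hosting the fake login form.
LANDING_URL = "https://training.example.com/verify"
LANDING_PATH = urlsplit(LANDING_URL).path

# User-Agent substrings of mail gateways that pre-fetch links and would otherwise
# count as clicks. Placeholder value; fill this from your own gateway's logs.
SCANNER_AGENTS = ("ExampleLinkScanner",)

# One combined-log-format line (nginx/Apache style); the UA is needed for the filter.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>GET|POST) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def make_token(round_id, email, key=CAMPAIGN_KEY):
    """Unforgeable token tying one recipient to one round.

    An HMAC instead of a random id means the server needs no lookup table, and a
    recipient who edits their link cannot produce a token that blames a colleague.
    """
    msg = f"{round_id}:{email.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def build_links(round_id, recipients):
    """The unique URL to embed in each recipient's simulated phishing email."""
    return {
        email: f"{LANDING_URL}?{urlencode({'r': round_id, 't': make_token(round_id, email)})}"
        for email in recipients
    }


def attribute_hits(log_lines, round_id, recipients):
    """Map landing-page hits in the web-server log back to recipients.

    GET on the landing page = link clicked; POST = the fake login form was
    submitted (the form action is assumed to keep the query string). Only the
    fact of submission is recorded, never what was typed. Hits whose token was
    not issued for this round, and hits from known link scanners, are ignored.
    """
    owner = {make_token(round_id, e): e for e in recipients}
    results = {e: {"clicked": False, "submitted": False} for e in recipients}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or any(agent in m["ua"] for agent in SCANNER_AGENTS):
            continue
        parts = urlsplit(m["target"])
        if parts.path != LANDING_PATH:
            continue
        params = dict(parse_qsl(parts.query))
        if params.get("r") != round_id:
            continue
        email = owner.get(params.get("t", ""))
        if email is None:
            continue  # guessed or tampered token: not one we issued
        results[email]["clicked"] = True
        if m["method"] == "POST":
            results[email]["submitted"] = True
    return results


def summarize(results):
    """Per-round tally: how many were sent, clicked, submitted, and the click rate."""
    sent = len(results)
    clicked = sum(r["clicked"] for r in results.values())
    submitted = sum(r["submitted"] for r in results.values())
    return {"sent": sent, "clicked": clicked, "submitted": submitted,
            "click_rate": round(clicked / sent, 3) if sent else 0.0}


def constructed_log(round_id, recipients):
    """Constructed sample log lines (not real traffic) for a dry run of the tracker."""
    links = build_links(round_id, recipients)

    def hit(method, url, ua):
        p = urlsplit(url)
        return (f'203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "{method} {p.path}?{p.query} '
                f'HTTP/1.1" 200 512 "-" "{ua}"')

    browser = "Mozilla/5.0 (constructed)"
    return [
        hit("GET", links["alice@example.com"], browser),                # alice clicked
        hit("POST", links["alice@example.com"], browser),               # and submitted the form
        hit("GET", links["bob@example.com"], "ExampleLinkScanner/1.0"),  # gateway prefetch, not bob
        hit("GET", f"{LANDING_URL}?r={round_id}&t={'0' * 32}", browser),  # guessed token
        '10.0.0.9 - - [10/Oct/2023:14:01:02 +0000] "GET /index.html HTTP/1.1" 200 100 "-" "x"',
    ]


if __name__ == "__main__":
    people = ["alice@example.com", "bob@example.com", "carol@example.com"]
    res = attribute_hits(constructed_log("round-1", people), "round-1", people)
    print(res)
    print(summarize(res))
```

Run the file and it prints that alice clicked and submitted while bob and carol did not, even though bob's link was fetched by the (constructed) scanner. Real mail-security gateways do follow links before delivery, so an unfiltered tracker will blame people who never opened the message; the list in SCANNER_AGENTS must come from what your own gateway actually sends.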
Types of Phishing Email Tests and Cost
Here comes the best part: there are some truly free phishing simulators out there. If you need to wave the "free flag" to get your C-levels on board, you are in the clear. The only downside of free simulators is that they come with limited features.
For paid services, the prices vary dramatically based on how many users you want to send it to, what kind of reporting you’d like, and what kinds of tests it will run. Some even have gamification built in, so your employees will actually enjoy participating.
How cool would it be if the conversation around phishing wasn’t “Who took down the company?” but transformed to “Look who avoided the most scams this month!”
Prices can look steep, but keep in mind that, according to Forbes, simulated phishing attack training has yielded a 37% return on investment over training that consists only of reading.
Case Study: How One Company Went From “Down for Days” to Stopping Phishing Through Employee Training
Still on the fence about doing a phishing security test at your own company? Let's dive into how this training works.
We recently ran a phishing simulation to train employees at a company that had been hit with operations-halting ransomware multiple times.
Employees at Company X had fallen for two separate "click viruses" back-to-back.
Both arrived through an email scam and ran when a malicious link was clicked, and each one caused significant downtime for the company's operations.
To combat this growing “user error” problem, Company X trained their employees in multiple ways to avoid phishing scams. But they needed a way to check if employees would apply what they’d learned. So, they decided to send simulated email scams.
The first round of simulated phishing scams went out company-wide. Of the 65 employees it was sent to, 6 people clicked the simulated malicious link. The second round of testing was more specialized: to keep everyone on their toes, only 15 people from various departments received the scam. A third round went to just one person.
To keep it interesting, each set of emails had different variables:
- Each email came from a different unknown sender.
- Each email asked for different permissions to be granted
- Each email had its own look, theme and language
- Each email had a different set of recipients.
And while Company X continues to send random phishing simulations, their first three rounds speak to their success:
- Round one: sent to 65 people, 6 clicked
- Round two: sent to 15 people, 1 clicked
- Round three: sent to one person, 0 clicks
In just three simulations the click rate fell from 6 of 65 (about 9%) to 1 of 15 (about 7%) to 0 of 1. The later rounds are small samples, so the trend is encouraging rather than conclusive; the practical payoff is that each round produced a named list of exactly who needed more training.
Education is the key to protecting your company from phishing scams. But why not go one step beyond traditional training and perform a phishing scam simulation?
They're a reliable, low-risk way to test what your employees have learned. Investing in your company's safety today will save you money and time in the future.
About Accent Computer Solutions
Accent Computer Solutions, Inc. is a managed IT services and IT support provider, serving businesses with 30-500 employees throughout Southern California. The company is headquartered in Rancho Cucamonga, California, with IT professionals strategically located throughout San Bernardino, Riverside, Los Angeles, and Orange Counties, as well as Arizona, Texas, and Louisiana.