Phishing attacks are rising all the time, and the damage they cause is considerable. According to the FBI’s Internet Crime Report for last year, phishing was the top scam by a very long way, with people losing an estimated $2.4 billion in one year alone. And that’s just for the crimes that were reported, which might be the tip of the iceberg when we consider that many people are likely too embarrassed to report having fallen victim to phishing scams.
If you still only think of emails claiming to be from Nigerian princes when you hear about phishing, you might wonder how anyone could be taken in. But sadly, phishing has come a long way since the “classic” phishing email.
Today, phishing is a broad and highly sophisticated endeavor that has spawned variations like spear phishing, which uses personal details to trick the recipient into trusting the sender; smishing, which delivers phishing attacks through SMS messages; and vishing, where hackers use deep fakes of a CEO or CFO on video conferencing software to send employees fraudulent instructions.
In the business context, the situation is especially alarming, because one misguided clickthrough can bring down an entire company: by opening the door to malware that destroys your tech, by draining your finances, or by ruining your reputation.
For CIOs and CISOs, the success of phishing attacks is highly frustrating. It’s become clear that there’s no tech tool powerful enough to halt phishing attacks — hence the rise of phishing awareness training.
What is phishing awareness training?
The best phishing awareness training uses gamified scenarios that mimic real phishing attempts, so employees learn to recognize fake attacks as they go about their everyday business.
By raising employee alertness, enabling them to spot phishing attempts, providing micro-learning opportunities throughout the day and making it easy for them to report malicious communications, phishing awareness training provides protection that no amount of tech can deliver on its own.
Here’s why your company needs phishing awareness training.
Phishing attacks can’t be caught
Much to the annoyance of enterprise tech teams, there’s no digital safety net that’s powerful enough to catch every phishing email or message. These tools do make a difference, but not enough to make companies genuinely safe without awareness training.
Most phishing protection technology works by scanning incoming emails for keywords, but hackers are wise to this tactic. A well-written phishing email can cause massive damage without any trigger keyword.
Today’s hybrid work environment only makes it harder to protect employees from phishing attacks. People work across multiple devices, so the number of endpoints keeps growing, and employees working remotely are often outside the protection of the office firewall.
Phishing attacks appear genuine
Phishing attacks today are sophisticated enough to look entirely genuine. Account takeovers (ATOs) mean that sometimes the sender address doesn’t just look genuine, it is genuine, because the hacker has hijacked a real email account.
It’s cheap to register fake domains that seem real at first glance, and copying official logos, headers, and footers couldn’t be easier. Cyberthieves create legitimate-looking login portals and websites, sometimes complete with HTTPS “protection,” maintaining the facade of authenticity even once the victim clicks on the link and reaches a fake site.
Now that artificial intelligence (AI) is so accessible, hackers are using it to build “deep fakes.” These are deceptively real-looking images or audio recordings of the CEO, director, or another authority figure directing employees to change their logins, re-enter bank account details, or carry out other actions that hand over access to personal or business accounts.
Phishing attacks use sophisticated psychology
The hackers who send out phishing messages pay a lot of attention to their wording. They describe plausible scenarios — Nigerian princes aren’t likely to contact you, but Amazon might warn you that your package is held up; Microsoft could ask you to re-enter your login details; and your bank may be in touch to verify if you authorized a certain payment.
Phishing attacks use these and many more believable situations, carefully crafted to make you react instinctively instead of acting thoughtfully. Many phishing messages play on our very real fears; after all, delayed packages, fraud, and credit card theft are genuine threats.
There’s usually urgency in phishing attacks, designed to make the recipient feel stress. They offer a positive action you can take (renew your account, reship your parcel, protect your card) which is more attractive than stopping to think. The strategy, which often works, is to get the victim to click the link immediately in a panic, instead of verifying the authenticity of the message.
Phishing attacks are personalized
Another reason why only customized phishing awareness training is effective against today’s phishing attacks is that malicious actors include personal details in their messages, targeting specific individuals to make emails both more convincing and more likely to escape any anti-phishing net.
Hackers don’t send generic emails any more — they address the recipient by name, mention recent events in the recipient’s life, and often use details about their relatives, friends, or colleagues. For example, they might track the victim on LinkedIn and refer to a conference the person attended.
Phishing timing is personalized, too. Attackers will wait for a moment when someone is about to go on vacation and is rushing to clear their inbox, because then they’ll be under more pressure and more likely to click, or when the chief decision maker is out of the office, so employees are less alert. If your team is to stand a chance of learning to recognize these threats, your training simulations need to be personalized in the same way.
Awareness training brings the protection you need
It’s clear that while cybersecurity tools have advanced by leaps and bounds, so have phishing techniques. Tech alone can’t filter out phishing messages that are personalized, use sophisticated psychology, and have such a strong appearance of authenticity. But human phishing awareness training can equip your employees to see through the facade and keep your organization safe.