Ask most employees and they will tell you what phishing is and why it’s bad. Yet phishing is still a top cybersecurity concern for any organization. I recently conducted several mock phishing campaigns that revealed common problems that prevent employees from successfully combating phishing attempts.
Phishing is a deceptive attempt to pose as a reputable entity or person in electronic communications such as email, IM or social networks. Most employees know exactly what phishing is and why it’s bad. They may even have a story about how a customer, vendor or friend fell for a phishing scam. Yet phishing is still a top cybersecurity concern for any organization.
Recently I sent several mock phishing emails to my entire company, with some very interesting results. Before any campaign, McKenney’s started out with a failure rate of approximately 60%. After communications from the Technology department and later Marketing, our failure rate was below 30%. To further decrease that rate, we started sending quarterly tests, offering training at department meetings and creating simple posters that explained the types of phishing. I’m proud to say McKenney’s consistently has less than a 10% failure rate across the company.
The top three things I learned from the 10% who failed, and even from some of the successes, are:
- Awareness is great, but still people aren’t hovering over links
- Employees don’t know they can preview links on phones/tablets, so they simply click on everything thinking mobile devices are more secure
- Urgent emails still get people to take an action, even when they know they shouldn’t
All the news headlines, internal training and personalized communication efforts have raised awareness of the perils of phishing. Like any skill, however, one must practice hovering over links to make it a Habit with a capital H. Can you say you hover over every link every time before clicking on it? If not, you’re opening yourself and your organization up to unnecessary risk. The simple act of hovering over links will save you a lot of time and trouble. When you hover over a link, always make sure the link matches what you’re expecting. Additionally, the first part of the link (the domain, i.e. the host name that comes right after "https://" and before the first "/") should always be the company of the sender. This can be tricky on very long and confusing links, so focus on the beginning of the link rather than on anything that appears later in it. These tips will prevent you from being the victim of the next phishing scam.