Phishing Deep Dive: How to Effectively Phish Employees

Phishing is not about tricking employees into falling for your latest phishing simulation. Instead, phishing should be viewed as an opportunity to educate and prepare your employees to catch and report suspected phish. In this blog we’ll cover when employees are most susceptible to falling for phishing attacks and the 5 Rs of phishing to better ensure your phishing security awareness program will prepare employees to be your best first line of defense against cyber risk.


When are Employees Most Susceptible to Phishing Attacks?

When an employee falls for a phishing email, it is usually not because they don't know how to identify a phish; it is because of the circumstances under which they received that email.

Employees are most susceptible to falling for phishing simulations in the morning, after hours and when catching up. Let’s break down how each affects an employee’s ability to recognize a phish.

  • Morning

Before the first cup of coffee or starting their morning routine, employees are typically less alert and more prone to clicking on a phish. Advise employees to try to avoid checking their email until after they’ve had their first cup of coffee or half an hour after starting the workday.

  • After hours


Staying late to finish a project may be necessary at times, but it adds stress and can limit an employee's ability to think clearly when faced with a phish. Advise employees to avoid checking email after hours unless absolutely necessary.

  • Catching up

Catching up after a well-deserved vacation or trying to cram everything in before a vacation can lead to mistakes, like clicking on an obvious phish. Lifestyle changes like changing careers or getting a promotion can also be huge stressors that can leave employees less alert to phishing tactics. Taking a moment or two between tasks can help reduce anxiety and keep employees alert.

The 5 Rs of Phishing

Realistic

People have developed a perception of what phishing looks like. While the traditional phishing scams still exist, and employees will most likely receive them, try to challenge employees with emails that resemble real, difficult-to-identify phish. Incorporate clear calls to action and branding that closely resembles actual brands.

Relevant


Sending an employee in marketing a payroll phish won't mimic the real phish they are likely to receive. Craft phish that are relevant to the employee and their role.

Regular

Based on our research, we recommend phishing employees monthly to avoid frustration and best track results.

Randomized

Sending the same email to everyone in the office is not effective since not everyone is going to get the same email from cybercriminals. To best simulate a real phishing experience, phish employees on different days and at different times with different phish specific to their role!

Remediation

It's important to give employees the opportunity to redeem themselves after falling for a phish. By assigning remedial training, such as a course specific to the phish they fell for, and rewarding them for completing that training, employees are left feeling empowered and ready to defend the organization.
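As an added example (not code from the original post), here is a small scheduler that applies the Regular, Randomized, Relevant and Remediation points above: each employee gets one role-specific template per month at a randomized weekday slot, and anyone who clicks is mapped to the course for the template they fell for. The employee list, template names and course names are constructed placeholders.

```python
import calendar
import random
from datetime import datetime

# Constructed sample data: employees with roles, role-specific template
# names (names only, no email content) and the course assigned on a click.
EMPLOYEES = [
    {"id": "e1", "role": "marketing"},
    {"id": "e2", "role": "finance"},
    {"id": "e3", "role": "engineering"},
]
TEMPLATES = {
    "marketing": ["brand-asset-share", "campaign-dashboard-login"],
    "finance": ["invoice-approval", "payroll-portal-update"],
    "engineering": ["repo-access-request", "ci-build-failure"],
}
REMEDIATION = {
    "brand-asset-share": "course-spotting-fake-file-shares",
    "campaign-dashboard-login": "course-credential-harvesting",
    "invoice-approval": "course-invoice-and-payment-fraud",
    "payroll-portal-update": "course-credential-harvesting",
    "repo-access-request": "course-verifying-access-requests",
    "ci-build-failure": "course-spotting-fake-alerts",
}


def schedule_month(employees, year, month, seed):
    """One role-relevant template and one randomized weekday slot (09:00-16:59)
    per employee. Days are drawn without replacement while enough weekdays
    remain, so people get different days; the seed makes the plan auditable."""
    rng = random.Random(seed)
    weekdays = [d for d in range(1, calendar.monthrange(year, month)[1] + 1)
                if calendar.weekday(year, month, d) < 5]
    if len(employees) <= len(weekdays):
        days = rng.sample(weekdays, len(employees))
    else:
        days = [rng.choice(weekdays) for _ in employees]
    plan = []
    for emp, day in zip(employees, days):
        send_at = datetime(year, month, day, rng.randint(9, 16), rng.randint(0, 59))
        template = rng.choice(TEMPLATES[emp["role"]])
        plan.append({"id": emp["id"], "send_at": send_at, "template": template})
    return plan


def assign_remediation(plan, clicked_ids):
    """Map each employee who clicked to the course for the template they fell for."""
    return {p["id"]: REMEDIATION[p["template"]]
            for p in plan if p["id"] in clicked_ids}
```

Re-running with the same seed reproduces the month's plan, which is useful when tracking results over several months.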
