Why You Should Try to Trick Your Employees (Before Real Criminals Do)

July 16th, 2018
Why You Should Try to Trick Your Employees (Before Real Criminals Do)

Have you heard of phishing?

Even if you haven’t ever heard of the term, you’re almost certainly familiar with what this type of scam attempts to do. “Phishing” is the term that refers to scams that try to get private data from people in order to access bank accounts, steal identities, collect money from them, etc.

Often this happens through email, but sometimes it involves phone calls. And, increasingly, we see it happen through text messages.

The goal is the same no matter the delivery, though -- tricking well-meaning people into giving up sensitive data like passwords and financial information.

Phishing Then and Now

Phishing is not new, of course, and the first recorded mention of this variety of scam occurred in 1996, well before many people were online. As internet and email access expanded rapidly in the decade following and then exploded with the advent of smartphones in 2007, phishing attacks have grown frighteningly commonplace.

And they continue to evolve…and expand. Phishing attempts are becoming more sophisticated and more realistic all the time. So much so that even employees with traditional cybersecurity training have occasionally been reeled in.

So, what are the current threats?

Attacks today employ a wide variety of techniques and have complex names that are enough to make your head spin. Some of the terminology like session hijacking and content injection sounds like technological jargon to most of us, while others such as vishing (voice phishing over the phone) and smishing (SMS text message phishing) just sound ridiculous.

Unfortunately, they are all serious threats to your business’s cybersecurity, and there are many more.

The email your CEO didn’t send

Social engineering and, more specifically, CEO/Manager fraud are current phishing threats that specifically target employees as they go about their regular work duties. These targeted scams use publicly available information about companies from business directories or the company’s own website to take advantage of staff members’ willingness to help a customer or satisfy their boss. Pretty horrible, right?

Often deployed via email, though sometimes involving text messages and phone calls, too, CEO/Manager fraud attacks attempt to coerce employees to make cash transfers directly to a scammer’s bank account. The scary thing is that it has been proven to work on a regular basis.

Would your financial and accounting employees or others with access to your payment accounts be able to recognize this type of scam and shut it down before literally handing thieves your company’s money?

The only way you can fight back against the con artists and is to give your employees the necessary knowledge to recognize a scam when it floats into their email inbox or flashes across their phone in the form of a text message.

The best answer today is simulated phishing.

If you’re committed to keeping your company safe from external cybersecurity threats, you need to be presenting your employees with mock scams on a regular basis.

You need to be phishing your own organization.

Wait…what?

Don’t worry -- you won’t actually be stealing your employees’ sensitive information. You’ll just be teaching them how to inspect emails for telltale signs of fraud by testing their knowledge and what’s known as “experiential learning.”

“This is only a test.”

Simulated phishing means testing your employees’ ability to recognize dangerous messages that might have infected attachments or that ask for information that should never be shared via email or text. These messages generally contain a variety of red flags that are easy to spot for anyone with experience but are maybe not so immediately obvious to the untrained eye.

Because human error is one of the leading causes of data breaches, it’s not an exaggeration to say that the practice of simulated phishing could save your business. 

Human error is cybersecurity’s biggest enemy

It’s important to remember that even smart, careful employees are more likely to fall for scams when they’re feeling rushed or stretched too thin in their jobs.

Take a look at the email below. Without cheating (and checking your inbox for emails from Amazon), can you tell if this email is legitimate or a scam?

This was a tough one, wasn’t it? It is a scam, and one that many people have fallen for because of human error. Even people who have had some cybersecurity training.

Training gives your busy workers a solid foundation to avoid cybersecurity threats and keep scammers from damaging your business even when they’re working at a light speed pace. Plus, an investment in your employees’ training shows them you care about their livelihood and goes a long way toward embracing a company culture that values people first.

Isn’t tricking your employees mean or illegal?

You might be worried that “tricking” your employees with simulated phishing tests is mean or maybe even illegal. But it’s neither of those things. In fact, simulated phishing has been proven by many small and medium businesses like the ones we work with most closely to be a positive training and education experience for employees.

The key is to implement the tool in a transparent and fair manner. And train. And train again – both before beginning testing and any time an employee fails a test. This helps develop the core cybersecurity mindset of staying alert.

Think again about your financial and accounting employees for a second – how do you think those people would feel if they unknowingly contributed to a huge loss for your company? They may have just cost themselves their job when they were actually trying to do good work. Simulated phishing attacks against these employees empower them with the ability to spot scams and avoid unwittingly causing harm to the company.

“This sounds expensive!”

Spoiler alert: it’s not.

Think about it this way, how much money would your business lose from just a single data breach?

Industry studies have found so far that the full financial impact of a single data breach tends to range between $82,200 to over $250,000. And that’s probably a lot more than you’ll ever have to spend on ongoing training.

In fact, a recent study on the cost of data breaches shows that security awareness training that includes simulated phishing yields up to a 37% return on investment for businesses.

Here at Antisyn, we believe so strongly that simulated phishing is an essential piece of the puzzle in protecting your business, that we include it at no additional cost for our clients.

It’s an Important Piece of the Puzzle – But it’s Just One Piece of Cybersecurity Training

Simulated phishing will not feel mean or wrong to employees who have been adequately trained and prepared for testing ahead of time! It is just one piece in a coordinated security awareness training process that seeks to educate employees through direct experience instead of passive instruction, which experts have found vastly increases retention of material. Think about it. How much do you learn from watching training videos vs. actually being able to try something out for yourself?

How you can get started

As we’ve mentioned, there are two essential pieces in the process of simulating phishing attacks against your employees – training and deploying the mock attacks in a cyclical pattern. And there are a number of paid third-party services on the market that you can use to implement both of those pieces.

Or, you can give us a call, and we’d be happy to help. We offer Jacksonville businesses a free IT Strategy & Cybersecurity consultation to help them determine where their weak spots are and what they need to do moving forward.

Antisyn is here for you, Jacksonville businesses

Want to find out more or have questions about developing and implementing a full IT strategy for your company? Antisyn is here to help for Jacksonville area businesses. Our IT services include full IT support, IT strategy, and cybersecurity services. Get in touch with us to find out how we can help.