5 Steps to Targeting Newbies with Phishing Awareness Training
When it comes to phishing awareness training, new hires need special attention. While most may know what phishing is, many won’t have received formal training in recognizing and reporting a phish. This chart shows sample data from a Cofense™ customer whose newbies struggled to spot phishing emails during simulation training.
Before they develop bad inbox habits, it’s important to welcome your brand-new users to your training program, especially if your company has fairly high turnover. Here are 5 tips to make the transition smoother and, ultimately, help your security teams stop phishing attacks.
Step 1: Announce and Set the Stage
The first email you’ll send to new hires won’t be a simulated phish. During their first week of employment, new hires should get an email announcing the program and letting them know they’ll be participating. You can ask HR to include this in the orientation materials new hires receive. Or you can send your own announcement—Cofense PhishMe™ offers a template complete with announcement tracking (when a user reads the email, etc.).
The announcement is one of the most important anti-phishing emails you’ll send, just as essential as the phishing simulations to follow. When they read this email, some newbies will react by thinking, “Um, what’s phishing?” So you’ll need to define it for them before talking about your training program. You don’t have to give an encyclopedic definition, just a couple of sentences about what phishing is, why it’s dangerous, and why users need to be trained to spot it.
You’ll also want to cover:
- What the program entails—regular simulated phishes appearing in their inboxes, along with educational tips on what they did wrong and how to improve going forward
- Tips on spotting a phishing email—here’s an example:
- The importance of reporting suspicious emails and how to do it
- What happens after users report—how security teams close the loop
Step 2: Send the First Phishing Simulation
After 2 or 3 weeks of employment, it’s time for newbies to get their first simulated phish. Select a phishing scenario you use widely in training other employees. Make it an easy scenario, not anything technically difficult, and do the same for the accompanying educational content. You simply want new hires to learn what the phishing clues were and how to report them next time.
Here are 3 scenarios good for simulation newbies:
Pro tip: to simplify tracking in your overall program (for experienced users as well as new hires), use the same theme but vary the complexity. For instance, send new hires an easy “Over the Inbox Limit” phish and other users a more nuanced version of a fake internal message.
Step 3: Send Positive Reinforcement
During a group of new hires’ fourth week on the job, send an email to reinforce the what and why of your training. Begin by thanking new users for their participation, then quickly note some of the benefits: a more aware workforce, a more secure company, and valuable knowledge users can apply throughout their careers.
Be sure to include the educational content used in the first simulation. For users who proved susceptible, it will reinforce what they learned. For users who passed with flying colors, it will give them added knowledge to apply down the road.
Step 4 (Optional): Send a Second Simulation
Here you’re simply giving newbies another chance to practice, if you feel it’s needed. Use one of the simple scenarios shown in Step 2.
Pro tip: report on new hires’ progress separately from that of your other users. Besides learning exactly what you need to know about this at-risk group, you’ll get a more accurate picture of enterprise-wide performance. Because more experienced employees will handle simulations better, your enterprise metrics will look better with newbie numbers extracted.
Step 5: Graduation! Roll New Hires into Your Regular Phishing Awareness Training
Okay, no one ever really graduates from this kind of training. We’ll all be enrolled until email becomes extinct and phishing awareness is no longer needed. Until then, after 2 or maybe 3 initial phishing simulations, your new hires should be ready to receive the same simulations as everybody else.
In no time at all, the newbies won’t be new. But by then it will be time to train another batch of fresh recruits.