If you run an anti-phishing program, you’ve probably run into this. You want to impersonate internal teams in your phishing simulations, because that’s what attackers do. But you get pushback:
“We can’t use that scenario; the HR/IT/Compliance/Finance Department may take offence.” Or, “We just updated our payroll system, and that scenario looks a lot like the messages it sends, so we can’t use that one.”
And so you eliminate one scenario after another. Yet attackers impersonate those very departments. They take advantage of changes in your environment and craft spear-phishing messages that mimic exactly those situations.
5 Steps to Getting the Green Light
Deciding on the right scenario to use and when depends on the department or function you want to impersonate: their risk profile, previous scenario results, time of year, and current threats. The list goes on.
How can all the pushback and objections be minimised? How do you ensure that your departments are not offended?
There are a few simple steps, which, if taken from the outset, will make the process of selecting and running scenarios less of an ordeal. They apply not only to simulations spoofing internal emails but to any simulations your program might use.
- Communicate Program Objectives – No one likes to be caught off guard. Gain support for your anti-phishing program by identifying the key stakeholders and communicating the organisational anti-phishing objectives. If you’re going to impersonate HR, explain why it’s important to do and give HR time to prepare—for example, alerting appropriate HR staff so they’re not surprised. Of course, before launching your anti-phishing program you’ll want to inform the targets (employees) that the organisation has made this investment and explain their security responsibilities.
- Develop an Action Plan – The saying “If you fail to plan, you plan to fail” applies to anti-phishing programs as well. Plan your program in advance. This will serve as a reference and define the direction of your anti-phishing efforts.
- Review & Revise the Plan Regularly – Nothing is set in stone and the threat landscape is ever changing, so be prepared to revise your program. Consider the triggers which will prompt a program review, take note of them, and revise accordingly.
- Publish the Results – Your employees most likely want to learn how they’re doing. Make the learning process fun! Let people know how they’re doing and how their behaviours impact the overall resilience of the organisation.
- Recognise (and Maybe Reward) – Some users will think that simulations are just a way to trick them. You can counter that by recognising good behaviour and appealing to users’ competitive streaks. Everybody has one, even if it’s small. Entertaining rewards will keep your users engaged and build goodwill.
It also doesn’t hurt to keep reminding people that the threat is always out there. Remind them of all the emails they’ve received about the delivery of packages they didn’t order, payment notifications for money they were not expecting, invoices they never asked for, or file shares that had nothing to do with them. Those were from attackers imitating not only departments, but sometimes, whole organisations.
Financial organisation employees, for example, receive a plethora of phishing emails claiming to be about SWIFT transactions, invalid payment details, and notices from other banks. They may also receive genuine emails about these same subjects. It is therefore important for them to be able to tell the difference between a genuine email and a fake one. The only way to ensure this happens is to condition employees by running simulations that impersonate departments, reflect organisational changes, or focus on newsworthy events.
If everyone is on the same page from the beginning, scenarios that impersonate internal departments and developments will be a welcome addition to your anti-phishing arsenal.
To learn more about anti-phishing programs, view the most recent Cofense Phishing Resiliency and Defense Report.