Get a free application, infrastructure and malware scan report - Scan Your Website Now

Tips to Prepare for an Effective Phishing Attack Simulation

Posted DateOctober 6, 2021
Posted Time 3   min Read

94% of malware comes via email and 32% of security breaches in 2019 included phishing, according to statistics, and while there has been a big improvement in the way SMEs respond to vulnerabilities and even zero-day attacks over the course of the last year, the result of which is that attackers are changing the focus of their assaults from the operating system to a remote control tool and consultant and changing to phishing attacks that target users.

Businesses have responded to this change by making use of “patch the human” phishing attack simulations, but these are frequently ineffective and sometimes even unethical. The system can be kept safe by staff training but phishing bait needs to keep external issues in mind with the focus of design being on training staff rather than shaming them.

Employees who do not pass a phishing simulation are a demonstration of the way in which the company they work for has failed in their effort to train and protect them. Education needs to be a continuous reinforcement technique in order to succeed, not just an event that catches the attention of the public and results in accidents.

A phishing simulation campaign will not succeed unless there is proper use preparation, so it is important for companies to be aware of what they need to provide or teach before testing their employees.

Explaining the motivation and technique of attackers

Before they start a phishing simulation test the attacker needs to understand the concept of attacking users based upon certain behaviors and topics. Attackers should understand the type of information that people actually want. Over the course of the last year real attackers have used phishing bait based on everything from the pandemic to the US election.

Users should be educated so that they are aware of any news that could be made use of as phishing bait and to distrust news that comes in email links and avoid visiting sites that are offering this type of news.

Strong passwords are essential

Attackers use such sites as a way of tricking users into inputting authentication data, and it is important to explain the way in which this is dealt with by password policies. This is near the tipping point in regard to authentication information management, with one long-standing process method for the protection of authentication information being to ensure that information is changed on a frequent basis.

However, this method can result in authentication information fatigue, and these days other protections that are used include two-factor authentication and technologies that do not use passwords at all. It is important for companies to make sure that users have an understanding of these changes.

Trusted links

Users should be taught to make use of a small number of trusted links and to avoid clicking on links that are included within emails. For instance, if a user receives an email instructing them to change their password, that password should be changed via an established link rather than one included in that email.

It is equally important for administrators to have a management workstation that they trust. Network administrators may need to click on various admin links, and it is a good idea to use bookmarks to enter admin portals. It is important for such links to only be opened via a trusted location. Make use of a workstation that is dedicated to that function, and sufficiently protected, or use remote access.

Identifying malicious links

Users should be taught to only ever visit links that begin with the standard HTTPS and to never visit unprotected sites that only use HTTP. Even experts can find it difficult to check if an SSL certificate is genuinely appropriate and linked to the correct root certificate, so the best that can be done for users is to teach them to check that sites come with a padlock symbol and site certificate. Another method to ensure compliance is to use a browser tool that forces SSL use.

Users need to be taught to hover their mouse cursor on top of the link before clicking on it, as even if you have a firewall or link filtering turned on in your email software, users should still know how to check for links within emails.

Conclusion

Random simulated phishing attacks should be run on a recurring basis, but the process needs to be employed in order to educate workers rather than to berate them.

Indusface offers penetration testing services that can perform a phishing attack simulation and determine the employees who may need additional training.

These services also help to test your company’s email defenses in addition to checking how capable your firewall is, identifying website defense gaps and test and detail how malware such as the likes of ransomware, spyware, viruses and worms are spread throughout your devices and if your security solutions are up to the task of detecting and preventing the spread of malware.

web application security banner

Lindy

Share Article:

Join 51000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

Serialization Attacks and How to Prevent Them
Understanding Serialization Attacks: Risks, Examples, and Prevention

A serialization attack exploits vulnerabilities in serialization processes to manipulate data or gain unauthorized access, posing significant security risks.

Read More
Georgia Web Attack
Georgia Web Attack: Overview of The Attack

Largest cyberattack hit the country of Georgia on Oct 28, 2019. Lean what caused this attack, lessons learned from Georgia attack and what can be done better.

Read More
CISO Responsibilities
CISO Responsibilities and Questions to Ask

Beefing up the security of your website is a necessity in today’s rapidly-changing digital landscape, but do you need a CISO?

Read More

AppTrana

Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Get Started for Free Request a Demo

Gartner

Indusface is the only cloud WAAP (WAF) vendor with 100% customer recommendation for 4 consecutive years.

A Customers’ Choice for 2024, 2023 and 2022 - Gartner® Peer Insights™

The reviews and ratings are in!