How to prepare for an effective phishing attack simulation

Here's what users need to know about phishing attacks before you send out a test email.


Over the last year I’ve noticed that small- to medium-sized organizations have done a better job reacting to vulnerabilities and zero days. As a result, attackers have pivoted to different methods. Rather than attack us through our operating systems, attackers have targeted remote control tools, our consultants, and most importantly our users via phishing attacks.

Companies have attempted to “patch the human” by using phishing simulations. These simulations are often less than ideal and sometimes unethical. Recently, GoDaddy sent phishing simulations to more than 7,000 of its employees. The phishing simulation was an email sent from the company offering a Christmas bonus of $650 and asking them to fill out a form with their personal details. Nearly 500 employees failed the phishing simulation.

The phishing simulation sparked a public backlash and was derided as tone-deaf because its content showed a lack of sensitivity to the economic hardships occurring in this pandemic time. The company apologized to its employees for its insensitive testing process.

Educating users helps keep your system secure, but your phishing lures should be sensitive to external issues and designed to educate, not shame the employee. See their failure to pass the test as your failure to train them and protect them. The key to good education is to not make it into an event that triggers a public relations incident, but rather a constant reinforcement technique.

A phishing simulation campaign can’t be effective unless you’ve properly prepared your users for it. Here is what you need to teach or provide before you test them.

Explain attacker methods and motives

Before launching a test, educate your users that attackers target them based on themes and behaviors. Attackers know what information people want. For example, we started 2020 with attackers pivoting to phishing lures based on COVID-19 themes such as offers of information from the World Health Organization or personal protective equipment.

As the year progressed, attackers pivoted to other headline-grabbing events such as the Black Lives Matter protests, and as the election drew near the phishing lures pivoted again. Educate your users to be aware that current news can be used as a lure, and that they should neither trust news links in email nor browse to such sites from a trusted machine.

Teach good password practices

Explain how attackers use those headlines as hooks to trick them into giving up their credentials and how that drives your password policy. We are at a bit of a tipping point in credential management. For many years, the standard process that we used to protect our credentials was to change them. Often. That led to credential fatigue whereby we would just slightly change our passwords by adding letters or characters. Now we see a pivot to more passwordless techniques as well as adding two-factor authentication to better protect our accounts. Make sure users understand the reasoning behind that shift.

Provide a set of trusted links

Educate your users to use a set of trusted links rather than clicking on links in emails. For example, if a user gets an email request to change a network password, they should know to use the trusted link rather than the one in the email.

Similarly, your administrators should set up a trusted administration workstation. As a network administrator who has to click on quite a few Microsoft administrative links, I now bookmark the links I use to enter the various administrative portals. Ensure that these links are opened only from a trusted administrator workstation, and do the same for PowerShell or other scripting tools: use, or remote into, a workstation that is secured and intended solely for that function.

Explain how to identify problem links

Educate your users to prefer links that use HTTPS over unsecured sites whose addresses start with HTTP. Determining whether an SSL certificate is valid and chains to a proper root certificate is difficult even for experts. The best you can do is teach users to confirm that a site presents a certificate and that the browser's padlock is shown. Alternatively, you can use browser tools to force the use of SSL.

Educate your users to hover over links before clicking. Even if you have link filtering enabled either in your email software or your firewall, ensure that your users know how to review links in emails. If they are in doubt, make sure they understand your vetting process, which may include forwarding emails for review.
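The two checks above (use a published set of trusted links, and inspect where a link really points before clicking) can be automated for the vetting queue. The following is an added example, not code from the original article or from any vendor product; the trusted-host allowlist and the sample message body are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Hypothetical allowlist of the hosts your organization publishes as trusted links (constructed).
TRUSTED_HOSTS = {"portal.example.com", "password.example.com"}
class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host_in_text(text):
    """Hostname if the visible link text itself looks like a URL or domain, else None."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return m.group(1) if m else None

def review_links(html_body, trusted_hosts=TRUSTED_HOSTS):
    """Return (href, reasons) for each link a user should not click without vetting."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        reasons = []
        if url.scheme == "http":  # unsecured link, the HTTPS point made above
            reasons.append("plain HTTP rather than HTTPS")
        shown = _host_in_text(text)  # what the user sees vs. what hovering would reveal
        if shown and shown != host and not host.endswith("." + shown):
            reasons.append(f"text shows {shown} but the link goes to {host}")
        if host not in trusted_hosts:
            reasons.append("not a published trusted link; use your bookmark instead")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample body (not a real message): a look-alike reset link beside the genuine one.
SAMPLE = ('<p>Your network password expires today.</p>'
          '<a href="http://portal.example.com.reset-login.net/">https://portal.example.com</a>'
          ' or <a href="https://password.example.com/change">change it here</a>')
```

Running `review_links(SAMPLE)` flags only the look-alike link, with all three reasons, while the genuine password-change link on the allowlist passes.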

[Image: Dashboard from Microsoft's Attack Simulator. Credit: Susan Bradley]

Do run random simulated phishing attacks on a regular basis and use the process for education, not for berating your employees. If you have access to Microsoft Defender for Office 365 Plan 2, you can run your test attacks through Attack Simulator in the Security & Compliance Center. 

Copyright © 2021 IDG Communications, Inc.
