Why You Should Be Phishing Your Employees

What Is Phishing?

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
Wikipedia

How Does Phishing Affect My Organization?

According to the 2015 Verizon Data Breach Investigations Report (DBIR), phishing is still a popular and effective attack technique, with 23% of recipients opening the messages and 11% opening the attachments. Also according to the report, it takes on average just 82 seconds after the email arrives for the first 'clicks' to occur, and the estimated cost for 1,000 lost records is between $52,000 and $87,000 ($52 to $87 per record).

What Can I Do?

By proactively phishing your organization, you can alert the organization to the threats posed by a phishing attack (credential harvesting, malware installation, etc.), find out how your organization would respond to an actual phishing attack, and gather real-world data that can be incorporated into your ongoing training program for existing employees and onboarding training for new employees. When you weigh the cost of a breach against the cost of phishing your own employees to help mitigate or eliminate the threat posed by a malicious phishing attack, the value becomes very clear.

A recent example of a phishing attack was against Snapchat, reported by V3 on 29 February 2016. According to the article, an attacker was able to convince a Snapchat employee to send employee payroll details as part of a phishing scam. Fortunately, no client data was disclosed and Snapchat was able to provide identity theft protection to the affected employees, but that is not always the case.

Others were not so lucky. The executive director of finance at a New Zealand finance institution called Te Wananga o Aotearoa left her job when she sent $118,000 to an offshore bank account after receiving an email that appeared to be from the firm’s chief executive telling her to move the money.

In related news, we are seeing a rise in the number of organizations specifically requesting phishing campaigns, either as part of a larger engagement or as a stand-alone engagement. These campaigns are run either to build a baseline before incorporating a cyber security training program into existing employee training material, or as a follow-up to previous campaigns to measure the effectiveness of the training.

  • Additional information on the Snapchat incident is available here
  • The 2015 Verizon DBIR is available here