Businesses can implement the most advanced anti-spam software, email sandboxing, multifactor authentication, anti-phishing solutions, and endpoint security software and be well protected against email-based attacks. But even with layered security from multiple solutions, not every threat can be blocked, and some malicious emails will still land in inboxes, albeit in much smaller numbers. All it takes is one employee responding to a phishing message to give an attacker the foothold they need for a much more extensive compromise, and even a single compromised email account can result in a large and costly data breach.
As email filtering has improved, cybercriminals have changed their tactics and come up with novel ways to reach employees and trick them with social engineering. Voice phishing (vishing) and SMS-based phishing (smishing) have increased significantly, and the two are often combined: the initial contact is made by email or SMS and includes a number to call, and the scammer on the phone then tricks the employee into installing remote access software and granting access to their device.
Residents of several cities in the United States are currently being targeted in smishing attacks, with text messages warning them about unpaid parking tickets. The texts appear to come from the city's parking violations department and advise the recipient of an unpaid parking invoice or fine. As with many phishing attempts, there is a sense of urgency: the fine will increase by $35 per day unless the initial fine is paid. The text supplies a link for paying the fine, and that link uses a google.com open redirect to send the user on to the phishing site. Because the visible domain is google.com, which is trusted, the messages are often delivered without the link being disabled, even though the page the user ends up on is not hosted on google.com at all.
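The redirect trick above works because a filter that only looks at the link's own domain sees google.com and stops there. The check a practitioner actually wants is on the redirect target: a link on a trusted domain whose query string carries an absolute URL to some other site. The following is an added example, not TitanHQ's or SafeTitan's code; it assumes a small allowlist standing in for a filter's trusted-domain list and uses constructed sample texts (the parking-fine wording is modeled on the campaign described, but the URLs are invented). It does not hard-code a parameter name such as `q` or `url`, so it catches whichever name the next campaign uses.

```python
"""Spot trusted-domain links that are really open redirects.

Added example, not TitanHQ's or SafeTitan's code. Assumptions: a tiny
allowlist of "trusted" domains standing in for a filter's reputation
list, and constructed sample texts. Parameter names are not fixed:
every query value that parses as an absolute URL to another site is
treated as a redirect target.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumption: domains a naive link filter would wave through unchecked.
TRUSTED_DOMAINS = {"google.com", "www.google.com"}

# Grab anything that looks like an http(s) URL in free text.
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: last two labels. Fine for this demo, not for .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def redirect_target(url: str) -> Optional[str]:
    """Return the external URL hidden in a trusted-domain link, else None.

    parse_qs percent-decodes values, so an encoded
    q=https%3A%2F%2Fevil... is seen the same as a plain one.
    """
    outer = urlparse(url)
    host = (outer.hostname or "").lower()
    if host not in TRUSTED_DOMAINS:
        return None
    for values in parse_qs(outer.query).values():
        for value in values:
            inner = urlparse(value)
            if inner.scheme not in ("http", "https") or not inner.hostname:
                continue
            # Bouncing within the same site (google.com -> support.google.com)
            # is not an escape to an attacker-controlled host.
            if registrable_domain(inner.hostname) != registrable_domain(host):
                return value
    return None


def scan_message(text: str) -> list:
    """Return one finding per link that bounces off a trusted domain."""
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")  # trailing punctuation from the sentence
        target = redirect_target(url)
        if target is not None:
            findings.append({
                "link": url,
                "lands_on": urlparse(target).hostname,
            })
    return findings


# Constructed sample texts; not real campaign data.
SAMPLES = {
    "smish": ("City Parking Violations: your invoice is unpaid and increases "
              "$35 per day. Pay now: https://www.google.com/url?q="
              "https%3A%2F%2Fcity-parking-pay.example%2Finvoice."),
    "benign_same_site": ("Help article: https://www.google.com/url?q="
                         "https://support.google.com/accounts"),
    "direct_link": "Pay here: https://city-parking-pay.example/invoice",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, scan_message(text))
```

Only the first sample is flagged: the smishing link resolves to `city-parking-pay.example`, the same-site redirect is left alone, and the direct link to an unknown domain is deliberately not this check's job (ordinary domain reputation covers it). In production the allowlist would be the filter's own trusted list and the crude two-label domain comparison should be replaced with a public-suffix library.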
To combat these forms of phishing, businesses need to ensure employees are aware of the threats and understand that phishing can arrive through any form of communication, not just email, and that means providing security awareness training to the workforce. Unfortunately, providing training just once or twice a year does not necessarily have a significant impact on susceptibility to phishing. A once-a-year training session was once considered best practice, but it is no longer sufficient given the rapidly changing threat landscape, the volume of threats, and the use of AI tools to create new social engineering methods and flawless phishing communications.
Traditionally, businesses conducted security awareness presentations or annual training courses in which employees were given in-depth information about the threats they should be aware of, how to identify them, and what to do when a potential threat is encountered. The problem with this approach is that much of the information is not retained and is likely to be forgotten within days of the session. At best, understanding improves a little; the approach does not drive the behavioral change the training is intended to achieve.
Further, the threat landscape is constantly changing as threat actors develop new attack methods. To be effective, training needs to be an ongoing process, with the workforce kept up to date on novel threats and changing tactics, and with the training reinforced regularly.
The best approach is computer-based training delivered in short modules that can be completed on an ongoing basis. A couple of short modules each week will do far more to change employee behavior than an annual session. Shorter, more engaging content keeps employees' attention and helps them retain the information and apply it once the training is complete.
Quizzes are useful after a training course to check whether the content has been understood, and training should be followed by phishing simulations to give employees practice at recognizing phishing attempts. If a phishing simulation is failed, it should trigger further training, ideally immediately.
With the SafeTitan security awareness training platform it is easy to create and automate ongoing training courses, tailored to the employee’s role to keep it relevant. Training courses can be created from a huge library of training modules, with each training module lasting no more than 10 minutes to keep the employee engaged. Training courses can be easily updated in response to new threats, as new training modules are regularly added to the library in response to the latest threat intelligence.
The platform also includes a phishing simulator, with internal phishing campaigns easily created and automated. The SafeTitan platform can also generate an immediate training module in response to a failed phishing simulation or a detected risky behavior, ensuring relevant training is delivered at the point where it is likely to have the greatest effect at changing behavior.
Phishing is the most common way that cybercriminals steal data and gain a foothold in a network, and attacks are on the rise, so it is important to ensure that your defenses are up to scratch. TitanHQ can help by providing cutting-edge anti-phishing solutions and providing a highly effective training platform to improve your human defenses.
Give the TitanHQ team a call today to find out more about implementing a new security awareness training program with SafeTitan and improving your technical defenses with cutting-edge email and web security solutions.