#HowTo: Enhance Your Phishing Training


A text message tricking users into paying for what they think is an undelivered parcel is one of the latest cons being exploited by criminals.

This scam underlines the importance of security awareness training — after all, the user is the first line of defense in cybersecurity.

As such, employee education should be the bedrock of any cyber resilience strategy. All too often, in-house IT security teams or specialist outsourcers focus on products and networks, rather than honing in on the user’s challenges.

There’s no use investing in sophisticated cybersecurity software and services if employees click on dangerous phishing links and grant cyber-criminals access to the business network. It’s like turning on a fancy home security alarm, but leaving a window open — you’ll be left playing catch-up after the bad guys get in.

In response, training providers are working in real-time to adjust the content in their courses and simulations to reflect the latest threat landscape — and businesses need to ensure they’re acting with the same level of agility.

Use Bitesize Sessions to Help Improve Learning

A comprehensive and consistent education program will improve employee vigilance and help to defend endpoints.

Focusing on the method of delivery, as well as the frequency of training, will deliver the strongest results. One route is to use ‘microlearning’: short modules of five to 10 minutes each. This method has been found to improve information retention and can be fitted into a busy workday.

In a world where employees crave career growth and development opportunities, microlearning suits time-poor schedules and will ultimately keep sensitive data safe, reduce stress and improve job satisfaction.

Alongside training, users need the ability to report attacks to the security team for follow-up in the simplest way possible.

Furthermore, business leaders should incorporate reminders and updates about cybersecurity into team meetings and company updates, underscoring the importance and purpose of investing in cyber resilience.

Keeping One Step Ahead Using Threat Intelligence

The threat landscape is constantly evolving. As new scams are identified, providers must be able to update their phishing kit simulations quickly and with no impact to the customer.

But why bother, you might ask, if one phish is no different from another?

Cyber-criminals make money from successful phishing attacks and are therefore constantly changing techniques and tactics to ensure the highest rate of return.

There’s evidence that while phishing attacks are easier than ever to launch with the availability of ‘all-in-one phishing kits’, the cost of sophisticated kits is rising.

Therefore, the criminal’s return on investment must increase in line. This trend is driving innovation and sophistication and pushing their efforts beyond a simple numbers game of saturation.

In response to this rising threat, training providers are also adapting. Updates to phishing kit templates can be made within hours — matching the pace at which cyber-criminals operate and new phishing emails are developed.

Using what we do at Webroot as an example, phishing emails are being identified on the dark web before being put into the public domain. This allows us to simulate the emerging scams in our programs. This disarms the phishers while forewarning potential victims.

Webroot analyses 500 billion+ data objects daily through machine learning, so real-world phishing attacks can be turned into a template that customers can use within minutes.

The Rise of HTTPS as a Phishing Threat

In their perpetual state of reinvention, cyber-criminals are now exploiting other means to catch out unwary phishing victims.

Users have learned to expect websites to use the HTTPS protocol to protect communications, but even this is being exploited — a trend that has exploded in the last year.

Criminals are using HTTPS on phishing sites to create a false sense of security for victims, and the encryption can also prevent many web filtering solutions from identifying and blocking malicious communications.

By the end of 2020, 54% of phishing sites used HTTPS, and we expect the majority of phishing attempts to use HTTPS this year.
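The point above, that a padlock says nothing about who is on the other end, is easy to demonstrate in triage logic. The following is an added example (not code from the article or from Webroot) for a team handling user-reported links: it contrasts a weak verdict that trusts any HTTPS URL with one that ignores the scheme and compares the registered domain against a constructed allowlist. The URLs and the allowlist are constructed sample data using reserved `.example` names; the two-label registered-domain helper is a deliberate simplification (a production version would consult the Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed sample of links a user might report from a "pay for your redelivery" text.
# All hostnames use the reserved .example TLD; none refer to real sites.
REPORTED_URLS = [
    "https://parcel-fee.example/redeliver",                 # HTTPS, attacker-controlled
    "http://parcel-fee.example/redeliver",                  # same site without TLS
    "https://www.example.com/track",                        # the organisation's own domain
    "https://www.example.com.parcel-fee.example/login",     # trusted name used as a subdomain
]

# Constructed allowlist of registered domains the organisation actually deals with.
TRUSTED_DOMAINS = {"example.com"}


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname (simplified; real code uses the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def scheme_only_verdict(url: str) -> str:
    """The weak heuristic the article warns about: treat anything served over HTTPS as safe."""
    return "allow" if urlsplit(url).scheme == "https" else "block"


def domain_verdict(url: str) -> str:
    """Ignore the scheme entirely; allow only if the registered domain is on the allowlist.

    Comparing the registered domain (not a substring of the hostname) also catches
    the case where a trusted name is merely a subdomain of an attacker's domain.
    """
    host = urlsplit(url).hostname or ""
    return "allow" if registered_domain(host) in TRUSTED_DOMAINS else "block"


def compare(urls):
    """Map each URL to (scheme-only verdict, domain verdict) so the difference is visible."""
    return {u: (scheme_only_verdict(u), domain_verdict(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strong) in compare(REPORTED_URLS).items():
        print(f"{weak:5} {strong:5} {url}")
```

Run as a script, the first column (HTTPS-as-trust) allows three of the four constructed links, including both attacker-controlled HTTPS URLs, while the second column allows only the organisation's own domain. The same registered-domain comparison is the check to teach users in plain language: read the domain, not the padlock.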

In this case, it’s plausible to suggest that training end users on technique changes can be more effective in preventing a phishing attack than deploying a firewall or low-grade anti-virus software.

Employees can be that critical layer of defense if they’re aware of the latest threats, as well as being trained to spot the traps laid by cyber-criminals. If it isn’t the Royal Mail scam, it could be a multitude of other threats.

Businesses must use up-to-the-minute phishing templates that are more realistic and effective as a training tool than outdated versions being used across many organizations.
