Cybercriminals bombarded organizations with attacks while the whole world was busy fighting a global pandemic in 2020. The worst part is that they were immensely successful, there were more than 37 billion records compromised by the end of the year.

Out of all of the different types of attacks that hackers have to choose from their utility belt, one particular technique was more heavily relied upon than others.

Almost a quarter of all breaches from 2020 involved phishing. 75% of organizations across the globe admitted to experiencing a phishing attack in 2020. 

After reading the statistics that I’ve given thus far, it’s hard not to get worried about your organization from a cybersecurity standpoint. But, I’m not done.

A Stanford University study found that almost 90% of data breaches happen from mistakes made by employees. 

Now, I didn’t just throw that last statistic in to pit you against your team. You should trust your employees. If you don't, you'll quickly head down the path of creating an ineffective work environment where your team doesn't have any motivation because they have so many safeguards placed on them that they don’t have any individuality at their job.

Instead, what I’m trying to point out is that operating your modern-day organization also means that you have to ensure you’re mitigating as much risk as possible from a cybersecurity standpoint.

But how do you mitigate the operating risk of your employees? You don’t have enough time or mental capacity to hover over each workstation, ensuring that they’re following all of the right cybersecurity protocols.

The answer is simple. Employee training.

Now, although the answer to mitigating employee operating risk is training...there’s another jarring statistic that I have to point out to you that throws a wrench into all of this momentum we’ve built up.

95% of organizations state that they deliver phishing awareness training to their employees.

How is it possible that so many employees already get trained on a common technique that hackers use and still end up causing a breach?

Although the answer to that question isn’t as straightforward as the other one, it’s relieving to know that it exists.

Giving your employees phishing training on an annual basis is great. If you’re already doing that, you’re ahead of the game. But, it’s not enough.

The content that’s getting taught is the most important aspect of phishing training for your employees. Frequency comes in second in that regard.

The topics that you teach your team, how up-to-date they are and how they’re presented all have an impact on retention. Luckily, this blog post exists to give you the topics that your phishing training needs to include.

• Topic: An Overview of Phishing

• Topic: Types of Phishing

• Topic: Real-World Examples of Phishing

• Topic: How To Prevent Phishing

• Topic: How To Report Phishing

• Topic: What To Do If You Fall Victim to Phishing

• Feature: eLearning

• Feature: Interactive Questioning

• Feature: Real-Time Reporting

• Feature: Certification Upon Completion

• Feature: Simulation to Track Comprehension

• Conclusion

Although it’s been around since people could interact with each other on the internet, people often confuse phishing with its more specific types.

As a general term, NIST defines phishing as, “Tricking individuals into disclosing sensitive personal information through deceptive computer-based means.”

In other words, phishing is a generalized term for a type of cybercriminal activity...usually on a large scale. Most of the time, the bad actor prepares for and plans a phishing attack on a large scale. They figure out what they’re going to do, make any necessary deceptive copy and/or landing pages, and queue up their attack on a massive scale.

The first and last part of the previous sentence is important. 

How the bad actor carries out their attack and who they target as victims categorizes their phishing attempt.

You must indicate that phishing is a general term for a type of cybersecurity attack in your training. That way, it will be easier for your team to understand that many different types of phishing attempts occur.

Since phishing is a general term for a common type of attack that hackers rely on, there are more specific types that your training should cover.

There are 14 types of phishing that cybersecurity professionals use to help define different attacks that affect organizations that they work with...

• Angler Phishing: Attackers pretend to be customer service representatives to lure the victim into giving them personal information.

• Business Email Compromise (BEC): Sending an email as a representative of a business, asking for urgent action.

• Clone Phishing: Hacker makes a replica of a legitimate email that’s sent from a trusted organization/account.

• Domain Spoofing: Attacker mimic’s a company’s domain design and/or address to capture sensitive login information.

• Email Phishing: Attempt to steal sensitive information via email, en masse.

• Malware Phishing: Attacker includes a malicious link or attachment that injects malware into the victim’s system.

• Malvertising: Publishing of normal-looking advertisements that disguise implanted malicious code.

• Man-in-the-Middle Attack: Monitoring correspondence between two unsuspecting parties, usually happening over a phony Wi-Fi connection.

• Pharming: Rerouting of legitimate web traffic to a spoofed page, that oftentimes steals sensitive information without the user’s knowledge.

• Search Engine Phishing: Cybercriminal creates a fraudulent web page that’s designed to collect personal information and/or payment information. The webpage lands in organic and/or paid search engine results.

• Smishing: Attacker sends a malicious link via SMS that’s often disguised as account notices, prize notifications, and political messages.

• Spear Phishing: Highly targeted, well-researched phishing attacks.

• Whaling: A Spear Phishing attack that’s focused on business executives, public personas. and/or other lucrative targets.

• Vishing: Phishing over voice. The attacker calls the victim and pretends to be technical support, a government agency, or other organization to try and extract sensitive information.

I’ll admit, some of the different types of phishing attempts bleed into one another (i.e. Spear Phishing and Whaling).

Regardless, covering all of the different types helps your employees understand just how crafty hackers can be. Not to mention the fact that it’s helpful to know what to look out for from an awareness perspective.

After explaining to your team the different types of phishing that exist out there, you have to make them real.

The only way to connect rhetoric with reality is by tying in examples of successful phishing attempts that have happened in the real world.

What kind of examples do you include?

Well, if you read the introduction (I’m going to assume you did because I’m very proud of it) you’ll notice that it’s entirely based on recent statistics.

Those statistics helped guide me to the entire point of this blog post, which is that the topics you cover during the phishing training you give to your team matters.

You should take that same approach in the training you give your employees.

Start with some overarching, real-world statistics that help drive your narrative such as…

• The FBI determined that phishing was the most common form of cybercrime in 2020.

• Businesses lose almost $18,000 every minute due to phishing.

• Microsoft is the most impersonated brand in the world.

• As of January 17, 2021, there are 2.1 million phishing websites registered by Google.

• 96% of phishing attacks arrive via email.

Each of those statistics was a runner-up to the ones that I included in this blog post’s introduction. They’re equally as impactful but didn’t help me drive home my point.

However, you can use them in your phishing training as a way to introduce the grim reality of the world’s most popular type of cybercrime.

After that, you’ll need to switch gears toward actual examples of successful attacks on organizations. The stories you give don’t have to be 100% related to your industry. However, they’re more impactful.

Don’t worry, I have some real-world examples queued up for you too…

• The spear-phishing attack on Sony’s system engineers, network administrators and others in 2015 that stole gigabytes of files.

• The spam campaign that exposed almost 25,000 of Saint Agnes Health Care, Inc.’s patient records.

• Iran’s successful targeted attack against military personnel on Facebook where they sent malware files via direct messaging.

• The Business Email Compromise (BEC) campaign that resulted in a $2.3 million out-of-pocket cost for Manor Independent School District in Texas.

Since you’re training your employees on such a common type of cyber attack, you’ll be able to find real-world examples regardless of what industry you serve. The little amount of research that you’ll have to conduct will be worth it because each story you explain will have a lasting impact on your employees.

So far, everything that you’ve covered from a training perspective has been pretty dark. If you ended your training after going over the last topic, your team would have a feeling of existential dread wash over them.

They wouldn’t feel like there’s any real way to combat phishing and that it’s only a matter of time before they accidentally help cause reckoning on your organization.

That’s no way a training module should end. Your team needs to feel motivated and ready to take on whatever conflict they’re learning about. Luckily, your training isn’t going to end on a bad note.

The next topic you need to ensure that your phishing training goes over is how to prevent it from happening.

Although technical, one of the best ways for prevention is through identification. You see, nothing happens in a phishing attempt if the potential victim doesn’t participate.

This type of cybercrime is only successful if the victim falls for the social engineering tricks that the hacker tries to pull.

In other words, providing the definitions of the different types of phishing isn’t enough. You also need to include and explain examples of each type.

The image above is a real example of a phishing attempt that one of the members of our organization received. It’s a classic example of clone phishing, based on the definitions I provided in a previous section.

Now, to stay within the scope of this blog post. I’m not going to break down the attempt itself. Instead, what I’m going to do is get to the point I’m trying to make. You don’t have to research for an example of each type of phishing attack.

There’s a good chance that you’ve experienced phishing attempts at your organization before. Take screenshots of each of them and explain them to your employees.

Once your employees understand how to identify each type of phishing, they’ll need to know what to do about them.

Although it’s the easiest route, they probably shouldn’t just ignore all of the attempts they receive and move on with their day. Since phishing attempts happen on a large scale, the odds are good that multiple team members receive the same scam campaign.

As a result, you need to ensure that everyone’s on the same page on the proper course of action if they come across a potential spam campaign.

This is the perfect location to throw in your organization’s security notification policy if you have one.

If you don't, you craft your own, unofficial one just for this training.

Don’t worry, I have an example one for you…

1. Contact your supervisor of what came across your inbox.

2. Notify your IT department with a screenshot of the email.

3. Click on your email provider’s “Report Spam” button.

4. Report the email/text message on the FTC’s official site, www.reportfraud.ftc.gov

Not having a policy for phishing attempt reporting just means that your compliance department has some work to do. In the meantime, though, including the step-by-step instructions above should suffice for this section on reporting.

Even if you provide the most engaging and interactive phishing training for your employees, there’s still a chance that one of them will inevitably fall victim to an attempt.

There’s always going to be an operational risk when it comes to anything cybersecurity-related. Although it’s a harsh reality, it means that you need to train your employees on what to do if they fall victim to a phishing attack.

Even if they aren’t on the job when they fall for this type of scam, reaction steps are helpful to know.

Like the previous section, if you have a reactionary policy in place...this is the appropriate place in the education session to explain it.

If you don’t, here are some steps you should include…

1. Identify the members of your security team.

2. Explain what happened to your supervisor.

3. Notify your IT department

After falling victim to an email scam, there isn’t much the victim can do other than notify the right parties within your organization. But, if they don’t know who to contact, who knows how long your organization will be at risk.

Other than what topics to touch on during the training session you provide, there are features that it should include as well.

The reality is, in-person training isn’t as effective as it used to be because the alternative is that much better.

Think about it.

When you were in high school, learning about a topic because you had to, what did you do? If you’re like most adolescents, you spent your time daydreaming about what you could be doing instead.

To further prove my point, a Gallup survey had high school students select the top three adjectives that described how they felt about their education. The word chosen most often was “bored”.

Anyway, if your training is in person, there’s a high chance that giving a similar survey to your team after it’s over will produce similar results.

Enter eLearning.

eLearning is the new, modern way to train your team on important topics that they need to know about...like phishing.

The average retention rate for students who take eLearning is 3x higher than those who take in-person classes.

I haven’t even mentioned the fact that organizations and their teams save more time by focusing on eLearning. By offering an online course, your team can take the training when they have time. Thus, saving the organization money in the long run.

Almost 45% of organizations that switch to eLearning report an increase in revenue after switching to eLearning.

When I was talking about eLearning in the section before this one, I wasn’t referring to a pre-recorded slideshow presentation with an instructor who has no enthusiasm for the topic.

Instead, I was referring to the kind that brings together engaging videos with questions.

Think about how much more impactful it is to require interaction with the session from your team before moving on to the next topic.

There have been countless studies that look at the relationship between student engagement and their success, only to find that there’s a strong correlation.

Thus, your phishing training in an eLearning format should utilize this capability.

There have been countless studies that look at the relationship between student engagement and their success, only to find that there’s a strong correlation.

Thus, your phishing training in an eLearning format should utilize this capability.

Another feature your eLearning phishing module should include is real-time reporting.

There’s no way to track your team’s retention rate during an in-person session. Even though you’re looking right at them and talking to them, they could be daydreaming or using the computer they have out for notes to plan their next vacation.

With an eLearning phishing module, retention becomes trackable.

If your employees aren’t paying attention to an eLearning platform, the module won’t proceed until they interact.

It also provides the ability to ask quiz questions throughout the session that relate to the topics discussed. This acts as an immediate review of the material while giving your management team a glimpse into which employees aren’t grasping the content.

Providing your employees with a certification upon completion accomplishes two things.

First, it gives those who complete the training session a sense of accomplishment and motivation. Some eLearning platforms even allow users to share their certifications across social media.

Second, certifications act as a form of proof for your organization. If someone only in our team falls victim to a phishing attempt and it ends up exposing sensitive client information, you’ll have to deal with an investigation.

The person investigating you will take a look at all of the safeguards you’ve put in place to remedy some of your operating risks. Having your employee’s certifications of completion for your phishing module exists as a form of proof.

Thus, you’ll likely have a lesser fine placed upon your organization due to your remedial steps and proof of the same.

Since the majority of phishing attempts occur via email, it provides you with a unique simulation opportunity.

You see, you can take your employee training a step further by sending your team a fake phishing attempt and gauging the results.

If your team clicks the link, then they’re presented with the training module. If they don’t fall for the simulation’s trick, they’re staying attuned to what you taught them in the past.

Of course, the best part about a phishing simulation is that it provides you with another level of important statistics about your employees. Once it’s complete, you’re able to see who would’ve fallen for a similar scheme if it was a real-world situation.

Since phishing is one of the most used techniques that hackers rely on, you have no choice but to train your employees on it.

However, purchasing the first module you come across and sending it en masse to your team isn’t the solution. The statistics from earlier prove that point, but I’ll reiterate it.

Many organizations already provide phishing training to their employees, yet they still experienced a phishing attack in 2020.

That points out that there’s a problem with the content of many existing phishing training modules.

By reading this blog post, though, you now know what this type of module should cover to keep things relevant and what features you need to keep your employees engaged.