Do phishing simulations work?

October 26, 2022
by
Joe Reda

Have you ever opened your inbox and found a message that didn’t seem right? We’re not talking about emails requesting you click here to claim the iPhone you’ve won for a contest you don’t remember ever entering. These are emails from someone you know asking you to do something that feels off. It could be an email from your CEO asking you to send a financial document or a vendor asking you to pay an invoice you don’t recognize. 

These seemingly real messages are a type of cybersecurity attack called phishing—and these attacks can severely damage your business, reputation, and customers. These phishing attacks don’t involve hackers breaking down your security. Instead, they rely on you or your employees to make a simple—but costly—mistake. According to the 2022 Verizon Data Breach Investigation Report, 82% of breaches involve human error, including social attacks like phishing. 

Signs of a phishing attempt

  • An unfamiliar greeting.
  • Grammar errors and misspelled words.
  • Email addresses and domain names that don't match.
  • Unusual content or request – these often involve a transfer of funds or requests for login credentials.
  • Urgency – ACT NOW, IMMEDIATE ACTION REQUIRED.
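The signs in the checklist above can also be applied mechanically, which is useful for triaging reported messages or for scoring the emails used in a simulation. The script below is an added example written for this page, not code from the original post or from BitBakery: it parses two constructed sample messages (reserved `.example` domains, invented names) and reports which checklist signs each one exhibits. The keyword lists and the tiny misspelling set are hypothetical stand-ins for what a real deployment would tune to its own organization.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample messages (not real mail; reserved .example domains, invented names).
SUSPICIOUS_MSG = """\
From: "Acme Corp CEO <ceo@acme-corp.example>" <ceo.office@acme-corp-mail.example>
Reply-To: payments@fast-wire.example
To: assistant@acme-corp.example
Subject: URGENT: wire transfer needed today

Dear Employee,

I need you to process a wire transfer befor 3pm. IMMEDIATE ACTION REQUIRED.
Send me the banking login credentials so I can confirm it went through.
"""

BENIGN_MSG = """\
From: Dana Lee <dana.lee@acme-corp.example>
To: assistant@acme-corp.example
Subject: Agenda for Thursday

Hi Sam,

Attached is the agenda for Thursday's planning meeting. Let me know if
anything is missing.
"""

# Hypothetical keyword lists; a real deployment would tune these to the organization.
URGENCY_PATTERNS = [r"\bact now\b", r"\bimmediate action required\b", r"\burgent\b",
                    r"\bwithin the hour\b"]
REQUEST_PATTERNS = [r"\bwire transfer\b", r"\btransfer of funds\b", r"\blogin credentials\b",
                    r"\bpassword\b", r"\bgift cards?\b", r"\bpay (this|the) invoice\b"]
GENERIC_GREETING = re.compile(r"^(dear|hello|hi)\s+(employee|customer|user|sir|madam|sir/madam)\b", re.I)
COMMON_MISSPELLINGS = {"befor", "recieve", "verfy", "acount", "informations"}  # constructed, tiny


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def body_text(msg) -> str:
    """Plain-text body; joins all text/plain parts of a multipart message."""
    if msg.is_multipart():
        parts = []
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                raw = part.get_payload(decode=True) or b""
                parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
        return "\n".join(parts)
    return msg.get_payload()


def phishing_indicators(raw: str, org_domain: str) -> list:
    """Return the checklist signs this message exhibits (empty list means none found)."""
    msg = email.message_from_string(raw)
    flags = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # Sign: an address shown in the display name differs from the real sending address.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display_name)
    if embedded and domain_of(embedded.group()) != from_domain:
        flags.append(f"display name shows {domain_of(embedded.group())} but address is {from_domain}")

    # Sign: Reply-To points somewhere other than the sending domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append(f"Reply-To domain {domain_of(reply_addr)} differs from sender domain {from_domain}")

    # Sign: sender domain merely resembles the organization's own domain.
    org_label = org_domain.split(".")[0].lower()
    if from_domain != org_domain.lower() and org_label in from_domain:
        flags.append(f"lookalike sender domain {from_domain}")

    body = body_text(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()

    # Sign: unfamiliar or generic greeting on the first non-empty body line.
    first_line = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    if GENERIC_GREETING.match(first_line):
        flags.append(f"generic greeting: {first_line!r}")

    # Sign: urgency language in subject or body.
    for pat in URGENCY_PATTERNS:
        if re.search(pat, text):
            flags.append(f"urgency cue: {pat}")

    # Sign: request for funds or credentials.
    for pat in REQUEST_PATTERNS:
        if re.search(pat, text):
            flags.append(f"sensitive request: {pat}")

    # Sign: misspelled words (the constructed set stands in for a real dictionary check).
    words = set(re.findall(r"[a-z']+", text))
    for bad in sorted(words & COMMON_MISSPELLINGS):
        flags.append(f"misspelling: {bad}")

    return flags


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MSG), ("benign", BENIGN_MSG)):
        found = phishing_indicators(raw, "acme-corp.example")
        print(f"{label}: {len(found)} indicator(s)")
        for flag in found:
            print("  -", flag)
```

Run as-is, the suspicious sample trips every sign on the checklist (mismatched display-name address, foreign Reply-To, lookalike domain, generic greeting, urgency, a funds-and-credentials request, and a misspelling) while the benign one trips none. Keyword matching like this is only a first-pass filter; the point of the exercise is that each item on the checklist maps to something concrete a reader can look at in a message's headers and body.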

Working with our clients can mean we have access to their sensitive systems, so we put time and effort into continually updating our security standards and training our team on the latest threats and vulnerabilities, like new phishing attacks. One of the ways we do this is with phishing simulations, and we’ll break down what you need to know to keep your team on their toes.

What are phishing simulations?

Phishing simulations are scheduled cybersecurity tests for your employees. A cybersecurity consultant or service sends emails that are designed to look like valid emails, whether that’s one from your CEO or a service provider like a shipping company. 

Every phishing attack is different, varying from focus to medium:

  • Phishing. These attacks are sent in bulk to many employees rather than aimed at a specific person.
  • Spear phishing. These attacks use social engineering to target a specific employee, such as an assistant receiving a message from their manager asking for credit card information or login credentials.
  • Whale phishing. These attacks target executives at a company, including CEOs and CFOs. Hackers impersonate colleagues or partners to get access to financial and other information.
  • Smishing. Similar to phishing, these attacks use SMS spoofing, where the hacker can use a recognized phone number to trick an employee into sharing information.

Phishing simulations can test your organization across all of these attack types to help ensure your team knows which requests are genuine and when to stop and ask your security team whether an email is suspicious.

Do phishing simulations work?

Unfortunately, no preventive measure is 100% effective at stopping cyberattacks. Phishing simulations do help educate employees, but if they’re done only once, that knowledge can fade, and employees can become complacent with proper cybersecurity practices.

There have been studies done on phishing simulations, and the consensus is that they work—as part of a comprehensive cybersecurity training program. It’s critical not to blame your employees for failing these simulations. Instead, involve them in regular training, workshops, and internal communication, so they feel they’re part of the solution rather than a weak link in your security chain.

Simulations are only part of the solution

While phishing simulations can be helpful, ensuring your employees follow some basic cybersecurity processes to protect your organization, data, and customers is critical.

  1. Make sure your employees use unique, strong passwords.
  2. If you’re not using multi-factor authentication (MFA), your systems are at risk. Every organization should use a software token or physical token MFA system to add an extra level of protection.
  3. Make sure your employees only use work-issued devices for accessing your systems. Whether they are using cloud-based systems or not, personal devices don’t have the same protections as work-issued devices.

How does BitBakery handle client security?

We’ve supported startups, scale-ups, and major enterprises with application development for nearly a decade—and we’ve earned our customers’ trust by always putting security first. Contact us today to learn more.

Unit 100 - 151 Charles St. W.
Kitchener, ON N2G 1H6
(647) 483-2678