Are you worried about phishing or other social engineering attacks in your organization? You should consider some white hat phishing tests internally to gauge how your team would be impacted by a phishing attack. Measuring the phishing click rate, otherwise known as the response rate, is important to understanding how dangerous phishing is to your business.
Measuring your phishing click rate is just the first step. The next step is decreasing that rate. Ultimately, your goal is to get this number down to 0%. That is unlikely, but it is always best to shoot for the moon and land among the data-secure stars. Reported figures vary, but studies show users acting on phishing emails at a rate between 10% and 30%!
Considering it only takes one user to cost your company millions in lost data, lawsuits, and stolen intellectual property, it’s worthwhile to try to get this number as close to zero as possible. Here are four quick tips to decrease your organization’s phishing click rate.
1. Run Phishing Penetration Tests and Educate
Run your own penetration test, focused specifically on identifying your current phishing click rate. As users fall for your trap, alert them on the landing page. Tell them what they should have spotted: show a screenshot of your email, marked up with arrows and circles pointing to the indicators that should have revealed it as a phishing attempt. Also, include a survey box and ask them why they clicked the email. If they don’t answer, go ask in person or via email.
In our article on social engineering attacks, Drew Parrish, a Help Desk Specialist at Wabash College, offered some ideas: “Send out blatantly obvious phishing emails with ridiculous email addresses and links to click.” According to Drew, after a year of testing, phishing click rates dropped nearly 100% on the harmful links.
By making these tests obvious, you exaggerate the indicators users should be looking for. On subsequent tests, make the phishing attempts progressively harder for users to identify.
It is also important to educate users beyond just the landing page. For people who click on the phishing test, send them more phishing tests than other users. Offer them lunch-and-learn opportunities—yes, that means you buy the pizza!
2. Make Education Mandatory For New Hires
By educating new employees on the importance of avoiding phishing scams, you show the importance of this subject. What exactly should you be teaching them?
- Stay Alert at Night
Since many attacks occur after hours, remind them to stay vigilant at home. Their home network is (hopefully) less secure than the network at your business.
- Show Them the Stats
Show them some real-life examples of social engineering tactics. Again, refer to our guide to 23 forms of social engineering attacks or find recent news stories on the topic.
- Show Them the Money!
Many users don’t understand the financial impact of a data breach. There are tons of reports that highlight this. The average breach costs organizations $3.92 million!
Context is just as important as examples. By making the user aware of the types of tactics and the potential cost to the business, you’re sure to get their attention and keep that phishing click rate low!
3. Release the Results
After your penetration test, tell your company the results. Compare them to previous tests. Inform them of the expected impact of their actions. Set a goal for next time, and if they reach it, reward them with something. Maybe it’s as simple as a catered lunch. Get management to buy in and offer a half-day for everyone in the company who does not fall for the test.
If they balk, remind them of the cost of a phishing attack and compare that to the loss of productivity on a Friday afternoon sometime. Also, you can make the goal very difficult to obtain to appease them. For instance, if less than 1% of users take the bait, then they get their reward.
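The click rate from Tip 1 and the campaign-over-campaign comparison and goal check from Tip 3 are simple to compute once your simulation tool exports its events. The following is an added example written for this article, not SmartFile’s code or the output format of any particular phishing-simulation product: the three-column event format (campaign, user, event) and the event names sent, clicked and reported are assumptions, and the sample export is constructed. It counts each user once per campaign no matter how many times they clicked, computes click and report rates, flags campaigns that meet the reward goal (under 1% by default), and lists users who clicked in more than one campaign so they can receive the extra tests and training described above.

```python
"""Phishing-simulation click rate report (added example, not SmartFile's code).

Assumed export format: one event per line, "campaign,user,event", where
event is one of sent / clicked / reported. Real tools use their own formats.
"""
from collections import defaultdict

# Constructed sample export covering two simulation campaigns.
SAMPLE_EVENTS = """\
2023-Q1,alice,sent
2023-Q1,alice,clicked
2023-Q1,alice,clicked
2023-Q1,bob,sent
2023-Q1,bob,reported
2023-Q1,carol,sent
2023-Q1,carol,clicked
2023-Q1,dave,sent
2023-Q2,alice,sent
2023-Q2,alice,clicked
2023-Q2,bob,sent
2023-Q2,carol,sent
2023-Q2,carol,reported
2023-Q2,dave,sent
"""


def parse_events(text):
    """Return {campaign: {user: set_of_events}}; blank or malformed lines are skipped."""
    campaigns = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or not all(parts):
            continue
        campaign, user, event = parts
        campaigns[campaign][user].add(event)
    return campaigns


def _rate(campaign_events, event):
    """Fraction of users who were sent the test and also produced `event`.

    A user who clicked three times counts once; a campaign with no
    recipients yields 0.0 rather than a division error.
    """
    recipients = [u for u, ev in campaign_events.items() if "sent" in ev]
    if not recipients:
        return 0.0
    hits = [u for u in recipients if event in campaign_events[u]]
    return len(hits) / len(recipients)


def click_rate(campaign_events):
    """Phishing click (response) rate: distinct clickers / distinct recipients."""
    return _rate(campaign_events, "clicked")


def report_rate(campaign_events):
    """Fraction of recipients who reported the test email instead of clicking."""
    return _rate(campaign_events, "reported")


def repeat_clickers(campaigns):
    """Users who clicked in more than one campaign (candidates for extra tests)."""
    counts = defaultdict(int)
    for events in campaigns.values():
        for user, ev in events.items():
            if "clicked" in ev:
                counts[user] += 1
    return sorted(u for u, n in counts.items() if n > 1)


def campaign_report(text, goal=0.01):
    """Per-campaign click/report rates, change versus the previous campaign,
    and whether the click rate beat the reward goal (strictly below `goal`)."""
    campaigns = parse_events(text)
    report = []
    previous = None
    for name in sorted(campaigns):
        rate = click_rate(campaigns[name])
        report.append({
            "campaign": name,
            "click_rate": rate,
            "report_rate": report_rate(campaigns[name]),
            "change": None if previous is None else rate - previous,
            "goal_met": rate < goal,
        })
        previous = rate
    return report


if __name__ == "__main__":
    for row in campaign_report(SAMPLE_EVENTS):
        print(row)
    print("repeat clickers:", repeat_clickers(parse_events(SAMPLE_EVENTS)))
```

Feed the same function the export from each new campaign and the change column gives you the trend to publish alongside the results; the goal threshold is a parameter so it can be set as strict as management wants.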
4. Use a File Sharing Solution
When you can access and share your files via a file sharing solution, you cut down on the likelihood that a phishing email disguised as a legitimate document will convince anyone. Not only is your information encrypted, but with a file sharing solution you don’t need to fear files being lost or corrupted. Your provider will be able to resolve your issues.
You also have permissions control over who has access to what file and can receive email notifications about file and user activity. And some file sharing solutions, like SmartFile, offer visual tools and detailed logs to help you understand the usage so you can identify outliers and protect your data.
With a solution like SmartFile, we can keep your files safe and your data secure. Employees might still fall victim to phishing scams or click on malicious links, but you can significantly reduce your risks and get some peace of mind when you share files with SmartFile.
One Final Note on Decreasing Your Phishing Click Rate
These four tips are great, but they all require upper management buy-in at some level. If upper management falls for the phishing test, make sure they get the same education as the rest of the users. If you can get upper management to show support for your phishing tests verbally or through an email, you’ll create even more attention.