Do Fake Phishing Emails Really Teach Employees to Recognize Real Ones?

Trust is a critical part of safe digital communications. Confidence to click or react is an integral component of online business. But what if that trust is broken? Take, for example, a recent Zoom phishing scam that used an email that looked like an invite to a Zoom meeting. The fake Zoom invite was sent to countless thousands of employees. The scam tricked over 10,000 people into clicking the malicious link, which was used to steal Office 365 login credentials. The phishing scam used behaviors such as the instinct to click a link and trust in a well-known brand. 

Cybercriminals increasingly use phishing as a tactic at the start of a cyber-attack. They use this approach because it works by manipulating natural behaviors. If this is the case, can mocking up phishing scams turn these attacks on their head and teach employees how to recognize real phishing attacks?

What’s Involved in Phishing Employees?

Simulated phishing platforms are typically cloud-based, hosted on-premises, or delivered via an MSP (Managed Service Provider). Advanced phishing simulation platforms provide an automated way to carry out regular and relevant fake phishing exercises with employees. The point of simulated phishing is to change employee behavior and teach staff to recognize real phishing emails. Fake phishing achieves this by engaging employees in phishing exercises where fake phishing emails are sent to inboxes across the organization. When an employee receives a fake phishing email, they will react to it either by clicking a spoof malicious link, downloading a spoof dangerous attachment, or ignoring or reporting the email. All these behaviors are recorded by the simulated phishing platform to provide metrics on phishing susceptibility. Also, advanced phishing email platforms, like SafeTitan, will deliver real-time training exercises to ensure any employee engaging with a fake phishing email understands what would happen if this was an actual phishing email.

An organization can build up an employee's knowledge about phishing using regular sessions, reducing their susceptibility. Creating effective employee fake phishing campaigns is about more than random phishing emails. Effective phishing must be systematic and relevant. 

• Regular Simulated Phishing: Phishing employees using fake malicious emails must be performed regularly. A USENET report shows improvement in phishing training during regular sessions. This could burden IT staff unless the phishing simulation platform uses automation.
• Relevancy: Phishing emails in the real world are often targeted and evolve as new technologies and detection techniques emerge. For example, ChatGPT and other LLM technologies have recently generated more realistic phishing emails. Phishing simulation platforms must be able to offer capabilities to ensure that your fake phishing emails are relevant and reflect actual phishing attacks. For example, SafeTitan provides 1000s of phishing email templates that can be configured to reflect current phishing trends.

An organization can build up an employee's knowledge about phishing using regular sessions, reducing their susceptibility.

Will Fake Phishing Help Your Employees Recognize Real Phishing?

To answer this question, TitanHQ conducted a series of tests using our simulated phishing platform, SafeTitan. The tests followed the employees of companies who use SafeTitan to see how carrying out regular tests over a year changed their behavior towards phishing. The data was collected through metrics generated by SafeTitan over that year. The analysis of these data created a series of industry scoring standards demonstrating the PVP and SPR (Phish Vulnerable Percentage and SMSish Prone Risk). PVP and SPR are indicators of the effectiveness of security awareness training that involves fake phishing email tests. These signs of phishing susceptibility can be directly related to the maturity of a security culture in an organization and the development of that all-important 'human firewall.' Cybercriminals are increasingly targeting human beings in an organization, stealing staff login credentials and data and tricking them into performing tasks that benefit the scammer. PVP and SPR scores provide a benchmark to demonstrate your phishing awareness amongst employees and how you score against industry peers.

TitanHQ conducted a study using fake phishing test metrics to calculate PVP and SPR industry standards across sectors, company sizes, and geographic locations. The study, known as the "2023 Automated Phishing Simulation Success Report," was run over a year, collecting metrics from regular phishing simulation exercises. 

The study offers a comprehensive view of the importance of simulated phishing campaigns in reducing employee phishing vulnerability. The results show that methods and strategies, such as automation and tailored phishing simulation campaigns, can help to improve a PVP and SPR score.

A snapshot of these results demonstrates the importance of using a simulated phishing platform:

Organization Size

According to studies, phishing is more successful in smaller organizations with less than 250 employees. Regarding susceptibility to phishing, TitanHQ's results concur with this, with PVPs in smaller companies being higher before automated phishing simulation exercises. However, after simulated phishing using SafeTitan, smaller companies lowered the susceptibility to phishing by 92%. 

It wasn't just small companies that benefited from fake phishing campaigns. All companies saw at least a 90% drop in phishing susceptibility amongst employees, with the average across all company sizes being a 92% drop in PVP.

Region

Cybercriminals are not bound by geography, and companies worldwide are at risk. TitanHQ analysis of SafeTitan metrics across five geographic regions recorded an average of 92% reduction in employee phishing susceptibility. The USA has the lowest reduction in PVP by 89%, and Africa has the most significant decrease at 94%. 

Sector

The TitanHQ researchers took metrics from SafeTitan use over a year to analyze any effect based on sector. The research involved ten industries, including manufacturing, government, and transportation. The research shows which sectors have the best and the worst phishing susceptibility scores. The study found that some sectors were better than others at spotting phishing attempts: manufacturing and real estate were stars of the study, demonstrating significant and continuous improvement on already excellent PVP scores.

To determine if your sector has a good or bad PVP, read the complete Titan HQ study, "2023 Automated Phishing Simulation Success Report.”

Cybercriminals are adept at generating phishing campaigns that work; over 90% of cyber attacks start with a phishing email.

Essential Features of Phishing Simulations that Teach Employees to Spot Actual Phishing Attacks

A comment on a Subreddit sums up one of the problems that can result in phishing employees if you use a scattergun approach: the employee was an IT employee, and they instantly recognized the phishing email was a company test. The person says this about the fake phishing test: "I realized it was fake and didn't appreciate the message trying to trip up employees being sent out, so I clicked on it a bunch of times to dick with the metrics."

To avoid angering or upsetting employees when carrying out fake phishing campaigns, you should ensure you use the following:

Be Transparent:

• Make your employees aware of the campaign.
• Collaborate with employees on your fake phishing campaign goals and why it's essential for the business's and themselves' safety.
• Take consent about the campaign and offer real-time educational interventions to make the most of simulated phishing sessions. 

Create a Well Thought Out Simulated Phishing Campaign: Use phishing templates to create relevant and effective fake phishing campaigns.

Automate your Campaigns for Regular Sessions: Use automation capabilities built into simulated phishing platforms, like SafeTitan, to train employees regularly to identify phishing attacks.

Collect Metrics: Simulated phishing campaigns should be based on continuous improvement. Metrics offer feedback to allow you to tailor your regular sessions; over time, you will notice changes in employees' behavior when confronted by a fake phishing email.

Fake phishing emails can teach employees how to recognize actual phishing attacks. But to improve the susceptibility rating of your employees, you must carry out regular and relevant fake phishing. 

Ask a TitanHQ expert about how SafeTitan can help reduce your employee phishing susceptibility by 92%.