This guide to the DoD Phishing Awareness Challenge gives 9 key takeaways that summarize the training to help you decide if it’s right for you and your organization. The Department of Defense (DoD) Phishing Awareness Challenge is a free half-hour, interactive training slideshow with mini-quizes that give a comprehensive overview of:
- What phishing is
- Examples of phishing tactics, like spear phishing, whaling, and “tab nabbing.”
- Guidelines for how to spot and react to them
Upon completion of the online course, test-takers can download a .pdf certificate of completion, like this one:
This training, Version 4, September 2018, holds up in 2021 insofar as it gives a solid introduction to the topic of phishing. It’s not a one-off total defense against phishing, and it doesn’t present itself as such. Building sustainable phishing resilience for a whole organization requires ongoing participation with continuously updated training content.But the DoD Phishing Awareness Challenge is a strong, no-frills first step along a phishing awareness journey.
1. Who is the DoD Phishing Awareness Challenge for? Everyone.
It was designed for military and government employees – examples are mostly targeted for this audience.
- Companies and organizations: If you’re looking for an entry point into the topic, this is a safe and solid overview of phishing awareness to open employees’ eyes to the threat and teach people the basics on how to respond appropriately so as to keep the organization secure.
- Individual people: Phishing affects everyone who uses email, which includes… everyone. This is an unclassified training that anyone can try, and the knowledge benefits everyone.
2. Is this the same thing as the Cyber Awareness Challenge? No.
The DoD Cyber Awareness Challenge 2020 is a topically-related training created for DoD employees that focuses on how to handle sensitive information. The Phishing Awareness and Cyber Awareness challenges are similar in that they are unclassified and available to everyone.
3. What do I have to do to take it?
Enter the phishing awareness training website. From there:
- Click the yellow Launch Training tab.
- That takes you to a settings & compatibility page with lots of red and green text if your computer / operating system isn’t perfectly compatible. Don’t worry about all that. The training will still (likely) work.
- At the top of the page are links to either Start or Retake Phishing Awareness. Note: This page sets a pretty strong military/government tone. It doesn’t exactly put the “Fun” in “Product Functionality Requirements.”
- Click the Start/Continue Phishing Awareness
- …And away we go!
4. Audio/visual slideshow. Long load times and presentation is loud: Wear headphones if you’re in a shared space
- The phishing challenge immediately launches into a loudly narrated slideshow. If you’re at the office or in a public space, it’s recommended to wear headphones.
- Be prepared for slightly long loading times between each of the 20 slides.
5. Tip: Opt for narrator’s transcript
There’s a lot of information in this presentation. You can, and probably should, choose to get a transcript popup of everything the narrator says. The pop-up text changes with each slide. If you want to save the text and read through it, you could always copy/paste each text box onto a running
6. Tip: Be on your toes and stay frosty from the get-go!
Remember, this interactive training was developed by the Department of Defense. You will be challenged and expected to respond cyber-intelligently right off the bat. Stay frosty from the get-go!
7. Content flow summary: Information | Examples | Knowledge Check Quiz
The format is basically:
- Intro & Phishing awareness: slides 1-15
- Quiz (Knowledge Check): slides 16-18
- Summary: Slide 19
- Certificate: Slide 20
8. Information summary – examples often have military anchors, but widely applicable
- Phishing is the biggest financial threat on the Internet.
- New technologies and abundant social networking forums mean phishing methods are constantly evolving.
- Hackers hope to obtain targeted personal information useful for identity theft. If they gain access to your system, hackers could also hold your data hostage, blocking its access until a ransom is paid.
- Phishing, a type of social engineering, is a high-tech scam that uses e-mail or websites to deceive you into disclosing personal information useful in identity theft, such as your credit card numbers, bank account information, Social Security number, passwords, or other sensitive information.
- Focuses on two methods of phishing: e-mail scams and tab nabbing.
- Email scams:
- Typical phishing: an e-mail sent to a large group of people that attempts to scam the recipients.
- Spear phishing is a message sent to a smaller, more select group of targeted people or to a single individual.
- Whaling, or whale phishing, is a highly personalized message sent to senior executives or other high-level officials.
- Tab nabbing: a hacker takes control of your web browser to gain access to your personal or system-related information
- How to spot phishing emails: Examing sender, greeting, subject line, suspicious text with link or attachment, suspicious URLs, etc.
- The message, or lure, usually says that you need to update or validate your account information. It might threaten some dire consequence if you don't respond, or it might promise you some type of reward, such as money, a trip, or electronics. The message directs you to a website, or hook, that looks just like a legitimate organization's site but is not affiliated with the organization in any way. The purpose of the bogus site is to trick you into divulging your personal information, which is the catch.
9. Final takeaway: The DoD Phishing awareness challenge is a good start
The threat landscape is vast, increasingly sophisticated, and constantly evolving. Yes, phishing attacks are a scary topic. But there are ways to keep you and your people informed without making the topic unnecessarily scary to the point people will be disengaged from training. Consider a more personalized approach that is also more positive, engaging and gamified than is conventionally available. (Traditional phishing awareness training involves punishing or humiliating people for clicking a link or downloading an attachment in a simulated attack email). Ongoing awareness is vital for protecting organization’s from cyberattack at the people layer. 90% of breaches contain a phishing element, so it’s imperative that people are stay up-to-date and engaged with phishing training.There are lots of awareness options out there, so find out which phishing awareness training is best for you in terms of price, format, style, and culture. As the DoD Phishing Awareness Challenge states: “You are the best line of defense against phishing. Remember that you should always be on the lookout for phishing attempts, even from people within your organization.”