Phishing and social engineering remain the number one cause for malicious breaches in organizations. Social engineering is on the rise and it is putting your employees and organization at great risk. Your employees can help to stop the attacks when they arrive in their inboxes only when they have the knowledge and practice. This way you can avoid the negative consequences of a breach such as financial losses, stolen data, or brand damage.
To train your employees on threats, you need to send them attack simulations. Once they start recognizing simulated attacks, they will start recognizing malicious threats alike. This way, it will get much more challenging for attackers to trick your employees. Creating a human firewall is one of the most impactful ways to lower your human risk.
It does require some work to simulate threats, especially if you are doing it manually. Where do you start when you want to make simulations part of your cybersecurity training? What type of attack simulations should you create? And how can your security team build the best attack simulations for cybersecurity training? We will answer these and other questions throughout this guide.
We will show you how you and your security team can build the best attack simulations to use in your cybersecurity training.
Different types of attacks to use in training
There are different types of attacks that are constantly threatening your employees. We have listed the most common threats that employees face and how they work. These attacks are good to start with as part of your simulations program.
Phishing is the most common technique to gain access to sensitive information. Both cybersecurity criminals as well as white hat hackers use phishing as a gateway to penetrate organizations’ digital environments. Phishing often uses email to contact targets.
Spear phishing are attacks that are highly personalized. Usually, the target is well researched before receiving the email. Therefore, the messages can be hard to identify as malicious.
Whaling attacks that are used to target high-profile individuals in organizations. These attacks work similar to spear phishing but mainly focus on the top layers of your organization.
Vishing is also known as phone fraud, where targets get tricked to provide the criminal with sensitive data over the phone. Sometimes, targets are also tempted into visiting malicious websites through which they are asked to download malware.
With smishing targets receive text messages that contain malicious links or other scams to convince recipients to give away sensitive information.
With spoofing attacks, hackers use spoof emails or webpages to look identical to actual ones. Spoofing often aims to trick users to fill out credentials. An example of this could be a real-looking email from “your bank” followed by a login page that looks identical. Spoofing is often associated with phishing.
People should be able to recognize all of these attacks. Solely knowing that they exist won’t help people when they actually encounter a threat.
Setting up a simulated attack program
There are two common ways to building an attack simulations program. In this blog post, we will discuss the process of setting up a simulated attack program in-house. This requires manual work from your team. For organizations with more than 100 employees this is not a scalable approach. Preferably you want to personalize simulations for everyone in the organization so that they can also prepare themselves for spear phishing.
What is the goal of your training?
To start with, you should think of what you want to achieve with building an attack simulation. Think about the following:
- What are your KPIs?
- What types of threats is your organization exposed to?
- How do you plan to test your employees?
- What kind of simulation will you send out?
- When will you send it out?
- Perhaps it would be good to communicate to your employees that they might be tested every now and then?
- Should you tell them how to deal with these attacks?
Variety of simulations
Your team can test employees for different types of attacks.
Do they keep downloading malicious attachments? Then you may want to send out simulated attacks with attachments.
Are employees clicking malicious links repeatedly? Add a URL to the vector.
Combine the different types of attacks (as discussed above) to train your employees for every possible scenario. Also consider that during more persistent attacks, targets can even receive multiple follow-up vectors to add a greater sense of urgency and perceived credibility.
Consider how frequently you aim to test your employees. The more practice people have, the better they will be able to spot odd-looking emails.
Have you noticed a difference in the failure rate when you tested your employees more frequently compared to when you only do one or two tests a year?
Practice can lead behavior change, meaning that people know how to spot and report attacks. With frequent practice, the simulated attacks stay on the top of the employees’ minds. The next time they receive an email threat they will be more cautious. Our statistics show that testing users at least a few times a month without interrupting their workflow is the most effective. Yearly or quarterly tests aren’t sufficient to change employee behavior.
Feedback to employees
Whether your employees have failed or passed a simulation, it’s important to provide them with feedback that this was indeed a simulation. Integrate short pointers into the feedback on what employees should pay attention to when they receive emails. Always use positive reinforcement and reward systems in your feedback to increase the overall motivation and engagement of employees. Punishing your employees will only harm your cybersecurity culture.
Measuring the results
You need to measure the results of a test as well as the overall progress of the company. So, you have to ascertain that you can track and analyze the results and that you have a follow-up plan based on the simulations’ outcome. What happens when employees fail a simulation for instance? Before starting with the simulations, identify what metrics you want to follow for the best possible outcome.
How to set up the simulations manually?
The traditional process of creating simulated attacks consists of several steps. It does require manual work from the security team.
Step 1: Identify the simulation types
The first step is to figure out what type of attack you want to simulate. Preferably you create specific simulations for each department or employee. To save resources, companies usually send one phishing test that suits all employees. Email is the preferred channel for testing because it’s also the main channel for attackers.
Step 2: The technical part
Set up a new email domain that you will use as the sender address. Also set up a website domain to use as a landing page. For example, we might use @hoaxhunt.com and https://www.hoaxhunt.com/ instead of @hoxhunt.com or https://www.hoxhunt.com/. Such nuanced differences in domains are harder to spot. Just make sure to whitelist the sender domain internally so that the simulation reaches your employees’ inboxes.
Step 3: Craft the message
Once you have set up an email account and domain, start thinking about the message.
You can use a very simple text-based email without any sort of template. This requires less work. In that case, you still need to think of the email copy.
The other option is building a more advanced template designed with HTML. This allows you to simulate a service email your employees might receive from Microsoft for instance. Setting up an HTML template requires some extra work. Note that HTML behaves differently in each email client. Before sending out the final version we recommend testing the email on different clients, web, apps, and devices to make sure it looks compatible and realistic.
Step 4: Take your simulation to the next level
Add attachments, URLs and/or landing pages to your simulated email. This step is optional, but still recommended if you truly aim to test your employees in a realistic way.
You can add an attachment to the email. However, it is very challenging to measure who opens the attachment unless you use macros in Microsoft Word, PowerPoint, or Excel. Adobe makes it extremely challenging to see whether someone has opened a PDF file. But you can track a link that someone has clicked from within a PDF file. In any case, you should track the employees’ interactions with the email to be able to measure your organization’s cybersecurity awareness progress.
Another option to exploit is the use of landing pages. You can ask for the users’ credentials to test whether they give away such sensitive information. You can also use a landing page as a notifying page to tell your employees that they have fallen for a simulated attack and give some tips on what to pay attention to in the future. For implementing landing pages, set up a new website domain to make it more realistic. You can also decide to use an intranet page.
Step 5: Think about measurement
You want to make sure that you can measure the results of your simulated attacks. How else would you be able to measure your organization’s resilience over time? Set up a system to measure URL clicks and to see who opened simulated malicious attachments.
Step 6: Going live with the simulation
It’s time to send the simulated attack to your employees. The whole organization needs to be trained, including management layers, since they are all receiving real phishing attempts.
Do you have internal mailing lists that you can use? Or if you’re a smaller organization, do you send each individual a personal attack? Do you send a simulation out to everyone at the same time? People may talk about it and spoil the test for others. Consider this before you click ‘send’.
Step 7: Provide your employees with a process
Make sure to have clearly communicated an actionable plan of what employees can do in the case of a simulation or real phishing event. Can they use a report button that sends the email for further analysis? Or what happens when one of your employees clicked a simulated or malicious email? As the security team you should enable your employees to take the right actions. This process should be simple and transparent so anyone can easily follow it.
Elements to consider adding to your attack simulations.
To make the simulated attacks look realistic, consider including techniques that attackers also use.
Think like a real attacker
Your simulations must look like real-life attacks. Think of how an attacker would try to scam your employees and try to simulate that.
Use psychological triggers in your simulations
There are several emotions that scammers use to trigger employees to make the wrong decision. Oftentimes they relate to greed, curiosity, urgency, fear, or helpfulness. You can imagine receiving an email with any of these triggers could be quite challenging to ignore. The goal is for your employees to stay rational with every email they receive, no matter what the psychological triggers are.
Take into consideration the difficulty level
This comes down to adapting the difficulty level to your employees’ progress, so that they will gradually advance and stay motivated to spot and report threats. Very advanced attacks and constantly failing from the start can discourage your employees. And you don’t want them to become inactive.
Use of call-to-actions (CTAs) in emails
Evidently, real attackers want your employees to click or do something harmful. To achieve that they use CTAs like “click here”, “sign in”, and “activate account” that will redirect users to malicious downloads or landing pages.
The context of your simulation is very important
If the email is completely out of context (service email from a bank they do not even use), it will be much easier for employees to spot. Make sure you use relevant content for each employee because that’s how most real tailored attacks work as well.
The design of the email
If you opt for an HTML template, you can make realistic looking copies of service emails including logos and other design features. The more realistic it looks, the more difficult it will be to spot for your employees. A simple plain-text message can also be highly effective.
When you personalize the email with simple things like your employee’s first name it already becomes much more challenging for them to identify it as a simulation. More than ever can attackers personalize their emails with everyone’s life publicly available on social media. We automatically personalize every simulation to each individual based on their role, department, location, language, colleagues, and technical solutions they use.
Impersonation is one technique that scammers use consistently. If your colleague sends you an email, what harm can it do? Of course, in cybersecurity we know that this might be a business email compromise. But imagine receiving an urgent email from your “CEO” with all of the above elements? That’s difficult to detect for anyone.
Timing can play an important role in why employees may fail a simulated attack. If they are in a rush or in a stressful situation, employees may have their guards down. You want your employees to recognize attacks at any time.
Stop building attack simulations manually
Ideally, you train your employees with a combination of these elements continuously. Over time, the main goal should be to change your employees’ behavior related to online threats. You want to provide people with individualized training content frequently that takes into consideration their skill and knowledge level, their role in the organization, department, geography, language, or time spent in the organization. And send the training that’s relevant for them both in terms of content and difficulty. To do so, you must automate the process. Manual training is not feasible. And a one-size-fits-all approach does not facilitate behavior change. When organizations need to educate thousands of employees in a way that results in behavior change, meaning that people can recognize and report attacks, they use solutions like Hoxhunt that automatically adjusts the content and the difficulty of the training for each individual employee.