We frequently get asked how to stop phishing attacks. The answer is quite simple: you can’t stop the attacks, but you can change how your users respond. When it comes to these threats, it's up to you whether your users will be your biggest weakness or your greatest asset. The only way to stop these attacks from having any pull on your network is to Get Your Users Trained. There’s the golden ticket. Get a controlled, secured phishing test done and see where users get tricked. Then make training a priority: training on how to identify those messages as a threat, and training on how to react properly when those messages come in. Then get tested again. Do it again and again until that number falls to zero.
We recently ran a follow-up phishing test for a client whose first test had been performed in July of 2015. During that first test, their users had a failure rate of 33%. That is 1/3 of their users who willingly gave up their company password to an individual outside of their organization. While it may be easy to think that 33% is an outlier and uncommonly high, this is actually about the norm that we see. Truthfully, it falls a little on the low side of our average, and compared to our highest rate of 84% (yes, you read that correctly), it's quite low. The problem is that all it takes is 1.
So, when this organization realized after the first test that 33% of their people would willingly give out their passwords, they knew they had work to do. After the first test, we provided them with guidelines on how to approach this issue. Over the course of the year following that test, they made addressing this issue a priority. Based on our recommendations, they immersed their users in information on how to respond. When they contacted us to run a follow-up phishing test this year, we were happy to find that their end result was much lower. In fact, it was less than half of what they had received before. In 2015 they failed with a score of 33%. This year, only 13% of their users gave up their passwords.
For this client, cutting phishing failures by more than half over the course of a year is a great result. But they didn’t get there just by wishing that the next time would be better. And unfortunately there is no magic button you can press on your spam filter that will eradicate all phishing emails as they come into your network. You can't stop someone outside your network from sending phishing emails, and you can’t be there to monitor every email that your users receive. What you can do is give your employees the tools they need to spot those emails and stop them from doing any damage. That’s the all-powerful secret: test them, train them, and test them again.