Which type of phishing simulation to choose?

Lïa Desmousseaux de Givré

Training against phishing requires practice. As with awareness, there are many ways to do it.

At Arsen, we believe that there are two main types of simulation for your phishing exercises: a realistic simulation and a simulation focused on awareness.

To best prepare your teams, it is important to consider which type of phishing simulation to choose.

In this article, we will explore the advantages and disadvantages of these two types of simulation so that you can assess how to use them to meet your needs.

Silent Simulation: Closest to Reality

A "silent" attack simulation replicates the conditions of a realistic attack. The hacker's objective is to remain discreet and not raise suspicion if the victim shares their credentials.

Therefore, after successfully collecting the credentials, the hacker redirects the victim to a page that is consistent with their actions. This page can be an error page asking the user to try again later or a page where the user is already logged in.

For example, in our Office 365 credential harvesting simulation scenario, the target is redirected to Office 365 after submitting their credentials. If the person was already logged in, they will not see the legitimate login screen but will be directly taken to the homepage of their Office account.

Most of the time, the person will feel like they followed the usual login process, because Office 365 keeps authentication sessions valid for a long time.

As a result, they remain logged in after being redirected and are less likely to realize their mistake. The victim will not raise an alert because there is nothing unusual that would make them suspect an attempted credential theft.

To increase discretion, you can conduct attacks in small groups. This limits possible collaboration among colleagues and the risk of someone raising an alert.

Spreading your simulations out over time is another factor for discretion. It prevents your colleagues from "predicting" the campaign periods and keeps them from behaving under unrealistic conditions.

In general, a hacker will not send emails to your entire staff at once or test them in small groups every Tuesday. Such behaviors would be too "noisy" and would lead to detection, posing a risk to the attacker.
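The two points above, small groups and unpredictable timing, can be enforced by the awareness team when planning the campaign. The script below is an added example, not Arsen's code: it shuffles a constructed staff list into small groups and gives each group its own random business-day send time inside the campaign window, so no weekday or time slot recurs. The employee addresses, the window length and the group size are assumptions.

```python
"""Added example (not Arsen's own code): spread a silent phishing
simulation across small, randomly ordered groups with randomized send
times, so the campaign is not predictable. All inputs are constructed."""
import random
from datetime import datetime, timedelta

# Constructed sample staff list (placeholder addresses, not real people).
EMPLOYEES = [f"user{i:02d}@example.invalid" for i in range(1, 24)]
# Constructed campaign start: a Monday, midnight.
CAMPAIGN_START = datetime(2024, 1, 8, 0, 0)


def plan_silent_campaign(employees, group_size, start, weeks, seed=None):
    """Return a chronologically sorted list of (send_time, group) tuples.

    - employees are shuffled and split into groups of at most group_size
    - each group gets its own send time: a random business day and hour
      inside the campaign window, so there is no recurring weekday or slot
    - seed makes the plan reproducible (useful for review before sending)
    """
    rng = random.Random(seed)
    shuffled = list(employees)
    rng.shuffle(shuffled)
    groups = [shuffled[i:i + group_size]
              for i in range(0, len(shuffled), group_size)]

    plan = []
    for group in groups:
        while True:  # draw days until one falls on Monday..Friday
            day = start + timedelta(days=rng.randrange(weeks * 7))
            if day.weekday() < 5:
                break
        send_time = day.replace(hour=rng.randrange(8, 18),
                                minute=rng.randrange(60))
        plan.append((send_time, group))
    plan.sort(key=lambda item: item[0])
    return plan


def weekday_histogram(plan):
    """Count sends per weekday; one dominant weekday means the schedule
    is predictable and should be re-drawn with another seed."""
    counts = {}
    for send_time, _ in plan:
        name = send_time.strftime("%A")
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    plan = plan_silent_campaign(EMPLOYEES, 4, CAMPAIGN_START, weeks=12, seed=7)
    for send_time, group in plan:
        print(send_time.strftime("%Y-%m-%d %H:%M %a"), len(group), "recipients")
    print(weekday_histogram(plan))
```

Re-running with a different seed produces a different spread; the histogram is a quick sanity check that the draw did not cluster on a single weekday, which is exactly the "every Tuesday" pattern the text warns against.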

Advantages of Realistic Phishing Simulation

Firstly, by conducting a realistic attack, you gain insight into the company's resilience under real conditions. It is easier to measure the improvement in your employees' skills throughout these campaigns.

With a silent attack, you raise more awareness about the discreet nature of certain attacks. Users who make a mistake are not immediately informed since they do not receive any specific indication about the error.

According to IBM's 2020 "Cost of a Data Breach" report, it takes an average of 280 days to identify and contain a data breach. Typically, companies only become aware of the attack after suffering its consequences.

Thus, you are getting closer to real conditions.

Disadvantages of Silent Simulation

This type of simulation is very popular during initial training campaigns; however, it has a major drawback.

If such attacks are used too often, employees may feel trapped rather than trained by the company's security team. If you lose the trust of your colleagues, their investment in the company's cyber resilience may be compromised.

By regularly conducting equally challenging silent attacks, you risk not seeing any improvement. The scores are likely to remain relatively the same if you do not provide detection tools and methods to those being tested.

Therefore, it is beneficial to also use simulations that include awareness content.

Simulation with Integrated Awareness

A simulation with integrated awareness redirects the employee to learning content when they make a mistake. This method directly trains your colleagues to adopt better behavior. They become more vigilant, which increases their resilience against phishing.

Advantages of Awareness Phishing Exercises

With this method, you achieve instant awareness. The employee is already in a learning context when they interact with their email. They do not encounter friction such as logging into an e-learning platform or needing to set aside time to go through theoretical content. They are trained directly at the most opportune moment.

You also gain strong engagement from your employees due to the element of surprise. They do not expect to be caught and therefore want to learn directly what their mistakes were and how to avoid them.

Disadvantages of Awareness Phishing Exercises

These simulations can lead to a lack of realism in the collected data. Since employees are aware of the exercise when they make a mistake, they can communicate with each other and artificially improve their security scores by reporting emails they would not have otherwise detected.

Furthermore, it is necessary to produce and adapt diverse content in order to maintain a high level of attention during the training part. Running awareness sessions too often with the same material reduces the effectiveness of the training content.

We recommend balancing your campaigns to benefit from their advantages and limit the drawbacks:

  • Conduct one "silent" campaign per quarter for the entire staff to measure the concrete evolution of your resilience to phishing.
  • Depending on your requirements, conduct one awareness campaign per month or per week to train your employees in protecting themselves against phishing.
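Measuring "the concrete evolution of your resilience" means comparing the same metrics across the quarterly silent campaigns. The script below is an added example, not Arsen's code: it takes constructed per-recipient results (whether each person ignored, clicked or submitted credentials, and whether they reported the email) and computes click, submission and report rates per campaign, then the quarter-over-quarter change in submission rate for the silent campaigns. The campaign names, the outcome labels and the record layout are assumptions.

```python
"""Added example (not Arsen's own code): per-campaign resilience metrics
from constructed phishing-simulation results, compared quarter over
quarter for silent campaigns. All data below is constructed."""
from collections import defaultdict


def build_results(campaign, counts):
    """Expand {(outcome, reported): n} into one record per recipient.
    Constructed helper so the sample data stays short and readable."""
    records = []
    for (outcome, reported), n in counts.items():
        for _ in range(n):
            records.append({"campaign": campaign,
                            "outcome": outcome,     # ignored | clicked | submitted
                            "reported": reported})  # flagged the email to security
    return records


# Constructed results for three campaigns of 10 recipients each.
RESULTS = (
    build_results("2024-Q1-silent", {("ignored", True): 2, ("ignored", False): 2,
                                     ("clicked", False): 3, ("submitted", False): 3})
    + build_results("2024-Q2-silent", {("ignored", True): 4, ("ignored", False): 2,
                                       ("clicked", True): 1, ("clicked", False): 1,
                                       ("submitted", False): 2})
    + build_results("2024-03-awareness", {("ignored", True): 5,
                                          ("clicked", False): 3,
                                          ("submitted", False): 2})
)


def campaign_metrics(results):
    """Return {campaign: {sent, click_rate, submit_rate, report_rate}}.
    A submission counts as a click too, since the link had to be opened."""
    per = defaultdict(lambda: {"sent": 0, "clicked": 0,
                               "submitted": 0, "reported": 0})
    for r in results:
        c = per[r["campaign"]]
        c["sent"] += 1
        if r["outcome"] in ("clicked", "submitted"):
            c["clicked"] += 1
        if r["outcome"] == "submitted":
            c["submitted"] += 1
        if r["reported"]:
            c["reported"] += 1
    return {
        name: {
            "sent": c["sent"],
            "click_rate": c["clicked"] / c["sent"],
            "submit_rate": c["submitted"] / c["sent"],
            "report_rate": c["reported"] / c["sent"],
        }
        for name, c in per.items()
    }


def resilience_trend(metrics, kind="silent"):
    """Order campaigns of one kind by name (names are date-prefixed) and
    return (earlier, later, submit-rate delta) for consecutive pairs.
    A negative delta means fewer credentials given away."""
    names = sorted(n for n in metrics if n.endswith(kind))
    return [(a, b, round(metrics[b]["submit_rate"] - metrics[a]["submit_rate"], 3))
            for a, b in zip(names, names[1:])]


if __name__ == "__main__":
    m = campaign_metrics(RESULTS)
    for name, stats in sorted(m.items()):
        print(name, stats)
    print(resilience_trend(m))
```

Keeping the silent campaigns' metrics separate from the awareness ones matters because, as the text notes, awareness campaigns inflate report rates once colleagues start talking to each other; only the silent series is a like-for-like measure of resilience.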

There is no one-size-fits-all method, which is why we offer the ability to conduct both types of training: silent attacks and simulations for awareness.

Balance your campaigns and create lasting reflexes among your employees through your phishing simulations.