There’s a new term you should learn if you don't know it already: Business Email Compromise (BEC).
It’s a formal way of saying someone’s email was used as a part of a cyber attack.
The FBI calls BEC “one of the most financially damaging online crimes” and according to the cyber security awareness training company, KnowBe4, more than 90% of successful data breaches began with an email tactic called phishing.
Phishing is an email scam designed to trick your user into doing some kind of action, like clicking a link or downloading a file, to get access to your organization’s network.
Email is a prime target for cyber criminals and it continues to be a necessity in business, even though executive concerns about email security are increasing.
And improving email security isn't as easy as installing a new spam filter. (Although, if you're not using advanced tools to filter email, that's an area that needs attention.) Cyber criminals can still sneak around spam filters and your other cyber security measures with email phishing.
So, how do you prevent your employees from inviting cyber criminals into your network? Through interactive, fun, and engaging ongoing training.
There's no surefire way to block all phishing, so training employees how to spot these types of email scams is critical.
Why is Email Security Awareness Important?
Before we get into the specifics of the email security training, it's important to understand the tactics that hackers are using to manipulate your people.
To start, let’s take a minute to understand phishing.
- Phishing is the leading security threat used in social engineering attacks. Phishing is an email scam attempting to gain access to your organization’s confidential information.
- Spear phishing is a more sophisticated, targeted attack. Spear phishing attackers use social media sites to gather information about users, executives and companies. Compromised emails accounts on either end of the correspondence can also be used. Cyber attackers tailor the phishing email with specific information, dollar amounts (when trying to trick someone into paying them), or even learn the email mannerisms of a user to really make it seem like they wrote the message.
With phishing, humans are your biggest threat to email security. The better informed your team is about social media and email security, the better chance your organization has to protect itself from these attacks.
What Can I Do To Help My Team Become Security Aware?
Because so many data breaches happen as a result of human behavior, it's not realistic to expect your IT department to ward off all cyber threats. The high-tech security measures are important and should be in place, but nothing is foolproof from human error.
The first thing you need to do is to make sure that any member of your team with access to your network (like email) is aware of the risks and implications that can happen with every CLICK.
Many executives are taking action against phishing attacks with awareness and protection applications like KnowBe4. Here at VC3, we’ve partnered with KnowBe4 to help our clients train their users to recognize and identify the signs of dangerous phishing emails.
What is KnowBe4?
KnowBe4 is a company whose priority is to educate the world on how to avoid being a victim of email scams. They partner with real companies whose names and logos are recognizable to make phishing simulations as difficult to detect as possible.
You can also create tests that spoof your own domain, so they look like internal emails -- this happens for real ALL the time, so it's important to train employees to spot them.
Because their emails look so authentic, KnowBe4’s phishing tests are highly effective. KnowBe4 email security training can be done right at your team’s own workstation or phone.
Here's what one of their phishing simulations can look like:
Looks legit, right? That's the idea.
How Does KnowBe4 Work?
Training with KnowBe4 begins with a customized simulated phishing test to your team.
The first simulated phishing campaign will give you a baseline for how likely your employees are to fall for phishing scams overall, and who specifically is most "phish-prone."
Let me give you an example: We recently ran a phishing simulation campaign for a healthcare provider with 100 employees. Out of those 100 employees, 22 people clicked on the phishing scam. The email looked like password reset instructions sent by their IT team. Of those 22 who clicked, 13 people entered their username and password into the website that fake email sent them to. THIRTEEN!
So, now that company knows who needs some extra training.
Here are a few things you can do with KnowBe4:
1. Customized Phishing Tests
When your objective is to train your team, you want a program designed with those people in mind -- and who knows them better than you?
- By Department – With Knowbe4, email test templates can be customized based on your specific email threats. For example, accounting folks will be more susceptible to scams that claim to be the CEO asking them to send money somewhere.
- Frequency – Schedule how random, how often, and how specific you want the test emails to be delivered. There are hundreds of thousands of emails so users can never get the same test in the same year.
- Consequences – Choose the landing page a user sees if they fail the test. You can choose to show your user which red flags they missed or redirect them to an error page.
The executives we work with typically choose to randomize their simulated phishing tests to be sent at different times of the day, on different days, and to different people. Most of our clients are set up on the automated customization for the tests to be delivered 1-2 times a month.
2. Specified Training Options
In addition to training with simulated phishing tests, training can be delivered as informational emails.
- Training Videos – Executives can request users to watch training videos. Summary reports tell you who watched the training and who didn't.
- Articles - KnowBe4’s Module Store has articles about cyber security, including up to date issues and threats your users might be facing.
- Vishing – A combination of voice and phishing, simulated vishing attacks are also available. These automated calls can be delivered to your team to test their vulnerability to phone scams.
- HR Training – HR departments can send mandatory training (like the California Workplace Harassment Prevention for Employees) through KnowBe4 instead of having to do a required meeting. It's a great way to deliver the training and get visibility into who's completed the training right inside KnowBe4. This is a very popular feature for HR departments.
3. Data Summary Reports
Let's say you think this training is a good idea and you roll it out -- how will you know if this approach to email security training is working?
Enter: monthly reports!
KnowBe4 delivers a summary report PDF and a link to a full detailed report of the test’s results each month.
This report will show you how users responded to the simulated phishing tests, and will help you to identify which members of your team are putting your organization at risk.
Whether or not your team eventually catches on that you are testing them, they'll still be gaining the skills and tools necessary to recognize real phishing attacks. Your priority is to get your team more aware and more mindful of email security, and KnowBe4 can help you do that.
If you’re not sure where to start, feel free to reach out to us here at VC3 any time. We’re here to make your life easier through fast, friendly, frustration-free IT services.