Every time we read a news story about someone falling for a phishing email, we think “I wouldn’t have been a victim; I can recognize a phishing email as soon as I receive it.” We all know to look for subtle clues like misspelled words, too-good-to-be-true offers, and dramatic warning messages, because we have been told where to look and what to look for.
Our mental state can impact our ability to spot scams
In the morning when you are well rested and ready to start your day, you are probably more alert and more able to spot a phishing email than you are in the late evening, when you are still at your desk dealing with the stress and pressure of a looming deadline and all you want to do is go home.
My point is that no one can forecast their reaction when confronted by a possible phishing email. Even the best-trained people can fall for a simple email scam if it catches them at a bad time.
Training staff to recognize email scams is just half of the strategy any company should undertake to protect itself against phishing. What is the other half?
Studies have demonstrated that people learn more from their mistakes or when they are confronted with the consequences of their behavior. How does this translate to the realm of phishing?
Send phony phishing emails to assess staff readiness
In 2011, Columbia University undertook an experiment to discover how behavior changes when people are confronted with the consequences of their failure. The experiment involved 4,000 students, staff, and faculty members who were sent emails that mimicked real phishing scams, with all the trimmings – attachments, embedded URLs, etc. Those who fell for the scam received a message informing them that their behavior could have put them in a vulnerable situation and were then sent another variation of the phishing email several weeks later to test whether they had learned their lesson. It took four rounds of phony emails before all users were able to identify a phishing email.
Apply the same methodology in your company
You can use a similar approach in your own working environment. Through a simulated phishing attack, you can determine which staff are the most vulnerable and need the most help. The results of a simulation can be used as a benchmark to assess the effectiveness of any kind of remedial action you undertake, such as staff training.
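The benchmarking step described above, carried through as an added example (this code is not part of the original post and is not any vendor's simulation tool). It assumes the simulation platform exports one record per recipient per round saying whether that person fell for the email; the records below are constructed sample data, and the functions turn them into the figures a program owner would track: the click rate per round, how many rounds each person needed before spotting the email, who should get targeted follow-up, and the round in which the whole group first passed (the "four rounds" figure from the Columbia experiment).

```python
from collections import defaultdict

# Constructed sample export from a simulated phishing campaign (not real data):
# one record per recipient per round, "clicked" meaning they fell for the email.
SAMPLE_RESULTS = [
    {"round": 1, "user": "alice", "clicked": True},
    {"round": 1, "user": "bob", "clicked": True},
    {"round": 1, "user": "carol", "clicked": False},
    {"round": 1, "user": "dave", "clicked": True},
    {"round": 2, "user": "alice", "clicked": False},
    {"round": 2, "user": "bob", "clicked": True},
    {"round": 2, "user": "carol", "clicked": False},
    {"round": 2, "user": "dave", "clicked": True},
    {"round": 3, "user": "alice", "clicked": False},
    {"round": 3, "user": "bob", "clicked": False},
    {"round": 3, "user": "carol", "clicked": False},
    {"round": 3, "user": "dave", "clicked": True},
    {"round": 4, "user": "alice", "clicked": False},
    {"round": 4, "user": "bob", "clicked": False},
    {"round": 4, "user": "carol", "clicked": False},
    {"round": 4, "user": "dave", "clicked": False},
]


def click_rate_by_round(results):
    """Fraction of recipients who fell for the simulated email in each round.

    This is the benchmark figure: compare it before and after training.
    """
    totals = defaultdict(int)
    clicks = defaultdict(int)
    for rec in results:
        totals[rec["round"]] += 1
        clicks[rec["round"]] += int(rec["clicked"])
    return {rnd: clicks[rnd] / totals[rnd] for rnd in sorted(totals)}


def rounds_until_pass(results):
    """For each user, the first round in which they did not click (None if never)."""
    by_user = defaultdict(dict)
    for rec in results:
        by_user[rec["user"]][rec["round"]] = rec["clicked"]
    first_pass = {}
    for user, rounds in by_user.items():
        passed = [rnd for rnd in sorted(rounds) if not rounds[rnd]]
        first_pass[user] = passed[0] if passed else None
    return first_pass


def needs_remediation(results, min_clicks=2):
    """Users who clicked in at least `min_clicks` rounds: the people who need the most help.

    The threshold is an assumed policy value, not something the post prescribes.
    """
    counts = defaultdict(int)
    for rec in results:
        if rec["clicked"]:
            counts[rec["user"]] += 1
    return sorted(user for user, n in counts.items() if n >= min_clicks)


def rounds_to_full_readiness(results):
    """First round with a zero click rate, i.e. when every recipient spotted the email.

    Returns None if that point was never reached in the data.
    """
    for rnd, rate in click_rate_by_round(results).items():
        if rate == 0:
            return rnd
    return None


if __name__ == "__main__":
    print("click rate by round:", click_rate_by_round(SAMPLE_RESULTS))
    print("first round passed per user:", rounds_until_pass(SAMPLE_RESULTS))
    print("needs targeted training:", needs_remediation(SAMPLE_RESULTS))
    print("rounds to full readiness:", rounds_to_full_readiness(SAMPLE_RESULTS))
```

The per-round click rate is the number to put on the dashboard; a falling rate after a training session is the evidence that the training worked, while a flat rate says the message did not land. The per-user view matters just as much, since a low overall rate can hide a few people who click every time, and those are the ones who need individual follow-up rather than another all-hands slide deck.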