
At its core, phishing is a practice in manipulation, tempting people into clicking seemingly innocuous links that can cause real harm. Some might not be fully aware of just how deceptive these attacks can be.

We’ve all been there, right? A friendly voice is on the other end of the phone, they want some details from you, and they sound totally plausible. How could they be part of a phishing attack? After all, they knew the names of your colleagues and they mentioned specific office locations.

There’s often much more to a cyber attack than a suspicious link; attacks frequently evolve to incorporate multiple different methods. They’re specifically designed to bypass our inbuilt threat identification systems, socially engineered to play on our emotions and win our trust. Some can be so convincing that we only start to question their legitimacy after they have made their way in.

So if it’s this difficult to identify a phishing attack, why is the dominant idea in cybersecurity to simply tell people not to click on suspicious links, as though that will make these threats go away? Educating employees is still an important factor in cyber security, but it can only do so much to prevent attacks from happening. A much more effective method of combating attacks that thrive on stress and negative emotions is to build employees’ confidence and help them discover a more positive mindset, whereas adding to their stress levels is almost certainly a bad idea.

Fake phishing often backfires…

One common practice that companies employ is to create their own fake phishing emails to test their employees and see who takes the bait. One of these incidents landed GoDaddy in some hot water because its phishing email test was so close to a real company email that it practically had no identifiable traits for the employee to tell it was a phishing test.

What was supposed to educate employees ended up making them feel on edge, almost paranoid, that any email or direct form of communication could be an attempt to trip them up and rope them into further corporate training or lead to corporate punishment.

The ethical implications of such a tactic are clear to see, especially when the fake phish promises a $650 bonus during a global pandemic. In such a situation it’s almost impossible to not break trust with your employees. In some cases it can reach a point where people start to avoid legitimate company contact, rather than suffer the consequences of a potential internal phishing test.

This breaking of trust can also lead to employees ‘turning against’ their company if the punishments are severe. Employees might feel less inclined to report a real phishing incident out of fear they’ll get in trouble; after all, there’s no way anyone could prove it was me who clicked on it…

A strategy like this affects workflow significantly and potentially makes a company more vulnerable to security threats.

Create an open invitation for conversation

At VIVIDA we believe it’s harmful to think of cyber security as something the individual can be blamed for. The individual should never be at fault, especially not when these attacks are socially engineered to bypass their defences and manipulate the truth.

When it comes to educating employees about phishing emails, what’s most important is being honest. Yes, an individual may be able to identify more obvious phishing attempts and should be doing everything they reasonably can to keep everyone safe online, but they shouldn’t be made to feel any shame when something inevitably slips through the cracks. What’s most important is encouraging people to come forward when this happens. They need to feel comfortable speaking up, not fear the consequences. The sooner a company knows about a successful phishing attempt that is putting people at risk, the better chance they have at ensuring no further damage is caused. On their website, the NCSC outlines many of the things a company can do in response to a phishing attack.

No two ‘phish’ look alike

The VIVIDA Phishing Simulator

When we educate people on what phishing emails look like and how to recognise them, it’s important to remind everyone that a dodgy domain and a misspelt heading isn’t always the way they’re going to look. Email addresses and domains can be spoofed, suspicious links can be made to look less so. Some can look almost indistinguishable from the real thing.

As previously mentioned, scammers can and will frequently incorporate additional methods of contact into their play in order to get an employee to lower their guard. A scam doesn’t look so suspicious when someone rings your company number, uses your name and knows that your co-worker is on holiday in Spain this week. VIVIDA’s own Vishing training focuses on the fact that scammers only need to look to social media to learn a little more about you and earn your trust. We understand that knowing this can be so important in combating these kinds of attacks.

Trust your employees

When VIVIDA teaches your employees about phishing attacks with our online training experiences, we accept that there isn’t a one-size-fits-all solution. We approach employees with empathy and understanding because shaming them is a one-way street to losing their trust, and in the fight against manipulation, trust is an invaluable resource to have. People are able to recognise when something is not right, and we have to learn to trust that instinct. Our education delves into what it means to feel suspicious when receiving a dodgy email, because simply telling people not to click on links only serves to make them feel less confident online, as though anything could be a threat, which isn’t helpful to anyone’s workflow or mental state.

Online scams are more than just links: they’re complicated, manipulative and thrive on negative emotions. It’s time to change the language we use when we connect and communicate with people, so that we build everyone’s confidence.
