
Jeremy Aylott, Lead Ethical Hacker at the Scottish Business Resilience Centre explains why simulated phishing exercises are beneficial as part of an organisation’s cyber security strategy.

There are many arguments about the pros and cons of conducting a simulated phishing exercise within an organisation, with many arguing that they add very little value to a cyber awareness training program. We believe phishing exercises are helpful as a part of a more extensive cyber security awareness program – when carried out correctly. Think of a phishing exercise as a fire drill for a potential phishing attack.

What is Phishing?

Malicious threat actors use phishing attacks, usually via email, to trick users into doing something they shouldn’t. For example, a hacker could direct users to click through to a fake login page to trick them into sharing their login details, or they could attach a malicious document to an email containing malware to infect the victim’s system when opened. 

In the latest Cyber Security Breaches Survey, of the 39% of UK businesses that identified an attack, the most common threat vector was phishing attempts (83%). 

Phishing attacks almost always try to mimic a genuine service, for example, appearing as an alert from your bank about a suspicious transaction or a parcel delivery. Due to this, the best defence against phishing attacks is to ensure that users are aware of the threat and know how to spot a suspicious email and report it. So, where does a phishing resilience exercise come into this?

What are the Benefits of a Simulated Phishing Exercise?

Phishing exercises have several key benefits, which aren’t often achieved with traditional PowerPoint-style training. A phishing exercise gives users practical experience of receiving, identifying and reporting a targeted phishing email, so they are ready for an attack when it does come. Ideally, every phishing email should be reported according to your organisation’s policies. Still, in a real attack even one or two reports from a wider campaign can be enough, provided those reports feed into your mail filtering, for the remaining copies of the same campaign to be recognised and quarantined before more users act on them.

Another benefit is that, through various metrics, phishing exercises allow you to quantify the success of your awareness training, something many organisations find challenging. This gives you confidence that your users are aware and prepared to meet the threat, and shows you where more training is required. The most objective way to measure this is to run rounds of testing before and after the awareness training and compare the results.

Phishing exercises can also verify that your technical email filters are working as expected. Lures (phishing emails) of varying quality are sent, and by examining which are blocked and which are delivered you establish a baseline of what gets through and identify obvious gaps. The same exercise can help tune the filters to avoid false positives, where legitimate emails are blocked.

The Aims of a Simulated Phishing Attack

A successful, worthwhile phishing exercise must have clearly defined aims. What are you trying to achieve with this test? Remember, the purpose is never just to phish your users. Very little is gained from doing that, and it is likely to generate resentment towards your IT or security team by making your users feel deceived and embarrassed that they clicked on the malicious link. The aim and the expected outcome of a phishing exercise is always to learn. Using a lower-quality lure (phishing email) may even be helpful so users can spot it. Remember, the aim is to raise awareness of phishing attacks, not to catch your team out!

The aims of a phishing resilience exercise could be:

  • To verify the effectiveness of your email filtering systems
  • To show that users understand your phishing reporting policies
  • To demonstrate what a phishing attack looks like
  • To measure the effectiveness of awareness training, using multiple tests before and after the exercise

Identifying which metrics you are measuring in the test is also essential. Yes, you will record the number of fails (clicks, or credentials submitted, where users fell for the attack) but, perhaps more importantly, the number of users who report the email, delete it without reporting, or ignore it, and how quickly the first report arrives. These metrics are a far better measure of your users’ awareness.

Then what do you do with the results? It’s important to remember that users should never be punished for ‘failing’ a phishing test, as this could lead to animosity and a lack of engagement with the IT or security team, reducing the overall security of your organisation in the long run. Punishing users also discourages users from reporting an actual phishing attack, especially if they have fallen for it, the exact opposite of what you want. Instead, offer remedial training based on the areas where the awareness can be improved, but without identifying users who ‘failed’ the tests. You may not even need to collect identifiable information in your phishing exercise; anonymous information could tell you the same thing.
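To show how the metrics above can be produced without ever holding a list of who "failed", here is an added example (not code from the SBRC article or from any particular phishing platform). It assumes the exercise platform exports one line per recipient action as `timestamp,token,event`, where the token is an opaque identifier issued fresh for each round, and it computes the click, report, delete-without-reporting and ignore counts for a round, the time to the first report, and the change in rates between a pre-training and a post-training round. The event names and the sample exports are constructed for illustration.

```python
"""Metrics for a simulated phishing exercise from anonymised per-recipient events.

Added example, not code from the SBRC article or any phishing platform. It assumes
an export of 'timestamp,token,event' lines where token is an opaque, per-round
identifier (so rounds cannot be joined to identify individuals). Event names and
sample data are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Events that count as the recipient acting on the lure. "opened" (tracking pixel)
# is deliberately excluded: a recipient who only opened the mail is treated as
# having ignored it.
ACTION_EVENTS = {"clicked", "submitted", "reported", "deleted"}


def parse_events(lines):
    """Turn 'timestamp,token,event' rows into sorted (datetime, token, event) tuples."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, token, event = (part.strip() for part in line.split(","))
        events.append((datetime.fromisoformat(ts), token, event))
    return sorted(events)


def summarise_round(lines, sent, send_time):
    """Per-recipient outcomes for one round.

    A recipient is counted once per outcome however many times the platform logged
    it, and someone who clicked and then reported is counted under both: that
    sequence is exactly the behaviour the exercise wants to encourage.
    """
    per_token = defaultdict(set)
    first_report = None
    for ts, token, event in parse_events(lines):
        per_token[token].add(event)
        if event == "reported" and first_report is None:
            first_report = ts

    acted = {t for t, evs in per_token.items() if evs & ACTION_EVENTS}
    clicked = {t for t, evs in per_token.items() if evs & {"clicked", "submitted"}}
    submitted = {t for t, evs in per_token.items() if "submitted" in evs}
    reported = {t for t, evs in per_token.items() if "reported" in evs}
    deleted_only = {t for t, evs in per_token.items()
                    if "deleted" in evs and "reported" not in evs}
    minutes_to_first_report = (None if first_report is None
                               else (first_report - send_time).total_seconds() / 60)
    return {
        "sent": sent,
        "clicked": len(clicked),
        "submitted_credentials": len(submitted),
        "reported": len(reported),
        "clicked_then_reported": len(clicked & reported),
        "deleted_without_reporting": len(deleted_only),
        "ignored": sent - len(acted),
        "click_rate": len(clicked) / sent,
        "report_rate": len(reported) / sent,
        "minutes_to_first_report": minutes_to_first_report,
    }


def compare_rounds(before, after):
    """Change in the headline rates between a pre- and a post-training round."""
    return {key: round(after[key] - before[key], 3)
            for key in ("click_rate", "report_rate")}


# Constructed sample exports: 10 recipients per round, fresh tokens each round.
BEFORE_SENT_AT = datetime(2024, 3, 4, 9, 0)
BEFORE_TRAINING = """
2024-03-04T09:03:00,u01,opened
2024-03-04T09:04:00,u01,clicked
2024-03-04T09:05:00,u01,submitted
2024-03-04T09:06:00,u02,clicked
2024-03-04T09:09:00,u03,reported
2024-03-04T09:12:00,u04,clicked
2024-03-04T09:15:00,u04,reported
2024-03-04T09:20:00,u05,deleted
2024-03-04T09:30:00,u06,opened
""".splitlines()

AFTER_SENT_AT = datetime(2024, 5, 6, 9, 0)
AFTER_TRAINING = """
2024-05-06T09:02:00,v01,reported
2024-05-06T09:03:00,v02,clicked
2024-05-06T09:04:00,v02,reported
2024-05-06T09:05:00,v03,reported
2024-05-06T09:07:00,v04,deleted
2024-05-06T09:08:00,v05,reported
2024-05-06T09:11:00,v06,opened
2024-05-06T09:40:00,v07,reported
""".splitlines()

if __name__ == "__main__":
    before = summarise_round(BEFORE_TRAINING, 10, BEFORE_SENT_AT)
    after = summarise_round(AFTER_TRAINING, 10, AFTER_SENT_AT)
    print("before training:", before)
    print("after training: ", after)
    print("change:         ", compare_rounds(before, after))
```

The report rate, the number who clicked and then reported, and the time to the first report are the figures worth putting in front of management; the per-token sets never need to leave the script, and because tokens are reissued each round nobody can be tracked from one test to the next.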

Most of the understandable controversy around phishing exercises results from poorly thought-out lures. A commonly cited example is a simulated phishing email promising a large bonus to employees. Grateful users opened the link only to be told this was a test, and they had failed. Understandably, particularly during a cost of living crisis, this leaves many angry and upset. It is one thing for a criminal to use promises of cash to deceive users; in employees’ view, it is quite another for their employer to do the same. Some argue that because hackers will pull no punches, neither should the simulations; many others agree that lures like this alienate users and leave them less inclined to help keep their organisation secure.

How SBRC Can Help

You can arrange a bespoke phishing exercise with the SBRC, executed by our innovative team of ethical hackers. We will plan a custom exercise based on real-world phishing campaigns to raise your users’ awareness of the threat of phishing attacks. We’ll then deliver a comprehensive report on the results of the exercise and make recommendations for improvement where appropriate. We can also provide this with a custom cyber awareness training package for maximum impact. 

If you are part of a large organisation, this service may already be offered to you (NHS organisations can sign up here). Free alternatives are available; however, these will be less tailored to your organisation.

In summary, phishing exercises can be valuable to your cyber awareness training and improve your organisation’s cyber posture. The numerous benefits include:

  • Reminding users of the threat of phishing attacks.
  • Reinforcing the training they have received on identifying and reporting phishing emails.
  • Allowing you to quantify the effectiveness of your training.
  • Identifying gaps in your training or email filtering.

For more information on our phishing exercise or wider Cyber Professional Services, visit our website page or contact us at: [email protected]