Phishing defense: Development of effective training programs for employees
Emails are the preferred gateway for malicious actors. A study by HP Wolf Security from the first quarter of the year shows that 53% of all attacks are carried out using email phishing to spread malware (HP Wolf Security - Report). The attackers are targeting the human "weak spot".
Technical solutions for mitigating social engineering attacks, such as email filters, are indispensable. However, security experts also know that these products can never guarantee complete security. It is therefore all the more important that employees are educated. Their ability to identify an attack and expose a malicious email, for example, can determine the success or failure of an attack.
How do I empower employees to recognize social engineering attacks and act correctly?
Phishing awareness training
Phishing awareness training aims to raise employees' awareness of social engineering techniques. Employees should understand:
- What is social engineering?
- Why is it so dangerous?
- How do I recognize a social engineering attack?
- How do I act if I notice something?
The content can be conveyed in various forms and via different media channels. Companies can purchase digital self-learning courses or create them themselves. Videos are also popular. In addition to digital forms, many companies hold traditional meetings or training sessions in person. Which form a company chooses is of secondary importance. It is more important that the training is carried out and that it can inspire employees to want to learn more about phishing. It is advisable to include clear and practical examples. This allows employees to understand the reason for the exercise and better transfer the content to their day-to-day work. So show phishing emails that your company has actually received. Exercises also create interactivity and can be made even more exciting with gamification elements. A healthy amount of competition can motivate employees to get more involved and enjoy the task. For example, let your employees check for themselves whether the email is genuine or phishing. In the end, you want your employees to leave the training with a positive impression and the feeling that they can contribute to something very important.
To check how effective the awareness training was, it is advisable to simulate a phishing campaign. The IT security team could create phishing emails based on publicly available information (e.g. LinkedIn) and send them to employees. The emails could then ask them to open a malicious download link or attached malicious file. In such an exercise, some employees will inevitably open the link or file. However, it will also show you where knowledge is lacking and how the organization's ability to recognize attacks can be improved. It is important that employees are not punished for incorrect behavior. Equally, employees should not have the feeling that they are being exposed. Seek a conversation, try to understand why an employee behaved in this way and try to make it clear that phishing takes different forms.
The ability to recognize social engineering attacks and behave correctly takes practice. This is why it is so important that awareness training is carried out several times a year and that phishing simulations are carried out correspondingly more frequently throughout the year. By collecting data, you can demonstrate the long-term improvement of this competence among employees.
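As an added example (not code from the original post or from Complion), the following script turns the results of simulated campaigns into the numbers the two paragraphs above ask for: the click and report rate per campaign, the departments where knowledge is lacking, and whether the trend across repeated simulations is improving. The record layout and every sample result are constructed for this example; a real simulation tool would export its own fields.

```python
"""Phishing simulation scorecard: added example, not part of the original post.

Each SimResult is one recipient in one simulated campaign. The field names and
all sample data below are constructed for this example (hypothetical
departments, hypothetical outcomes).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    campaign: str      # campaign label; sorts chronologically, e.g. "2024-Q1"
    department: str
    opened: bool       # recipient opened the simulated email
    clicked: bool      # recipient clicked the link or opened the attachment
    reported: bool     # recipient reported the email to the security team


# Constructed sample export: (campaign, department, opened, clicked, reported)
_RAW = [
    # First simulation of the year
    ("2024-Q1", "Sales", True, True, False), ("2024-Q1", "Sales", True, True, False),
    ("2024-Q1", "Sales", True, True, True), ("2024-Q1", "Sales", True, False, False),
    ("2024-Q1", "Finance", True, True, False), ("2024-Q1", "Finance", True, False, True),
    ("2024-Q1", "Finance", True, False, True), ("2024-Q1", "Finance", False, False, False),
    ("2024-Q1", "IT", True, False, True), ("2024-Q1", "IT", True, False, True),
    # Same departments after two more training sessions
    ("2024-Q3", "Sales", True, True, False), ("2024-Q3", "Sales", True, False, True),
    ("2024-Q3", "Sales", True, False, True), ("2024-Q3", "Sales", False, False, False),
    ("2024-Q3", "Finance", True, False, True), ("2024-Q3", "Finance", True, False, True),
    ("2024-Q3", "Finance", True, False, True), ("2024-Q3", "Finance", True, False, False),
    ("2024-Q3", "IT", True, False, True), ("2024-Q3", "IT", True, False, True),
]
SAMPLE_RESULTS = [SimResult(*row) for row in _RAW]


def campaign_metrics(results, campaign):
    """Open, click and report rates for one campaign (fractions of recipients)."""
    rows = [r for r in results if r.campaign == campaign]
    n = len(rows)
    if n == 0:
        raise ValueError(f"no results for campaign {campaign!r}")
    return {
        "recipients": n,
        "open_rate": sum(r.opened for r in rows) / n,
        "click_rate": sum(r.clicked for r in rows) / n,
        "report_rate": sum(r.reported for r in rows) / n,
    }


def department_click_rates(results, campaign):
    """Click rate per department, to see where knowledge is lacking."""
    counts = defaultdict(lambda: [0, 0])  # department -> [clicked, total]
    for r in results:
        if r.campaign == campaign:
            counts[r.department][0] += int(r.clicked)
            counts[r.department][1] += 1
    return {d: clicked / total for d, (clicked, total) in counts.items()}


def weak_spots(results, campaign, threshold=0.2):
    """Departments whose click rate is at or above the threshold (constructed cutoff)."""
    rates = department_click_rates(results, campaign)
    return sorted(d for d, rate in rates.items() if rate >= threshold)


def trend(results):
    """(campaign, click_rate, report_rate) in chronological order of campaign label."""
    campaigns = sorted({r.campaign for r in results})
    out = []
    for c in campaigns:
        m = campaign_metrics(results, c)
        out.append((c, m["click_rate"], m["report_rate"]))
    return out


def improving(results):
    """True when, from first to last campaign, fewer people click and more report."""
    rows = trend(results)
    if len(rows) < 2:
        return False
    (_, first_click, first_report), (_, last_click, last_report) = rows[0], rows[-1]
    return last_click < first_click and last_report > first_report


if __name__ == "__main__":
    for campaign, click, report in trend(SAMPLE_RESULTS):
        print(f"{campaign}: click {click:.0%}, report {report:.0%}, "
              f"weak spots {weak_spots(SAMPLE_RESULTS, campaign)}")
    print("improving:", improving(SAMPLE_RESULTS))
```

The report rate is tracked alongside the click rate on purpose: the goal of the training is not only that fewer people click, but that more people notice and report, which is the behaviour the security team can actually act on during a real attack. Keeping the results per department rather than per person supports the point above that nobody should feel exposed.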
Conclusion
Email phishing is omnipresent. The attackers' campaigns are becoming ever more sophisticated. The aim is to exploit people's "weak points". However, people are only a weak point if they act out of ignorance. Investing in phishing training should therefore not be optional for any company. Raise awareness of social engineering attacks among your employees through training - in whatever form - and emphasize the importance of each individual's cooperation in this task. If you can do this in a motivating way, attackers will have a much harder time.
Complion also offers phishing awareness training in addition to other cybersecurity services. If you are interested in our cybersecurity services, simply contact us here: mail@complion.de
Author: Jan Philipsen