How to test the security savvy of your staff

Kim Lindros and Ed Tittel

Simulate phishing email attacks. A phishing email contains links to malicious websites or payload-filled attachments. The email is designed to look legitimate, which throws off the typical user. One of the best ways to find out if employees are mindful of phishing emails is to send some to their inboxes. Your test emails should contain some clues that they are not from the purported sender (for post-testing educational purposes) and contain links that go to a safe website. The site could simply be a page that says, "Security awareness training - phishing test in progress." Security technicians can gather IP addresses of visitors to the page to monitor which employees visited the site and therefore clicked the link.

If your staff is short on time, consider hiring a third party to help you perform simulated phishing attacks. Companies such as KnowBe4 and OneLogin either perform the tests on your employees or provide you with a portal that requires you to enter employee email addresses. You'll get reports detailing the results of the tests to use for additional training.

Follow Up on Security Tests
Talk to employees who click on a phishing link or fall for social engineering tricks as soon as possible. Explain that, although this was only a test, the next incident could be real and result in the theft of important organization or customer data. Your goal isn't to embarrass or belittle your staff but, rather, to further educate them and deepen your organization's security posture.

Organizations that must adhere to government regulations should stress the consequences of a security breach on their compliance status. Failing to maintain effective security, even as a result of user error, can put an organization out of compliance and might lead to criminal, legal or financial penalties.

IT should consider performing a second test on this subset of employees within a few weeks to gauge the workers' progress. Some employees might need additional tests and reminders before they internalize the gravity of potential security breaches.

In discussions with employees after phishing tests, point out the elements of the phishing email that should have raised red flags. For example, an email that contains spelling and grammatical errors, or threatening language, is most likely bogus. The sender's address can offer clues as well, especially if it contains an IP address or uses a domain other than the purported company's domain.
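As an added example (not from the article or its authors), a small Python checker that applies the red flags above to a test email during a debrief: a sender domain that is an IP address or not the purported company's domain, links whose real host is an IP address or an outside domain, and urgent or threatening wording. The company domain, the sample message and the phrase list are constructed for illustration.

```python
import ipaddress
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phrase list; tune it to the wording your own test emails use.
URGENT_PHRASES = ("immediately", "suspended", "will be closed",
                  "within 24 hours", "final notice")

def is_ip_literal(host: str) -> bool:
    """True if the host part is a bare IPv4/IPv6 address (brackets allowed)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def belongs_to(host: str, company_domain: str) -> bool:
    """True only for the company domain or a real subdomain of it:
    'mail.example.com' passes, 'example.com.evil.net' does not."""
    host, company_domain = host.lower().rstrip("."), company_domain.lower()
    return host == company_domain or host.endswith("." + company_domain)

def phishing_red_flags(from_header: str, body: str, company_domain: str,
                       links: list[tuple[str, str]]) -> list[str]:
    """Return the clues a recipient should have spotted.
    links: (visible text, actual href) pairs taken from the message body."""
    flags = []
    _, addr = parseaddr(from_header)
    sender_host = addr.rsplit("@", 1)[1] if "@" in addr else ""
    if not sender_host:
        flags.append("sender address is missing or malformed")
    elif is_ip_literal(sender_host):
        flags.append(f"sender domain is an IP address: {sender_host}")
    elif not belongs_to(sender_host, company_domain):
        flags.append(f"sender domain {sender_host} is not {company_domain}")
    for text, href in links:
        host = urlparse(href).hostname or ""
        if is_ip_literal(host):
            flags.append(f"link points to an IP address: {href}")
        elif not belongs_to(host, company_domain):
            flags.append(f"link text '{text}' but real host is {host}")
    if any(p in body.lower() for p in URGENT_PHRASES):
        flags.append("threatening or urgent language in body")
    return flags

if __name__ == "__main__":
    # Constructed sample test email for a company whose domain is example.com.
    sample = phishing_red_flags(
        "Example Payroll <hr@example.com.payroll-update.net>",
        "Your account will be suspended unless you verify immediately.",
        "example.com",
        [("https://example.com/login", "http://198.51.100.7/login")])
    print("\n".join(sample))
```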

When it comes to social engineering, many employees feel that security is someone else's problem, from security guards to management; others are simply reluctant to get involved. Make them feel empowered to stop and ask an unknown person why they're in the building and coach them on how to ask for credentials in a professional manner. Regardless of the type of test, emphasize the appropriate steps the employees should have taken, such as contacting a supervisor or the security department immediately.
