If you aren't yet running phishing simulations across your company, it's time. 29% of data breaches involve phishing (source: Verizon) -- it's a problem worth resolving. We've covered phishing extensively on this blog. Everything from our top 113 favorite phishing simulation emails, to simple steps to help your team identify fraudulent emails, to this advanced guide showing 7 techniques we use to sniff out phishing. However, we think we've overlooked an important topic: what to do when an employee clicks a link on a phishing simulation email. Here are your options:
Just how far will your employees go, once they click on a phishing link? That's the question that a "lure page" aims to answer. The logic is that if a phishing simulation email entices an employee to click a link, you might learn even more by following that link with a login page for whatever service the email claims to be from. Not a legitimate login page, mind you: one that resembles the legitimate one, but is part of your simulation.
Imagine that you found that 12% of your employees "fell for" a phishing simulation, and that 3% actually entered login credentials into a fake "lure page" designed to be part of the simulation. Which employees do you think you'd spend the most time coaching, post-simulation? We'll bet you'll focus on the 3%, and by doing so, you are very likely working with the weakest link in a way that could save your organization from serious danger.
How interconnected are your employees in daily conversation? Are they on a Slack group all day, communicating instantly about all types of challenges that arise? If that's how your team works, you may want to point the links in your phishing simulations at a URL that 404's (a broken link). One of the issues with phishing simulations is that a particular employee realizes there is a simulation underway and alerts colleagues. That ruins the simulation. If the phishing simulation emails have links that, when clicked, lead to a URL that doesn't load a page, you might successfully skate by without employees realizing the simulation is underway, and without them alerting each other.
This is our favorite, and is what we recommend to most of our clients. When a user clicks on a phishing simulation email, we think it's wonderful to immediately help them understand how they could have known it was a phishing email. The immediacy of that education (we believe) helps employees connect the email they just saw with the on-screen tips that appear right after. It creates no embarrassment (or at least, it shouldn't). It is time-efficient. It's informative. And it should help those same employees know how to sniff out suspicious emails the next time you send a follow-up phishing simulation email.
We've heard of companies that point their phishing simulation email clickthroughs at training, or at least at a page that notes that the particular employee is required to take a follow-up training session. If you take this approach (it's not normally our first recommendation), you'll need to find a way to make the follow-up training feel less like a punishment and more like an opportunity to learn something new about cybersecurity. It's a delicate balance: directing an employee who "fell for" a phishing simulation to take some follow-on training is certainly justified, but it's difficult to present that in a positive light. Perhaps some messaging long before the phishing simulation, factually setting the expectation that anyone who clicks a phishing simulation link will be asked to take a more detailed training? At least the expectations would be clear.
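The four destinations above (a lure page, a link that 404's, immediate on-screen tips, and a redirect to follow-up training) can all be served from one landing endpoint that decides per campaign what a click should see and records what each recipient did. The following is an added example written for this post, not Havoc Shield's code: the tracking tokens, recipient ids, page contents and the `SimulationLanding` class are all constructed for illustration. Two details matter for a defender running this: the click is logged before the 404 response goes out, so the broken-link option still produces metrics, and the lure page records only that credentials were entered, never the password itself.

```python
"""Added example: one landing endpoint for a phishing simulation that serves
the campaign's chosen destination and records per-recipient events.
Tokens, recipient ids and page text are constructed placeholders."""
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Static pages (constructed placeholders; a real deployment would use templates).
LURE_FORM = ('<form method="post"><input name="user">'
             '<input name="pass" type="password"><button>Sign in</button></form>')
TIPS_PAGE = ("<h1>This was a phishing simulation</h1><p>Check the sender domain, "
             "hover over links before clicking, and be wary of urgent requests.</p>")
TRAINING_PAGE = "<h1>Follow-up training</h1><p>Please complete the assigned module.</p>"


class SimulationLanding:
    """Maps a per-recipient tracking token to a destination and logs events."""

    def __init__(self, campaign):
        # campaign: token -> (recipient id, destination); destinations are
        # "lure", "notfound", "tips" or "training".
        self.campaign = campaign
        self.events = []  # (token, recipient, "clicked" | "submitted")

    def handle(self, method, path, form=None):
        """Return (status, body) for one request. `form` is parsed POST data."""
        token = parse_qs(urlparse(path).query).get("t", [None])[0]
        if token not in self.campaign:
            return 404, "Not found"
        recipient, dest = self.campaign[token]

        if method == "POST" and dest == "lure":
            # Record only that credentials were entered. The submitted form
            # is deliberately neither inspected nor stored.
            self.events.append((token, recipient, "submitted"))
            return 200, TIPS_PAGE

        self.events.append((token, recipient, "clicked"))
        if dest == "notfound":
            # The click was logged above, so a broken link still yields metrics.
            return 404, "Not found"
        if dest == "lure":
            return 200, LURE_FORM
        if dest == "training":
            return 200, TRAINING_PAGE
        return 200, TIPS_PAGE  # "tips": immediate on-screen education

    def rates(self):
        """Fraction of distinct recipients who clicked and who submitted credentials."""
        who = defaultdict(set)
        for _token, recipient, event in self.events:
            who[event].add(recipient)
        total = len({recipient for recipient, _dest in self.campaign.values()})
        return {"clicked": len(who["clicked"]) / total,
                "submitted": len(who["submitted"]) / total}


def serve(landing, port=8080):
    """Wire the handler into the standard-library HTTP server for local testing."""
    class Handler(BaseHTTPRequestHandler):
        def _reply(self, status, body):
            self.send_response(status)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.end_headers()
            self.wfile.write(body.encode())

        def do_GET(self):
            self._reply(*landing.handle("GET", self.path))

        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            form = parse_qs(self.rfile.read(length).decode())
            self._reply(*landing.handle("POST", self.path, form))

    HTTPServer(("127.0.0.1", port), Handler).serve_forever()


# Constructed campaign: four recipients, one per destination type.
DEMO_CAMPAIGN = {
    "t1a2b3": ("emp-0042", "lure"),
    "c4d5e6": ("emp-0107", "notfound"),
    "f7g8h9": ("emp-0219", "tips"),
    "k1l2m3": ("emp-0333", "training"),
}

if __name__ == "__main__":
    serve(SimulationLanding(DEMO_CAMPAIGN))
```

`rates()` gives the two numbers the post talks about (the share who clicked versus the share who went on to enter credentials) by counting distinct recipients, so a repeat click from one person does not inflate the result. Because the handler discards the POST body, a lure page built this way can be shown to auditors without a credential-retention discussion.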
These four destinations are the ones we've seen clients choose when they use the Havoc Shield platform to set up a phishing simulation. Whichever you choose, just be aware that you've got options that can help you tune your phishing simulation in a way that feels right for your organization. And, as always, let us know if you have any questions.