Cybercrime has greatly evolved over the past few years, and it’s costing businesses in all industries. A recent global survey by the Ponemon Institute established that on average, data breaches cost companies around USD$139 per leaked record.

It’s no secret that the security of your organisation’s system and data is of great importance. Despite this, unwary employees continue to fall for unsophisticated email phishing scams, and willingly open the door to information security threats.

Once your employees hand over access to your data and systems, hackers can hold you for ransom. Since phishing remains one of the main threats to organisations, it’s imperative that you implement an effective awareness program that seeks to provide your employees with knowledge about data security.

Testing your employees with simulated phishing attacks is an effective strategy that can help foster this environment of phishing awareness.

What is Email Phishing?

Email phishing is a malicious activity that is typically carried out by identity theft criminals and tech-savvy con artists. These individuals often use fraudulent websites that resemble a real, trusted organisation.

This is done with the intention of gathering sensitive information such as credit card numbers, bank account information and other personal employee details.

Examples of Phishing Attacks

The following are some of the most common phishing attacks that businesses are likely to encounter. 

• Deceptive Phishing: This refers to attacks in which hackers impersonate a legitimate company in a bid to steal login credentials or personal information. The extent to which a deceptive phishing attack is successful often depends on how closely the fraudulent email resembles the legitimate firm’s official email correspondence.

• Spear Phishing: This attack relies on heavy personalisation. Spear phishing attacks are characterised by emails that target specific individuals within your organisation. In doing so, the phishers attempt to lure the individual into believing that there is a connection between themselves and the sending address. Those who fall victim to this attack may end up clicking on a malicious email attachment or URL and consequently, pass over their private information or login credentials.

• Pharming: This is an advanced phishing attack that targets the domain system of an organisation. Typically, the naming system of the Internet uses DNS servers to change alphabetical web page names to numerical addresses that can be used to locate computer devices and services. In a pharming attack, fraudsters target your firm’s DNS server before changing the IP address that is associated with your alphabetical website name. This allows them to redirect your employees to their malicious websites even if the users key-in the correct website name. 

How to Test Employees for Phishing Awareness

Education and awareness among employees are critical in protecting your business from these types of email phishing attacks. Attack simulations, which will test your employees’ ability to ward off a phishing attack, are a popular and effective method of gauging employee education, and provide a great starting point for your internal education program.

You can test your employees’ ability to deal with a phishing threat by raising a temporary web server to create a phishing email that will lure your employees to the fake website. Try to make the fraudulent website took as genuine as possible. After emailing all users via a server that enables you to cover the “From” address, keep track of each employee’s response.

Employee error is a significant threat to the information assets of any company, as email phishing reveals. However, it’s just one front where companies battle to safeguard their data.

To learn how your business can protect its valuable information assets with an information security management system, download our ISO 27001 below: